Fun With Thread Local Storage (part 3)
Peter Ferrie, Senior Anti-virus Researcher, Microsoft Corporation
2 July, 2008

You Can Call Me Al
Thread Local Storage callbacks were discovered in 2000. However, widespread use didn't occur until 2004. Now, it should be the first place to look for code, since it runs before the main entry point. And that can make all the difference…

Empty!
[screenshot: Entry Point]

Empty!
[screenshot: C3 RET]

Empty!
So the main file does nothing. If we assume that the structure is normal, then we could check the thread local storage table. Just in case.

Empty!
[screenshot: TLS is present (size doesn't matter)]

Empty!
[screenshot: Callback pointer, Callback array]

Empty!
So the search moves to the callbacks, of which there is only one, but it looks peculiar. It's not a virtual address.

The One and Only

Imported TLS callbacks
We know that the TLS callback array can be altered at runtime. We know that the TLS callbacks can point outside of the image.
Now we are looking at a new way to achieve that. Imports are resolved before TLS callbacks are called.
So TLS callbacks can be imported addresses! Let's check the import table.
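The check an analyst would script for this slide, as an added example that is not from the deck: decide whether a PE's TLS callback array overlaps the import address table, in which case the callbacks are whatever imports the loader resolves into those slots. The PeLayout fields, the sample addresses and the on-disk values are constructed assumptions; a real tool would fill them from a PE parser.

```python
from dataclasses import dataclass, field

@dataclass
class PeLayout:
    """Header fields a PE parser would supply; the sample values below are constructed."""
    image_base: int
    size_of_image: int
    iat_va: int           # VA of the import address table (DataDirectory entry 12)
    iat_size: int
    import_slots: dict = field(default_factory=dict)   # IAT slot VA -> "DLL!function"

def classify_tls_callbacks(layout, address_of_callbacks, raw_entries, ptr_size=4):
    """Walk the TLS callback array as it appears on disk.

    raw_entries are the pointer-sized values read at AddressOfCallBacks, up to
    and including the NULL terminator. Returns (slot_va, verdict, detail) tuples:
      imported - the array overlaps the IAT, so the loader calls whatever import
                 was resolved into that slot; the on-disk value is not a VA at all
      in_image - ordinary callback inside the mapped image
      outside  - callback VA outside the image (resolve it by hand before trusting it)
    """
    in_iat = layout.iat_va <= address_of_callbacks < layout.iat_va + layout.iat_size
    lo, hi = layout.image_base, layout.image_base + layout.size_of_image
    results = []
    for i, value in enumerate(raw_entries):
        slot_va = address_of_callbacks + i * ptr_size
        if in_iat:
            name = layout.import_slots.get(slot_va)
            if name is None:          # ran past the IAT's last thunk (its NULL entry)
                break
            results.append((slot_va, "imported", name))
        elif value == 0:
            break                     # NULL terminates a normal callback array
        else:
            verdict = "in_image" if lo <= value < hi else "outside"
            results.append((slot_va, verdict, hex(value)))
    return results

# Constructed layout modelled on the deck: one import, TLS3.DLL!a, whose IAT
# slot is also the first and only TLS callback slot.
SAMPLE = PeLayout(image_base=0x400000, size_of_image=0x3000,
                  iat_va=0x402000, iat_size=8,
                  import_slots={0x402000: "TLS3.DLL!a"})

def demo():
    # On disk the IAT slot holds a hint/name RVA (0x2040 here), not a VA.
    imported = classify_tls_callbacks(SAMPLE, 0x402000, [0x2040, 0])
    # A conventional array elsewhere in the image, for comparison.
    normal = classify_tls_callbacks(SAMPLE, 0x401100, [0x401000, 0])
    return imported, normal
```

A scanner that only validates callback values as virtual addresses reports the first case as garbage; checking AddressOfCallBacks against the IAT range first is what turns it into "call TLS3.DLL!a before the entry point".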

The Search Goes On
[screenshot: TLS3.DLL]

The Search Goes On
[screenshot: a]

The Search Goes On
So the search moves to TLS3.DLL, and the mysterious function called 'a'.

'A' function

The 'Aha' Moment
So that's how it's done. If we let it run…

Surprise!

Not OK
The code runs.

Really Not OK
Just a little something to add to the workload.