
Self-modifying TLS callbacks


OpenRCE_omega_red
April 9th, 2008, 09:32
Simple yet not widely known trick. If your PE image has TLS callbacks, these callbacks can alter the TLS table while executing. That means you can have one callback at the start, but if this callback adds some other callbacks, those will execute as well. There are a few interesting possibilities, because the PE loader doesn't cache the TLS table at the beginning of image load.

http://omeg.pl/code/tls_selfmodify.zip

Code:

; Self-modifying TLS callbacks
; This PE has only one TLS callback active at load time.
; However, the callback executes 0x10 times because it modifies the TLS table before returning.
; (The loader walks the same, now 0x10-entry, table again on process detach,
; so over the life of the process the callback runs 0x20 times in total.)
; Copyleft (c) Omega Red 2007
; fasm source

; 32-bit executable
format PE GUI
entry start

include '%fasminc%\win32a.inc'
include '%fasminc%\macro\proc32.inc'
;------------------------------------------------
; one section for everything; it must be writable, because the
; TLS callback table below is patched at run time
section 'all' code data readable writable executable

start:
        ; by the time the entry point runs, the loader has already walked
        ; the TLS callback table, so [count] holds the final tally (0x10)
        cinvoke printf, buf, fmt, [count]
        invoke  msgbox, 0, buf, t_main, 0
        invoke  exit, 0
;------------------------------------------------
; TLS callback, stdcall (hModule, dwReason, pvReserved).
; The loader calls each non-null entry of tls_callbacks in turn and re-reads
; the table after every call, so an entry appended here is picked up on the
; next iteration.
tls_callback0:
        inc     dword [count]
        cmp     dword [count], 0x10     ; callback executed 0x10 times?
        jge     tls_end

        ; add another callback entry before returning
        ; (entry [count] is the first one that is still null)
        mov     eax, [count]
        mov     dword [tls_callbacks+4*eax], tls_callback0

tls_end:
        ret     0x0c                    ; stdcall: pop the three arguments
;------------------------------------------------
t_main  db 'main',0
buf     db 0x100 dup (0)
fmt     db 'tls count: %d',0
count   dd 0
;------------------------------------------------
; TLS directory
; !!! it's possible to change the TLS table WHILE IN THE TLS CALLBACK itself,
; e.g. you have only 1 TLS callback at first, but this one adds some more -
; those added will execute normally (the table is not cached by the loader)!
align 0x10
data 9 ; tls
        dd 0                    ; Raw Data Start VA
        dd 0                    ; Raw Data End VA
        dd tls_index            ; Address of Index
        dd tls_callbacks        ; Address of Callbacks
        dd 0                    ; Size of Zero Fill
        dd 0                    ; Reserved (Characteristics)

tls_index     dd 0
tls_callbacks:                  ; only one callback is present initially
        dd tls_callback0        ; callback proc
        dd 0xff dup (0)         ; space reserved for more callback entries (null at load time)
        dd 0                    ; final terminator, never overwritten (count stops at 0x10)
end data
;------------------------------------------------
data import

library user, 'user32.dll',\
        kernel, 'kernel32.dll'

import user,\
       printf, 'wsprintfA',\
       msgbox, 'MessageBoxA'

import kernel,\
       exit, 'ExitProcess'
end data


https://www.openrce.org/blog/view/1114/Self-modifying_TLS_callbacks
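A static view of the same trick, as an added example that is not part of the original post: the enumerator below reads the TLS data directory, resolves AddressOfCallBacks through the section table and walks the callback array the way a disassembler or scanner would, from the file on disk, stopping at the first null. It also reports the two things a practitioner wants to know before trusting that count: whether the table sits in a writable section, and how many zeroed pointer slots follow the terminator (the room a callback can fill before the loader reads the table again). The image it parses is constructed by build_sample_pe() to mirror the posted sample's layout (TLS directory at RVA 0x1170, callback table at 0x118C, callback at VA 0x401035, 0xff spare slots); it is not the author's tls.exe. Against that image the static walk reports one callback, while the loader executed sixteen.

```python
"""Static TLS callback enumerator for PE32/PE32+ (added example, not code from
the post; the image it is run on is constructed below, not the author's tls.exe)."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_SCN_MEM_WRITE = 0x80000000


def _sections(data, coff):
    """Yield (va, vsize, raw_ptr, raw_size, flags) for each section header."""
    nsec = struct.unpack_from('<H', data, coff + 2)[0]
    table = coff + 20 + struct.unpack_from('<H', data, coff + 16)[0]
    for i in range(nsec):
        _, vsize, va, rawsz, rawptr, _, _, _, _, flags = struct.unpack_from(
            '<8sIIIIIIHHI', data, table + 40 * i)
        yield va, vsize, rawptr, rawsz, flags


def _section_for_rva(sections, rva):
    for sec in sections:
        if sec[0] <= rva < sec[0] + max(sec[1], sec[3]):
            return sec
    raise ValueError('RVA %#x is not backed by any section' % rva)


def tls_callbacks_on_disk(data):
    """Walk the TLS callback array as it exists in the file (what a static scan
    sees): callback VAs, whether the array is in a writable section, and how many
    zeroed pointer slots follow the terminator, i.e. room a callback can fill."""
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    coff, opt = e_lfanew + 4, e_lfanew + 24
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10b:                              # PE32
        image_base = struct.unpack_from('<I', data, opt + 28)[0]
        dirs, ptr, size = opt + 96, 'I', 4
    elif magic == 0x20b:                            # PE32+
        image_base = struct.unpack_from('<Q', data, opt + 24)[0]
        dirs, ptr, size = opt + 112, 'Q', 8
    else:
        raise ValueError('unknown optional header magic %#x' % magic)
    tls_rva = struct.unpack_from('<I', data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0]
    if tls_rva == 0:
        return {'callbacks': [], 'writable': False, 'spare_slots': 0}
    sections = list(_sections(data, coff))
    va, _, rawptr, _, _ = _section_for_rva(sections, tls_rva)
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (all VAs, not RVAs), SizeOfZeroFill, Characteristics
    cb_va = struct.unpack_from('<4' + ptr, data, tls_rva - va + rawptr)[3]
    va, _, rawptr, rawsz, flags = _section_for_rva(sections, cb_va - image_base)
    off, end = cb_va - image_base - va + rawptr, rawptr + rawsz
    callbacks, spare = [], 0
    while off + size <= end:                        # stop at the first null, as the loader does
        entry = struct.unpack_from('<' + ptr, data, off)[0]
        off += size
        if entry == 0:
            break
        callbacks.append(entry)
    while off + size <= end and struct.unpack_from('<' + ptr, data, off)[0] == 0:
        spare, off = spare + 1, off + size
    return {'callbacks': callbacks, 'writable': bool(flags & IMAGE_SCN_MEM_WRITE),
            'spare_slots': spare}


def build_sample_pe():
    """Constructed 32-bit image laid out like the posted sample: one RWX section
    'all' at RVA 0x1000, TLS directory at RVA 0x1170, tls_index at 0x1188, callback
    table at 0x118C: one live entry (VA 0x401035), 0xff zero slots, a terminator."""
    image_base, sec_rva, sec_raw, sec_size = 0x400000, 0x1000, 0x200, 0x600
    tls_off, idx_off, cb_off = 0x170, 0x188, 0x18c  # offsets inside the section
    body = bytearray(sec_size)
    struct.pack_into('<6I', body, tls_off, 0, 0, image_base + sec_rva + idx_off,
                     image_base + sec_rva + cb_off, 0, 0)
    struct.pack_into('<I', body, cb_off, image_base + 0x1035)     # the only callback on disk
    struct.pack_into('<I', body, cb_off + 4 * 0x101, 0xdeadbeef)  # stand-in for the import data
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3c, 0x40)                       # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14c, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10b)                         # PE32 magic
    struct.pack_into('<I', opt, 16, sec_rva)                      # AddressOfEntryPoint
    struct.pack_into('<III', opt, 28, image_base, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into('<II', opt, 56, sec_rva + sec_size, sec_raw) # SizeOfImage, SizeOfHeaders
    struct.pack_into('<H', opt, 68, 2)                            # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into('<I', opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, sec_rva + tls_off, 0x18)
    sec_hdr = struct.pack('<8sIIIIIIHHI', b'all', sec_size, sec_rva, sec_size, sec_raw,
                          0, 0, 0, 0, 0xE0000020)                 # CODE|EXECUTE|READ|WRITE
    return (bytes(dos) + b'PE\0\0' + coff + bytes(opt) + sec_hdr).ljust(sec_raw, b'\0') + bytes(body)


if __name__ == '__main__':
    print(tls_callbacks_on_disk(build_sample_pe()))   # one callback on disk; the loader ran 0x10
```

The walk deliberately stops at the first null pointer because that is what the loader does; a table that the file declares as one entry, in a writable section, with a long zeroed tail behind the terminator, is exactly the shape this trick needs, and a static count alone says nothing about how many entries will exist once the first callback has returned.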

Arcane
April 9th, 2008, 11:20
Interesting cool Stuff

rendari
April 9th, 2008, 21:27
Evil

NeOXOeN
April 9th, 2008, 23:09
very nice stuff

blabberer
April 16th, 2008, 12:28
the old plugin ntglobalflag by stingduk still catches all the tls callbacks
on both sides (0x20 times)

http://www.reversing.be/article.php?story=20050603193932184

Code:

Log data
Address Message

File 'C:\Documents and Settings\CP-M\Desktop\odbg110\tls_selfmodify\tls.exe'
New process with ID 00000394 created
00401000 Main thread with ID 00000160 created
00400000 Module C:\Documents and Settings\CP-M\Desktop\odbg110\tls_selfmodify\tls.exe
00401000 Code size in header is 0, assuming code in section 'all'
CRC changed, discarding .udd data
77C70000 Module C:\WINDOWS\system32\GDI32.dll
77D40000 Module C:\WINDOWS\system32\user32.dll
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E60000 Module C:\WINDOWS\system32\kernel32.dll
77F50000 Module C:\WINDOWS\System32\ntdll.dll
CRC changed, discarding .udd data
78000000 Module C:\WINDOWS\system32\RPCRT4.dll
77F767CD System startup breakpoint
77F80889 Debug string: [394,160] LDR: Real INIT LIST for process C:\Documents and Settings\CP-M\Desktop\odbg110\tls_selfmodify\tls.exe pid 916 0x394
77F80889 Debug string: [394,160] C:\WINDOWS\system32\RPCRT4.dll init routine 78001E0F
77F80889 Debug string: [394,160] C:\WINDOWS\system32\ADVAPI32.dll init routine 77DD1D3D
77F80889 Debug string: [394,160] C:\WINDOWS\system32\user32.dll init routine 77D539F9
77F80889 Debug string: [394,160] LDR: RPCRT4.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 78001E0F
77F80889 Debug string: [394,160] LDR: ADVAPI32.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 77DD1D3D
77F80889 Debug string: [394,160] LDR: user32.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 77D539F9
77F80889 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 00401170 CallBacks 0040118C
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
00401000 Program entry point
Analysing tls
1 heuristical procedure
3 calls to known functions
77F80889 Debug string: LDR: LdrLoadDll, loading C:\WINDOWS\System32\uxtheme.dll from C:\WINDOWS\System32;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
77F80889 Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\System32\uxtheme.dll
77F80889 Debug string: LDR: uxtheme.dll bound to msvcrt.dll
5AD70000 Module C:\WINDOWS\System32\uxtheme.dll
77F80889 Debug string: LDR: msvcrt.dll bound to KERNEL32.dll
77F80889 Debug string: LDR: msvcrt.dll has correct binding to KERNEL32.dll
77F80889 Debug string: LDR: msvcrt.dll bound to NTDLL.DLL via forwarder(s) from kernel32.dll
77F80889 Debug string: LDR: msvcrt.dll has correct binding to NTDLL.DLL
77F80889 Debug string: LDR: msvcrt.dll bound to NTDLL.DLL
77F80889 Debug string: LDR: msvcrt.dll has correct binding to NTDLL.DLL
77F80889 Debug string: LDR: uxtheme.dll has stale binding to msvcrt.dll
77F80889 Debug string: LDR: Stale Bind msvcrt.dll from uxtheme.dll
77F80889 Debug string: LDR: uxtheme.dll bound to ntdll.dll
77F80889 Debug string: LDR: uxtheme.dll has correct binding to ntdll.dll
77F80889 Debug string: LDR: uxtheme.dll bound to KERNEL32.dll
77F80889 Debug string: LDR: uxtheme.dll has correct binding to KERNEL32.dll
77F80889 Debug string: LDR: uxtheme.dll bound to ntdll.dll via forwarder(s) from kernel32.dll
77F80889 Debug string: LDR: uxtheme.dll has correct binding to ntdll.dll
77F80889 Debug string: LDR: uxtheme.dll bound to USER32.dll
77F80889 Debug string: LDR: uxtheme.dll has correct binding to USER32.dll
77F80889 Debug string: LDR: uxtheme.dll bound to GDI32.dll
77F80889 Debug string: LDR: uxtheme.dll has correct binding to GDI32.dll
77F80889 Debug string: LDR: uxtheme.dll bound to ADVAPI32.dll
77F80889 Debug string: LDR: uxtheme.dll has correct binding to ADVAPI32.dll
77F80889 Debug string: LDR: Refcount msvcrt.dll (1)
77F80889 Debug string: [394,160] LDR: Real INIT LIST for process C:\Documents and Settings\CP-M\Desktop\odbg110\tls_selfmodify\tls.exe pid 916 0x394
77F80889 Debug string: [394,160] C:\WINDOWS\system32\msvcrt.dll init routine 77C1E94F
77F80889 Debug string: [394,160] C:\WINDOWS\System32\uxtheme.dll init routine 5AD71539
77F80889 Debug string: [394,160] LDR: msvcrt.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 77C1E94F
77F80889 Debug string: LDR: LdrGetDllHandle, searching for kernel32.dll from
77F80889 Debug string: LDR: LdrGetProcedureAddress by
77F80889 Debug string: NAME - InitializeCriticalSectionAndSpinCount
77F80889 Debug string: [394,160] LDR: uxtheme.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 5AD71539
77F80889 Debug string: LDR: LdrLoadDll, loading .\UxTheme.dll from C:\Documents and Settings\CP-M\Desktop\odbg110\tls_selfmodify;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
77F80889 Debug string: LDR: Refcount msvcrt.dll (2)
77F80889 Debug string: LDR: LdrLoadDll, loading C:\WINDOWS\System32\uxtheme.dll from C:\WINDOWS\System32;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
77F80889 Debug string: LDR: Refcount msvcrt.dll (3)
77F80889 Debug string: LDR: Derefcount msvcrt.dll (2)
77F80889 Debug string: LDR: UNINIT LIST
77F80889 Debug string: LDR: LdrLoadDll, loading C:\WINDOWS\System32\uxtheme.dll from C:\WINDOWS\System32;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
77F80889 Debug string: LDR: Refcount msvcrt.dll (3)
77F80889 Debug string: LDR: Derefcount msvcrt.dll (2)
77F80889 Debug string: LDR: UNINIT LIST
77F80889 Debug string: LDR: LdrLoadDll, loading C:\WINDOWS\System32\uxtheme.dll from C:\WINDOWS\System32;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
77F80889 Debug string: LDR: Refcount msvcrt.dll (3)
77F80889 Debug string: LDR: Derefcount msvcrt.dll (2)
77F80889 Debug string: LDR: UNINIT LIST
77F80889 Debug string: LDR: PID: 0x394 finished - '"C:\Documents and Settings\CP-M\Desktop\odbg110\tls_selfmodify\tls.exe"'
77F80889 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 00401170 CallBacks 0040118C
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
Process terminated, exit code 0
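As an added example that is not part of blabberer's post: the script below reduces loader-snaps output of the kind shown above (the "LDR:" debug strings the ntglobalflag plugin switches on) to the numbers that matter, one record per "Tls Callbacks Found" pass with the callback addresses the loader actually invoked, and compares that with the callback count a static scan of the file reports. The sample log in sample_log() is constructed to match the shape of the posted log (0x10 calls to 00401035 on process attach, 0x10 more on detach); it is not the captured log itself.

```python
"""Reduce loader-snaps output (the LDR: debug strings the ntglobalflag plugin
turns on) to per-phase TLS callback counts and compare them with a static count.
Added example; the sample log below is constructed to match the posted log's shape."""
import re

_FOUND = re.compile(r'LDR: Tls Callbacks Found\. Imagebase (\w+) Tls (\w+) CallBacks (\w+)')
_CALL = re.compile(r'LDR: Calling Tls Callback Imagebase (\w+) Function (\w+)')


def tls_phases(log_text):
    """One record per 'Tls Callbacks Found' line (process attach, then detach),
    listing the callback addresses the loader actually invoked in that pass."""
    phases = []
    for line in log_text.splitlines():
        found = _FOUND.search(line)
        if found:
            phases.append({'imagebase': int(found.group(1), 16),
                           'table': int(found.group(3), 16), 'calls': []})
            continue
        call = _CALL.search(line)
        if call and phases:
            phases[-1]['calls'].append(int(call.group(2), 16))
    return phases


def grew_at_runtime(static_callbacks, phases):
    """True when a pass invoked more callbacks than the file declares: the table
    was extended while the loader was walking it."""
    return any(len(p['calls']) > len(static_callbacks) for p in phases)


def sample_log():
    """Constructed stand-in for the posted log: 0x10 calls on attach, 0x10 on detach."""
    found = '77F80889 Debug string: LDR: Tls Callbacks Found. Imagebase 00400000 Tls 00401170 CallBacks 0040118C'
    call = '77F80889 Debug string: LDR: Calling Tls Callback Imagebase 00400000 Function 00401035'
    lines = [found] + [call] * 0x10 + ['00401000 Program entry point']
    lines += ['77F80889 Debug string: LDR: PID: 0x394 finished'] + [found] + [call] * 0x10
    return '\n'.join(lines)


if __name__ == '__main__':
    for n, p in enumerate(tls_phases(sample_log())):
        print('pass %d: %d calls to %s' % (n, len(p['calls']), sorted({hex(c) for c in p['calls']})))
    print('table grew at runtime:', grew_at_runtime([0x401035], tls_phases(sample_log())))
```

The useful signal is the comparison, not the raw count: a static tool that reports one callback against a loader trace that shows sixteen invocations per pass means the table changed between the loader's reads, which is the whole point of the trick and the reason a loader-level trace (or a breakpoint on the callback entry itself) catches it while a header dump does not.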