XP/S2K3 fails to process TLS w/o USER32
nezumi-lab
January 7th, 2009, 01:35
XP and later do not execute TLS callbacks if USER32 is not loaded. This is an undocumented feature that is not mentioned in the MS PE Specification, and W2K does not request USER32 to process TLS callbacks, so it's definitely a bug of XP/S2K3. Just a few anti-viruses emulate TLS callbacks (Kaspersky and NOD32), but they don't know about this bug, so there is a way to bypass them. Some worms have started to use this trick…
# download paper and POCs
http://nezumi-lab.org/blog/?p=15
evaluator
January 7th, 2009, 05:34
I don't understand.
If TLS will not be called, then how to use it??
wtbw
January 7th, 2009, 07:48
Quote (originally posted by evaluator):
I don't understand.
If TLS will not be called, then how to use it??
Because if the AV is emulating it anyway, it might think the result is benign. Say the TLS callback just does ExitProcess or something, for example. AV emulates it, says "oh this exe is fine", virus gets by...
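The defender-side check this exchange points at is simply knowing whether a sample registers TLS callbacks at all, and where they point, before deciding how to emulate them. The following is an added example, not code from the thread or from the nezumi-lab paper: it walks a PE's TLS data directory (index 9) and lists the callback addresses for both PE32 and PE32+. The sample image returned by `build_sample_pe` is constructed inline for the demonstration (section layout, image base and callback VAs are all made up), and the function names are this example's own.

```python
"""Enumerate TLS callbacks in a PE image (PE32 and PE32+), offline and self-contained."""
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # index of the TLS entry in the data directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]
def _u64(b, off): return struct.unpack_from("<Q", b, off)[0]


def parse_sections(data, nt, num_sections, opt_size):
    """Return (VirtualAddress, size, PointerToRawData) for each section header."""
    sec_off = nt + 4 + 20 + opt_size    # after PE signature, COFF header, optional header
    sections = []
    for i in range(num_sections):
        s = sec_off + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA 0x{rva:x} not in any section")


def tls_callbacks(data):
    """Return the list of TLS callback addresses (VAs) registered by the image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = _u32(data, 0x3C)                       # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = _u16(data, nt + 6)
    opt_size = _u16(data, nt + 20)
    opt = nt + 24                               # start of optional header
    magic = _u16(data, opt)
    if magic == PE32_MAGIC:
        image_base = _u32(data, opt + 28)
        dd_off, ptr_size, read_ptr = opt + 96, 4, _u32
    elif magic == PE32PLUS_MAGIC:
        image_base = _u64(data, opt + 24)
        dd_off, ptr_size, read_ptr = opt + 112, 8, _u64
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if _u32(data, dd_off - 4) <= IMAGE_DIRECTORY_ENTRY_TLS:   # NumberOfRvaAndSizes
        return []
    tls_rva, _tls_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []
    sections = parse_sections(data, nt, num_sections, opt_size)
    tls_off = rva_to_offset(sections, tls_rva)
    # AddressOfCallBacks is the 4th field of IMAGE_TLS_DIRECTORY and is a VA, not an RVA.
    callbacks_va = read_ptr(data, tls_off + 3 * ptr_size)
    if callbacks_va == 0:
        return []
    cb_off = rva_to_offset(sections, callbacks_va - image_base)
    callbacks = []
    while cb_off + ptr_size <= len(data):       # array is NULL-terminated
        cb = read_ptr(data, cb_off)
        if cb == 0:
            break
        callbacks.append(cb)
        cb_off += ptr_size
    return callbacks


def build_sample_pe():
    """Constructed minimal PE32 image with two TLS callbacks (not a real binary)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, nt + 4, 0x14C, 1)          # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", img, nt + 20, 0xE0)              # SizeOfOptionalHeader (PE32)
    opt = nt + 24
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 28, 0x400000)         # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)   # Section/File alignment
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x1000, 24)
    sec = opt + 0xE0                                        # single section: .rdata
    img[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1000 (file 0x200); callbacks array at VA 0x401020
    struct.pack_into("<IIIIII", img, 0x200, 0x401040, 0x401044, 0x401048, 0x401020, 0, 0)
    struct.pack_into("<III", img, 0x220, 0x401100, 0x401140, 0)   # two callbacks + terminator
    return bytes(img)


if __name__ == "__main__":
    for va in tls_callbacks(build_sample_pe()):
        print(f"TLS callback at VA 0x{va:08x}")
```

Run it on a real file by passing `open(path, "rb").read()` to `tls_callbacks`. The common mistake the comment calls out (treating AddressOfCallBacks as an RVA) is what makes naive tooling miss or mislocate callbacks, which is exactly the blind spot an emulator or scanner cannot afford here.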
int0
January 7th, 2009, 08:12
Where are the POCs?