TLSCatch An ollydbg plugin to catch Tlscallbacks easily.


walied
November 2nd, 2010, 22:19
This plugin simply intercepts any new module loaded into the current process address space, searches it for TLS callbacks and sets a one-shot breakpoint on every callback found.
It lets the malware analyst catch any TLS callback in OllyDbg. Just copy the plugin DLL into the Olly plugin directory, then fire up OllyDbg. Tested on OllyDbg v1 on Windows XP and Vista.

Original article here: http://waleedassar.blogspot.com/2010/10/quick-look-at-tls-callbacks.html
Plugin uploaded on Google Code: http://ollytlscatch.googlecode.com/files/TlsCatch.dll
Still working on it to make it catch dynamically added TLS callbacks.

waliedassar@gmail.com
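
The search step described in the post above, sketched as a static parser over a PE32 file on disk. This is an added example, not TlsCatch's source; `tls_callbacks`, `build_sample` and the sample bytes are constructed for illustration, and only 32-bit PE32 is assumed.

```python
import struct

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def tls_callbacks(image, limit=64):
    """Return the VAs in a PE32 file's static TLS callback array."""
    pe = u32(image, 0x3C)
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) is handled here")
    image_base, n_dirs = u32(image, opt + 28), u32(image, opt + 92)
    tls_rva = u32(image, opt + 96 + 9 * 8) if n_dirs > 9 else 0  # directory 9 = TLS
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]  # (VirtualSize, VirtualAddress, RawSize, RawPtr)
    def to_offset(rva):
        for vsize, vaddr, raw_size, raw_ptr in sections:
            if vaddr <= rva < vaddr + max(vsize, raw_size):
                return raw_ptr + (rva - vaddr)
        return None  # not backed by the file, e.g. set up only at run time
    tls_off = to_offset(tls_rva) if tls_rva else None
    if tls_off is None:
        return []
    array_va = u32(image, tls_off + 12)  # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks
    off = to_offset(array_va - image_base) if array_va else None
    found = []
    while off is not None and off + 4 <= len(image) and len(found) < limit:
        va = u32(image, off)
        if va == 0:  # the array is null-terminated
            break
        found.append(va)
        off += 4
    return found

def build_sample():
    """Constructed minimal PE32 layout with two TLS callbacks (not a real binary)."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 0xE0)     # i386, 1 section
    struct.pack_into("<H26xI", img, 0x58, 0x10B, 0x400000)     # PE32 magic, ImageBase
    struct.pack_into("<I72xII", img, 0x58 + 92, 16, 0x1000, 0x18)  # dir count, TLS entry
    struct.pack_into("<8sIIII", img, 0x138, b".tls", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x20C, 0x401020)               # AddressOfCallBacks
    struct.pack_into("<III", img, 0x220, 0x401100, 0x401180, 0)
    return bytes(img)
```

The returned addresses are where a debugger breakpoint would need to sit before the loader runs the callbacks. A callback added dynamically at run time is not in the on-disk array, so a static pass like this does not see it.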

dELTA
November 3rd, 2010, 13:09
Looks nice.

CRCETL:
http://www.woodmann.com/collaborative/tools/Ollytlscatch

You are also very welcome to update this CRCETL entry yourself when new versions are released.

Indy
November 3rd, 2010, 21:15
bp LdrpCallTlsInitializers

ntdll!ShowSnaps -> TRUE or GF -> FLG_SHOW_LDR_SNAPS. Log:

"LDR: Tls Callbacks Found. Imagebase %p Tls %p CallBacks %p",LF,""

"LDR: Calling Tls Callback Imagebase %p Function %p",LF,""