• Home

  • Documents

  • Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1
18
Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Embed Size (px)

DESCRIPTION

Empty! 3 Peter Ferrie, Microsoft Corporation Entry Point

Citation preview

Page 1: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Fun With Thread Local Storage (part 3)

Peter FerrieSenior Anti-virus Researcher

2 July, 2008

1

Page 2: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

You Can Call Me Al

Thread Local Storage callbacks were discovered in 2000.However, widespread use didn’t occur until 2004.Now, it should be the first place to look for code,

since it runs before the main entrypoint.And that can make all the difference…

2Peter Ferrie, Microsoft Corporation

Page 3: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Empty!

3Peter Ferrie, Microsoft Corporation

Entry Point

Page 4: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Empty!

4Peter Ferrie, Microsoft Corporation

C3 RET

Page 5: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Empty!

So the main file does nothing.If we assume that the structure is normal,

then we could check the thread local storage table.Just in case.

5Peter Ferrie, Microsoft Corporation

Page 6: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Empty!

6Peter Ferrie, Microsoft Corporation

TLS is present(size doesn’t matter)

Page 7: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Empty!

7Peter Ferrie, Microsoft Corporation

Callback pointer Callback array

Page 8: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Empty!

So the search moves to the callbacks,of which there is only one, but it looks peculiar.

It’s not a virtual address.

8Peter Ferrie, Microsoft Corporation

Page 9: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

The One and Only

9Peter Ferrie, Microsoft Corporation

Page 10: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Imported TLS callbacks

We know that the TLS callback array can be altered at runtime.We know that the TLS callbacks can point outside of the image.

Now we are looking at a new way to achieve that.Imports are resolved before TLS callbacks are called.

So TLS callbacks can be imported addresses!Let’s check the import table.

10Peter Ferrie, Microsoft Corporation

Page 11: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

The Search Goes On

11Peter Ferrie, Microsoft Corporation

TLS3.DLL

Page 12: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

The Search Goes On

12Peter Ferrie, Microsoft Corporation

a

Page 13: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

The Search Goes On

So the search moves to TLS3.DLL,and the mysterious function called ‘a’.

13Peter Ferrie, Microsoft Corporation

Page 14: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

‘A’ function

14Peter Ferrie, Microsoft Corporation

Page 15: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

The ‘Aha’ Moment

So that’s how it’s done.If we let it run…

15Peter Ferrie, Microsoft Corporation

Page 16: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Surprise!

16Peter Ferrie, Microsoft Corporation

Page 17: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Not OK

The code runs.

17Peter Ferrie, Microsoft Corporation

Page 18: Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1

Really Not OK

Just a little something to add to the workload.

18Peter Ferrie, Microsoft Corporation


THREAD CUTTING & FORMING - Concordia Universityusers.encs.concordia.ca/~nrskumar/Index_files/Mech311/...THREAD CUTTING & FORMING Threading, Thread Cutting and Thread Rolling: Machining

THREAD CUTTING & FORMING - Concordia Universityusers.encs.concordia.ca/~nrskumar/Index_files/Mech311/...THREAD CUTTING & FORMING Threading, Thread Cutting and Thread Rolling: Machining

Documents
The Premium Thread Mills - · PDF fileThe Premium Thread Mills Create Outstanding Thread Surface with the innovative PRML Thread Mills! The Premium Thread Mills

The Premium Thread Mills - · PDF fileThe Premium Thread Mills Create Outstanding Thread Surface with the innovative PRML Thread Mills! The Premium Thread Mills

Documents
PLASTIC THREAD PROTECTORS STEEL THREAD PROTECTORS PACKING …revataengineering.com/brochures/thread-protectors.pdf · 2016-09-16 · PLASTIC THREAD PROTECTORS STEEL THREAD PROTECTORS

PLASTIC THREAD PROTECTORS STEEL THREAD PROTECTORS PACKING …revataengineering.com/brochures/thread-protectors.pdf · 2016-09-16 · PLASTIC THREAD PROTECTORS STEEL THREAD PROTECTORS

Documents
The ethical conduct of research Jo Ferrie Jo.Ferrie@glasgow.ac.uk Interim Director of Graduate Training

The ethical conduct of research Jo Ferrie [email protected] Interim Director of Graduate Training

Documents
Thread Measuring Systems - THREAD Check Inc

Thread Measuring Systems - THREAD Check Inc

Documents
Dr Lindsey Ferrie, Simon Cotterill Michael Thirlwell and Emma Curry

Dr Lindsey Ferrie, Simon Cotterill Michael Thirlwell and Emma Curry

Documents
THREAD LIMIT GAUGE - Niigata Seikidata/offerAttachments/offerAttachment_21.pdf · Thread Ring Gauge, Class 2 GRIR Thread Plug Gauge, Class 2 Category THREAD PLUG GAUGE THREAD LIMIT

THREAD LIMIT GAUGE - Niigata Seikidata/offerAttachments/offerAttachment_21.pdf · Thread Ring Gauge, Class 2 GRIR Thread Plug Gauge, Class 2 Category THREAD PLUG GAUGE THREAD LIMIT

Documents
Thread Making - TaeguTec - H.Q (English) · PDF fileC 2 Thread Making Tool Selection guide TS-THREAD (Thread Milling) C4 T-TAP (Tapping) C8 grades C10 TS-Thread (Thread Milling) Solid

Thread Making - TaeguTec - H.Q (English) · PDF fileC 2 Thread Making Tool Selection guide TS-THREAD (Thread Milling) C4 T-TAP (Tapping) C8 grades C10 TS-Thread (Thread Milling) Solid

Documents
ANTI-UNPACKER TRICKS - Peter Ferrie - Tripod

ANTI-UNPACKER TRICKS - Peter Ferrie - Tripod

Documents
Researcher KnowHow: Managing your researcher identity

Researcher KnowHow: Managing your researcher identity

Education
Thread Making - TaeguTec · 02.02.2000 · C 2 Thread Making Tool Selection guide T-THREAD (Thread Turning) C4 grades C8 contents *

Thread Making - TaeguTec · 02.02.2000 · C 2 Thread Making Tool Selection guide T-THREAD (Thread Turning) C4 grades C8 contents *

Documents
Surprise Exception Handlers Peter Ferrie Senior Anti-virus Researcher 11 June, 2008 1

Surprise Exception Handlers Peter Ferrie Senior Anti-virus Researcher 11 June, 2008 1

Documents
Anti-Unpacking techniques Peter Ferrie Senior Anti-virus Researcher 1 May, 2008 1

Anti-Unpacking techniques Peter Ferrie Senior Anti-virus Researcher 1 May, 2008 1

Documents
5. MULTITHREADING. POINTS TO BE COVERED.. THREAD PTHREAD API FOR THREAD MANAGEMENT THREAD SCHEDULING AND PRIORITIES THREAD CONTENTION SCOPE

5. MULTITHREADING. POINTS TO BE COVERED.. THREAD PTHREAD API FOR THREAD MANAGEMENT THREAD SCHEDULING AND PRIORITIES THREAD CONTENTION SCOPE

Documents
HH SERIES TAB - Livingston & Haven · KK1 Small Male Thread Large Male Thread KK3 Female Thread KK3M Female Metric Rod Thread KK3X Female Special Thread KK4 Full Dia. Male Thread

HH SERIES TAB - Livingston & Haven · KK1 Small Male Thread Large Male Thread KK3 Female Thread KK3M Female Metric Rod Thread KK3X Female Special Thread KK4 Full Dia. Male Thread

Documents
Embellish Thread...Flawless Polyester 60 wt Thread Embellish ® Thread The Perfect Thread for Small Lettering & Fine Details! This beautiful high-sheen, micro-thin polyester thread

Embellish Thread...Flawless Polyester 60 wt Thread Embellish ® Thread The Perfect Thread for Small Lettering & Fine Details! This beautiful high-sheen, micro-thin polyester thread

Documents
# Researcher Researcher Name 1 Abelardo Antônio de Assunção

# Researcher Researcher Name 1 Abelardo Antônio de Assunção

Documents
Metric Thread -- Extended Thread Size Range (Iso)

Metric Thread -- Extended Thread Size Range (Iso)

Documents
Rich Ferrie - University of Manchester Innovation Group

Rich Ferrie - University of Manchester Innovation Group

Documents
GO/NO GO Thread Plug Gauge GO/NO GO Thread Ring Gauge Thread Pitch Diameter Comparator · 2017-06-02 · Thread Plug & Ring Gauge I.S Taper Thread Gauge (B.S.P.T) B.S Cycle Thread

GO/NO GO Thread Plug Gauge GO/NO GO Thread Ring Gauge Thread Pitch Diameter Comparator · 2017-06-02 · Thread Plug & Ring Gauge I.S Taper Thread Gauge (B.S.P.T) B.S Cycle Thread

Documents
NexTech2010 keynotes overview25102010 - IARIA€¦ · PBSM Thread Processors PBSM Thread Processors Thread Processors Thread Processors Thread Processors Thread Processors Thread

NexTech2010 keynotes overview25102010 - IARIA€¦ · PBSM Thread Processors PBSM Thread Processors Thread Processors Thread Processors Thread Processors Thread Processors Thread

Documents
Thread Gauges | Thread Ring Gages | Thread Check

Thread Gauges | Thread Ring Gages | Thread Check

Documents
Fun With Thread Local Storage (part 1) Peter Ferrie Senior Anti-virus Researcher 18 June, 2008 1

Fun With Thread Local Storage (part 1) Peter Ferrie Senior Anti-virus Researcher 18 June, 2008 1

Documents
Basics of CUDA Programming - msi.umn.eduGrid 2 Courtesy: NDVIA Figure 3.2. An Example of CUDA Thread Organization. Block (1, 1) Thread (0,1,0) Thread (1,1,0) Thread (2,1,0) Thread

Basics of CUDA Programming - msi.umn.eduGrid 2 Courtesy: NDVIA Figure 3.2. An Example of CUDA Thread Organization. Block (1, 1) Thread (0,1,0) Thread (1,1,0) Thread (2,1,0) Thread

Documents
Thread Inserts, self-tapping for Thread Reinforcement and ... · Thread Inserts, self-tapping for Thread Reinforcement and Thread Repair Made in Germany 2013 . Precision and Quality

Thread Inserts, self-tapping for Thread Reinforcement and ... · Thread Inserts, self-tapping for Thread Reinforcement and Thread Repair Made in Germany 2013 . Precision and Quality

Documents
Thomas Ball Principal Researcher Microsoft Corporation Sebastian Burckhardt Researcher Microsoft Corporation Madan Musuvathi Researcher Microsoft

Thomas Ball Principal Researcher Microsoft Corporation Sebastian Burckhardt Researcher Microsoft Corporation Madan Musuvathi Researcher Microsoft

Documents
EC 513 - Secure Computing · different data elements § All threads run the same kernel Thread Warp 3 Thread Warp 8 Thread Warp 7 Thread Warp Scalar thread A thread B Scalar thread

EC 513 - Secure Computing · different data elements § All threads run the same kernel Thread Warp 3 Thread Warp 8 Thread Warp 7 Thread Warp Scalar thread A thread B Scalar thread

Documents
Mohan Thread Mills Private Limited, Gopal Thread New Delhi,Silk Thread

Mohan Thread Mills Private Limited, Gopal Thread New Delhi,Silk Thread

Business
METALLIC THREAD - · PDF fileMETALLIC THREAD COLORCHART Kreinik Metallic Thread Types Balger

METALLIC THREAD - · PDF fileMETALLIC THREAD COLORCHART Kreinik Metallic Thread Types Balger

Documents
Table of Contents - docs.citrixvirtualclassroom.comdocs.citrixvirtualclassroom.com/events/syn2015/word... · Web viewKimberly Ferrie. May 2015. 608: Advanced Configuration of XenApp

Table of Contents - docs.citrixvirtualclassroom.comdocs.citrixvirtualclassroom.com/events/syn2015/word... · Web viewKimberly Ferrie. May 2015. 608: Advanced Configuration of XenApp

Documents