How Malware Defends Itself Using TLS Callback Functions

Malware authors employ numerous and creative techniques to protect their executables from reverse-engineering. The arsenal includes an anti-debugging technique called TLS callback. The approach is not new, yet it is not widely understood by malware analysts, so I'd like to describe it in this note. (Thanks to Christian Wojner from CERT.at for his insights regarding this topic!)

What is TLS?

According to Microsoft, Thread Local Storage (TLS) is a mechanism that allows Microsoft Windows to define data objects that are not automatic (stack) variables, yet are "local to each individual thread that runs the code. Thus, each thread can maintain a different value for a variable declared by using TLS." This information is stored in the PE header. (Windows uses the PE header to store meta information about the executable to load and run the program.)

A programmer can define TLS callback functions, which were designed mainly to initialize and clear TLS data objects. From the malware author's perspective, the beauty of TLS callbacks is that Windows executes these functions before executing code at the traditional start of the program.

How Can TLS Callbacks Confuse Debuggers and Analysts?

Analysts often examine a malicious program's code by starting with the instructions located at the Entry Point of the executable. The Entry Point is a field in the PE header that stores the address of the "first" instruction in the program that Windows is supposed to execute; debuggers typically take us to that instruction after loading the executable.

TLS callback functions allow malware authors to execute malicious code before the debugger has a chance to pause at the traditional Entry Point. This allows malware to infect the system or disable the debugger before the analyst has a chance to look at the sample's code.

Consider the TLS callback technique employed by the Nadnadzzz bot about a year ago. If you load the bot's executable into OllyDbg, you expect to have the debugger pause at its entry point. Instead, OllyDbg seems to immediately say that the process terminated. What happened? You just infected yourself!

The problem is that before OllyDbg had a chance to pause at the traditional Entry Point instruction, it executed a TLS callback function.
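Because the TLS directory and its callback table live in the PE headers, an analyst can list the callbacks statically before ever loading the sample into a debugger. The following Python is an added example (not code from the post or the ISC note): it walks the PE headers to the TLS data directory and returns the callback addresses, and it runs against a constructed minimal PE32 image (built by build_sample_pe32, not a real sample); the same parser accepts PE32+ files.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; entries are (va, raw_size, raw_ptr)."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def find_tls_callbacks(data):
    """Return the VAs listed in a PE file's TLS callback table ([] when it has no TLS directory)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsect, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)   # COFF header fields
    opt = e_lfanew + 24                                                  # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    ptr, psize = ("<Q", 8) if pe32plus else ("<I", 4)
    image_base = struct.unpack_from(ptr, data, opt + (24 if pe32plus else 28))[0]
    data_dir = opt + (112 if pe32plus else 96)
    tls_rva = struct.unpack_from("<I", data, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_TLS)[0]
    if tls_rva == 0:
        return []                 # no TLS directory: nothing runs ahead of the entry point
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of each IMAGE_SECTION_HEADER
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsect)]
    # 4th IMAGE_TLS_DIRECTORY field is AddressOfCallBacks: a VA (image base included), not an RVA
    tls_off = _rva_to_offset(tls_rva, sections)
    callbacks_va = struct.unpack_from(ptr, data, tls_off + 3 * psize)[0]
    if callbacks_va == 0:
        return []
    off, found = _rva_to_offset(callbacks_va - image_base, sections), []
    while (cb := struct.unpack_from(ptr, data, off)[0]) != 0:   # table is NULL-terminated
        found.append(cb)
        off += psize
    return found

def build_sample_pe32():
    """Constructed PE32 image (not a real sample): one section holding a TLS dir and two callbacks."""
    base, rva, raw = 0x400000, 0x1000, 0x200
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)          # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, base)
    struct.pack_into("<I", opt, 92, 16); struct.pack_into("<II", opt, 96 + 8 * 9, rva, 24)
    sect = b".data".ljust(8, b"\0") + struct.pack("<IIII", raw, rva, raw, raw) + bytes(16)
    body = bytearray(raw)         # section contents: TLS directory at +0, callback table at +0x40
    struct.pack_into("<IIIIII", body, 0, base + 0x1100, base + 0x1104, base + 0x1108, base + 0x1040, 0, 0)
    struct.pack_into("<III", body, 0x40, base + 0x1100, base + 0x1120, 0)
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(raw, b"\0") + bytes(body)
```

Any non-empty result means code runs before the entry point, and those addresses are where an analyst sets breakpoints before letting the sample run under a debugger.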

blog

isc-sans-edu.pdf

Very nice introduction about TLS.

thx, very good!

And how can you make OllyDbg not execute that code?

4 weeks later...

Author

break before: bp tls apis ;) then you can trace what's going on there
