How Malware Defends Itself Using TLS Callback Functions

[sirp]

How Malware Defends Itself Using TLS Callback Functions

Malware authors employ numerous and creative techniques to protect their executables

from reverse-engineering. The arsenal includes an anti-debugging technique called TLS

callback. The approach is not new, yet it is not widely understood by malware analysts,

so I'd like to describe in this note. (Thanks to Christian Wojner from CERt.at for his

insights regarding this topic!)

What is TLS?

According to Microsoft, Thread Local Storage (TLS) is a mechanism that allows Microsoft

Windows to define data objects that are not automatic (stack) variables, yet are "local

to each individual thread that runs the code. Thus, each thread can maintain a different

value for a variable declared by using TLS." This information is stored in the PE header.

(Windows uses the PE header to store meta information about the executable to load and run

the progrem.)

A programmer can define TLS callback functions, which were designed mainly to initialize

and clear TLS data objects. From the malware author's perspective, the beauty of TLS

callbacks is that Windows executes these functions before execuding code at the traditional

start of the program.

How Can TLS Callbacks Confuse Debuggers and Analysts?

Analysts often examine the a malicious program's code by starting with the instructions

located at the Entry Point of the executable. The Entry Point is a field in the PE header

that stores the address of the "first" instruction in the program that Windows is supposed

to execute; debuggers typically take us to that instruction after loading the executable.

TLS callback functions allow malware authors to execute malicious code before the debugger

has a chance to pause at the traditional Entry Point. This allows malware to infect the system

or disable the debugger before the analyst has a chance to look at the sample's code.

Consider the TLS callback technique employed by the Nadnadzzz bot about a year ago. If you load

the bot's executable into OllyDbg, you expect to have the debugger pause at its entry point.

Instead, OllyDbg seems to immediately say that the process terminated. What happened? You just

infected yourself!

The problem is that before OllyDbg had a chance to pause at the traditional Entry Point instruction,

it executed a TLS callback function.

blog

isc-sans-edu.pdf

[E33]

Very nice introduction about TLS.

[frozenrain]

thx ,very good!

[Paul4games]

And how can you make Ollydb to don't execute that code ?

[sirp]

break before bp tls apis ,) then u can trace what's going on there