Jump to content
Tuts 4 You

Quick TLS Info question


LCF-AT

Recommended Posts

Posted

Hi guy,

I have a small question about TLS so I dont remember anymore and just asking now and I dont find any example file using TLSCallback + relocation to load file with dynamic base addresses.

So in the TLS info table I can see direct VA addresses and no RVA addresses.My question is just whether the VA addresses gets updated like this...

TLS info table VAs etc - Imagebase from PE Header = TLS RVAs + New loaded targetbase = New TLS VAs.Should be so right?

As I said I am just quickly asking about it so I dont find a dynamic file I can checkout now to see it. :)

Thanks

Posted

I'm not an expert in that matter but a few weeks ago, I was trying to reverse an application with TLS callbacks (Neo hex editor from HHD software) , take a look maybe it can help you understanding the logic you're looking for.

  • Like 1
  • 2 weeks later...
Peter Ferrie
Posted

TLS entries require relocation items that point to the entries, in order to fix them.

Files with dynamic base addresses also require relocations in order to fix up everything else.  If there's no table, then Windows (generally - there are some side-cases) won't move the file.

  • Like 1
Posted

Hi,

ah ok just wanted to know that quickly.Just sub imagebase from PE Header and add used base to it.All clear now.Thanks again.

greetz

  • 1 month later...
Posted

Hi guys,

I have a another addon question about TLS Callback/s.I wanna load a file / process which used TLScallback and did stop it at TLSC address instead of real EntryPoint and wanna inject a code which I did execute via CreateRemoteThread function / WaitForSingleObject function.The problem I see and have now is that it does fail anyhow and the only return value of WaitForSingleObject I get is WAIT_TIMEOUT.I tried to increase the timeout to 10 seconds and higher but also without success and I only get WAIT_TIMEOUT back.This only happens for targets using TLScallback and without everything works normaly.Now my question whats the reason for this and why the function WaitForSingleObject only sends WAIT_TIMEOUT back and how to handle that to get it work and getting STATUS_WAIT_0 back like I also get for if I stop it as EP.

Maybe anyone has any clue how to handle that TLSC issue.

Thank you

Posted

perhaps try eb fe on the tls callback(s) (there can be more than one) and GetThreadContext it ? (there should only be 1 thread at this stage)

  • Like 1
Posted

Hi,

I did patch it to EBFE at TLScallback/s without success.Still get WAIT_TIMEOUT back.Do you have any idea / example how to deal with that?

greetz

Posted

Hi again,

I checked the diffrent now using kernel detectiv tool and I see some diffrents starting target with TLSCallback and without where it works.

So if I run a target without TLSC and  hook EP and run my code in Olly till CreateRemoteThread function then it returns successfully as for TLSC files too and  I got the handle.The diffrent I see in kerneldetectiv tool / threads is that only in the TLSC file will created a another thread where I can  also see my code inside which should get executed but WaitForSingleObject does return WAIT_TIMEOUT anyway if I use a 10 sec or more etc.If I do same with a target what dosent use TLSC then CreateRemoteThread returns also a handle but in kernel detectiv there was NOT created a new thread and its only one GUI thread to see but here WaitForSingleObject does return success / 0 and everything works.So thats anyhow strange or?

TLSC file = I get my thread to see with my code but WaitForSingleObject failed

File without TLSC = I get my created thread not to see but WaitForSingleObject success and I get all datas my code was looking  for

Why this?

greetz

Posted

Quick question: Are you using CreateRemoteThread with a handle to its own process or to a process that actually lives in a different virtual address space?

  • Like 1
Posted

Hi,

I use CreateRemoteThread with the handle I got from CreateProcess.Normaly way and everything works with files using no TLSC only these file with TLSC I get this problem that my thread dosent get executed anyhow.

One more thing.In my pre post I wrote something about the thread I can see when its not working and the thread I dont see if its working = my fault about this.So if its working then thread was already executed & finished (dont suspend thread) and in the case where its not working (TLSC) I can still see the thread what means the thread was not executed because of any reason xy I dont know.The thread is also red marked if I check it with PC Hunter for example.Seems maybe that I dont have any rights to execute it or anything but why?Also the thread keeps in a wait status.Not sure what this is for a problem on the TLSCallback and using threads there.

Thread.png.df21878a1656dc5f3837baa12a791106.png

greetz

Posted

Its me again,

ok now I tried to work with GetThreadContext / SetThreadContext function and anyhow this does work!=?

I stopped file at TLSC address with EBFE bytes.Now I called GetThreadContext with process thread ID to get context filled back and then I changed the regEip in context to the address of my memory location and did call STC function (same paramter only regEip changed) and before I also changed the end of my patch code to EBFE too before calling STC function.Now I got success back of this function  and called right after ReadProcessMemory to read the filled address my patch code does fill if it was executed and  now Ohh & Ahh I got the right results back I was looking for = success.Now I changed the regEip back to TLSC address and executed again STC function etc and the target starts normaly after changing TLSC EBFE bytes back to original.So with this method it does work but I am not whether its a way I could use or not.Has anyone some hints for about that etc?

TLSC file = WaitForSingleObject failed with WAIT_TIMEOUT always anyway how long I set the time

If WAIT_TIMEOUT then using GTC / set regEip to memory address I did use for CreateRemoteThread / patch EBFE at the end of my thread code / call STC / change regEip back to original and  call again STC etc.

Of course its not the method I wanted to use but it seems to work but would be better to use CreateRemoteThread  & WaitForSingleObject for TLSC targets too as I also use for files who not using TLSC you know.Maybe anyone of you has some another hints why the normal way dosent success and how to make it work.

greetz

Posted (edited)

createthread / createremotethread - the thread you create will only activate when the EP is hit.. NOT before.. tls works from the main thread, slightly after the pe loader has done its thing but before the EP has been hit

Edited by evlncrn8
  • Like 1
Posted

Hi,

ahhh ok.Good to know so thanks for that info so far evlncrn8. :) So in a case of TLSC I use then the GTC / STC function method.One more question about this method.Is there any similar as WaitForSingleObject I can use after STC function?At the moment I just use sleep function after first STC call before I call STC again to restore original condition.

greetz

Posted (edited)

no real quick and easy way, just the good old gtc -> check eip / rip is where you want it, if so, do the patching and stc, otherwise sleep for 10 or something and loop, handing any error return values from gtc / stc too of course :) also bear in mind there can be more than 1 TLSC .. so handle that accordingly too :) 

Edited by evlncrn8
  • Like 1
Posted

Hi again,

ok I changed my code now and added the new method for using it if a target used TLSC.Seems to work pretty well so I dont get any problems so far with that and the files using one or more TLSC.I also see its enough to handle first TLSC only for that. :)

Thanks again and greetz

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...