Saturday, October 30, 2010

A Quick Look At TLS Callbacks

TLS callbacks have been used by many malware programmers to hide code from reverse engineers eyes. As most debuggers (in their default settings) don't really see them because TLS callbacks are called by the PE loader (in ntdll.dll) even before debuggers e.g. ollydbg, break on PE files Entry points.

And this is why they have mainly been used as an anti-debug method. I will give a simple example, which is a simple executable file executing its code within a TLS callback. In this example i built pxm.exe using minimum header files and standard libraries. And here is the source code

This file was tested on both XP SP2 and Vista. So what should reverse engineers do to catch these callbacks??
The first solution is to use IDA pro, where You will see TLS callback functions shown in the "Names" window if the PE file does really have TLS calback functions.
Then we can easily add a breakpoint.
The second solution is to use ollydbg v2, which can be configured to make its first pause on TLS callbacks.

1) If the same module has more than one TLS callback (consider the source code in the figure below), Olly will break on the first TLS callback only and discard any other TLS callback.
2) If the module has no TLS callbacks but implicitly linked with a DLL that has a TLS callback, Olly will not break at all. To try this yourself, here is a simple project (just try to debug pxm.exe with olly).
Here are reports about the PE files included in this project.
pxm.exe report
pxmd.dll report
When you run pxm.exe under olly, you will notice that TLS callback of pxmd.dll will run before that of pxm.exe and that olly will not break on pxmd.dll TLS callback.
So how to overcome these 2 flaws in olly???
To overcome these 2 flaws, i had to create an ollydbg plugin. This plugin simply intercepts any new module loaded into a process address space, searchs it for TLS callbacks, and sets a one-shot breakpoint on every callback found.
plugin here
This plugin, TLSCatch, was tested on windows XP SP2, Vista, and 7.

N.B i am still working on this plugin to make it catch dynamically added TLS callbacks.

Version 0.3 of TLSCatch can be found here and its source code from here.