Showing posts with label dynamic TLS.

Wednesday, March 7, 2012

OllyDbg v2.01 And TLS Callbacks

One of the interesting new features introduced in version 2.0 of OllyDbg is the ability to pause on TLS callbacks. I discussed some flaws of this feature in a previous post, but in this post I will show you a minor (not so minor) bug that I found while playing with OllyDbg, as I sometimes do.

OllyDbg v2.0 assumes that the "Size" field in the TLS data directory is mandatory, but it actually is not. To make things clearer, I will dump the ntdll.dll code responsible for parsing the TLS info.
As you can see in the image above, the "RtlImageDirectoryEntryToData" function is called to get the absolute address of the "IMAGE_TLS_DIRECTORY32" structure. Its fourth parameter is a pointer to a variable that receives the size of the "IMAGE_TLS_DIRECTORY32" structure, which is typically 0x18 bytes. It is easy to notice that nothing checks the returned size.

To be even more sure, let's check the code that extracts the TLS info in the "RtlImageDirectoryEntryToData" function.
As the two images above imply, the OS loader simply discards the "Size" field and goes on to invoke the TLS callbacks.

On the other side, OllyDbg stops processing the TLS info if the "Size" field is zero. See the image below.
The source code behind the image above should look something like this.
We can easily see from the source code that setting the "Size" field to zero is enough to make OllyDbg ignore the TLS info. We can also fool OllyDbg by setting the "Size" field to 0xC, or a bit more depending on the executable's ImageBase.

Things get more interesting if the "AddressOfCallbacks" member is, e.g., 0x01F12200 and the "Size" field is 0xF. In this case OllyDbg will place the int3 breakpoint at 0xF12200, and since 0xF12200 will never be hit, the breakpoint will be left untouched. Just play with this demo.

N.B. Many file inspectors are also affected by this bug, e.g. Stud_PE and exeinfo.
Update: This has been fixed in Stud_PE as of version 2.6.0.8.
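The following is an added example (not code from the post, OllyDbg or any of the inspectors named above) that shows what a file inspector should do here: enumerate the TLS callbacks the way the loader does, ignoring the data-directory "Size" field, and flag a non-standard Size as an indicator rather than silently giving up. It also includes a `trust_size` mode that models the behaviour the post describes by reading only the bytes covered by Size, which reproduces the 0x01F12200 to 0xF12200 truncation for Size 0xF; that model is an assumption drawn from the post's observations, not a statement about OllyDbg's actual source. The PE32 image is constructed in memory from scratch, and all layout constants (ImageBase 0x01F10000, section and directory RVAs) are the example's own choices.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9
TLS_DIR32_SIZE = 0x18            # sizeof(IMAGE_TLS_DIRECTORY32)
OFF_ADDRESS_OF_CALLBACKS = 0xC   # offset of AddressOfCallbacks inside that structure

# Constructed sample PE32 layout (not a real binary): one section, RVA 0x1000
# mapped from file offset 0x200, ImageBase chosen so the callbacks array sits
# at VA 0x01F12200 like in the post.
IMAGE_BASE = 0x01F10000
SECT_RVA, SECT_RAW, SECT_SIZE = 0x1000, 0x200, 0x2000
TLS_DIR_RVA = 0x2000        # IMAGE_TLS_DIRECTORY32 lives here
CALLBACKS_RVA = 0x2200      # null-terminated array of callback VAs
CALLBACK_RVA = 0x1000       # the single callback routine (its code is irrelevant here)


def build_sample_pe(tls_dir_size):
    """Build a minimal PE32 whose TLS data directory carries the given Size."""
    e_lfanew = 0x40
    img = bytearray(SECT_RAW + SECT_SIZE)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=0xE0, EXE|32BIT
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, IMAGE_BASE)  # ImageBase
    struct.pack_into("<I", img, opt + 0x5C, 16)          # NumberOfRvaAndSizes
    tls_dd = opt + 0x60 + IMAGE_DIRECTORY_ENTRY_TLS * 8
    struct.pack_into("<II", img, tls_dd, TLS_DIR_RVA, tls_dir_size)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".text", SECT_SIZE, SECT_RVA, SECT_SIZE, SECT_RAW)
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData,
    # AddressOfIndex, AddressOfCallbacks, SizeOfZeroFill, Characteristics
    tls_off = SECT_RAW + (TLS_DIR_RVA - SECT_RVA)
    struct.pack_into("<6I", img, tls_off, 0, 0, 0, IMAGE_BASE + CALLBACKS_RVA, 0, 0)
    cb_off = SECT_RAW + (CALLBACKS_RVA - SECT_RVA)
    struct.pack_into("<II", img, cb_off, IMAGE_BASE + CALLBACK_RVA, 0)  # one callback, then terminator
    return bytes(img)


def _read_headers(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    sections = []
    for i in range(nsect):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((va, max(vsize, rawsize), rawptr))
    tls_rva, tls_size = struct.unpack_from("<II", data, opt + 0x60 + IMAGE_DIRECTORY_ENTRY_TLS * 8)
    return image_base, sections, tls_rva, tls_size


def rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    return None


def parse_tls(data, trust_size=False, max_callbacks=64):
    """Enumerate TLS callbacks.

    trust_size=False behaves like the loader: Size is ignored and the full
    0x18-byte structure is read.  trust_size=True emulates an inspector that
    only reads the bytes covered by Size (assumed model of the bug in the post)."""
    image_base, sections, tls_rva, tls_size = _read_headers(data)
    result = {"size": tls_size, "callbacks_va": 0, "callbacks": [], "warnings": []}
    if tls_rva == 0:
        return result                                   # no TLS directory at all
    if tls_size != TLS_DIR32_SIZE:
        result["warnings"].append(
            f"TLS directory Size is {tls_size:#x}, expected {TLS_DIR32_SIZE:#x}; "
            "size-trusting inspectors may miss callbacks")
    off = rva_to_offset(sections, tls_rva)
    if off is None:
        result["warnings"].append("TLS directory RVA is not mapped by any section")
        return result
    raw = data[off:off + TLS_DIR32_SIZE]
    if trust_size:
        raw = raw[:tls_size].ljust(TLS_DIR32_SIZE, b"\0")  # bytes past Size read as zero
    cb_va = struct.unpack_from("<I", raw, OFF_ADDRESS_OF_CALLBACKS)[0]
    result["callbacks_va"] = cb_va
    if cb_va == 0:
        return result
    cb_off = rva_to_offset(sections, cb_va - image_base) if cb_va >= image_base else None
    if cb_off is None:
        result["warnings"].append(f"AddressOfCallbacks {cb_va:#x} does not point inside the image")
        return result
    while cb_off + 4 <= len(data) and len(result["callbacks"]) < max_callbacks:
        entry = struct.unpack_from("<I", data, cb_off)[0]
        if entry == 0:
            break
        result["callbacks"].append(entry)
        cb_off += 4
    return result


if __name__ == "__main__":
    for size in (0x18, 0x0, 0xC, 0xF):
        sample = build_sample_pe(size)
        loader = parse_tls(sample)
        naive = parse_tls(sample, trust_size=True)
        print(f"Size={size:#x}: loader sees {[hex(c) for c in loader['callbacks']]}, "
              f"size-trusting view sees {[hex(c) for c in naive['callbacks']]} "
              f"(AddressOfCallbacks read as {naive['callbacks_va']:#x})")
```

With Size 0x18 both views agree; with Size 0 or 0xC the size-trusting view sees no callbacks at all; with Size 0xF it reads AddressOfCallbacks as 0xF12200, which lies below ImageBase and so maps nowhere, while the loader-style view still finds the callback at VA 0x01F11000 in every case. For analysis tooling, the practical rule is to treat the directory's VirtualAddress as authoritative and report any Size other than 0x18 as a warning.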

You can follow me on Twitter @waleedassar 

Thursday, December 15, 2011

Debuggers Anti-Attaching Techniques - Part 4

In this post I will take you through an anti-attach trick I have recently come up with.

Given the following two facts: 1) for a debugger to attach itself to a process, the debugger has to create a remote thread in that process, and 2) the OS loader calls TLS callbacks whenever a new thread is created in a process, we can design a TLS callback that increments a global variable holding the number of threads in the current process. If the value of this variable exceeds a specific number, a foreign thread has just been created and the process should exit. Alternatively, the TLS callback routine can query the entry point of the thread it is running under, and if that entry point is the address of the "DbgUiRemoteBreakin" function, we kill the process.

This is a simple demonstrating example.
A bit more complicated example can be found here, and its source code here.

N.B. Both examples have been tested on XP SP3 only.

To make things harder, we can use dynamic TLS callbacks instead.

To implement a dynamic TLS callback, follow these two steps:
1) Create a TLS structure and then store its RVA and size in the TLS data directory at runtime.
2) Set the "_LdrpImageHasTls" global variable in ntdll.dll to true.

Source code can be found here. It works on Windows XP SP3 only; you can edit the source code to support other OSes.

N.B. This trick is still a work in progress and I am waiting for any feedback.

You can follow me on Twitter @waleedassar