Fun With Thread Local Storage (part 2)

Slide 1: Fun With Thread Local Storage (part 2)
Peter Ferrie, Senior Anti-virus Researcher
26 June, 2008

Slide 2: You Can Call Me Al
Thread Local Storage callbacks were discovered in 2000. However, widespread use didn't occur until 2004. Now it should be the first place to look for code, since it runs before the main entry point. And that can make all the difference...
Peter Ferrie, Microsoft Corporation

Slide 3: Empty!
(screenshot: the entry point)

Slide 4: Empty!
(screenshot: the entry point is a single byte, C3 = RET)

Slide 5: Empty!
So the main file does nothing. If we assume that the structure is normal, then we could check the thread local storage table. Just in case.

Slide 6: Empty!
(screenshot: the data directory shows that a TLS table is present; its size doesn't matter)

Slide 7: Empty!
(screenshot: the TLS directory's callback pointer and the callback array it points to)

Slide 8: Empty!
So the search moves to the callbacks, of which there is only one... or is there?

Slide 9: The One and Only
(screenshot: the single callback)

Slide 10: Am I Missing Something?
CODE:00401000 push offset LibFileName ; "tls2"
CODE:00401005 call j_LoadLibraryA
CODE:0040100A mov ds:TlsCallbacksEnd, eax
Hmm, LoadLibrary("tls2"). Maybe DllMain contains something interesting?

Slide 11: I Am Missing Something
No, that's not it.

Slide 12: Take 2
Let's revisit the code:
CODE:00401000 push offset LibFileName ; "tls2"
CODE:00401005 call j_LoadLibraryA
CODE:0040100A mov ds:TlsCallbacksEnd, eax

Slide 13: It's All About Image
It's the TlsCallbacks extended array trick again: the module handle that LoadLibrary returns in eax is stored over the NULL terminator of the callback array, so the array gains a second entry.
Q. What value does the new callback contain?
A. The DLL's imagebase (a module handle is the module's load address).
Q. DEP won't let that run, right?
A. ...

Slide 14: Surprise!
(screenshot)

Slide 15: Not OK
Of course it will. You just have to ask nicely. Or take a cue from a driver.

Slide 16: Chaotic-Evil
When the SectionAlignment value is less than 4 KB, the file header is marked Writable and Executable (unless the last section's characteristics override it). That turns the ImageBase into code.

Slide 17: Before
So we go from this...
(screenshot)

Slide 18: After
To this...
(screenshot)

Slide 19: Presto!
(screenshot)
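As an added example (not code from the talk), here is a static PE32 walker in Python that does what slides 5 to 8 describe by hand (find the TLS table, follow the callback pointer, walk the array) and flags the fingerprints of slides 12, 13 and 16: a do-nothing entry point, a callback array in writable memory (so its NULL terminator can be overwritten at run time), a callback whose target is a PE header rather than code, and SectionAlignment below 4 KB. The sample image it analyses is constructed inline and is not a real binary; build_sample_pe, analyze, locate and the finding strings are this example's own names and assumptions. It treats the header as writable and executable exactly under the slide's condition (SectionAlignment < 0x1000) and does not model the "last section may override it" caveat.

```python
"""Static walk of a PE32 TLS directory and its callback array (added example, not the talk's
code). Flags a lone-RET entry point, a writable callback array, a callback aimed at a PE header."""
import struct

TLS_DIR = 9                                   # IMAGE_DIRECTORY_ENTRY_TLS
SCN_EXEC, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE


def build_sample_pe(extra_callback=None):
    """Constructed PE32 test image, not a real file. Section/FileAlignment are 0x200, so it maps
    flat and RVA == file offset. One RWX section holds the TLS directory (rva 0x200), the callback
    array (0x220), a stub callback (0x240) and a lone-RET entry point (0x260, as on slide 4).
    extra_callback overwrites the array's NULL terminator: the run-time effect of slide 12."""
    base = 0x00400000
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                    # e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58                                                                  # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", hdr, opt, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x260)                               # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, base)                                # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x200, 0x200)                       # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x400, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 68, 2)                                   # Subsystem: GUI
    struct.pack_into("<I", hdr, opt + 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + TLS_DIR * 8, 0x200, 24)            # TLS data directory
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".tls", 0x200, 0x200, 0x200, 0x200,
                     0, 0, 0, 0, 0xE0000020)                                    # CODE|EXEC|READ|WRITE
    sec = bytearray(0x200)
    struct.pack_into("<IIIIII", sec, 0, 0, 0, base + 0x23C, base + 0x220, 0, 0)  # IMAGE_TLS_DIRECTORY32
    struct.pack_into("<II", sec, 0x20, base + 0x240, extra_callback or 0)        # callbacks[0], terminator
    sec[0x40:0x45] = b"\x31\xC0\xC2\x0C\x00"                                   # xor eax,eax ; ret 0Ch
    sec[0x60] = 0xC3                                                            # entry point: RET
    return bytes(hdr + sec)


def analyze(data):
    """Return facts and human-readable findings about the image's TLS callbacks."""
    def u32(off):
        return struct.unpack_from("<I", data, off)[0]
    pe = u32(0x3C)
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 only"
    entry, base, align = u32(opt + 16), u32(opt + 28), u32(opt + 32)
    size_hdr, ndirs = u32(opt + 60), u32(opt + 92)
    secs = [struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def locate(rva):
        """(file offset, region, characteristics) for an RVA, or None when outside the image.
        Per slide 16 the header counts as W+X when SectionAlignment < 0x1000 (caveat not modelled)."""
        for name, vsize, va, rawsize, raw, _, _, _, _, chars in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw, name.rstrip(b"\0").decode(), chars
        if 0 <= rva < size_hdr:
            return rva, "PE header", (SCN_WRITE | SCN_EXEC) if align < 0x1000 else 0
        return None

    ep = locate(entry)
    out = {"entry_is_ret": bool(ep) and data[ep[0]] == 0xC3, "section_alignment": align,
           "headers_executable": align < 0x1000, "callbacks": [], "findings": []}
    if out["entry_is_ret"]:
        out["findings"].append("entry point is a lone RET: the TLS callbacks run first, look there")
    if align < 0x1000:
        out["findings"].append(f"SectionAlignment {align:#x} < 0x1000: PE header mapped writable and executable")
    tls_rva, tls_size = struct.unpack_from("<II", data, opt + 96 + TLS_DIR * 8) if ndirs > TLS_DIR else (0, 0)
    tls = locate(tls_rva) if tls_size else None
    if tls is None:
        return out
    arr = locate(u32(tls[0] + 12) - base)                  # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks
    if arr is None:
        return out
    if arr[2] & SCN_WRITE:
        out["findings"].append(f"callback array in writable '{arr[1]}': its NULL terminator can be overwritten at run time")
    for i in range(64):                                     # NULL-terminated; cap the walk
        va = u32(arr[0] + 4 * i)
        if va == 0:
            break
        loc = locate(va - base)
        cb = {"va": va, "where": loc[1] if loc else "outside image (another module's base?)",
              "executable": bool(loc and loc[2] & SCN_EXEC),
              "bytes": data[loc[0]:loc[0] + 2].hex() if loc else ""}
        out["callbacks"].append(cb)
        if loc and loc[1] == "PE header":
            out["findings"].append(f"callback[{i}] = {va:#x} is a PE header, not code; first bytes "
                                   f"{cb['bytes']} ('MZ' decodes as dec ebp / pop edx on x86)")
    return out


if __name__ == "__main__":
    for label, image in (("clean", build_sample_pe()), ("extended", build_sample_pe(0x00400000))):
        print(label, analyze(image)["findings"])
```

On the extended sample the second callback is the image's own base, so the walker lands on the MZ header of the file it is reading; in the talk the value is the loaded DLL's base, which from the EXE's point of view lies outside its own image, and the same lookup then reports "outside image (another module's base?)", which is itself the cue to go and look at that DLL. The reason a PE header can execute at all once its page is executable is that 4D 5A ("MZ") is valid x86: dec ebp followed by pop edx.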

Slide 20: Really Not OK
Just a little something to add to the workload.