Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July, 2008 1.

Slides:



Advertisements
Similar presentations
Today we will begin our PowerPoint presentation!
Advertisements

Operating Systems Semaphores II
Messiaen Quartet for the end of time And another.
Discovering Cyclic Causal Models by Independent Components Analysis Gustavo Lacerda Peter Spirtes Joseph Ramsey Patrik O. Hoyer.
Exceptions: when things go wrong. Various sources of error public static doSomething() { int i = 3.0; while(!done); { int i = false } ) Syntactic errors.
Things you need to know before installing Linux Alan M Durham WHO/TDR/USP Bioinformatics Course July 2003.
Save time with templates Create your own templates Say you often use a certain invoice whose basic content stays the same except for certain details that.
CSC212 Data Structure - Section AB Lecture 20 Hashing Instructor: Edgardo Molina Department of Computer Science City College of New York.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
Log Files. O(n) Data Structure Exercises 16.1.
Updates: Misalignment, Statistics David Forrest (Happy new year)
CSRU 1100 Logic. Logic is concerned with determining: Is it True? Is it False?
L l Chapter 11 discusses several ways of storing information in an array, and later searching for the information. l l Hash tables are a common approach.
Informationsteknologi Friday, November 16, 2007Computer Architecture I - Class 121 Today’s class Operating System Machine Level.
1 Programming & Programming Languages Overview l Machine operations and machine language. l Example of machine language. l Different types of processor.
Fundamentals of Programming in Visual Basic 3.1 Visual basic Objects Visual Basic programs display a Windows style screen (called a form) with boxes into.
Shallow Versus Deep Copy and Pointers Shallow copy: when two or more pointers of the same types point to the same memory – They point to the same data.
Structure of program You must start with a module import# You must then encapsulate any while loop in a main function at the start of the program Then.
11 Games and Content Session 4.1. Session Overview  Show how games are made up of program code and content  Find out about the content management system.
Chapter 8 Windows Outline Programming Windows 2000 System structure Processes and threads in Windows 2000 Memory management The Windows 2000 file.
MBAC 611.  Click on the My Computer Icon  Open your private network directory  Create a new folder named lab7  Copy your lab6 Access file to the lab7.
Lecture 22 Miscellaneous Topics 4 + Memory Allocation.
1 Memory Management Memory Management COSC513 – Spring 2004 Student Name: Nan Qiao Student ID#: Professor: Dr. Morteza Anvari.
Fun With Thread Local Storage (part 1) Peter Ferrie Senior Anti-virus Researcher 18 June,
CSC 2400 Computer Systems I Lecture 5 Pointers and Arrays.
Debugging in Java. Common Bugs Compilation or syntactical errors are the first that you will encounter and the easiest to debug They are usually the result.
Shell (Part 2). Example r What if we want to support something like this: m ps –le | sort r One process should execute ps –le and another should execute.
Week 6 - Wednesday.  What did we talk about last time?  Exam 1!  And before that…  Review!  And before that…  Arrays and strings.
Group 6. What is data redundancy? Data redundancy occurs in database systems which have a field that is repeated in two or more tables... Data redundancy.
Surprise Exception Handlers Peter Ferrie Senior Anti-virus Researcher 11 June,
CSC211 Data Structures Lecture 20 Hashing Instructor: Prof. Xiaoyan Li Department of Computer Science Mount Holyoke College.
P p Chapter 11 discusses several ways of storing information in an array, and later searching for the information. p p Hash tables are a common approach.
Shell (Addendum). Example r What if we want to support something like this: m ps –le | sort r One process should execute ps –le and another should execute.
P p Chapter 11 discusses several ways of storing information in an array, and later searching for the information. p p Hash tables are a common approach.
Writing a Run Time DLL The application loads the DLL using LoadLibrary() or LoadLibraryEx(). The standard search sequence is used by the operating system.
JETT 2005 Session 5: Algorithms, Efficiency, Hashing and Hashtables.
CS201: Data Structures and Discrete Mathematics I Hash Table.
COSC 2007 Data Structures II Chapter 13 Advanced Implementation of Tables IV.
CPSC 252 Hashing Page 1 Hashing We have already seen that we can search for a key item in an array using either linear or binary search. It would be better.
MIST System Management Reviewing and further understanding systems management - using “MIST 2006 Data Cleaning Tools” - running a “tight” system - data.
CSE 143 Lecture 12 Inheritance slides created by Ethan Apter
Department of Computer Engineering Faculty of Engineering, Prince of Songkla University 1 9 – Hash Tables Presentation copyright 2010 Addison Wesley Longman,
CSCI 156: Lab 11 Paging. Our Simple Architecture Logical memory space for a process consists of 16 pages of 4k bytes each. Your program thinks it has.
Software mechanism of Genesis --- a cheating software for Warcraft3 Yang Chen Wen Sun.
* Start coding sooner – Procrastination * Write the documents for later use, not to “just get it done” * Very little code reuse, many people solving the.
X86 MMU. Shadow Page Table Extended Page Table Guest wants to access GVA 0, guest PTE (page table entry) maps GVA 0 to GPA 0 Hardware checks NPT (nested.
VB.NET and Databases. ADO.NET VB.Net allows you many ways to connect to a database. The technology used to interact with a database or data source is.
COMP091 – Operating Systems 1 Memory Management. Memory Management Terms Physical address –Actual address as seen by memory unit Logical address –Address.
MCast Errors and HV Adjustments Multicast Errors (seen on the DATA ERIS connection) have caused a disruption of a HV Adjustment due to a timeout (since.
Copyright © 2002, Department of Systems and Computer Engineering, Carleton University 1 Exercise 10 The study of thermodynamics involves a lot of.
Custom Developer Testing Frameworks – A Practical Approach Yuval Mazor, Sela
CSE 143 Lecture 13 Inheritance slides created by Ethan Apter
Speculative execution Landon Cox April 13, Making disk accesses tolerable Basic idea Remove disk accesses from critical path Transform disk latencies.
KUSANAGI for Microsoft Azure Hands on Preparations of Advance 0Copyright © 2016 PRIME STRATEGY CO.,LTD. All rights reserved.
LONG DIVISION CAN BE EASY!.
Lecture on LONG DIVISION
Protecting Memory What is there to protect in memory?
Week 9 - Monday CS 113.
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Fun With Thread Local Storage (part 2)
CERNER MILLENNIUM Diagnoses and Problems
Error Handling Summary of the next few pages: Error Handling Cursors.
LONG DIVISION CAN BE EASY!.
Call to Fix HP Printer Installation Error Code 1603
CS 179: Lecture 3.
Speculative execution and storage
Hash Tables Chapter 12 discusses several ways of storing information in an array, and later searching for the information. Hash tables are a common.
you get to solve puzzles!
Presentation transcript:

Fun With Thread Local Storage (part 3) Peter Ferrie Senior Anti-virus Researcher 2 July,

You Can Call Me Al Thread Local Storage callbacks were discovered in However, widespread use didn’t occur until Now, it should be the first place to look for code, since it runs before the main entrypoint. And that can make all the difference… 2 Peter Ferrie, Microsoft Corporation

Empty! 3 Peter Ferrie, Microsoft Corporation Entry Point

Empty! 4 Peter Ferrie, Microsoft Corporation C3 RET

Empty! So the main file does nothing. If we assume that the structure is normal, then we could check the thread local storage table. Just in case. 5 Peter Ferrie, Microsoft Corporation

Empty! 6 Peter Ferrie, Microsoft Corporation TLS is present (size doesn’t matter)

Empty! 7 Peter Ferrie, Microsoft Corporation Callback pointerCallback array

Empty! So the search moves to the callbacks, of which there is only one, but it looks peculiar. It’s not a virtual address. 8 Peter Ferrie, Microsoft Corporation

The One and Only 9 Peter Ferrie, Microsoft Corporation

Imported TLS callbacks We know that the TLS callback array can be altered at runtime. We know that the TLS callbacks can point outside of the image. Now we are looking at a new way to achieve that. Imports are resolved before TLS callbacks are called. So TLS callbacks can be imported addresses! Let’s check the import table. 10 Peter Ferrie, Microsoft Corporation

The Search Goes On 11 Peter Ferrie, Microsoft Corporation TLS3.DLL

The Search Goes On 12 Peter Ferrie, Microsoft Corporation a

The Search Goes On So the search moves to TLS3.DLL, and the mysterious function called ‘a’. 13 Peter Ferrie, Microsoft Corporation

‘A’ function 14 Peter Ferrie, Microsoft Corporation

The ‘Aha’ Moment So that’s how it’s done. If we let it run… 15 Peter Ferrie, Microsoft Corporation

Surprise! 16 Peter Ferrie, Microsoft Corporation

Not OK The code runs. 17 Peter Ferrie, Microsoft Corporation

Really Not OK Just a little something to add to the workload. 18 Peter Ferrie, Microsoft Corporation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.