Nytro

Detect debugger with TLS callback


Posted

Detect debugger with TLS callback
by zwclose7

A TLS callback is a function that is called before the process entry point executes. If you run the executable with a debugger, the TLS callback will be executed before the debugger breaks. This means you can perform anti-debugging checks before the debugger can do anything. Therefore, a TLS callback is a very powerful anti-debugging technique.

To add a TLS callback to your program, you need to create a section called .CRT$XLB in the executable image, and then put the TLS callback function address into this section. You also need to add the __tls_used symbol to the executable image.

The following stack trace shows how the TLS callback is called (captured with Process Hacker):

0, ntoskrnl.exe!KiDeliverApc+0x1c7
1, ntoskrnl.exe!KiCommitThreadWait+0x3dd
2, ntoskrnl.exe!KeWaitForSingleObject+0x19f
3, win32k.sys!xxxRealSleepThread+0x257
4, win32k.sys!xxxSleepThread+0x59
5, win32k.sys!NtUserWaitMessage+0x46
6, ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
7, wow64cpu.dll!CpupSyscallStub+0x9
8, wow64cpu.dll!Thunk0Arg+0x5
9, wow64.dll!RunCpuSimulation+0xa
10, wow64.dll!Wow64LdrpInitialize+0x42a
11, ntdll.dll!LdrpInitializeProcess+0x17e3
12, ntdll.dll! ?? ::FNODOBFM::`string'+0x28ff0
13, ntdll.dll!LdrInitializeThunk+0xe
14, user32.dll!NtUserWaitMessage+0x15
15, user32.dll!DialogBox2+0x222
16, user32.dll!InternalDialogBox+0xe5
17, user32.dll!SoftModalMessageBox+0x757
18, user32.dll!MessageBoxWorker+0x269
19, user32.dll!MessageBoxTimeoutW+0x52
20, user32.dll!MessageBoxTimeoutA+0x76
21, user32.dll!MessageBoxExA+0x1b
22, user32.dll!MessageBoxA+0x18
23, tls.exe!TlsCallback+0x3c
24, ntdll.dll!LdrpCallInitRoutine+0x14
25, ntdll.dll!LdrpCallTlsInitializers+0x9e
26, ntdll.dll!LdrpRunInitializeRoutines+0x3ab
27, ntdll.dll!LdrpInitializeProcess+0x1400
28, ntdll.dll!_LdrpInitialize+0x78
29, ntdll.dll!LdrInitializeThunk+0x10

You can see that the TLS callback is called by the loader during process startup.

Here is the example code:

#include <stdio.h>
#include <Windows.h>
#include <winternl.h>   // NTSTATUS, PROCESSINFOCLASS and the NtQueryInformationProcess prototype
#include <intrin.h>     // __readfsdword

#pragma comment(lib,"ntdll.lib")
#pragma comment(linker,"/include:__tls_used") // This will cause the linker to create the TLS directory (x86 decorated name; on x64 the symbol is _tls_used)
#pragma section(".CRT$XLB",read) // Create a new section

#define NtCurrentProcess() ((HANDLE)-1)

// The TLS callback is called before the process entry point executes, and is executed before the debugger breaks
// This allows you to perform anti-debugging checks before the debugger can do anything
// Therefore, TLS callback is a very powerful anti-debugging technique
// Note: __readfsdword(0x30) reads the PEB pointer from the TEB on 32-bit x86 only (a 64-bit build would use __readgsqword(0x60))
void WINAPI TlsCallback(PVOID Module,DWORD Reason,PVOID Context)
{
    PBOOLEAN BeingDebugged=(PBOOLEAN)__readfsdword(0x30)+2; // PEB->BeingDebugged lives at offset 2 of the PEB
    HANDLE DebugPort=NULL;

    // The loader also calls this for DLL_THREAD_ATTACH/DLL_THREAD_DETACH; only run the checks once, at process start
    if(Reason!=DLL_PROCESS_ATTACH)
    {
        return;
    }

    if(*BeingDebugged) // Read the PEB
    {
        MessageBoxA(NULL,"Debugger detected!","TLS callback",MB_ICONSTOP);
    }
    else
    {
        MessageBoxA(NULL,"No debugger detected","TLS callback",MB_ICONINFORMATION);
    }

    // Another check
    if(!NtQueryInformationProcess(
        NtCurrentProcess(),
        ProcessDebugPort, // = 7
        &DebugPort, // If debugger is present, it will be set to -1 | Otherwise, it is set to NULL
        sizeof(HANDLE),
        NULL))
    {
        if(DebugPort)
        {
            MessageBoxA(NULL,"Debugger detected!","TLS callback",MB_ICONSTOP);
        }
        else
        {
            MessageBoxA(NULL,"No debugger detected","TLS callback",MB_ICONINFORMATION);
        }
    }
}

__declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK CallbackAddress[]={TlsCallback,NULL}; // Put the TLS callback address into a null terminated array of the .CRT$XLB section

// The entry point is executed after the TLS callback
int main()
{
    printf("Hello world");
    getchar();
    return 0;
}

Source: Detect debugger with TLS callback - Source Codes - rohitab.com - Forums

Posted (edited)

It's useless.

In LordPE you can see the TLS.

Olly 1 has a plugin for this sort of thing, and Olly 2 breaks on TLS by default, so this trick was good 10 years ago. It's no longer valid now.

Edited by giv
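An added example, not from the rohitab.com post or from the reply above, in Python: a small parser that reads the TLS directory of a PE file and lists its callback addresses, which is what a tool like LordPE shows and what an analyst checks before loading a sample in a debugger. `build_sample_pe32` constructs a minimal PE32 in memory purely so the parser can run offline; its image base, section layout and callback addresses are made up.

```python
import struct

def _rva_to_offset(rva, sections):
    # Map an RVA to a file offset via the section table entries (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def pe_tls_callbacks(data):
    """Return the TLS callback VAs listed in a PE32/PE32+ file's TLS directory, or [] if it has none."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B     # PE32+ magic
    ptr, psize = ("<Q", 8) if is64 else ("<I", 4)
    image_base = struct.unpack_from(ptr, data, opt + (24 if is64 else 28))[0]
    tls_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 9 * 8)[0]  # data directory 9 = TLS
    if not tls_rva:
        return []
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks (all VAs)
    cb_va = struct.unpack_from(ptr, data, _rva_to_offset(tls_rva, sections) + 3 * psize)[0]
    if not cb_va:
        return []
    off, out = _rva_to_offset(cb_va - image_base, sections), []
    while True:
        cb = struct.unpack_from(ptr, data, off)[0]
        if not cb:
            return out            # the array is NULL-terminated, like CallbackAddress[] in the post
        out.append(cb)
        off += psize

def build_sample_pe32(callbacks):
    """Constructed minimal PE32 (not a runnable program): one section holding a TLS directory and callback array."""
    base, sec_rva, sec_raw = 0x400000, 0x1000, 0x200
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    filehdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 28, base)   # PE32 magic, ImageBase
    struct.pack_into("<I", opt, 92, 16); struct.pack_into("<II", opt, 96 + 9 * 8, sec_rva, 24)  # TLS directory
    sec = bytearray(40); sec[:6] = b".rdata"; struct.pack_into("<IIII", sec, 8, 0x200, sec_rva, 0x200, sec_raw)
    body = bytearray(0x200)   # TLS directory at RVA 0x1000, callback array at RVA 0x1040
    struct.pack_into("<IIIIII", body, 0, 0, 0, base + sec_rva + 0x20, base + sec_rva + 0x40, 0, 0)
    struct.pack_into("<%dI" % (len(callbacks) + 1), body, 0x40, *callbacks, 0)
    return bytes(dos + filehdr + opt + sec).ljust(sec_raw, b"\0") + bytes(body)
```

A non-empty result on a plain console program is the static signal the reply refers to: the loader will run those addresses before the entry point, so a debugger configured to break on TLS callbacks (or a breakpoint on each listed VA) catches them first.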
