Diago Lima
  1. Abusing TLS Callbacks For Payload Execution

Introduction


Last updated 1 year ago

Thread Local Storage, or TLS, is a Windows mechanism that allows threads to have their own localized storage space within a process, and includes functions like TlsAlloc and TlsFree to facilitate this.

TLS callbacks are an integral part of the TLS architecture. These special functions are called upon the creation of new threads within a process, and are primarily used as a way for developers to set up a thread’s local storage in a predetermined way.

These callbacks are stored within the PE file’s TLS directory, a data directory that can be accessed via an offset found inside the optional header.

Each TLS directory points to an array of callback pointers, which can be accessed via its AddressOfCallBacks member.

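// Locate the TLS directory: image base plus the RVA stored in the TLS data directory entry.
// (pPeBaseAddress and PeHdrs are assumed to have been set up earlier while parsing the PE headers.)
PIMAGE_TLS_DIRECTORY    pImgTlsDirectory =
    (PIMAGE_TLS_DIRECTORY)(pPeBaseAddress + PeHdrs.pEntryTLSDataDir->VirtualAddress);

// Get the address of the TLS Callbacks from the TLS Directory.
PIMAGE_TLS_CALLBACK*    pImgTlsCallback =
    (PIMAGE_TLS_CALLBACK*)(pImgTlsDirectory->AddressOfCallBacks);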
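The same lookup from the analysis side, as an added example that is not code from the original post: a static parser that lists the TLS callbacks of a PE file on disk, handling both PE32 and PE32+. Because the file is not mapped, RVAs are translated through the section table, and AddressOfCallBacks is treated as a virtual address rather than an RVA. The names `tls_callbacks` and `build_sample` are hypothetical, and the sample bytes are constructed.

```python
import struct

TLS_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS slot in the optional header's data directory

def tls_callbacks(pe: bytes) -> list[int]:
    """Return the callback VAs listed in the TLS directory of a PE file read from disk."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                      # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)  # COFF header
    opt = nt + 24                                                   # optional header start
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B            # PE32+ magic
    fmt, psize = ("<Q", 8) if pe64 else ("<I", 4)
    image_base = struct.unpack_from(fmt, pe, opt + (24 if pe64 else 28))[0]
    dirs = opt + (112 if pe64 else 96)                              # DataDirectory[0]
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]               # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, dirs + 8 * TLS_INDEX)[0] if ndirs > TLS_INDEX else 0
    sections = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def file_offset(rva: int) -> int:
        for vsize, vaddr, raw_size, raw_ptr in sections:
            if vaddr <= rva < vaddr + max(vsize, raw_size):
                return raw_ptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is outside every section")
    if tls_rva == 0:
        return []                                                   # no TLS directory
    array_va = struct.unpack_from(fmt, pe, file_offset(tls_rva) + 3 * psize)[0]  # AddressOfCallBacks (a VA)
    if not array_va:
        return []
    callbacks, pos = [], file_offset(array_va - image_base)
    while (cb := struct.unpack_from(fmt, pe, pos)[0]):              # array ends at a NULL entry
        callbacks.append(cb)
        pos += psize
    return callbacks

def build_sample() -> bytes:
    """Constructed PE32+ skeleton: one section holding a TLS directory and two callbacks."""
    base, opt = 0x140000000, 0x58
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                          # e_lfanew
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x8664, 1, 0, 0, 0, 240, 0)  # COFF header
    struct.pack_into("<H", pe, opt, 0x20B)                          # PE32+ magic
    struct.pack_into("<Q", pe, opt + 24, base)                      # ImageBase
    struct.pack_into("<I", pe, opt + 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<I", pe, opt + 112 + 8 * TLS_INDEX, 0x1000)   # TLS directory RVA
    struct.pack_into("<4I", pe, opt + 240 + 8, 0x200, 0x1000, 0x200, 0x200)  # section header
    struct.pack_into("<Q", pe, 0x200 + 24, base + 0x1040)           # AddressOfCallBacks
    struct.pack_into("<3Q", pe, 0x240, base + 0x2000, base + 0x2010, 0)
    return bytes(pe)
```

A non-empty result on a binary that has no reason to use thread-local storage is worth a closer look, since these functions are invoked by the loader rather than from the program's entry point.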