Introduction

Thread Local Storage, or TLS, is a Windows mechanism that allows threads to have their own localized storage space within a process, and includes functions like TlsAlloc and TlsFree to facilitate this.

TLS callbacks are an integral part of the TLS architecture. These special functions are called upon the creation of new threads within a process, and are primarily used as a way for developers to set up a thread’s local storage in a predetermined way.

These callbacks are stored within the PE file’s TLS directory, a data directory that can be accessed via an offset found inside the optional header.

Each TLS directory contains an array of pointers, which can be accessed via it’s AddressOfCallbacks member.

PIMAGE_TLS_DIRECTORY    pImgTlsDirectory = 
    (PIMAGE_TLS_DIRECTORY)(pPeBaseAddress + PeHdrs.pEntryTLSDataDir->VirtualAddress);

// Get the address of the TLS Callbacks from the TLS Directory.
PIMAGE_TLS_CALLBACK*    pImgTlsCallback = 
    (PIMAGE_TLS_CALLBACK*)(pImgTlsDirectory->AddressOfCallBacks);

PreviousAbusing TLS Callbacks For Payload Execution NextPayload Execution

Last updated 9 months ago