TLS learning Summary

Source: Internet
Author: User

We know that debuggers such as Immunity Debugger and OllyDbg (OD) break at the OEP by writing an INT3 (0xCC) over its first byte when a program is loaded for debugging. I wondered what programming technique lets code execute before the OEP is ever reached. I found some material on the Internet and saw that many experts on the forum had used static TLS to do a lot of interesting things, so here I am working through it myself.

1. What is TLS?

TLS is short for Thread Local Storage. It is a technique for giving each thread its own copy of a variable in a multi-threaded program: the data is associated with a specific thread and is unique (private) to that thread. In multi-threaded programming, a variable that several threads must share lives in one place and every access to it has to be synchronized (declaring it volatile, as is often suggested, only stops the compiler from caching it in a register; it does not make the accesses atomic or ordered). A variable that must not be shared between threads, each thread keeping its own value, is exactly what TLS is for.

2. How to Use TLS programming?

TLS is very easy to use: declare the variable with __declspec(thread) and the compiler and linker take care of the rest (this is the static TLS form discussed further below). For example:

__declspec(thread) int g_nData = 0;


3. Example of TLS in multithreading (dynamic)
Related APIs

Windows TLS APIs: TlsAlloc, TlsFree, TlsSetValue and TlsGetValue (dynamic TLS).

● DWORD TlsAlloc(); // to use dynamic TLS you must first call TlsAlloc

This function tells the system to scan the TLS bit flags of the process and find a free flag. The system then changes that flag from FREE to INUSE, and TlsAlloc returns the index of the flag in the bit array. A DLL (or application) usually stores the index in a global variable, because the index is per process rather than per thread: every thread in the process uses the same index to reach its own private slot.

● BOOL TlsSetValue( // put a value into the calling thread's slot
    DWORD dwTlsIndex,
    PVOID pvTlsValue);

● PVOID TlsGetValue(DWORD dwTlsIndex); // retrieve the value from the calling thread's slot. A slot that was never set reads back as NULL, and NULL is also the failure return, so callers must check GetLastError to tell the two apart.

● BOOL TlsFree(DWORD dwTlsIndex); // when the TLS slot is no longer needed by any thread



Example:
#include <windows.h>
#include "stdio.h"

#define THREADCOUNT 4 // number of threads to create
DWORD dwTlsIndex;

// Global counters, shared by all threads (unlike the TLS slot). They are
// updated with InterlockedIncrement because several threads touch them at
// once; a plain ++ on a shared global would be a data race.
LONG iNum_of_call_common = 0;
LONG iNum_of_call_thread = 0;

void CommonFunc(void)
{
    LPVOID lpvData;
    InterlockedIncrement(&iNum_of_call_common);

    // Retrieve the data pointer for the current thread. TlsGetValue returns
    // NULL both for an empty slot and on failure, so GetLastError decides.
    lpvData = TlsGetValue(dwTlsIndex);
    if ((lpvData == NULL) && (GetLastError() != ERROR_SUCCESS))
        exit(0);

    // Use the data stored for the current thread.
    printf("common: thread %lu: lpvData=%p\n", GetCurrentThreadId(), lpvData);

    Sleep(5000);
}

DWORD WINAPI ThreadFunc(LPVOID lpParam)
{
    LPVOID lpvData;

    // Initialize the TLS slot for this thread.
    InterlockedIncrement(&iNum_of_call_thread);

    lpvData = (LPVOID)LocalAlloc(LPTR, 256);
    if (lpvData == NULL || !TlsSetValue(dwTlsIndex, lpvData))
        exit(0);

    printf("thread %lu: lpvData=%p\n", GetCurrentThreadId(), lpvData);

    CommonFunc();

    // Release the dynamic memory before the thread returns.
    lpvData = TlsGetValue(dwTlsIndex);
    if (lpvData != NULL)
        LocalFree((HLOCAL)lpvData);

    return 0;
}

int main(void)
{
    DWORD dwThreadId;
    HANDLE hThread[THREADCOUNT];
    int i;

    // Allocate a TLS index.
    if ((dwTlsIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES)
        exit(0);

    for (i = 0; i < THREADCOUNT; i++)
    {
        hThread[i] = CreateThread(NULL, 0, ThreadFunc, NULL, 0, &dwThreadId);
        if (hThread[i] == NULL)
            exit(0);
    }
    for (i = 0; i < THREADCOUNT; i++)
    {
        WaitForSingleObject(hThread[i], INFINITE);
        CloseHandle(hThread[i]);
    }
    TlsFree(dwTlsIndex);

    printf("The number of threads is: %ld\n", iNum_of_call_thread);
    printf("The number of calls is: %ld\n", iNum_of_call_common);
    return 0;
}


The above is the use of dynamic TLS in multithreading.
However, static thread local storage can play games with the debugger and can even be used to infect some PEs.
Static thread local storage is the TLS support built into the Windows PE/COFF executable file format: the 10th entry of the data directory in the PE header (index 9, IMAGE_DIRECTORY_ENTRY_TLS) points to the TLS directory. The structure of the TLS directory is as follows:

IMAGE_TLS_DIRECTORY32 struct
    StartAddressOfRawData dd ?
    EndAddressOfRawData   dd ?
    AddressOfIndex        dd ?
    AddressOfCallbacks    dd ?
    SizeOfZeroFill        dd ?
    Characteristics       dd ?
IMAGE_TLS_DIRECTORY32 ends

The fourth member, AddressOfCallbacks, is the interesting one: it points to a null-terminated array of pointers to TLS callback functions, and the array may hold one or more callbacks. Note that the four address fields are virtual addresses, not RVAs, so they carry base relocations and are fixed up if the image is not loaded at its preferred ImageBase. Getting a TLS callback to run takes three steps:
1. When the program is linked, the linker must create a TLS directory in the data directory of the PE file.
2. When a thread is created (including the initial thread), the loader sets up that thread's TLS data block and stores its pointer in the TEB (the current thread's environment block, reached through the FS register on x86; the pointer lives at TEB offset 0x2C, ThreadLocalStoragePointer), and locates the image's TLS directory through the PE data directory entry.
3. It checks whether the AddressOfCallbacks array is empty. If it is not, the loader calls each callback in turn; at process start this happens before the image's entry point.
Static TLS code:
#include "stdio.h"
#include <windows.h>

// Tell the linker to keep the CRT's TLS directory symbol (_tls_used) so the
// PE file gets a TLS data directory entry. "__tls_used" is the decorated
// name for a 32-bit build; a 64-bit build uses "/include:_tls_used".
#pragma comment(linker, "/include:__tls_used")

/* The second parameter of the TLS callback says why it is being called,
   with the same values as DllMain:
   DLL_PROCESS_ATTACH: process initialization, run on the main thread
                       before the entry point
   DLL_PROCESS_DETACH: process termination
   DLL_THREAD_ATTACH:  a new thread was created (not the main thread)
   DLL_THREAD_DETACH:  a thread is exiting (not the main thread) */

void go_anti(void)
{
    ExitProcess(0);
}

void __stdcall my_tls_callback(PVOID h, DWORD reason, PVOID pv)
{
    // Only run during process initialization, on the main thread.
    if (reason == DLL_PROCESS_ATTACH)
    {
        // Check the OEP: a debugger that breaks on the entry point has
        // already written an INT3 (0xCC) over its first byte by the time
        // this callback runs.
        IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *)GetModuleHandle(NULL);
        IMAGE_NT_HEADERS *ntHeader =
            (IMAGE_NT_HEADERS *)((DWORD_PTR)dosHeader + dosHeader->e_lfanew);
        BYTE *oep = (PBYTE)((DWORD_PTR)dosHeader +
                            ntHeader->OptionalHeader.AddressOfEntryPoint);
        if (*oep == 0xCC)
        {
            go_anti();
        }
    }
}

/* Create a TLS segment. ".CRT$XLB" means: ".CRT" is the C runtime section
   group, "$" separates the group name from the sort key used by the
   linker, "X" marks the CRT's initializer tables, "L" means TLS callback,
   and the last letter can be anything from B to Y (the CRT's own XLA and
   XLZ entries delimit the array). */
#pragma data_seg(".CRT$XLB")
// More than one callback can be listed; the array must end with a 0.
PIMAGE_TLS_CALLBACK p_tls_callback[] = { my_tls_callback, 0 };
#pragma data_seg()

int main(void)
{
    printf("Hello TLS\n");
    getchar();
    return 0;
}
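Because the callback array is ordinary data in the file, an analyst can tell whether a binary runs code before its OEP without loading it in a debugger at all. The following Python script is an added example, not code from the original post: it walks the PE headers to the TLS data directory (index 9), reads IMAGE_TLS_DIRECTORY32, converts the AddressOfCallbacks virtual address back to a file offset through the section table, and lists the callbacks in the order the loader will call them. So that it runs offline, it also builds a constructed minimal PE32 image in memory (one .tls section, ImageBase 0x400000, two made-up callback addresses); that image is not a real program and its addresses are arbitrary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9   # 10th data directory entry (index 9)
IMAGE_BASE = 0x400000           # preferred base of the constructed sample
MAX_CALLBACKS = 64              # guard against an unterminated array


def _section_table(data, nt_off):
    """Return (VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, nt_off + 4)
    first = nt_off + 4 + 20 + opt_size
    return [struct.unpack_from("<8sIIII", data, first + 40 * i)[2:5]
            for i in range(n_sections)]


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using only file-backed section bytes."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def tls_callbacks(data):
    """List the TLS callback addresses (VAs) of a PE32 file, in call order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[nt_off:nt_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = nt_off + 24                                      # after FILE_HEADER
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 handled (PE32+ uses IMAGE_TLS_DIRECTORY64)")
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt_off + 92)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _tls_size = struct.unpack_from(
        "<II", data, opt_off + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []                                              # no TLS directory
    sections = _section_table(data, nt_off)
    # IMAGE_TLS_DIRECTORY32: StartAddressOfRawData, EndAddressOfRawData,
    # AddressOfIndex, AddressOfCallBacks, SizeOfZeroFill, Characteristics.
    # The address fields are VAs, so subtract ImageBase before mapping.
    _start, _end, _index, callbacks_va, _zero, _chars = struct.unpack_from(
        "<6I", data, rva_to_offset(sections, tls_rva))
    if callbacks_va == 0:
        return []
    off = rva_to_offset(sections, callbacks_va - image_base)
    found = []
    while True:
        cb = struct.unpack_from("<I", data, off)[0]
        if cb == 0:
            return found                                       # null terminator
        found.append(cb)
        off += 4
        if len(found) > MAX_CALLBACKS:
            raise ValueError("callback array is not null-terminated")


def build_sample_pe(callbacks=(IMAGE_BASE + 0x1100, IMAGE_BASE + 0x1200)):
    """Constructed minimal PE32 image with one .tls section (not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 14, 0,
                      0x200, 0x200, 0, 0x1100, 0x1000, 0x1000,  # entry point RVA 0x1100
                      IMAGE_BASE, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x2000, 0x200, 0,
                      3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", 0x1000, 24) if i == IMAGE_DIRECTORY_ENTRY_TLS
                    else struct.pack("<II", 0, 0) for i in range(16))
    sec = struct.pack("<8sIIIIIIHHI", b".tls", 0x1000, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + dirs + sec).ljust(0x200, b"\0")
    # .tls body: the directory at RVA 0x1000, the callback array right after it at 0x1018
    tls_dir = struct.pack("<6I", IMAGE_BASE + 0x1030, IMAGE_BASE + 0x1034,
                          IMAGE_BASE + 0x1040, IMAGE_BASE + 0x1018, 0, 0)
    cb_array = b"".join(struct.pack("<I", cb) for cb in callbacks) + b"\0" * 4
    return headers + (tls_dir + cb_array).ljust(0x200, b"\0")


if __name__ == "__main__":
    for cb in tls_callbacks(build_sample_pe()):
        print("TLS callback at 0x%08x (runs before the entry point)" % cb)
```

On a real file, call tls_callbacks(open(path, "rb").read()). A non-empty list means the loader will call those addresses before the OEP, so a breakpoint on the entry point alone comes too late and the callback should be inspected (or a breakpoint placed on it) first. PE32+ images use IMAGE_TLS_DIRECTORY64 with 8-byte fields; the script rejects them rather than mis-parsing, and the MAX_CALLBACKS guard stops a deliberately unterminated array from running the parser off the end of the section.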
Can this method really fool the debugger? Obviously not. First, let's look at how a process is created.

1. Open the image file to be executed.
The operating system first finds the Windows image to be executed and creates a section object so that it can be mapped into the new process's address space.

2. Create the Windows executive process object.
Next, the operating system calls the internal system function NtCreateProcess to create the Windows executive process object. The procedure is as follows:
(1) Create the EPROCESS block.
(2) Create the initial process address space.
(3) Initialize the kernel process block (KPROCESS).
(4) Finish setting up the process address space.
(5) Create the PEB.
(6) Complete the creation of the executive process object.

3. Create the initial thread (its stack, its execution environment and the executive thread object).
At this point the Windows executive process object is fully built, but it has no threads and so cannot run. The system now calls NtCreateThread to create a new thread in the suspended state; this is the main thread of the process.

4. Notify the Windows subsystem that a new process has been created. (The subsystem is part of the operating system: a dedicated subsystem process, csrss.exe, that helps the kernel manage user-mode processes.)
Next, the operating system (through the client-side DLL, kernel32.dll) sends a message describing the new process and thread to the Windows subsystem (CSRSS) so that the subsystem can build its own process and thread management blocks. When CSRSS receives the message, it does the following:
* Duplicates the process and thread handles
* Sets the process priority class
* Allocates a CSRSS process block
* Binds the new process's exception port to CSRSS, so that CSRSS receives a message when the process raises an exception
* Allocates and initializes a CSRSS thread block
* Inserts the thread into the process's thread list
* Inserts the process into the CSRSS process list
* Displays the process startup cursor

5. Start execution of the initial thread (unless CREATE_SUSPENDED was specified at creation, in which case the thread stays suspended and is not run).
By now the process environment is established, and the main thread created earlier gets the CPU and begins to run.

6. Initialize the address space in the context of the new process and thread (loading the required DLLs and libraries), then begin execution at the process entry point.
In this step LdrInitializeThunk is called to initialize the loader, the NLS tables, the TLS array and the heap manager's critical section structures, to load any required DLLs and to call each DLL's entry point with DLL_PROCESS_ATTACH. The executable's own TLS callbacks are run by the loader here too, after the DLLs are initialized and before the entry point. Finally, when the loader initialization routine returns to the user-mode APC dispatcher, the process image starts executing in user mode: the thread start function is called and execution begins.

The debugger receives the CREATE_PROCESS_DEBUG_EVENT for the new process, and the loader hits the system breakpoint (the INT3 in ntdll during loader initialization), before any TLS callback runs. So we can set the debugger's first pause to the "System breakpoint". In this experiment I used Immunity Debugger; the option is the same as in OD: Options -> Debugging options -> Events -> Make first pause at: System breakpoint. With that set, you will find yourself paused in ntdll with the new process's information already set up, before any of the program's own code (TLS callbacks included) has executed.

[screenshot] Following along here, I have checked a lot of material and I still do not know what this function is.

[screenshot] Following the call into the ZwContinue function, which resumes the thread; one of its parameters is the context pointer. Find CONTEXT->Eip.

[screenshot] The OEP address appears.

[screenshot]
Follow the call eax.

[screenshot] call edx then enters the OEP.

[screenshot]

[screenshot] This process is really vague to me and I have many questions; I do not know what the functions did before entering the OEP.


