zwclose7 (Administrator)

Detect debugger with TLS callback
« on: March 29, 2016, 11:54:27 pm »
A TLS callback is a function that is called before the process entry point executes. If you run the executable with a debugger, the TLS callback will be executed before the debugger breaks. This means you can perform anti-debugging checks before the debugger can do anything. Therefore, a TLS callback is a very powerful anti-debugging technique.

To add a TLS callback to your program, you need to create a section called .CRT$XLB in the executable image, and then put the TLS callback function address into this section. You also need to add the __tls_used symbol to the executable image.

The following stack trace shows how the TLS callback is called (from Process Hacker):

Code:
0, ntoskrnl.exe!KiDeliverApc+0x1c7
1, ntoskrnl.exe!KiCommitThreadWait+0x3dd
2, ntoskrnl.exe!KeWaitForSingleObject+0x19f
3, win32k.sys!xxxRealSleepThread+0x257
4, win32k.sys!xxxSleepThread+0x59
5, win32k.sys!NtUserWaitMessage+0x46
6, ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
7, wow64cpu.dll!CpupSyscallStub+0x9
8, wow64cpu.dll!Thunk0Arg+0x5
9, wow64.dll!RunCpuSimulation+0xa
10, wow64.dll!Wow64LdrpInitialize+0x42a
11, ntdll.dll!LdrpInitializeProcess+0x17e3
12, ntdll.dll! ?? ::FNODOBFM::`string'+0x28ff0
13, ntdll.dll!LdrInitializeThunk+0xe
14, user32.dll!NtUserWaitMessage+0x15
15, user32.dll!DialogBox2+0x222
16, user32.dll!InternalDialogBox+0xe5
17, user32.dll!SoftModalMessageBox+0x757
18, user32.dll!MessageBoxWorker+0x269
19, user32.dll!MessageBoxTimeoutW+0x52
20, user32.dll!MessageBoxTimeoutA+0x76
21, user32.dll!MessageBoxExA+0x1b
22, user32.dll!MessageBoxA+0x18
23, tls.exe!TlsCallback+0x3c
24, ntdll.dll!LdrpCallInitRoutine+0x14
25, ntdll.dll!LdrpCallTlsInitializers+0x9e
26, ntdll.dll!LdrpRunInitializeRoutines+0x3ab
27, ntdll.dll!LdrpInitializeProcess+0x1400
28, ntdll.dll!_LdrpInitialize+0x78
29, ntdll.dll!LdrInitializeThunk+0x10

You can see the TLS callback is called by the loader during process startup.

https://www.youtube.com/watch?v=o4wIeABOVxk

Here is example code.

Code:
#include <stdio.h>
#include <Windows.h>
#include <winternl.h> // NTSTATUS, PROCESSINFOCLASS (ProcessDebugPort) and the NtQueryInformationProcess prototype

#pragma comment(lib,"ntdll.lib")

// Force the linker to keep _tls_used, which makes it emit an IMAGE_TLS_DIRECTORY in the image.
// The symbol carries an extra leading underscore on x86 (C name decoration), but not on x64.
#ifdef _WIN64
#pragma comment(linker,"/include:_tls_used")
#else
#pragma comment(linker,"/include:__tls_used")
#endif

#pragma section(".CRT$XLB",read) // Create a new section; the CRT merges .CRT$XL* into the TLS callback array

#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)

// The TLS callback is called before the process entry point executes, and is executed before the debugger breaks
// This allows you to perform anti-debugging checks before the debugger can do anything
// Therefore, TLS callback is a very powerful anti-debugging technique

void NTAPI TlsCallback(PVOID Module,DWORD Reason,PVOID Context)
{
    // The loader also invokes TLS callbacks for DLL_THREAD_ATTACH/DETACH of every thread;
    // only run the checks once, at process start
    if(Reason!=DLL_PROCESS_ATTACH)
    {
        return;
    }

    // PEB->BeingDebugged: the PEB pointer is at fs:[0x30] on x86 and gs:[0x60] on x64,
    // and BeingDebugged is the BOOLEAN at offset 2 of the PEB
#ifdef _WIN64
    PBOOLEAN BeingDebugged=(PBOOLEAN)__readgsqword(0x60)+2;
#else
    PBOOLEAN BeingDebugged=(PBOOLEAN)__readfsdword(0x30)+2;
#endif
    HANDLE DebugPort=NULL;

    if(*BeingDebugged) // Read the PEB
    {
        MessageBoxA(NULL,"Debugger detected!","TLS callback",MB_ICONSTOP);
    }
    else
    {
        MessageBoxA(NULL,"No debugger detected","TLS callback",MB_ICONINFORMATION);
    }

    // Another check: ask the kernel for the debug port (STATUS_SUCCESS is 0)

    if(!NtQueryInformationProcess(
        NtCurrentProcess(),
        ProcessDebugPort, // 7
        &DebugPort, // If a debugger is present, it will be set to -1 | Otherwise, it is set to NULL
        sizeof(HANDLE),
        NULL))
    {
        if(DebugPort)
        {
            MessageBoxA(NULL,"Debugger detected!","TLS callback",MB_ICONSTOP);
        }
        else
        {
            MessageBoxA(NULL,"No debugger detected","TLS callback",MB_ICONINFORMATION);
        }
    }
}

// Put the TLS callback address into a null terminated array in the .CRT$XLB section
__declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK CallbackAddress[]={TlsCallback,NULL};

// The entry point is executed after the TLS callback

int main()
{
    printf("Hello world");
    getchar();

    return 0;
}

Process Hacker download:
http://processhacker.sourceforge.net/
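Added example (Python, not part of zwclose7's post or his code): the analyst's counterpart to the technique above is to find TLS callbacks statically, before the binary is loaded under a debugger, so a breakpoint can be set on each one rather than on the entry point (most debuggers also offer a "break on TLS callback" option, which relies on the same PE structures). The parser below follows the optional header's TLS data directory to IMAGE_TLS_DIRECTORY, resolves AddressOfCallBacks (an absolute VA, not an RVA) through the section table, and walks the NULL-terminated PIMAGE_TLS_CALLBACK array the loader walks. It handles both PE32 and PE32+. The image it runs on by default is constructed inline; the section layout and the callback addresses 0x401200 and 0x401230 are made up for the demonstration. Passing a file path runs it against a real binary such as the tls.exe built from the post's code.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def tls_callbacks(image, max_entries=64):
    """Return the TLS callback VAs recorded in a PE32/PE32+ image (empty list if none)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, data directory at +96
        ptr_fmt, ptr_size = "<I", 4
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        dir_off = opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, data directory at +112
        ptr_fmt, ptr_size = "<Q", 8
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        dir_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", image, dir_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva, _tls_size = struct.unpack_from("<II", image, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []  # no IMAGE_TLS_DIRECTORY, hence no TLS callbacks

    sec_off = opt + opt_size  # section table follows the optional header
    sections = [struct.unpack_from("<8sIIII", image, sec_off + 40 * i) for i in range(nsections)]

    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks, SizeOfZeroFill, Characteristics. The first four are absolute VAs
    # relative to the preferred ImageBase, so subtract ImageBase to get an RVA.
    tls_off = _rva_to_offset(sections, tls_rva)
    addr_of_callbacks = struct.unpack_from(ptr_fmt, image, tls_off + 3 * ptr_size)[0]
    if addr_of_callbacks == 0:
        return []

    # Walk the NULL-terminated array of PIMAGE_TLS_CALLBACK pointers, like the loader does.
    cb_off = _rva_to_offset(sections, addr_of_callbacks - image_base)
    callbacks = []
    while len(callbacks) < max_entries and cb_off + ptr_size <= len(image):
        cb = struct.unpack_from(ptr_fmt, image, cb_off)[0]
        if cb == 0:
            break
        callbacks.append(cb)
        cb_off += ptr_size
    return callbacks


def build_sample_pe32(with_tls=True):
    """Constructed minimal PE32 image (not compiler output): one .rdata section holding a
    TLS directory whose callback array lists two made-up callback VAs."""
    image_base = 0x400000
    tls_rva, cb_rva = 0x1000, 0x1040
    callbacks = [0x401200, 0x401230]  # constructed VAs standing in for TlsCallback etc.

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1200)                            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                    # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 24)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x40000040)                      # INITIALIZED_DATA | READ
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section).ljust(0x200, b"\0")

    rdata = bytearray(0x200)
    # IMAGE_TLS_DIRECTORY32 at RVA 0x1000; AddressOfCallBacks is the VA of the array at RVA 0x1040
    struct.pack_into("<IIIIII", rdata, 0, image_base + 0x1100, image_base + 0x1104,
                     image_base + 0x1108, image_base + cb_rva, 0, 0)
    struct.pack_into("<%dI" % (len(callbacks) + 1), rdata, cb_rva - tls_rva, *callbacks, 0)
    return bytes(headers + rdata)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32()
    for va in tls_callbacks(data):
        print("TLS callback at VA 0x%x" % va)
```

Two details matter when reading real binaries: the loader stops at the first NULL entry, so anything placed after it in the array never runs (the parser stops there too), and the VAs are only meaningful at the preferred ImageBase, so convert them to RVAs before comparing with a debugger that has relocated the image.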

 
