Thread: # XP/S2K3 fails to process TLS w/o USER32

  1. #1
    Imported blog (Kris Kaspersky)
    Join Date
    May 2008
    Posts
    61

    # XP/S2K3 fails to process TLS w/o USER32

    XP and later do not execute TLS callbacks if USER32 is not loaded. This is an undocumented feature that is not mentioned in the MS PE Specification, and W2K does not request USER32 to process TLS callbacks, so it's definitely a bug of XP/S2K3. Just a few anti-viruses emulate TLS callbacks (Kaspersky and NOD32), but they don't know this bug, so there is a way to bypass them. Some worms have started to use this trick…

    # download paper and POCs



    http://nezumi-lab.org/blog/?p=15

  2. #2
    Musician member evaluator
    Join Date
    Sep 2001
    Posts
    1,517
    Blog Entries
    1
    I don't understand..
    if TLS will not be called, then how to use it??

  3. #3
    Quote: Originally posted by evaluator
    I don't understand..
    if TLS will not be called, then how to use it??
    Because if the AV is emulating it anyway, it might think the result is benign. Say the TLS callback just does ExitProcess or something, for example. AV emulates it, says "oh this exe is fine", virus gets by...

  4. #4
    where are the POCs?
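
A defender-side static triage check for the mismatch discussed in this thread, added here as an example (it is not the paper's POC and not code from any poster): it counts the TLS callbacks in a PE image and flags files that register them without importing USER32.DLL directly. The names `tls_triage` and `build_sample` and the sample image are constructed for illustration, and the import-table test is a heuristic, since USER32 can also be loaded through another imported DLL.

```python
import struct

def tls_triage(data):
    """Count TLS callbacks and report whether USER32.DLL is directly imported."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, optsz = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B        # PE32+ image
    pfmt, psz = ("<Q", 8) if plus else ("<I", 4)
    base = struct.unpack_from(pfmt, data, opt + (24 if plus else 28))[0]
    dirs = opt + (112 if plus else 96)                             # data directory array
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    secs = [struct.unpack_from("<4I", data, opt + optsz + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                   # RVA -> file offset, None if unmapped
        for _, va, rsize, raw in secs:
            if rva > 0 and va <= rva < va + rsize:
                return raw + rva - va
        return None
    def directory(i):                               # file offset of data directory i
        return off(struct.unpack_from("<I", data, dirs + 8 * i)[0]) if i < ndirs else None
    dlls, imp = [], directory(1)                    # 20-byte import descriptors
    while imp is not None and any(data[imp:imp + 20]):
        name = off(struct.unpack_from("<I", data, imp + 12)[0])
        if name is None:
            break
        dlls.append(data[name:data.index(b"\0", name)].decode("ascii", "replace").lower())
        imp += 20
    count, tls = 0, directory(9)                    # IMAGE_TLS_DIRECTORY
    if tls is not None:
        cb_va = struct.unpack_from(pfmt, data, tls + 3 * psz)[0]  # AddressOfCallBacks (a VA)
        arr = off(cb_va - base)
        while arr is not None and struct.unpack_from(pfmt, data, arr)[0]:
            count, arr = count + 1, arr + psz
    user32 = any(d.split(".")[0] == "user32" for d in dlls)
    return {"tls_callbacks": count, "imports_user32": user32, "flag": count > 0 and not user32}

def build_sample(dll):
    """Constructed, non-loadable PE32: one section, one import, one TLS callback."""
    b = bytearray(0x400)
    for fmt, at, *vals in [
        ("<2s", 0, b"MZ"), ("<I", 0x3C, 0x40), ("<4sHH12xH", 0x40, b"PE", 0x14C, 1, 224),
        ("<H", 0x58, 0x10B), ("<I", 0x74, 0x400000), ("<I", 0xB4, 16),  # magic, ImageBase, dir count
        ("<II", 0xC0, 0x1000, 40), ("<II", 0x100, 0x1040, 24),          # import and TLS directories
        ("<8s4I", 0x138, b".data", 0x200, 0x1000, 0x200, 0x200),         # section header
        ("<I", 0x20C, 0x1080), ("<16s", 0x280, dll),                     # import Name RVA, DLL name
        ("<I", 0x24C, 0x4010A0), ("<I", 0x2A0, 0x401100)]:               # AddressOfCallBacks, callback
        struct.pack_into(fmt, b, at, *vals)
    return bytes(b)
```

A flagged file is one where an emulator that always runs TLS callbacks and the XP/S2K3 behaviour described in the first post may disagree, so it is a candidate for dynamic analysis on the target OS rather than a verdict by itself.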
