Thread: # TLS callbacks w/o USER32 (part III)

  1. #1
    Imported blog (Kris Kaspersky)
    Join Date
    May 2008
    Posts
    61

    # TLS callbacks w/o USER32 (part III)

    the story has a continuation. read this:
    Peter Ferrie> The requirement is not user32.dll, just a DLL
    Peter Ferrie> that imports from kernel32.dll. I changed tls-nousr.exe
    Peter Ferrie> to import from kernel31.dll instead of kernel32.dll.
    Peter Ferrie> I created a kernel31.dll that imports from kernel32.dll
    Peter Ferrie> the LoadLibraryA and GetProcAddress, and also exports them.
    Peter Ferrie> The TLS code runs normally in that case.
    Peter Ferrie> For the OllyDbg case, maybe a plug-in called LoadLibrary("kernel32")
    Peter Ferrie> from inside the process. It's probably some reference counting thing.

    yeah, right. I figured out that MSVCR71.dll is suitable as well (see my previous post), I just haven't changed the subject. anyway, it's a bug in XP/S2K3 and eventually we found a workaround for it.

    I wonder if Vista is buggy too or if it has been fixed there? guys! if you have Vista at hand, plz run the examples and tell us the result. thanks!



    http://nezumi-lab.org/blog/?p=51

  2. #2
    I've seen this behaviour a few years ago, seems I was right.
    http://www.woodmann.com/forum/showthread.php?t=7762
    Vulnerant omnes, ultima necat.

  3. #3
    evaluator
    Join Date
    Sep 2001
    Posts
    1,524
    Blog Entries
    1
    these EXEs are very non-standard.. (they also include DOGs)
    let's make more normal exe_amples

  4. #4
    evaluator
    Join Date
    Sep 2001
    Posts
    1,524
    Blog Entries
    1
    I found code in NTDLL where flags are tested in the module list
    Code:
    cmp     edx,ecx
    je      . --1
    and     b,[edx+025],0EF
    test    b,[edx+025],040     ; this test flag is present for NTDLL & KERNEL32
    je      . --2
    mov     edx,[edx]
    jmps    . --3


    @2:
    and then IF this DLL has an EntryPoint, the counter increases!
    BTW! USER32 has no EP.. but others loaded with USER32 have..

    so if this counter returns NULL, then the TLS callback will NOT be called

    RESUME:
    the TLS callback will be called if there is any DLL (except NTDLL & KERNEL32) with an EntryPoint

    APPENDIX:
    but also the TLS callback will be called on ExitProcess, if such a DLL is loaded & present at runtime;
    Last edited by evaluator; January 10th, 2009 at 03:25.
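An added example (not from the thread or from NTDLL itself): a small C model of the rule evaluator reconstructs above, applied to the three module-list situations the thread discusses (an EXE importing only kernel32, one importing user32, and Peter Ferrie's kernel31 stub). The struct, the field names and the extra gdi32 entry are my assumptions; the only values taken from the posts are the 0x40 flag tested at [edx+025] and the "has an entry point" condition. Whether kernel31.dll has an entry point is likewise assumed, as it would for a normally built DLL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one loader module-list entry (names are my own). */
#define LDR_FLAG_EXCLUDED_FROM_COUNT 0x40   /* the bit at [edx+025] that the listing tests;
                                               evaluator says it is set for NTDLL and KERNEL32 */
#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

typedef struct {
    const char *name;
    unsigned char flags;        /* models the byte at [edx+025] */
    bool has_entry_point;       /* models "this DLL has an EntryPoint" */
} ModuleEntry;

/* Walks the module list the way the quoted loop does: entries carrying the 0x40
 * flag are skipped, every remaining entry that has an entry point bumps the counter. */
int count_modules_with_entry_point(const ModuleEntry *mods, size_t n)
{
    int counter = 0;
    for (size_t i = 0; i < n; i++) {
        if (mods[i].flags & LDR_FLAG_EXCLUDED_FROM_COUNT)
            continue;                       /* "test b,[edx+025],040 / je" */
        if (mods[i].has_entry_point)
            counter++;                      /* "IF this DLL has an EntryPoint, the counter increases" */
    }
    return counter;
}

/* evaluator's conclusion: a zero counter means the TLS callback is not invoked. */
bool tls_callback_would_run(const ModuleEntry *mods, size_t n)
{
    return count_modules_with_entry_point(mods, n) != 0;
}

/* Three constructed module lists. The entry-point value of ntdll/kernel32 is
 * irrelevant here because the flag excludes them from the count. */
static const ModuleEntry only_kernel32[] = {
    { "ntdll.dll",    0x40, false },
    { "kernel32.dll", 0x40, true  },
};
static const ModuleEntry with_user32[] = {
    { "ntdll.dll",    0x40, false },
    { "kernel32.dll", 0x40, true  },
    { "user32.dll",   0x00, false },   /* "USER32 has no EP" */
    { "gdi32.dll",    0x00, true  },   /* assumed: a DLL pulled in by user32 that has an EP */
};
static const ModuleEntry with_kernel31[] = {
    { "ntdll.dll",    0x40, false },
    { "kernel32.dll", 0x40, true  },
    { "kernel31.dll", 0x00, true  },   /* assumed: the forwarding stub has a normal DllMain */
};

int main(void)
{
    printf("kernel32 only : %s\n", tls_callback_would_run(only_kernel32, COUNT_OF(only_kernel32)) ? "TLS runs" : "TLS skipped");
    printf("with user32   : %s\n", tls_callback_would_run(with_user32,   COUNT_OF(with_user32))   ? "TLS runs" : "TLS skipped");
    printf("with kernel31 : %s\n", tls_callback_would_run(with_kernel31, COUNT_OF(with_kernel31)) ? "TLS runs" : "TLS skipped");
    return 0;
}
```

For an analyst the practical reading is the one the thread converges on: on XP/S2K3 a TLS callback that is observed not to fire may simply be hitting this loader rule, so the presence of TLS callbacks should be established statically from the image's TLS directory rather than inferred from runtime behaviour alone.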
