TLSCatch: an OllyDbg plugin to catch TLS callbacks easily.

Post by walied »

This plugin simply intercepts any new module loaded into the current process address space, searches it for TLS callbacks and sets a one-shot breakpoint on every callback found.
It lets the malware analyst catch any TLS callback in OllyDbg. Just copy the plugin DLL into the Olly plugin directory, then fire up OllyDbg. Tested on OllyDbg v1 on Windows XP and Vista.

Original article here: http://waleedassar.blogspot.com/2010/10 ... backs.html
Plugin uploaded on Google Code: http://ollytlscatch.googlecode.com/files/TlsCatch.dll
Still working on it to make it catch dynamically added TLS callbacks.

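An added example, not part of the original post and not the plugin's own code: the lookup the post describes (find a module's TLS directory, then walk its callback array), done statically over a PE32 file in Python. The function names and the image built by `sample_pe` are constructed for illustration; callbacks added at run time, which the post mentions as unfinished work, are not covered.

```python
import struct

def rva_to_off(sections, rva):  # map an RVA to a file offset via the section table
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return raw + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)

def tls_callbacks(data, limit=64):
    """Return the callback VAs listed in a PE32 file's TLS directory."""
    pe, = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    # ImageBase at +28, NumberOfRvaAndSizes at +92; data directory entry 9 is TLS
    image_base, ndirs = struct.unpack_from("<I60xI", data, opt + 28)
    tls_rva = struct.unpack_from("<I", data, opt + 96 + 9 * 8)[0] if ndirs > 9 else 0
    if tls_rva == 0:
        return []
    secs = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
        secs.append((va, vsize, raw, rsize))
    # IMAGE_TLS_DIRECTORY32 stores VAs, not RVAs; AddressOfCallBacks is its 4th field.
    cb_va, = struct.unpack_from("<I", data, rva_to_off(secs, tls_rva) + 12)
    if cb_va == 0:
        return []
    off, found = rva_to_off(secs, cb_va - image_base), []
    for _ in range(limit):                                  # bound the walk on bad input
        fn, = struct.unpack_from("<I", data, off + 4 * len(found))
        if fn == 0:                                         # array is NULL-terminated
            break
        found.append(fn)  # VA at the preferred base; add the load delta if rebased
    return found

def sample_pe():
    """Constructed test image: one section at RVA 0x1000 with two TLS callbacks."""
    base, img = 0x400000, bytearray(0x400)
    img[0:2], img[0x3C], img[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"
    struct.pack_into("<HH12xH2xH", img, 0x44, 0x14C, 1, 224, 0x10B)  # Machine, NumberOfSections, SizeOfOptionalHeader, Magic
    struct.pack_into("<I60xI", img, 0x58 + 28, base, 16)    # ImageBase, NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + 72, 0x1000, 24)  # TLS directory RVA, size
    struct.pack_into("<8s4I", img, 0x138, b".data", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<4I", img, 0x200, 0, 0, base + 0x1018, base + 0x1020)
    struct.pack_into("<3I", img, 0x220, base + 0x1100, base + 0x1110, 0)
    return bytes(img)
```

The addresses returned are where a debugger would place its one-shot breakpoints once the module is mapped.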

Post by dELTA »

Looks nice. :yay:

CRCETL:
http://www.woodmann.com/collaborative/t ... lytlscatch

You are also very welcome to update this CRCETL entry yourself when new versions are released.
"Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

Post by Indy »

bp LdrpCallTlsInitializers

ntdll!ShowSnaps -> TRUE or GF -> FLG_SHOW_LDR_SNAPS. Log:

"LDR: Tls Callbacks Found. Imagebase %p Tls %p CallBacks %p",LF,""

"LDR: Calling Tls Callback Imagebase %p Function %p",LF,""