About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> waleedassar's Blog

Created: Wednesday, March 7 2012 13:14.12 CST  
Printer Friendly ...
OllyDbg v2.01 And TLS Callbacks
Author: waleedassar # Views: 1935

One of the new interesting features introduced in version 2.0 of OllyDbg is the ability to pause on TLS callbacks. Actually, i discussed some flaws of this feature in a previous post, but in this post i will show you a minor bug (not so minor) that i found while playing with OllyDbg, like i sometimes do.

OllyDbg v2.0 assumes that the "Size" field in the TLS data directory is mandatory, but it is actually not. To make things clearer, i will dump the ntdll.dll code responsible for parsing the TLS info.

As you can see in the image above, the "RtlImageDirectoryEntryToData" function is called to get the absolute address of the "IMAGE_TLS_DIRECTORY32" structure. Its fourth parameter is a pointer to a variable that receives the size of  "IMAGE_TLS_DIRECTORY32" structure, which is typically 0x18 bytes. It is easy to notice that no checks are done to verify the size.

To be even more sure, let's check the code that extracts TLS info in the "RtlImageDirectoryEntryToData" function .

As the two images above imply, the OS loader simply discards the "Size" field and continues invoking TLS callbacks.

On the other side, OllyDbg stops processing the TLS info. if the "Size" field is zero. See the image below.

The source code for the image above should be something like this.

We can easily figure out from the source code that setting the "Size" field to Zero is enough to fool OllyDbg to ignore TLS info. We can also fool OllyDbg by setting the "Size" field to 0xC or abit longer depending on the executable's ImageBase.

Things get more interesting if the "AddressOfCallbacks" member is e.g. 0x01F12200 and the "Size" field is 0xF. In this case, OllyDbg will place the int3 breakpoint at 0xF12200 and since 0xF12200 will never be hit, the breakpoint will be left untouched.  
Just play with this demo.
http://ollybugs.googlecode.com/files/fake_tls.exe

N.B. Many file inspectors are also affected by this bug e.g. Stud_PE and exeinfo.




Add New Comment
Comment:









There are 29,883 total registered users.


Recently Created Topics
Incorrect bitness wh...
May/20
PaiMei stalker modul...
May/19
Attach to program us...
May/13
IDA PRO how to make ...
May/12
FACT: OpenRCE is dead.
May/08
Int 3 anti debug?
May/05
help needed - Beginn...
May/03
Attaching IDA Pro to...
Apr/27
File type
Apr/21
Debugging iphone app...
Apr/15


Recent Forum Posts
Ollydbg 2.0 - Plugin...
openrce...
IDA PRO how to make ...
codeinject
FACT: OpenRCE is dead.
codeinject
IDA Resource Viewer ...
r2x64
FACT: OpenRCE is dead.
djnemo
FACT: OpenRCE is dead.
codeinject
FACT: OpenRCE is dead.
pedram
help needed - Beginn...
araujo
Attaching IDA Pro to...
codeinject
Int 3 anti debug?
codeinject


Recent Blog Entries
sweetyss
May/18
Adam Wainwright continues t...
lowpriority
Apr/13
OllyMigrate Plugin for Olly...
everdox
Mar/08
2 anti-trace mechanisms spe...
everdox
Mar/07
Advanced debugging techniques
everdox
Mar/06
Branch tracing and LBR acce...
More ...


Recent Blog Comments
clarisonic on:
Apr/03
New version of Ollydbg!
clarisonic on:
Apr/03
New version of Ollydbg!
trackerx90 on:
Mar/04
SuppressDebugMsg As Anti-De...
coachfactory on:
Feb/25
Portable Executable Format ...
coachfactory on:
Feb/25
A new Anti-Olly trick.
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit