📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.





About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New


Customize Theme

Flag: Tornado! Hurricane!

 Forums >>  Brainstorms - General  >>  TLS Callbacks as Anti-Debuggin

Topic created on: August 8, 2008 23:30 CDT by tweaker .

I started to work on this contest:

http://www.khallenge.com/

and I completed the first file and received the second one.

The second file contains a lot of anti-debugging techniques.  The one that caught my interest was the tls callback.

I found some general information on the net about it, but I'm really not sure what the stack is supposed to look like upon entering a tls callback.  The one instruction that I am confused about is:

arg_4           = dword ptr  8

cmp     [esp+arg_4], 1    

found immediately upon entering the TLS Callback function.  Where are the main's arguments on the stack after entering the TLS Callback?  

Can anyone help me out here?  I'd just look to hear more about tls callbacks from the assembler's POV.

  Piotr     August 9, 2008 01:28.18 CDT
Prototype:

typedef void (MODENTRY *PIMAGE_TLS_CALLBACK) ( PTR DllHandle, UINT32 Reason, PTR Reserved );


Some old funny thing:

void __stdcall tls_callback(void * /*instance*/,
                        DWORD reason,
                        void * /*reserved*/)
{
  if ( reason == DLL_PROCESS_ATTACH )
  {
    MessageBox(NULL, "Debugger Owned!", "TLS Callback", MB_OK);
//blabla

  sa7ori     August 11, 2008 10:37.02 CDT
tweaker, Ilfak had a great blog post about this a few years back that included a zip file with compilable source... http://www.hexblog.com/2005/10/tls_callbacks.html

Note: Registration is required to post to the forums.

There are 31,328 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...
djnemo on:
Nov/17
Kernel debugger vs user mod...
acel on:
Nov/14
Kernel debugger vs user mod...
pedram on:
Dec/21
frida.github.io: scriptable...
capadleman on:
Jun/19
Using NtCreateThreadEx for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit