Understanding the PE+ File Format - Part 4: Entry Points and TLS Callbacks

In Part 4, we focus on the PE+ file format's entry points, specifically the AddressOfEntryPoint and TLS callbacks. The video covers how to find the AddressOfEntryPoint, its role, and entry points' precedence. It also explains locating the IMAGE_TLS_DIRECTORY, enumerating TLS callbacks, and the tools used, including Hiew and an IDAPython script, due to IDA's limitations in viewing these details directly. The session wraps up with a demonstration on dumping TLS entry points for all loaded modules, providing insights into analyzing these crucial elements without unnecessary complexity.

Table of Contents:

00:04 - Introduction
00:24 - PE entrypoints are detected by IDA but only for the input file
01:15 - Inspecting entry points of running processes
01:44 - Starting from the image base / IMAGE_DOS_HEADER
02:16 - Importing the needed standard types (from the Windows SDK headers / TIL)
02:51 - Applying the needed structures
03:11 - Locating the "AddressOfEntryPoint"
03:42 - Understanding entry points precedence
04:36 - Locating the TLS data directory
06:49 - Interpreting the IMAGE_TLS_DIRECTORY
07:56 - IMAGE_TLS_DIRECTORY.AddressOfCallbacks are already relocated
08:33 - Enumerating the TLS callbacks entry points
09:16 - TLS callback prototype is the same as DllMain prototype
09:43 - No built-in in way in IDA to see entry points and TLS callbacks
10:06 - Using Hiew to inspect the TLS callbacks
10:55 - IDAPython script to discover entry points
14:02 - Dumping all TLS entry points for all loaded modules
14:22 - Testing the script
15:11 - NTDLL has no entry point
16:07 - Recap

Resources: