Hiding Code Behind Thread-Local Storage - Reverse Engineering TLS Callbacks

preview_player
Показать описание
In this video we'll see how to execute code before the entry point of the application and before the main function and confuse some debuggers along the way. Let's begin.

PoC code:

Analysis tools:

- Immunity debugger
- CFF Explorer
- LordPE
- IDA Pro
- Visual studio IDE

---------------------------------------------------------------------------------------------------

If you liked this video and you want to learn hands-on how to analyse malware, with real samples and practical exercises, find us on Udemy :

---------------------------------------------------------------------------------------------------

Want to support us continue to make great content? Buy us a coffee :

Thank you 🙏
  1. Reversing Hub
  2. TLS Callbacks
  3. Reverse Engineering
  4. Malware
  5. IDA Pro
  6. Immunity Debugger
Рекомендации по теме
Hiding Code Behind 0:11:30

Hiding Code Behind Thread-Local Storage - Reverse Engineering TLS Callbacks

Thread Local Storage 0:02:42

Thread Local Storage

C++ : How 0:00:52

C++ : How to allocate thread local storage?

thread_local Variables in 0:08:38

thread_local Variables in C++. Why useful? How do they work?

Thread local storage 0:02:48

Thread local storage design pattern

2013 Day2P13 LoB: 0:14:16

2013 Day2P13 LoB: Thread Local Storage (TLS)

.NET Parallel Programming 0:03:41

.NET Parallel Programming | Thread Local Storage | 5.3

C++ Bonus [034] 0:06:27

C++ Bonus [034] - thread_local

Malware Minute -- 0:01:01

Malware Minute -- Catching TLS Callbacks

Reverse engineering - 0:08:18

Reverse engineering - Hide code behind GCC constructors

Thread Local Storage 0:12:11

Thread Local Storage in Windows [PER]

Welcome to Thread 0:00:06

Welcome to Thread local

Windows : Thread-local 0:01:16

Windows : Thread-local storage in kernel mode?

Windows : Thread 0:01:36

Windows : Thread local storage / Windows

Java Thread Locals 0:31:09

Java Thread Locals - A complete Tutorial

The HARDEST part 0:00:28

The HARDEST part about programming 🤦‍♂️ #code #programming #technology #tech #software #developer...

millionaires store cash 0:00:10

millionaires store cash secret compartment drawer | secret safe | hidden shelf#shorts #secretlocker

How MOSQUES Will 0:00:15

How MOSQUES Will Look In 10 YEARS!☪️😱❌ #islam #muslim #mosque #ramadan #shorts

Android and Java 0:13:36

Android and Java Concurrency: The Thread-Specific Storage Pattern (Part 1)

Nesting 'If Statements' 0:01:00

Nesting 'If Statements' Is Bad. Do This Instead.

Be sure to 0:00:32

Be sure to remember this Tip and Trick. How to connect to a PPR pipe without an adapter? #shorts

C++ Thread Local 0:16:54

C++ Thread Local Storage

Bedsheet Hack #Bedsheet 0:00:19

Bedsheet Hack #Bedsheet #Hack

Developer Last Expression 0:00:28

Developer Last Expression 😂 #shorts #developer #ytshorts #uiux #python #flutterdevelopment

Комментарии
Автор

Hello. The first thing I would like to tell you is that I love your channel and it is a shame not to see more of your content about reversing today. I have a question related to TLS; A packer adds its own tls callbacks, those calls are in a new section called .rdata00. I have reached the OEP, rebuilt the IAT, and dumped the file. Then from cff I have deleted all the sections of the packer, except rdata00 because it contains the TLS. The problem is that the original TLS are in rdata, if I delete rdata00 I have to redirect the calls to rdata but I don't know how to locate the original tls. At some point are the original rdata tls called from the rdata00 packer section? Sorry if I don't know how to explain better, I'm just an amateur.

djpuxo
Автор

thank you for the video. Was really useful.

muffinberg
Автор

Didnt know women did this kind of stuff, what made you interested in this?

moviesynopsis