flat assembler
Message board for the users of flat assembler.

Index > Windows > [SOLVED]TLS Callback

Author
Thread Post new topic Reply to topic
Enko



Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Enko
I know that is possible to execute some code before the EntryPoint using the TLS Directory and defining a tls callback procedure.

The thing is, I read about it, but I can't find an example of how it should be done.
(
the documentation is hear 5.7
http://www.feishare.com/attachments/094_pecoff_v8.pdf
)
I never definded manually sections in fasm, and theres no macros for it, nor example)
Searching for tls callback, I find only debugging tutorial results.

It would be greate if someone has an example in fasm
Thanks a lot.


Last edited by Enko on 24 Jul 2011, 02:46; edited 1 time in total
Post 23 Jul 2011, 20:03
View user's profile Send private message Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid
In my ancient version of asm "minipad.asm" defines sections manually. "beer.asm" defines custom data directory, should that be needed (which IMO is more likely to be the case, than section)
Post 23 Jul 2011, 23:15
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
Enko



Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Enko
This example?
Quote:



; Beer - example of tiny (one section) Win32 program

format PE GUI 4.0


data import

library kernel32,'KERNEL32.DLL',\
user32,'USER32.DLL',\
winmm,'WINMM.DLL'

import kernel32,\
ExitProcess,'ExitProcess'

import user32,\
MessageBoxA,'MessageBoxA'

import winmm,\
mciSendString,'mciSendStringA'

end data



edited:
Now I sea the diference... xD

data import
end data

is the same as

data 1
end data

?


Last edited by Enko on 24 Jul 2011, 02:58; edited 2 times in total
Post 24 Jul 2011, 01:26
View user's profile Send private message Reply with quote
Enko



Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Enko
After Reading some stuff, I think I managed the job and got a valid example.

The new thing was, that the tsl callback fucntions executes 2 times.
Before the entrypoint and after ExitProcess.
So the same callback function will be called two times.
Code:

format PE GUI 4.0
entry start 

include '%fasminc%\win32a.inc'

section '.code' code readable executable 
start: 
  mov             [ExecOnExit],1
      invoke  MessageBox, 0, szHelloWorld, szHelloWorld, MB_OK
    invoke  ExitProcess, 0
      

section '.data' data readable writeable executable
        szTitle db 'Callback Msg', 0
      szHelloWorld db 'Hello World',0
   szCallback1 db 'This is the first tls callback function',0
        szCallback2 db 'this is the second tls callback function',0
       ExecOnExit      dd 0
        
    

my_callback1:
   ;this will be executed only on application start, befor entry point.
        mov             eax, [ExecOnExit] ;check if this is the callback on start app, or on exit.
  test    eax, eax
    jnz     @f
          invoke  MessageBox, 0, szCallback1, szTitle, MB_OK
@@:
       ret
my_callback2:
    ;this will be executed 2 times, on start and on exit the app.
       invoke  MessageBox, 0, szCallback2, szTitle, MB_OK
  ret



section '.tls' data readable writeable 
data 9 ;the tls directory is the 9nth directory entry.
      .RawDataStartVA dd 0
        .RawDataEndVA   dd 0
        .AddressofIndex dd adress_of_index
  .AddressofCallback dd adress_of_callback
    .SizeofZeroFill dd 0
        .Characteristic dd 0
        
    adress_of_index dd 0
        adress_of_callback dd my_callback1, my_callback2, 0
end data

section '.idata' import data readable writeable 

library kernel32,'kernel32.dll',\ 
      user32,'user32.dll',\ 
   msvcrt,'msvcrt.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'
include '%fasminc%\api\msvcrt.inc'

    
Post 24 Jul 2011, 02:51
View user's profile Send private message Reply with quote
Alphonso



Joined: 16 Jan 2007
Posts: 294
Alphonso
Tried this on VHP32 and both calls are executed before start and nothing afterward.
Post 24 Jul 2011, 08:36
View user's profile Send private message Reply with quote
Enko



Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Enko
Alphonso wrote:
Tried this on VHP32 and both calls are executed before start and nothing afterward.

Strange... so why does my xp execut them after exitprocess too?
Post 24 Jul 2011, 14:18
View user's profile Send private message Reply with quote
Alphonso



Joined: 16 Jan 2007
Posts: 294
Alphonso
Don't know. Never even knew about TLS until your post, so thanks for the knowledge.

Stranger still is...
Code:
format PE GUI 4.0
entry start

include '%fasminc%\win32a.inc'

section '.data' data readable
start:
        invoke  MessageBox, 0, szHelloWorld, szHelloWorld, MB_OK
        invoke  ExitProcess, 0

section '.data' data readable writeable
        szTitle db 'Callback Msg', 0
        szHelloWorld db 'Hello World',0
        szCallback1 db 'This is the first tls callback function',0
        szCallback2 db 'this is the second tls callback function',0

section '.tls' data readable writeable
data 9 ;the tls directory is the 9nth directory entry.
        .RawDataStartVA dd 0
        .RawDataEndVA   dd 0
        .AddressofIndex dd adress_of_index
        .AddressofCallback dd adress_of_callback
        .SizeofZeroFill dd 0
        .Characteristic dd 0
        
        adress_of_index dd 0
        adress_of_callback dd my_callback1, my_callback2, 0

my_callback1:
        invoke  MessageBox, 0, szCallback1, szTitle, MB_OK
        ret
my_callback2:
        invoke  MessageBox, 0, szCallback2, szTitle, MB_OK
        ret
end data

section '.idata' import data readable writeable 

library kernel32,'kernel32.dll',\ 
        user32,'user32.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'    
still works without the executable flag. Seems a little naughty.



Even
Code:
format PE GUI 4.0
entry start

include '%fasminc%\win32a.inc'

section '.data' data readable
start:

        invoke  MessageBox, 0, szHelloWorld, szHelloWorld, MB_OK
        invoke  ExitProcess, 0

        szHelloWorld db 'Hello World',0


section '.idata' import data readable

library kernel32,'kernel32.dll',\ 
        user32,'user32.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'
                                         
executes without the executable/code flag set too. Shocked
Post 24 Jul 2011, 15:31
View user's profile Send private message Reply with quote
Enko



Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Enko
The code should work properly without the flag, I used it becouse for me, it executed 2 times, one on start and other on exit.

So the flag is set to true, when we entry the EP, so this way, TLS callback is executed after exitprocess, but it won't do anything.

I Thinks its the nromal behavior of the tls, to execut on entry and on exit.
Post 25 Jul 2011, 13:46
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7756
Location: Kraków, Poland
Tomasz Grysztar
Alphonso wrote:
[...] executes without the executable/code flag set too. Shocked
Change the format line to:
Code:
format PE GUI 4.0 NX    
and if your CPU is modern enough, you should get appropriate behavior.

Unfortunately with older processors page-level protection for "executable" attribute was not possible, and because of that many Win32 applications and libraries did not care to obey the "executable" flag. For this reason I had to implement "NX" setting as an additional flag, and not make it the default setting for fasm-generated PEs.
Post 25 Jul 2011, 17:29
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Tomasz Grysztar wrote:
Alphonso wrote:
[...] executes without the executable/code flag set too. Shocked
Change the format line to:
Code:
format PE GUI 4.0 NX    
and if your CPU is modern enough, you should get appropriate behavior.

Unfortunately with older processors page-level protection for "executable" attribute was not possible, and because of that many Win32 applications and libraries did not care to obey the "executable" flag. For this reason I had to implement "NX" setting as an additional flag, and not make it the default setting for fasm-generated PEs.


So what does the "NX" do? Does it apply to PEs with TLS only ?
Post 25 Jul 2011, 17:58
View user's profile Send private message Reply with quote
Alphonso



Joined: 16 Jan 2007
Posts: 294
Alphonso
Tomasz Grysztar wrote:
if your CPU is modern enough, you should get appropriate behavior.


Seems the OS has to be modern too. With a C2D and HW DEP enabled it still executes on VHP32SP2 with NX set! W7SP1 spits the dummy though at the main code section with a 0xC0000005 but will silently ignore the TLS section it seems, that is the TLS will not raise an exception but also will not execute.

Maybe Vista considers it non-essential whereas W7 doesn't, lol idk.


Last edited by Alphonso on 25 Jul 2011, 19:08; edited 2 times in total
Post 25 Jul 2011, 18:52
View user's profile Send private message Reply with quote
Alphonso



Joined: 16 Jan 2007
Posts: 294
Alphonso
typedef wrote:
Does it apply to PEs with TLS only ?
No. No eXecute bit should AFAIK apply to all sections.
Post 25 Jul 2011, 18:56
View user's profile Send private message Reply with quote
Madis731



Joined: 25 Sep 2003
Posts: 2140
Location: Estonia
Madis731
You can enable NX in the BIOS and it must be a capability of the CPU and also your OS must support it. It kind of works like virtualization: CPU+BIOS+OS.
Post 10 Aug 2011, 05:25
View user's profile Send private message Visit poster's website Yahoo Messenger MSN Messenger Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.