[SOLVED]TLS Callback

Index > Windows > [SOLVED]TLS Callback

Author

Thread

Enko

Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata

Enko 23 Jul 2011, 20:03

I know that is possible to execute some code before the EntryPoint using the TLS Directory and defining a tls callback procedure.

The thing is, I read about it, but I can't find an example of how it should be done.
(
the documentation is hear 5.7
http://www.feishare.com/attachments/094_pecoff_v8.pdf
)
I never definded manually sections in fasm, and theres no macros for it, nor example)
Searching for tls callback, I find only debugging tutorial results.

It would be greate if someone has an example in fasm
Thanks a lot.

Last edited by Enko on 24 Jul 2011, 02:46; edited 1 time in total

23 Jul 2011, 20:03

vid
Verbosity in development

Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia

vid 23 Jul 2011, 23:15

In my ancient version of asm "minipad.asm" defines sections manually. "beer.asm" defines custom data directory, should that be needed (which IMO is more likely to be the case, than section)

23 Jul 2011, 23:15

Enko

Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata

Enko 24 Jul 2011, 01:26

This example?

Quote:

; Beer - example of tiny (one section) Win32 program

format PE GUI 4.0

data import

library kernel32,'KERNEL32.DLL',\
user32,'USER32.DLL',\
winmm,'WINMM.DLL'

import kernel32,\
ExitProcess,'ExitProcess'

import user32,\
MessageBoxA,'MessageBoxA'

import winmm,\
mciSendString,'mciSendStringA'

end data

edited:
Now I sea the diference... xD

data import
end data

is the same as

data 1
end data

?

Last edited by Enko on 24 Jul 2011, 02:58; edited 2 times in total

24 Jul 2011, 01:26

Enko

Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata

Enko 24 Jul 2011, 02:51

After Reading some stuff, I think I managed the job and got a valid example.

The new thing was, that the tsl callback fucntions executes 2 times.
Before the entrypoint and after ExitProcess.
So the same callback function will be called two times.

Code:


format PE GUI 4.0
entry start 

include '%fasminc%\win32a.inc'

section '.code' code readable executable 
start: 
  mov             [ExecOnExit],1
      invoke  MessageBox, 0, szHelloWorld, szHelloWorld, MB_OK
    invoke  ExitProcess, 0
      

section '.data' data readable writeable executable
        szTitle db 'Callback Msg', 0
      szHelloWorld db 'Hello World',0
   szCallback1 db 'This is the first tls callback function',0
        szCallback2 db 'this is the second tls callback function',0
       ExecOnExit      dd 0
        
    

my_callback1:
   ;this will be executed only on application start, befor entry point.
        mov             eax, [ExecOnExit] ;check if this is the callback on start app, or on exit.
  test    eax, eax
    jnz     @f
          invoke  MessageBox, 0, szCallback1, szTitle, MB_OK
@@:
       ret
my_callback2:
    ;this will be executed 2 times, on start and on exit the app.
       invoke  MessageBox, 0, szCallback2, szTitle, MB_OK
  ret



section '.tls' data readable writeable 
data 9 ;the tls directory is the 9nth directory entry.
      .RawDataStartVA dd 0
        .RawDataEndVA   dd 0
        .AddressofIndex dd adress_of_index
  .AddressofCallback dd adress_of_callback
    .SizeofZeroFill dd 0
        .Characteristic dd 0
        
    adress_of_index dd 0
        adress_of_callback dd my_callback1, my_callback2, 0
end data

section '.idata' import data readable writeable 

library kernel32,'kernel32.dll',\ 
      user32,'user32.dll',\ 
   msvcrt,'msvcrt.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'
include '%fasminc%\api\msvcrt.inc'

24 Jul 2011, 02:51

Alphonso

Joined: 16 Jan 2007
Posts: 295

Alphonso 24 Jul 2011, 08:36

Tried this on VHP32 and both calls are executed before start and nothing afterward.

24 Jul 2011, 08:36

Enko

Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata

Enko 24 Jul 2011, 14:18

Alphonso wrote:

Tried this on VHP32 and both calls are executed before start and nothing afterward.

Strange... so why does my xp execut them after exitprocess too?

24 Jul 2011, 14:18

Alphonso

Joined: 16 Jan 2007
Posts: 295

Alphonso 24 Jul 2011, 15:31

Don't know. Never even knew about TLS until your post, so thanks for the knowledge.

Stranger still is...

Code:

format PE GUI 4.0
entry start

include '%fasminc%\win32a.inc'

section '.data' data readable
start:
        invoke  MessageBox, 0, szHelloWorld, szHelloWorld, MB_OK
        invoke  ExitProcess, 0

section '.data' data readable writeable
        szTitle db 'Callback Msg', 0
        szHelloWorld db 'Hello World',0
        szCallback1 db 'This is the first tls callback function',0
        szCallback2 db 'this is the second tls callback function',0

section '.tls' data readable writeable
data 9 ;the tls directory is the 9nth directory entry.
        .RawDataStartVA dd 0
        .RawDataEndVA   dd 0
        .AddressofIndex dd adress_of_index
        .AddressofCallback dd adress_of_callback
        .SizeofZeroFill dd 0
        .Characteristic dd 0
        
        adress_of_index dd 0
        adress_of_callback dd my_callback1, my_callback2, 0

my_callback1:
        invoke  MessageBox, 0, szCallback1, szTitle, MB_OK
        ret
my_callback2:
        invoke  MessageBox, 0, szCallback2, szTitle, MB_OK
        ret
end data

section '.idata' import data readable writeable 

library kernel32,'kernel32.dll',\ 
        user32,'user32.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'

still works without the executable flag. Seems a little naughty.

Even

Code:

format PE GUI 4.0
entry start

include '%fasminc%\win32a.inc'

section '.data' data readable
start:

        invoke  MessageBox, 0, szHelloWorld, szHelloWorld, MB_OK
        invoke  ExitProcess, 0

        szHelloWorld db 'Hello World',0


section '.idata' import data readable

library kernel32,'kernel32.dll',\ 
        user32,'user32.dll'

include '%fasminc%\api\kernel32.inc'
include '%fasminc%\api\user32.inc'

executes without the executable/code flag set too. Shocked

24 Jul 2011, 15:31

Enko

Joined: 03 Apr 2007
Posts: 676
Location: Mar del Plata

Enko 25 Jul 2011, 13:46

The code should work properly without the flag, I used it becouse for me, it executed 2 times, one on start and other on exit.

So the flag is set to true, when we entry the EP, so this way, TLS callback is executed after exitprocess, but it won't do anything.

I Thinks its the nromal behavior of the tls, to execut on entry and on exit.

25 Jul 2011, 13:46

Tomasz Grysztar

Joined: 16 Jun 2003
Posts: 8390
Location: Kraków, Poland

Tomasz Grysztar 25 Jul 2011, 17:29

Alphonso wrote:

[...] executes without the executable/code flag set too.

Change the format line to:

Code:

format PE GUI 4.0 NX

and if your CPU is modern enough, you should get appropriate behavior.

Unfortunately with older processors page-level protection for "executable" attribute was not possible, and because of that many Win32 applications and libraries did not care to obey the "executable" flag. For this reason I had to implement "NX" setting as an additional flag, and not make it the default setting for fasm-generated PEs.

25 Jul 2011, 17:29

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 25 Jul 2011, 17:58

Tomasz Grysztar wrote:

Alphonso wrote:
[...] executes without the executable/code flag set too.
Change the format line to:
Code:
format PE GUI 4.0 NX    
and if your CPU is modern enough, you should get appropriate behavior.

Unfortunately with older processors page-level protection for "executable" attribute was not possible, and because of that many Win32 applications and libraries did not care to obey the "executable" flag. For this reason I had to implement "NX" setting as an additional flag, and not make it the default setting for fasm-generated PEs.

So what does the "NX" do? Does it apply to PEs with TLS only ?

25 Jul 2011, 17:58

Alphonso

Joined: 16 Jan 2007
Posts: 295

Alphonso 25 Jul 2011, 18:52

Tomasz Grysztar wrote:

if your CPU is modern enough, you should get appropriate behavior.

Seems the OS has to be modern too. With a C2D and HW DEP enabled it still executes on VHP32SP2 with NX set! W7SP1 spits the dummy though at the main code section with a 0xC0000005 but will silently ignore the TLS section it seems, that is the TLS will not raise an exception but also will not execute.

Maybe Vista considers it non-essential whereas W7 doesn't, lol idk.

Last edited by Alphonso on 25 Jul 2011, 19:08; edited 2 times in total

25 Jul 2011, 18:52

Alphonso

Joined: 16 Jan 2007
Posts: 295

Alphonso 25 Jul 2011, 18:56

typedef wrote:

Does it apply to PEs with TLS only ?

No. No eXecute bit should AFAIK apply to all sections.

25 Jul 2011, 18:56

Madis731

Joined: 25 Sep 2003
Posts: 2139
Location: Estonia

Madis731 10 Aug 2011, 05:25

You can enable NX in the BIOS and it must be a capability of the CPU and also your OS must support it. It kind of works like virtualization: CPU+BIOS+OS.

10 Aug 2011, 05:25

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum