TLS回调函数

TLS在逆向工程的应用

参考:逆向工程核心原理

文档介绍

线程本地存储 - Win32 apps | Microsoft Learn

使用线程本地存储 - Win32 apps | Microsoft Learn

【原创】反调试实战系列二 TLS反调试+CheckRemoteDebuggerPresent原理 - 吾爱破解 - 52pojie.cn

TLS Table

typedef struct _IMAGE_TLS_DIRECTORY64 {
    ULONGLONG StartAddressOfRawData;
    ULONGLONG EndAddressOfRawData;
    ULONGLONG AddressOfIndex;         // PDWORD
    ULONGLONG AddressOfCallBacks;     // PIMAGE_TLS_CALLBACK *;
    DWORD SizeOfZeroFill;
    union {
        DWORD Characteristics;
        struct {
            DWORD Reserved0 : 20;
            DWORD Alignment : 4;
            DWORD Reserved1 : 8;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;

} IMAGE_TLS_DIRECTORY64;

typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;

typedef struct _IMAGE_TLS_DIRECTORY32 {
    DWORD   StartAddressOfRawData;
    DWORD   EndAddressOfRawData;
    DWORD   AddressOfIndex;             // PDWORD
    DWORD   AddressOfCallBacks;         // 对于逆向最为重要,指向TLS回调函数地址(VA)的数组,以NULL值结束
    DWORD   SizeOfZeroFill;
    union {
        DWORD Characteristics;
        struct {
            DWORD Reserved0 : 20;
            DWORD Alignment : 4;
            DWORD Reserved1 : 8;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;

} IMAGE_TLS_DIRECTORY32;

位于数据目录项第10项.

TLS 回调函数

进程启动前,系统会直接调用AddressOfCallBacks数组的函数.

事实上,TLS回调函数在启动进程和结束进程时都会被调用,共两次.

typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (
    PVOID DllHandle,//模块句柄,或者说加载地址
    DWORD Reason,   //调用原因
    PVOID Reserved  //保留参数
    );

根据书中的例子,调用原因和时机是直接成因果的.

DLL_PROCESS_ATTACH在main函数之前调用,为1

DLL_THREAD_ATTACH在创建用户线程前调用,为2

DLL_THREAD_DETACH你懂的,为3

DLL_PROCESS_ATTACH你懂的,为0

逆向经验

可以在导出表看到