Category: Uncategorized

Xavier’s diary entry “Abusing DLLs EntryPoint for the Fun” inspired me to do some tests with TLS Callbacks and DLLs.

TLS stands for Thread Local Storage. TLS Callbacks are an execution mechanism in Windows PE files that lets code run automatically when a process or thread starts, before the program’s normal entry point is reached. I’ve done tests in the past with EXEs and TLS Callbacks, but never with DLLs.

In Windows, TLS is used to give each thread its own copy of certain variables. To support this, the PE format has a TLS directory (IMAGE_TLS_DIRECTORY) that describes:

• Where TLS data is stored
• How large it is
• A list of callback functions

My pecheck.py tool lists TLS callbacks:

I used the following code for a DLL with a TLS callback:

#include 

// Declare TLS callback section
#pragma section(".CRT$XLB", read)

// TLS callback function
void NTAPI MyTlsCallback(PVOID hModule, DWORD dwReason, PVOID pReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        MessageBoxA(NULL, "TLS Callback fired", "TLS", MB_OK);
    }
}

// Force linker to include TLS directory symbol
#ifdef _WIN64
#pragma comment(linker, "/INCLUDE:_tls_used")
#pragma comment(linker, "/INCLUDE:tls_callback_func")
#else
#pragma comment(linker, "/INCLUDE:__tls_used")
#pragma comment(linker, "/INCLUDE:_tls_callback_func")
#endif

// Place pointer in TLS callback section (extern "C" prevents mangling)
extern "C" __declspec(allocate(".CRT$XLB"))
PIMAGE_TLS_CALLBACK tls_callback_func = MyTlsCallback;

// Standard DllMain
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        MessageBoxA(NULL, "DllMain fired", "DllMain", MB_OK);
    return TRUE;
}

And compiled it with Visual Studio C++:

cl /nologo /EHsc /LD tls_dll.cpp user32.lib

I used rundll32 to load the DLL.

The callback function got executed:

before the DllMain function:

This is something to take into account when performing static analysis: next to looking at DllMain and exported functions, look also at TLS callbacks (if any).

And it’s also important when performing dynamic analysis: when using a debugger, make sure to check how it is configured:

This debugger is configured to break on TLS callbacks: thus these callbacks will not execute unbeknownst to you.

 

Didier Stevens

Senior handler

blog.DidierStevens.com

The South African government has dismissed accusations by the US that it harassed and intimidated American officials during a raid on a centre processing applications by white South Africans for refugee status in the US.

Tuesday’s raid saw seven Kenyans expelled from South Africa for working in the country illegally.

The US accused South Africa of publishing the passport details of its officials, saying this was “unacceptable” and warning of “severe consequences”.

But South Africa has denied this, saying it treats “matters of data security with the utmost seriousness”.

The US is offering asylum status to members of South Africa’s Afrikaner community as it says the community is facing persecution. South Africa’s government has rejected the claims.

President Donald Trump’s administration has reduced its yearly intake of refugees from around the world from 125,000 to 7,500, but says it will prioritise Afrikaners, who are mostly descendants of Dutch and French settlers.

Tensions between the two countries has risen since Trump took office.

After the raid on the processing centre, South Africa expressed concern that foreign officials appeared to have coordinated with undocumented workers and said it had reached out to the US and Kenya to resolve the matter.

In a statement issued on Thursday, the US State Department said it condemned “in the strongest terms the South African government’s recent detention of US officials performing their duties to provide humanitarian support to Afrikaners”.

It did not providence any evidence to back up its accusation that South Africa had released the passport information of its officials.

South Africa’s home affairs department described these accusations as “unsubstantiated”.

“South Africa treats all matters of data security with the utmost seriousness and operates under stringent legal and diplomatic protocols,” it said in a statement.

It had previously said that no US officials were arrested and the operation was not at a diplomatic site.

It said the Kenyans had applied for work permits, which had been denied.

The US has not addressed this directly but said it had “worked to operate the refugee program within the confines of the law”.

Trump has claimed that Afrikaners are being subjected to a “genocide” in South Africa, even though there is no evidence that white farmers are more likely to be killed than their black counterparts.

He offered Afrikaners refugee status earlier this year after South African President Cyril Ramaphosa signed a law allowing the government to seize land without compensation in rare instances.

A first group of about 50 people flew to the US on a chartered plane – it is not clear how many others have moved, or are in the process of applying.

Because of the legacy of the racist apartheid system, the majority of privately owned farmland in South Africa is owned by the white community and South Africa’s government is under pressure to provide more land to black farmers. However, it stresses that no land has yet been seized under the new law.

South Africa has repeatedly tried to mend fences with the Trump administration, most famously when Ramaphosa led a high-level delegation to the White House earlier this year.

However, this backfired when Trump ambushed him with images, videos and news reports allegedly showing that the government was persecuting white people.

Last month, the US boycotted the G20 summit in South Africa and has said it would not invite South African officials to its meetings since it took over the leadership of the grouping of the world’s biggest economies.

Additional reporting by Khanyisile Ngcobo in Johannesburg

Sharif Osman Hadi’s Facebook page