[Share] How Malware Defends Itself Using TLS Callback Functions
Posted on: 2010-11-2 03:13 4075

How Malware Defends Itself Using TLS Callback Functions

[left]Malware authors employ numerous and creative techniques to protect their executables
from reverse-engineering. The arsenal includes an anti-debugging technique called TLS
callback. The approach is not new, yet it is not widely understood by malware analysts,
so I'd like to describe it in this note. (Thanks to Christian Wojner from CERT.at for his
insights regarding this topic!)

What is TLS?

According to Microsoft, Thread Local Storage (TLS) is a mechanism that allows Microsoft
Windows to define data objects that are not automatic (stack) variables, yet are "local
to each individual thread that runs the code. Thus, each thread can maintain a different
value for a variable declared by using TLS." This information is stored in the PE header.

(Windows uses the PE header to store meta information about the executable to load and run
the program.)

A programmer can define TLS callback functions, which were designed mainly to initialize
and clear TLS data objects. From the malware author's perspective, the beauty of TLS
callbacks is that Windows executes these functions before executing code at the traditional
start of the program.

How Can TLS Callbacks Confuse Debuggers and Analysts?

Analysts often examine a malicious program's code by starting with the instructions
located at the Entry Point of the executable. The Entry Point is a field in the PE header
that stores the address of the "first" instruction in the program that Windows is supposed
to execute; debuggers typically take us to that instruction after loading the executable.
TLS callback functions allow malware authors to execute malicious code before the debugger
has a chance to pause at the traditional Entry Point. This allows malware to infect the system
or disable the debugger before the analyst has a chance to look at the sample's code.

Consider the TLS callback technique employed by the Nadnadzzz bot about a year ago. If you load
the bot's executable into OllyDbg, you expect to have the debugger pause at its entry point.
Instead, OllyDbg seems to immediately say that the process terminated. What happened? You just
infected yourself!

The problem is that before OllyDbg had a chance to pause at the traditional Entry Point instruction,
it executed a TLS callback function.
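An added check, not part of the original article, that an analyst can run on a sample before loading it into a debugger: it walks the PE header to the TLS data directory and lists the callback addresses the Windows loader will invoke ahead of the Entry Point. The `build_sample_pe` helper constructs a minimal synthetic PE32 purely as test input; no real sample is embedded.

```python
import struct
IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directory

def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def tls_callbacks(data):
    """Return the virtual addresses of the TLS callbacks a PE file declares ([] if none)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C) if len(data) > 0x40 else (0,)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    pe64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    ptr, psize = ("<Q", 8) if pe64 else ("<I", 4)
    image_base, = struct.unpack_from(ptr, data, opt + (24 if pe64 else 28))
    dirs = opt + (112 if pe64 else 96)       # start of the data directory array
    tls_rva, _ = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []                            # no TLS directory: nothing runs before the Entry Point
    sec = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec + 40 * i + 8) for i in range(nsec)]
    # AddressOfCallBacks (4th field) is an absolute VA, so subtract ImageBase before resolving it
    cb_va, = struct.unpack_from(ptr, data, rva_to_offset(sections, tls_rva) + 3 * psize)
    if cb_va == 0:
        return []
    off, callbacks = rva_to_offset(sections, cb_va - image_base), []
    while True:                              # the callback array is terminated by a NULL pointer
        va, = struct.unpack_from(ptr, data, off)
        if va == 0:
            return callbacks
        callbacks.append(va)
        off += psize

def build_sample_pe(callback_vas, image_base=0x400000):
    """Constructed minimal PE32 with one section holding a TLS directory (test input, not a real sample)."""
    sec_rva, sec_raw = 0x1000, 0x200
    tls = struct.pack("<6I", 0, 0, 0, image_base + sec_rva + 0x18, 0, 0)   # AddressOfCallBacks -> array below
    tls += struct.pack("<%dI" % (len(callback_vas) + 1), *callback_vas, 0)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)      # i386, 1 section, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base) + b"\0" * 60 + struct.pack("<I", 16)
    opt += b"\0" * 72 + struct.pack("<II", sec_rva, len(tls)) + b"\0" * 48  # only directory 9 (TLS) is populated
    sec = b".tls".ljust(8, b"\0") + struct.pack("<IIII", len(tls), sec_rva, len(tls), sec_raw) + b"\0" * 16
    return (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(sec_raw, b"\0") + tls
```

A non-empty result means code will run before the debugger's first pause at the Entry Point; OllyDbg can be told to break on TLS callbacks, and static analysis of those addresses should precede any dynamic run.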
[/left]
