Merge pull request #71 from LordNoteworthy/Noteworthy

add TLS callback trick
ayoubfaouzi · Jan 11, 2017 · 742228a · 742228a
2 parents a3b594c + 383795e
commit 742228a
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-##Al-Khaser v0.65
+##Al-Khaser v0.66
 
 ![Logo](https://www.mindmeister.com/files/avatars/0035/8332/original/avatar.jpg)
 
@@ -29,7 +29,6 @@ It performs a bunch of nowadays malwares tricks and the goal is to see if you st
 You can download the last stable release [here](https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser.exe?raw=true).
 
 
-
 ## Possible uses
 
 - You are making an anti-debug plugin and you want to check its effectiveness.
@@ -38,6 +37,7 @@ You can download the last stable release [here](https://github.com/LordNoteworth
 
 Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.
 
+
 ## Features
 ### Anti-debugging attacks
 - IsDebuggerPresent
@@ -64,6 +64,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - Parent Process (Explorer.exe)
 - SeDebugPrivilege (Csrss.exe)
 - NtYieldExecution / SwitchToThread
+- TLS callbacks
 
 ### Anti-Dumping
 - Erase PE header from memory

diff --git a/al-khaser.exe b/al-khaser.exe
diff --git a/al-khaser/Anti Debug/TLS_callbacks.cpp b/al-khaser/Anti Debug/TLS_callbacks.cpp
@@ -0,0 +1,44 @@
+#include "TLS_callbacks.h"
+
+// The Tread Local Storage (TLS) callback is called before the execution of the EntryPoint of the application
+// Malware takes advantages to perform anti-debug and anti-vm checks.
+// Their could be more than one callback, and sometimes, inside one call back, one can create one in the fly.
+
+VOID  WINAPI tls_callback(PVOID hModule, DWORD dwReason, PVOID pContext)
+{
+	if (dwReason == DLL_THREAD_ATTACH)
+	{
+		// This will be loaded in each DLL thread attach
+		// MessageBox(0, _T("I am running from a TLS callbacks, did you see that?"), _T("DLL_THREAD_ATTACH"), 0);
+	}
+
+	if (dwReason == DLL_PROCESS_ATTACH)
+	{
+		MessageBox(0, _T("I am running from a TLS callbacks, did you see that?"), _T("DLL_PROCESS_ATTACH"), 0);
+	}
+}
+
+#ifdef _WIN64
+	#pragma comment (linker, "/INCLUDE:_tls_used")
+	#pragma comment (linker, "/INCLUDE:tls_callback_func")
+#else
+	#pragma comment (linker, "/INCLUDE:__tls_used")
+	#pragma comment (linker, "/INCLUDE:_tls_callback_func")
+#endif
+
+
+#ifdef _WIN64
+	#pragma const_seg(".CRT$XLF")
+	EXTERN_C const
+#else
+	#pragma data_seg(".CRT$XLF")
+	EXTERN_C
+#endif
+
+PIMAGE_TLS_CALLBACK tls_callback_func = tls_callback;
+
+#ifdef _WIN64
+	#pragma const_seg()
+#else
+	#pragma data_seg()
+#endif //_WIN64
diff --git a/al-khaser/Anti Debug/TLS_callbacks.h b/al-khaser/Anti Debug/TLS_callbacks.h
@@ -0,0 +1,4 @@
+#include <Windows.h>
+#include <tchar.h>
+
+VOID  WINAPI tls_callback(PVOID hModule, DWORD dwReason, PVOID pContext);
diff --git a/al-khaser/Shared/Main.h b/al-khaser/Shared/Main.h
@@ -25,6 +25,7 @@
 #include "..\Anti Debug\NtQueryObject_ObjectInformation.h"
 #include "..\Anti Debug\NtYieldExecution.h"
 #include "..\Anti Debug\SetHandleInformation_API.h"
+#include "..\Anti Debug\TLS_callbacks.h"
 
 /* Anti dumping headers */
 #include "..\Anti Dump\ErasePEHeaderFromMemory.h"

diff --git a/al-khaser/al-khaser.vcxproj b/al-khaser/al-khaser.vcxproj
@@ -184,6 +184,7 @@
     <ClCompile Include="Anti Debug\SeDebugPrivilege.cpp" />
     <ClCompile Include="Anti Debug\SetHandleInformation_API.cpp" />
     <ClCompile Include="Anti Debug\SoftwareBreakpoints.cpp" />
+    <ClCompile Include="Anti Debug\TLS_callbacks.cpp" />
     <ClCompile Include="Anti Debug\UnhandledExceptionFilter_Handler.cpp" />
     <ClCompile Include="Anti Dump\ErasePEHeaderFromMemory.cpp" />
     <ClCompile Include="Anti Dump\SizeOfImage.cpp" />
@@ -231,6 +232,7 @@
     <ClInclude Include="Anti Debug\SeDebugPrivilege.h" />
     <ClInclude Include="Anti Debug\SetHandleInformation_API.h" />
     <ClInclude Include="Anti Debug\SoftwareBreakpoints.h" />
+    <ClInclude Include="Anti Debug\TLS_callbacks.h" />
     <ClInclude Include="Anti Debug\UnhandledExceptionFilter_Handler.h" />
     <ClInclude Include="Anti Dump\ErasePEHeaderFromMemory.h" />
     <ClInclude Include="Anti Dump\SizeOfImage.h" />

diff --git a/al-khaser/al-khaser.vcxproj.filters b/al-khaser/al-khaser.vcxproj.filters
@@ -210,6 +210,9 @@
     <ClCompile Include="Shared\log.cpp">
       <Filter>Shared\Source</Filter>
     </ClCompile>
+    <ClCompile Include="Anti Debug\TLS_callbacks.cpp">
+      <Filter>Anti Debug\Source</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Shared\VersionHelpers.h">
@@ -356,6 +359,9 @@
     <ClInclude Include="Shared\log.h">
       <Filter>Shared\Header</Filter>
     </ClInclude>
+    <ClInclude Include="Anti Debug\TLS_callbacks.h">
+      <Filter>Anti Debug\Header</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="Anti Debug\int2d_x64.asm">