Blackbone
Help with crash when trying to manage static TLS
I'm trying to improve your manual static TLS, and from the PE format on Microsoft: "The loader assigns the value of the TLS index to the place that was indicated by the Address of Index field." And in the description of the TLS directory structure: "Address of Index: The location to receive the TLS index, which the loader assigns. This location is in an ordinary data section, so it can be given a symbolic name that is accessible to the program"
So what I understood is: I should make a TLS index and store the data in it, then write this index to the address of index in the TLS directory (IMAGE_TLS_DIRECTORY.AddressOfIndex), so the loaded DLL will try to retrieve an index from this address, will get the index I made, and then get the data stored in the index.
There is another thing: your method in Blackbone works only for the thread that DllMain would start execution in. I think I can resolve this by using TlsAlloc. In its description on the Microsoft site: "Allocates a thread local storage (TLS) index. Any thread of the process can subsequently use this index to store and retrieve values that are local to the thread, because each thread receives its own slot for the index."
Finally, this is what I wrote:
```cpp
uintptr_t sizeOfTlData = tlsdir->EndAddressOfRawData - tlsdir->StartAddressOfRawData;
unsigned char *tls_buffer = (unsigned char*)VirtualAlloc(0, sizeOfTlData, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(tls_buffer, &tlsdir->StartAddressOfRawData, sizeOfTlData);
dwIndex = TlsAlloc(); // get an index that the dll will use
TlsSetValue(dwIndex, tls_buffer); // write the tls raw data in the index
cout << "got a tls index with value " << dwIndex << endl;
*(DWORD*)(tlsdir->AddressOfIndex) = dwIndex; // the loaded dll will retrieve the index from this address
```
But when I call DllMain I immediately get an access violation at 0x0000000000000004.
@DarthTon
tlsdir->AddressOfIndex is a static TLS index. You are confusing it with the dynamic one. The static index serves as an offset into TEB::ThreadLocalStoragePointer.
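
A simplified C model of the static TLS lookup described in the reply above, added here as an example; it is not code from Blackbone or from either poster. The struct layouts, the names `tls_dir_model`, `teb_model`, `init_thread_block`, `resolve_tls_var` and `demo_value`, and the sample values are assumptions made for illustration. It shows that the value at AddressOfIndex selects a slot in a per-thread pointer array, and that a thread whose slot was never populated cannot resolve the variable.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified models (assumptions), not the real IMAGE_TLS_DIRECTORY / TEB layouts. */
typedef struct {
    const uint8_t *start_raw;  /* StartAddressOfRawData: initialised TLS template */
    const uint8_t *end_raw;    /* EndAddressOfRawData */
    uint32_t *index_addr;      /* AddressOfIndex: where the static index is published */
    uint32_t zero_fill;        /* SizeOfZeroFill */
} tls_dir_model;

typedef struct {
    void **tls_pointer;        /* models TEB::ThreadLocalStoragePointer */
    uint32_t slots;            /* entries in that array (model only) */
} teb_model;

/* Per-thread step: give this thread a private copy of the template in its slot. */
static int init_thread_block(teb_model *teb, const tls_dir_model *d) {
    size_t raw = (size_t)(d->end_raw - d->start_raw);
    if (!teb->tls_pointer || *d->index_addr >= teb->slots) return -1;
    uint8_t *block = calloc(1, raw + d->zero_fill);
    if (!block) return -1;
    memcpy(block, d->start_raw, raw);   /* copy the data the pointer refers to */
    teb->tls_pointer[*d->index_addr] = block;
    return 0;
}

/* Access path for a static TLS variable: array[index] + offset.
   Returns NULL where real code would dereference a bad pointer and fault. */
static uint8_t *resolve_tls_var(const teb_model *teb, const tls_dir_model *d, size_t off) {
    if (!teb->tls_pointer || *d->index_addr >= teb->slots) return NULL;
    uint8_t *block = teb->tls_pointer[*d->index_addr];
    return block ? block + off : NULL;
}

/* Constructed sample: 4-byte template, static index 3, one thread with 8 slots.
   Returns the byte at offset 2 as that thread sees it, or -1 if unresolved. */
int demo_value(int thread_initialised) {
    static const uint8_t tmpl[4] = {0x11, 0x22, 0x33, 0x44};
    uint32_t index = 3;                 /* value a loader would assign */
    tls_dir_model d = {tmpl, tmpl + 4, &index, 4};
    void *array[8] = {0};
    teb_model teb = {array, 8};
    if (thread_initialised && init_thread_block(&teb, &d) != 0) return -1;
    uint8_t *p = resolve_tls_var(&teb, &d, 2);
    int v = p ? *p : -1;
    free(array[index]);
    return v;
}
```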