Anti-debugging via TLS callback functions

Below is the definition of the TLS data structure:

typedef struct _IMAGE_TLS_DIRECTORY
{
    DWORD StartAddressOfRawData;
    DWORD EndAddressOfRawData;
    DWORD AddressOfIndex;
    DWORD AddressOfCallBacks;  // PIMAGE_TLS_CALLBACK*
    DWORD SizeOfZeroFill;
    DWORD Characteristics;
} IMAGE_TLS_DIRECTORY;

AddressOfCallBacks points to an array, which means there can be more than one TLS callback function. A TLS callback is a function that is called automatically whenever a thread of the process is created or terminated.

The main thread created when the process starts also invokes the callbacks automatically, and they execute before the EP (entry point) code. This property of TLS callbacks is exactly what the anti-debugging technique exploits.

The callback function is defined as follows:

typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK)(
    PVOID DllHandle,
    DWORD Reason,  // DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH
    PVOID Reserved
);

Before the process calls main, the registered TLS callbacks are invoked with Reason set to DLL_PROCESS_ATTACH.

After that, creating a thread, ending a thread and ending the process each invoke the TLS callbacks again; over the lifetime of the process the TLS callback is called 4 times.

 

#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>

// Make the linker emit the TLS directory (x86 symbol name; on x64 it is _tls_used).
#pragma comment(linker, "/INCLUDE:__tls_used")

// TLS callback: runs before main and reads PEB.BeingDebugged via fs:[0x30] (x86 only).
VOID NTAPI TLS_CALLBACK(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
    DWORD Flag;
    __asm {
        mov eax, fs:[0x30]                  // TEB -> PEB
        movzx eax, BYTE PTR DS:[eax+2]      // PEB.BeingDebugged
        mov Flag, eax
    }
    if (Flag == 1)
    {
        MessageBox(NULL, L"Error", L"Error", 1);
        ULONG nProcessID = 0;
        HWND hFindWindow = FindWindow(NULL, L"OLLYDBG");
        ::GetWindowThreadProcessId(hFindWindow, &nProcessID);
        HANDLE hProcessHandle = ::OpenProcess(PROCESS_TERMINATE, FALSE, nProcessID);
        TerminateProcess(hProcessHandle, 4);
        ExitProcess(0);
    }
    else
    {
        MessageBox(NULL, L"OK", L"OK", 1);
    }
}

// Register the callback in the .CRT$XLX section; the array must end with a null entry.
#pragma data_seg(".CRT$XLX")
PIMAGE_TLS_CALLBACK pTLS_CALLBACKs[] = { (PIMAGE_TLS_CALLBACK)TLS_CALLBACK, 0 };
#pragma data_seg()

int _tmain(int argc, _TCHAR* argv[])
{
    MessageBox(NULL, L"HelloWorld", L"Exit", 1);
    return 0;
}

This is how a TLS callback is used to detect whether the process is running under a debugger.
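As an added example, not code from the original post, the following Python walks the structure defined above the way an analyst triages a sample before stepping to EP: it decodes a 32-bit IMAGE_TLS_DIRECTORY from an image mapped in memory and lists the callback addresses that will run before the entry point. It assumes a flat mapping (RVA equals offset into the buffer) and that the TLS directory RVA was already taken from the data directory; the image bytes are constructed, not a real binary.

```python
import struct

# IMAGE_TLS_DIRECTORY for a 32-bit image, as laid out above: six DWORDs, 24 bytes.
TLS_DIR_FMT = "<6I"
TLS_DIR_SIZE = struct.calcsize(TLS_DIR_FMT)
TLS_DIR_FIELDS = ("StartAddressOfRawData", "EndAddressOfRawData", "AddressOfIndex",
                  "AddressOfCallBacks", "SizeOfZeroFill", "Characteristics")


def parse_tls_directory(image, tls_rva):
    """Decode the IMAGE_TLS_DIRECTORY found at tls_rva of a mapped image."""
    raw = bytes(image[tls_rva:tls_rva + TLS_DIR_SIZE])
    if len(raw) != TLS_DIR_SIZE:
        raise ValueError("TLS directory runs past the end of the image")
    return dict(zip(TLS_DIR_FIELDS, struct.unpack(TLS_DIR_FMT, raw)))


def enumerate_tls_callbacks(image, tls_rva, image_base, max_callbacks=64):
    """Return the VAs in the null-terminated PIMAGE_TLS_CALLBACK array.
    AddressOfCallBacks is a VA, not an RVA, so it is rebased with image_base;
    every VA returned is code that executes before the entry point."""
    array_va = parse_tls_directory(image, tls_rva)["AddressOfCallBacks"]
    if array_va == 0:
        return []
    offset = array_va - image_base
    if not 0 <= offset < len(image):
        raise ValueError("AddressOfCallBacks points outside the image")
    callbacks = []
    for i in range(max_callbacks):
        entry = bytes(image[offset + 4 * i:offset + 4 * i + 4])
        if len(entry) < 4:
            raise ValueError("callback array is not null-terminated inside the image")
        va = struct.unpack("<I", entry)[0]
        if va == 0:  # terminating null entry
            break
        callbacks.append(va)
    return callbacks


# Constructed sample (not a real binary): a 0x2000-byte image mapped at 0x400000 with
# the TLS directory at RVA 0x1000 and two callbacks plus the null terminator at RVA 0x1100.
IMAGE_BASE = 0x400000
SAMPLE_IMAGE = bytearray(0x2000)
SAMPLE_IMAGE[0x1000:0x1000 + TLS_DIR_SIZE] = struct.pack(
    TLS_DIR_FMT, 0x403000, 0x403010, 0x403020, IMAGE_BASE + 0x1100, 0, 0)
SAMPLE_IMAGE[0x1100:0x110C] = struct.pack("<3I", 0x401234, 0x405678, 0)
```

Calling enumerate_tls_callbacks(SAMPLE_IMAGE, 0x1000, IMAGE_BASE) yields the two callback VAs, which is where a breakpoint belongs when the directory is non-empty.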
