Repository layout:

```
.
├── IsDebuggerPresentAPI
│   ├── IsDebuggerPresent.h
│   ├── IsDebuggerPresentAPI.cpp
│   ├── IsDebuggerPresentAPI.vcxproj
│   ├── IsDebuggerPresentAPI.vcxproj.filters
│   ├── IsDebuggerPresentAPI.vcxproj.user
│   └── README.md
├── LICENSE
├── NtGlobalFlag
│   ├── NtGlobalFlag.sln
│   ├── NtGlobalFlag
│   │   ├── AntiDBG.asm
│   │   ├── NtGlobalFlag.cpp
│   │   ├── NtGlobalFlag.vcxproj
│   │   ├── NtGlobalFlag.vcxproj.filters
│   │   ├── antidebug.h
│   │   └── main.cpp
│   └── README.md
├── README.md
└── TLS_callbacks
    ├── TLS_callbacks.sln
    └── TLS_callbacks
        ├── TLS_callback.h
        ├── TLS_callbacks.cpp
        ├── TLS_callbacks.vcxproj
        ├── TLS_callbacks.vcxproj.filters
        └── TLS_callbacks.vcxproj.user
```

/IsDebuggerPresentAPI/IsDebuggerPresent.h:
--------------------------------------------------------------------------------
```cpp
#pragma once
#include <windows.h>   // BOOL

BOOL IsDebuggerPresentAPI();
```
--------------------------------------------------------------------------------
/IsDebuggerPresentAPI/IsDebuggerPresentAPI.cpp:
--------------------------------------------------------------------------------
```cpp
// IsDebuggerPresentAPI.cpp : This file contains the 'main' function. Program execution begins and ends there.
//

// The header names were lost in extraction; these are the headers the code needs
// (IsDebuggerPresent/ExitProcess from windows.h, printf from stdio.h).
#include <windows.h>
#include <stdio.h>
#include "IsDebuggerPresent.h"

BOOL
IsDebuggerPresentAPI(
    VOID
    )
/*++

Routine Description:

    Calls the IsDebuggerPresent() API. This function is part of the
    Win32 Debugging API and it returns TRUE if a user mode debugger
    is present. Internally, it simply returns the value of the
    PEB->BeingDebugged flag.

Arguments:

    None

Return Value:

    TRUE - if debugger was detected
    FALSE - otherwise
--*/
{
    return IsDebuggerPresent();
}

int main() {
    if (IsDebuggerPresent()) {   // a debugger is attached: exit before doing anything
        ExitProcess(0);
    }
    else {
        printf("Do some evil things !");
    }
}
```
--------------------------------------------------------------------------------
/IsDebuggerPresentAPI/IsDebuggerPresentAPI.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only the values survive. Recoverable settings: configurations Debug|Win32, Release|Win32, Debug|x64, Release|x64; project version 16.0; keyword Win32Proj; project GUID {9435259f-2729-4d5b-8391-a9b0db31d1c7}; root namespace IsDebuggerPresentAPI; Windows target platform 10.0; configuration type Application; platform toolset v142; character set Unicode; warning level Level3; subsystem Console; preprocessor definitions WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) (Debug|Win32), WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) (Release|Win32), _DEBUG;_CONSOLE;%(PreprocessorDefinitions) (Debug|x64) and NDEBUG;_CONSOLE;%(PreprocessorDefinitions) (Release|x64).]
--------------------------------------------------------------------------------
/IsDebuggerPresentAPI/IsDebuggerPresentAPI.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filters file; XML tags lost in extraction. It defines the standard Source Files filter ({4FC737F1-C7A5-4376-A066-2A32D752A2FF}; cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx), Header Files filter ({93995380-89BD-4b04-88EB-625FBE52EBFB}; h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd) and Resource Files filter ({67DA6AB6-F800-4c08-8B7A-83BB121AAD01}; rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms), and assigns one file to Source Files and one to Header Files.]
--------------------------------------------------------------------------------
/IsDebuggerPresentAPI/IsDebuggerPresentAPI.vcxproj.user:
--------------------------------------------------------------------------------
[Empty per-user project settings file; XML tags lost in extraction.]
--------------------------------------------------------------------------------
/IsDebuggerPresentAPI/README.md:
--------------------------------------------------------------------------------
### Complexity Low


# Description

One of the most widely used anti-debugging techniques is the IsDebuggerPresent() check; malware developers use this simple API call so often because it is relatively easy to use.

The function kernel32!IsDebuggerPresent() determines whether the current process is being debugged by a user-mode debugger such as x64dbg. Generally, the function only checks the BeingDebugged flag of the Process Environment Block (PEB); if the BeingDebugged flag is true, the malware exits without executing any of its malicious functions.

**Example of Assembly Code**

![1](https://user-images.githubusercontent.com/42712921/183047524-b90d3331-7f3a-4409-b183-d5716971c9df.PNG)


![2](https://user-images.githubusercontent.com/42712921/183048001-122e005e-0d4c-4142-a582-337d54d0b5c7.png)


# Reversing Technique (Tips & Tricks)

To reverse engineer this example, we write a dummy application to understand the anti-debugging technique itself and to give malware analysts tips on how to defeat it.

Examining the compiled dummy application in IDA Pro shows the basic usage of the IsDebuggerPresent() API. The assembly reads: if this application is being debugged, go to the ExitProcess function; otherwise, do some evil things.

![6](https://user-images.githubusercontent.com/42712921/183048940-1fe8a3a4-b9db-45e1-832e-3dc0992c0ed4.PNG)

So the question is how to evade that anti-debug check and continue execution. After setting a breakpoint on the IsDebuggerPresent() API, we can step through and examine the RAX register in the debugger; we can clearly see that it holds a boolean value of 1 (True).

![7](https://user-images.githubusercontent.com/42712921/183051053-b03b1adf-a85f-4df1-83bc-5cf0f262e01e.PNG)

Remember, kernel32!IsDebuggerPresent() only reads the BeingDebugged flag inside the PEB structure, and that flag is a boolean (true or false). If we set RAX to 0, we easily evade this anti-debugging check.


![9](https://user-images.githubusercontent.com/42712921/183051132-f1b998f3-b4f3-4c3a-aeb9-6e65e33e29ea.PNG)

After setting RAX to 0, we can continue executing the code.



https://user-images.githubusercontent.com/42712921/183051452-28811640-6a72-4e75-96de-f7213d7a030e.mp4


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Arda Büyükkaya

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag.sln:
--------------------------------------------------------------------------------
```
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.2.32630.192
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NtGlobalFlag", "NtGlobalFlag\NtGlobalFlag.vcxproj", "{11C98684-F94A-410D-B83C-97677683135D}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{11C98684-F94A-410D-B83C-97677683135D}.Debug|x64.ActiveCfg = Debug|x64
		{11C98684-F94A-410D-B83C-97677683135D}.Debug|x64.Build.0 = Debug|x64
		{11C98684-F94A-410D-B83C-97677683135D}.Debug|x86.ActiveCfg = Debug|Win32
		{11C98684-F94A-410D-B83C-97677683135D}.Debug|x86.Build.0 = Debug|Win32
		{11C98684-F94A-410D-B83C-97677683135D}.Release|x64.ActiveCfg = Release|x64
		{11C98684-F94A-410D-B83C-97677683135D}.Release|x64.Build.0 = Release|x64
		{11C98684-F94A-410D-B83C-97677683135D}.Release|x86.ActiveCfg = Release|Win32
		{11C98684-F94A-410D-B83C-97677683135D}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {5DF7AA72-A666-4AF4-AA70-4848F8C9DE4D}
	EndGlobalSection
EndGlobal
```
--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag/AntiDBG.asm:
--------------------------------------------------------------------------------
```asm
_TEXT SEGMENT

; The PUBLIC modifier will make your function visible and callable outside this module

PUBLIC NtGlobalFlagx64


NtGlobalFlagx64 PROC
    xor rax, rax            ; clear rax
    mov rax, gs:[60h]       ; TEB+0x60 holds the address of the PEB
    mov rax, [rax + 0BCh]   ; PEB+0xBC is NtGlobalFlag (the AND below discards the upper bytes of the 64-bit load)
    and rax, 70h            ; keep only the three heap flags set when a process is created under a debugger
    ret                     ; return the flag value in 'rax', which the caller stores in 'found'
NtGlobalFlagx64 ENDP


_TEXT ENDS

END
```
--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag/NtGlobalFlag.cpp:
--------------------------------------------------------------------------------
```cpp
// The header names were lost in extraction; windows.h (MessageBoxA) and stdio.h (printf) are what this file needs.
#include <windows.h>
#include <stdio.h>
#include "antidebug.h"

#define SHOW_DEBUG_MESSAGES

void DBG_MSG(WORD dbg_code, const char* message)
{
#ifdef SHOW_DEBUG_MESSAGES
    printf("[MSG-0x%X]: %s\n", dbg_code, message);
    MessageBoxA(NULL, message, "GAME OVER!", 0);
#endif
}


/*
 * Want to inspect the value of something in the PEB? Launch WinDBG,
 * attach to, or launch a process and run this command:
 * dt ntdll!_PEB @$peb -r
 * Want more info on NtGlobalFlag? See these resources:
 * https://www.aldeid.com/wiki/PEB-Process-Environment-Block/NtGlobalFlag
 * https://www.geoffchappell.com/studies/windows/win32/ntdll/api/rtl/regutil/getntglobalflags.htm
 */
void NtGlobalFlag(void)
{
    BOOL found = FALSE;

#ifdef _WIN64
    found = NtGlobalFlagx64();   // MSVC has no inline asm on x64, so the check lives in AntiDBG.asm
#else
    _asm
    {
        xor eax, eax;           // clear eax
        mov eax, fs:[0x30];     // TEB+0x30 holds the address of the PEB
        mov eax, [eax + 0x68];  // PEB+0x68 is NtGlobalFlag
        and eax, 0x00000070;    // check three flags:
                                // FLG_HEAP_ENABLE_TAIL_CHECK   (0x10)
                                // FLG_HEAP_ENABLE_FREE_CHECK   (0x20)
                                // FLG_HEAP_VALIDATE_PARAMETERS (0x40)
        mov found, eax;         // copy result into 'found'
    }
#endif

    if (found)
    {
        DBG_MSG(DBG_NTGLOBALFLAGPEB, "Caught by NtGlobalFlag check!");
        exit(DBG_NTGLOBALFLAGPEB);
    }
}
```
--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag/NtGlobalFlag.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only the values survive. Recoverable settings: configurations Debug|Win32, Release|Win32, Debug|x64, Release|x64; project version 16.0; keyword Win32Proj; project GUID {11c98684-f94a-410d-b83c-97677683135d}; root namespace NtGlobalFlag; Windows target platform 10.0; configuration type Application; platform toolset v143; character set Unicode; warning level Level3; subsystem Console; preprocessor definitions WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) (Debug|Win32), WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) (Release|Win32), _DEBUG;_CONSOLE;%(PreprocessorDefinitions) (Debug|x64) and NDEBUG;_CONSOLE;%(PreprocessorDefinitions) (Release|x64). AntiDBG.asm is listed as a build item of type "Document" (the item's element name is lost).]
--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag/NtGlobalFlag.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filters file; XML tags lost in extraction. It defines the standard Source Files ({4FC737F1-C7A5-4376-A066-2A32D752A2FF}), Header Files ({93995380-89BD-4b04-88EB-625FBE52EBFB}) and Resource Files ({67DA6AB6-F800-4c08-8B7A-83BB121AAD01}) filters with their usual extension lists, and assigns two files to Source Files and two to Header Files.]
--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag/antidebug.h:
--------------------------------------------------------------------------------
```cpp
#pragma once
// The five original #include lines lost their header names in extraction;
// these three are what the sources need (MessageBoxA/WORD, printf, exit).
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
// Error Codes
enum DBG_CATCH
{
    DBG_NONE = 0x0000,

    // Memory Codes (0x1000 range)
    DBG_BEINGEBUGGEDPEB = 0x1000,
    DBG_CHECKREMOTEDEBUGGERPRESENT = 0x1001,
    DBG_ISDEBUGGERPRESENT = 0x1002,
    DBG_NTGLOBALFLAGPEB = 0x1003,
    DBG_NTQUERYINFORMATIONPROCESS = 0x1004,
    DBG_FINDWINDOW = 0x1005,
    DBG_OUTPUTDEBUGSTRING = 0x1006,
    DBG_NTSETINFORMATIONTHREAD = 0x1007,
    DBG_DEBUGACTIVEPROCESS = 0x1008,
    DBG_PROCESSFILENAME = 0x1009,

    // CPU Codes (0x2000 range)
    DBG_HARDWAREDEBUGREGISTERS = 0x2000,
    DBG_MOVSS = 0x2001,

    // Timing Codes (0x3000 range)
    DBG_RDTSC = 0x3000,
    DBG_QUERYPERFORMANCECOUNTER = 0x3001,
    DBG_GETTICKCOUNT = 0x3002,

    // Exception Codes (0x4000 range)
    DBG_CLOSEHANDLEEXCEPTION = 0x4000,
    DBG_SINGLESTEPEXCEPTION = 0x4001,
    DBG_INT3CC = 0x4002,
    DBG_PREFIXHOP = 0x4003,
};

// Debugging messages (const char* matches the definition in NtGlobalFlag.cpp;
// the original char* declaration would have been a separate, undefined overload)
void DBG_MSG(WORD dbg_code, const char* message);


#ifdef _WIN64
extern "C"
{
    int NtGlobalFlagx64(void);   // implemented in AntiDBG.asm
};
#endif

// Memory

void NtGlobalFlag(void);
```
--------------------------------------------------------------------------------
/NtGlobalFlag/NtGlobalFlag/main.cpp:
--------------------------------------------------------------------------------
```cpp
#include "antidebug.h"

int main(int argc, char* argv[])
{

    NtGlobalFlag();   // exits the process if the heap debug flags are set

    MessageBoxA(NULL, "Congratulations! You made it!", "You Win!", 0);

    return 0;
}
```
--------------------------------------------------------------------------------
/NtGlobalFlag/README.md:
--------------------------------------------------------------------------------
### Complexity Low

# Description

NtGlobalFlag is a technique similar to IsDebuggerPresent, because both read values from the PEB structure to detect whether the software is being debugged. NtGlobalFlag is also located in the PEB structure; when the process is being debugged, NtGlobalFlag is set to 0x70.

The picture below, from WinDbg, shows the PEB structure while the software is being debugged:

![2](https://user-images.githubusercontent.com/42712921/184474254-a11ad572-9a06-4b98-82a7-9ab74074a5f7.PNG)

We developed our software to show an error message and then exit whenever NtGlobalFlag equals 0x70:

![1](https://user-images.githubusercontent.com/42712921/184474306-7daf0fd9-d19f-4190-b035-0f64a641e1b5.PNG)

## Reversing Technique (Tips & Tricks)

To evade this anti-debugging technique we can use a tactic similar to the IsDebuggerPresent one, or we can hide our PEB structure while debugging in x64dbg. I will show both.

Null the RAX register:

After setting a breakpoint at the return (ret) of the anti-debugging function, we step over to the ret and change the RAX value to 0. This evades the anti-debugging technique in the same way as the IsDebuggerPresent one.


![RAX](https://user-images.githubusercontent.com/42712921/184475907-d5a027dd-8493-4bba-952a-04e5825fbef7.PNG)

Change the value of the RAX register (x64):

![NULL](https://user-images.githubusercontent.com/42712921/184475892-90fb5583-7972-40a9-90d7-1004327ac3b1.PNG)

After execution we can see that it beat the anti-debugging check:


![wİN](https://user-images.githubusercontent.com/42712921/184475933-c59c7c58-5857-437c-8cd9-04ac11a1b573.PNG)


We can also automate this process with a great x64dbg feature that hides our PEB structure, which means the debugged software no longer reads debugger-related data from the PEB:
![Animation](https://user-images.githubusercontent.com/42712921/184476023-46a9bec2-8eb5-4f97-b4b1-9b0d4107686b.gif)


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Antidebug
Defeating Anti-Debugging Techniques for Malware Analysis
--------------------------------------------------------------------------------
/TLS_callbacks/TLS_callbacks.sln:
--------------------------------------------------------------------------------
```
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.2.32630.192
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TLS_callbacks", "TLS_callbacks\TLS_callbacks.vcxproj", "{7B379FB2-975F-4E69-A87D-3410BE7425F6}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Debug|x64.ActiveCfg = Debug|x64
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Debug|x64.Build.0 = Debug|x64
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Debug|x86.ActiveCfg = Debug|Win32
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Debug|x86.Build.0 = Debug|Win32
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Release|x64.ActiveCfg = Release|x64
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Release|x64.Build.0 = Release|x64
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Release|x86.ActiveCfg = Release|Win32
		{7B379FB2-975F-4E69-A87D-3410BE7425F6}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {5764D74F-7576-45AE-99A4-4CF5FBEB02A8}
	EndGlobalSection
EndGlobal
```
--------------------------------------------------------------------------------
/TLS_callbacks/TLS_callbacks/TLS_callback.h:
--------------------------------------------------------------------------------
```cpp
#pragma once
#include <windows.h>   // HANDLE, UINT32, VOID, WINAPI (the original header had no include of its own)

static volatile HANDLE tls_callback_thread_event = 0;
static volatile HANDLE tls_callback_process_event = 0;
static volatile UINT32 tls_callback_thread_data = 0;
static volatile UINT32 tls_callback_process_data = 0;

VOID WINAPI tls_callback(PVOID hModule, DWORD dwReason, PVOID pContext);
BOOL TLSCallbackThread();
BOOL TLSCallbackProcess();
```
--------------------------------------------------------------------------------
/TLS_callbacks/TLS_callbacks/TLS_callbacks.cpp:
--------------------------------------------------------------------------------
```cpp
#include "windows.h"
#include <stdio.h>   // header name lost in extraction; printf needs it

void NTAPI __stdcall TLSCallbacks(PVOID DllHandle, DWORD dwReason, PVOID Reserved);
//linker spec: force the linker to keep the TLS directory and our callback pointer
#ifdef _M_IX86
#pragma comment (linker, "/INCLUDE:__tls_used")
#pragma comment (linker, "/INCLUDE:__tls_callback")
#else
#pragma comment (linker, "/INCLUDE:_tls_used")
#pragma comment (linker, "/INCLUDE:_tls_callback")
#endif
EXTERN_C
#ifdef _M_X64
#pragma const_seg (".CRT$XLB")
const
#else
#pragma data_seg (".CRT$XLB")
#endif
//end linker

//tls import: the pointer placed in .CRT$XLB ends up in the PE TLS callback table
PIMAGE_TLS_CALLBACK _tls_callback = TLSCallbacks;
#pragma data_seg ()
#pragma const_seg ()
//end
// tls declaration: the loader runs this before main() is ever reached
void NTAPI __stdcall TLSCallbacks(PVOID DllHandle, DWORD dwReason, PVOID Reserved)
{
    MessageBox(nullptr, L"TLS Callback before main", L"Hello Debugger", 0);
    ExitProcess(0);
}

// end declaration

int main(int argc, char* argv[])
{
    printf("Main Function is never executed");
}
```
--------------------------------------------------------------------------------
/TLS_callbacks/TLS_callbacks/TLS_callbacks.vcxproj:
--------------------------------------------------------------------------------
[MSBuild project file; the XML element tags were lost in extraction and only the values survive. Recoverable settings: configurations Debug|Win32, Release|Win32, Debug|x64, Release|x64; project version 16.0; keyword Win32Proj; project GUID {7b379fb2-975f-4e69-a87d-3410be7425f6}; root namespace TLScallbacks; Windows target platform 10.0; configuration type Application; platform toolset v143; character set Unicode; warning level Level3; language standard stdcpp17; precompiled header NotUsing; subsystem Console; preprocessor definitions WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) (Debug|Win32), WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) (Release|Win32), _DEBUG;_CONSOLE;%(PreprocessorDefinitions) (Debug|x64) and NDEBUG;_CONSOLE;%(PreprocessorDefinitions) (Release|x64).]
--------------------------------------------------------------------------------
/TLS_callbacks/TLS_callbacks/TLS_callbacks.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filters file; XML tags lost in extraction. It defines the standard Source Files ({4FC737F1-C7A5-4376-A066-2A32D752A2FF}), Header Files ({93995380-89BD-4b04-88EB-625FBE52EBFB}) and Resource Files ({67DA6AB6-F800-4c08-8B7A-83BB121AAD01}) filters with their usual extension lists, and assigns one file to Source Files.]
--------------------------------------------------------------------------------
/TLS_callbacks/TLS_callbacks/TLS_callbacks.vcxproj.user:
--------------------------------------------------------------------------------
[Empty per-user project settings file; XML tags lost in extraction.]
--------------------------------------------------------------------------------
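The IsDebuggerPresentAPI sample exits when kernel32!IsDebuggerPresent() returns TRUE, and the TLS_callbacks sample runs its check from a TLS callback before main() is reached. Both leave a static footprint in the PE that an analyst can read before the first breakpoint: an import of IsDebuggerPresent in the import table, and a TLS directory whose AddressOfCallBacks list is non-empty. The triage script below is an added example and is not part of this repository; it parses those two structures with only the Python standard library. The image it scans is constructed in memory (not a real binary), and the image base, section layout, callback address and the list of watched API names are assumptions made for the example.

```python
import struct

# Layout of the constructed sample image (assumed values, not taken from the repo)
IMAGE_BASE = 0x140000000   # typical image base of a 64-bit EXE
SECT_RVA = 0x1000          # RVA of the single section
SECT_RAW = 0x200           # file offset of that section
SECT_SIZE = 0x200

# Debugger-detection imports worth flagging during triage (all real Win32/NT APIs)
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess",
                   "NtSetInformationThread", "OutputDebugStringA", "OutputDebugStringW"}


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")


def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def scan_pe(data):
    """Return imports, TLS callbacks and anti-debug indicators of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24                                                  # optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B         # PE32+ magic
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if is64
                  else struct.unpack_from("<I", data, opt + 28)[0])
    dd = opt + (112 if is64 else 96)                               # data directories
    imp_rva = struct.unpack_from("<I", data, dd + 1 * 8)[0]        # IMPORT = entry 1
    tls_rva = struct.unpack_from("<I", data, dd + 9 * 8)[0]        # TLS = entry 9
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw, rsize))
    ptr_fmt, ptr_len = ("<Q", 8) if is64 else ("<I", 4)
    ord_flag = 1 << (ptr_len * 8 - 1)

    imports = []
    if imp_rva:
        desc = rva_to_offset(imp_rva, sections)
        while True:   # IMAGE_IMPORT_DESCRIPTOR entries, terminated by an all-zero one
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0 and ft == 0:
                break
            dll = cstr(data, rva_to_offset(name_rva, sections))
            thunk = rva_to_offset(oft or ft, sections)
            while (entry := struct.unpack_from(ptr_fmt, data, thunk)[0]) != 0:
                if entry & ord_flag:
                    imports.append((dll, f"#{entry & 0xFFFF}"))                   # by ordinal
                else:
                    imports.append((dll, cstr(data, rva_to_offset(entry, sections) + 2)))  # skip hint
                thunk += ptr_len
            desc += 20

    callbacks = []
    if tls_rva:
        tls = rva_to_offset(tls_rva, sections)
        cb_va = struct.unpack_from(ptr_fmt, data, tls + 3 * ptr_len)[0]   # AddressOfCallBacks is a VA
        if cb_va:
            p = rva_to_offset(cb_va - image_base, sections)
            while (cb := struct.unpack_from(ptr_fmt, data, p)[0]) != 0:
                callbacks.append(cb)
                p += ptr_len

    indicators = [f"imports {dll}!{fn}" for dll, fn in imports if fn in ANTI_DEBUG_APIS]
    if callbacks:
        indicators.append(f"{len(callbacks)} TLS callback(s) run before the entry point: "
                          + ", ".join(f"{c:#x}" for c in callbacks))
    return {"is64": is64, "imports": imports, "tls_callbacks": callbacks, "indicators": indicators}


def build_sample_pe():
    """Constructed PE32+ image (not a real binary): one section holding an import of
    KERNEL32.dll!IsDebuggerPresent and a TLS directory with one callback."""
    sect = bytearray(SECT_SIZE)
    IMP_DESC, DLL_NAME, HINT_NAME, THUNKS, TLS_DIR, CALLBACKS = 0x00, 0x30, 0x40, 0x60, 0x80, 0xA8
    struct.pack_into("<IIIII", sect, IMP_DESC, SECT_RVA + THUNKS, 0, 0, SECT_RVA + DLL_NAME, SECT_RVA + THUNKS)
    sect[DLL_NAME:DLL_NAME + 13] = b"KERNEL32.dll\0"
    sect[HINT_NAME:HINT_NAME + 20] = b"\0\0IsDebuggerPresent\0"          # 2-byte hint + name
    struct.pack_into("<Q", sect, THUNKS, SECT_RVA + HINT_NAME)            # following qword stays 0
    callback_va = IMAGE_BASE + SECT_RVA + 0x100                           # hypothetical callback address
    struct.pack_into("<QQQQII", sect, TLS_DIR, 0, 0, IMAGE_BASE + SECT_RVA + 0xF0,
                     IMAGE_BASE + SECT_RVA + CALLBACKS, 0, 0)
    struct.pack_into("<Q", sect, CALLBACKS, callback_va)

    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)     # AMD64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, IMAGE_BASE)
    struct.pack_into("<II", opt, 112 + 1 * 8, SECT_RVA + IMP_DESC, 40)
    struct.pack_into("<II", opt, 112 + 9 * 8, SECT_RVA + TLS_DIR, 40)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", SECT_SIZE, SECT_RVA,
                          SECT_SIZE, SECT_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + file_hdr + opt + sec_hdr
    return bytes(hdr) + bytes(SECT_RAW - len(hdr)) + bytes(sect)


if __name__ == "__main__":
    for line in scan_pe(build_sample_pe())["indicators"]:
        print(line)
```

To run it against a real sample, replace `build_sample_pe()` with `open(path, "rb").read()`. The indicator list tells the analyst before the first breakpoint that a TLS callback will run ahead of main (x64dbg can be configured to break on TLS callbacks) and which debugger-detection APIs the binary imports. Imports resolved at run time through GetProcAddress and direct PEB reads such as the NtGlobalFlag sample's `gs:[60h]` access never appear in the import table, so an empty indicator list is not evidence that a sample is free of anti-debugging checks.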