我有一个在单独的 DLL 中实现的 TLS 回调,我想在线程附加(DLL_THREAD_ATTACH)时获取该线程的入口信息,例如入口点、参数等。
/// TLS callback registered through the .CRT$XLB entry in this file.
/// Only the DLL_THREAD_ATTACH notification is of interest; every other
/// reason is ignored. `dll` and `reserved` are not used.
void NTAPI on_tls_callback(LPVOID dll, DWORD reason, LPVOID reserved)
{
    // Guard clause: nothing to do unless a thread is attaching.
    if (reason != DLL_THREAD_ATTACH)
    {
        return;
    }

    // obtain thread info
}
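// Register on_tls_callback in the image's TLS callback array.
// /INCLUDE keeps the TLS directory (_tls_used) and the callback pointer in
// the image even though no code references them. The linker needs the
// decorated symbol name: 32-bit x86 prefixes C symbols with an underscore,
// other targets (x64, ARM64) do not, so the original x86-only spelling
// fails to link there.
#ifdef _M_IX86
#pragma comment (linker, "/INCLUDE:__tls_used")
#pragma comment (linker, "/INCLUDE:__xl_b")
#else
#pragma comment (linker, "/INCLUDE:_tls_used")
#pragma comment (linker, "/INCLUDE:_xl_b")
#endif
// .CRT$XL* subsections are merged in alphabetical order, so an entry in
// .CRT$XLB ends up inside the callback array the TLS directory points at.
#pragma data_seg(".CRT$XLB")
EXTERN_C
PIMAGE_TLS_CALLBACK _xl_b = on_tls_callback;
// Restore the default data section for anything declared after this point.
#pragma data_seg()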
我在这个问题里读到这是可行的:How can DLL injection be detected?
答案 0 :(得分:0)
经过进一步研究,我找到了一种方法,参见:Thread EntryPoint in TLS callback as AntiDebug technique
/// Pointer type for ntdll's NtQueryInformationThread, which this file
/// resolves at run time with GetProcAddress.
///   ThreadHandle             - in:  thread to query
///   ThreadInformationClass   - in:  which piece of information to return
///   ThreadInformation        - out: caller-supplied buffer for the result
///   ThreadInformationLength  - in:  size of that buffer in bytes
///   ReturnLength             - out, optional: may be null
using NtQueryInformationThread_t = NTSTATUS (NTAPI*)(
    HANDLE ThreadHandle,
    THREADINFOCLASS ThreadInformationClass,
    PVOID ThreadInformation,
    ULONG ThreadInformationLength,
    PULONG ReturnLength);
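/// TLS callback: when a thread attaches, asks ntdll for that thread's
/// Win32 start address.
///
/// @param dll       module handle passed by the loader (unused)
/// @param reason    notification code; only DLL_THREAD_ATTACH is handled
/// @param reserved  unused
///
/// Any failure (ntdll lookup, export lookup, or the query itself) makes the
/// callback return quietly, because a TLS callback has no way to report an
/// error and must not crash thread start-up.
void NTAPI on_tls_callback(LPVOID dll, DWORD reason, LPVOID reserved)
{
    if (reason != DLL_THREAD_ATTACH)
    {
        return;
    }

    // Use the explicit ANSI variant so the narrow literal compiles whether
    // or not UNICODE is defined.
    const HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == nullptr)
    {
        return;
    }

    // Never call through an unresolved export.
    const auto pNtQueryInformationThread = reinterpret_cast<NtQueryInformationThread_t>(
        GetProcAddress(ntdll, "NtQueryInformationThread"));
    if (pNtQueryInformationThread == nullptr)
    {
        return;
    }

    // Information class 9 is ThreadQuerySetWin32StartAddress. It returns a
    // pointer-sized value, so the buffer must be a PVOID: a 4-byte DWORD
    // makes the query fail with a length mismatch in a 64-bit process.
    PVOID startAddress = nullptr;
    const NTSTATUS status = pNtQueryInformationThread(
        GetCurrentThread(),
        static_cast<THREADINFOCLASS>(9),
        &startAddress,
        sizeof(startAddress),
        nullptr);
    if (status < 0) // negative NTSTATUS values are failures
    {
        return;
    }

    // startAddress now holds the reported start address; inspect it here.
    // NOTE(review): this is a "query/set" information class, so the value
    // can be changed after thread creation. Treat it as a hint and combine
    // it with other signals rather than as proof of where the thread began.
    (void)startAddress;
}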
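// Register on_tls_callback in the image's TLS callback array.
// /INCLUDE keeps the TLS directory (_tls_used) and the callback pointer in
// the image even though no code references them. The linker needs the
// decorated symbol name: 32-bit x86 prefixes C symbols with an underscore,
// other targets (x64, ARM64) do not, so the original x86-only spelling
// fails to link there.
#ifdef _M_IX86
#pragma comment (linker, "/INCLUDE:__tls_used")
#pragma comment (linker, "/INCLUDE:__xl_b")
#else
#pragma comment (linker, "/INCLUDE:_tls_used")
#pragma comment (linker, "/INCLUDE:_xl_b")
#endif
// .CRT$XL* subsections are merged in alphabetical order, so an entry in
// .CRT$XLB ends up inside the callback array the TLS directory points at.
#pragma data_seg(".CRT$XLB")
EXTERN_C
PIMAGE_TLS_CALLBACK _xl_b = on_tls_callback;
// Restore the default data section for anything declared after this point.
#pragma data_seg()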