Assembly Language for Beginners

(nextflipdebug2) #1

6.2. THREAD LOCAL STORAGE


__declspec( thread ) uint32_t rand_state;


void my_srand (uint32_t init)
{
rand_state=init;
}


void NTAPI tls_callback(PVOID a, DWORD dwReason, PVOID b)
{
my_srand (GetTickCount());
}


#pragma data_seg(".CRT$XLB")
PIMAGE_TLS_CALLBACK p_thread_callback = tls_callback;
#pragma data_seg()


int my_rand ()
{
rand_state=rand_state*RNG_a;
rand_state=rand_state+RNG_c;
return rand_state & 0x7fff;
}


int main()
{
// rand_state is already initialized at the moment (using GetTickCount())
printf ("%d\n", my_rand());
};


Let’s see it in IDA:


Listing 6.17: Optimizing MSVC 2013

.text:00401020 TlsCallback_0 proc near ; DATA XREF: .rdata:TlsCallbacks
.text:00401020 call ds:GetTickCount
.text:00401026 push eax
.text:00401027 call my_srand
.text:0040102C pop ecx
.text:0040102D retn 0Ch
.text:0040102D TlsCallback_0 endp


...


.rdata:004020C0 TlsCallbacks dd offset TlsCallback_0 ; DATA XREF: .rdata:TlsCallbacks_ptr


...


.rdata:00402118 TlsDirectory dd offset TlsStart
.rdata:0040211C TlsEnd_ptr dd offset TlsEnd
.rdata:00402120 TlsIndex_ptr dd offset TlsIndex
.rdata:00402124 TlsCallbacks_ptr dd offset TlsCallbacks
.rdata:00402128 TlsSizeOfZeroFill dd 0
.rdata:0040212C TlsCharacteristics dd 300000h


TLS callback functions are sometimes used in unpacking routines to obscure their processing.


Some people may be confused and be in the dark that some code executed right before theOEP^4.


Linux


Here is how a thread-local global variable is declared in GCC:


__thread uint32_t rand_state=1234;


This is not the standard C/C++ modifier, but a rather GCC-specific one^5.


(^4) Original Entry Point
(^5) http://go.yurichev.com/17062

Free download pdf