《逆向工程核心原理》——TLS回调函数
PE 中 TLS(Thread Local Storage,线程局部存储)回调函数的执行时机早于入口函数(Entry Point)。
相关结构:
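//
// Thread Local Storage
//
// Signature of a TLS callback. The loader calls each entry of the
// AddressOfCallBacks array below with the same (DllHandle, Reason, Reserved)
// triple that a DllMain receives (DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, ...).
// Note: in the original listing "typedef VOID" had been folded into the
// comment line above, which left the declaration unparseable; restored here.
typedef VOID
(NTAPI *PIMAGE_TLS_CALLBACK) (
    PVOID DllHandle,
    DWORD Reason,
    PVOID Reserved
    );

// 64-bit TLS directory, the structure the PE's IMAGE_DIRECTORY_ENTRY_TLS
// data directory points at. When triaging a binary, AddressOfCallBacks is the
// field to inspect: every callback listed there runs before the entry point.
typedef struct _IMAGE_TLS_DIRECTORY64 {
    ULONGLONG StartAddressOfRawData;
    ULONGLONG EndAddressOfRawData;
    ULONGLONG AddressOfIndex;         // PDWORD
    ULONGLONG AddressOfCallBacks;     // PIMAGE_TLS_CALLBACK *; array terminated by a 0 entry
    DWORD SizeOfZeroFill;
    union {
        DWORD Characteristics;
        struct {
            DWORD Reserved0 : 20;
            DWORD Alignment : 4;
            DWORD Reserved1 : 8;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} IMAGE_TLS_DIRECTORY64;
typedef IMAGE_TLS_DIRECTORY64 * PIMAGE_TLS_DIRECTORY64;

// 32-bit layout: identical fields, but every address is a 32-bit VA.
typedef struct _IMAGE_TLS_DIRECTORY32 {
    DWORD StartAddressOfRawData;
    DWORD EndAddressOfRawData;
    DWORD AddressOfIndex;             // PDWORD
    DWORD AddressOfCallBacks;         // PIMAGE_TLS_CALLBACK *
    DWORD SizeOfZeroFill;
    union {
        DWORD Characteristics;
        struct {
            DWORD Reserved0 : 20;
            DWORD Alignment : 4;
            DWORD Reserved1 : 8;
        } DUMMYSTRUCTNAME;
    } DUMMYUNIONNAME;
} IMAGE_TLS_DIRECTORY32;
typedef IMAGE_TLS_DIRECTORY32 * PIMAGE_TLS_DIRECTORY32;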
例子:
#include <iostream>
#include <Windows.h> //TLS回调函数测试
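// First TLS callback. The loader invokes it with DLL_PROCESS_ATTACH before
// main() runs, and again with DLL_THREAD_ATTACH / DLL_THREAD_DETACH for every
// thread the process creates. It only reports which Reason it received.
// Because this code runs before the entry point, TLS callbacks are a common
// hiding place for anti-debugging logic; analysts should check the TLS
// directory before stepping from the entry point.
// DllHandle and Reserved are not used by this callback.
void NTAPI MY_TLS_CALLBACK(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
    (void)DllHandle;
    (void)Reserved;
    printf("CALL TLS 1\n");
    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        printf("DLL_PROCESS_ATTACH\ttls 1\n");
        break;
    case DLL_THREAD_ATTACH:
        printf("DLL_THREAD_ATTACH\ttls 1\n");
        break;
    case DLL_THREAD_DETACH:
        printf("DLL_THREAD_DETACH\ttls 1\n");
        break;
    case DLL_PROCESS_DETACH:
        // Original author's note: nothing was printed here at process exit.
        // Presumably the CRT's stdio has already been torn down by the time
        // the process-detach callback runs -- TODO confirm. The printf stays
        // disabled as in the original.
        //printf("DLL_PROCESS_DETACH\ttls 1\n");
        break;
    default:
        // Unknown or reserved reason codes are deliberately ignored.
        break;
    }
}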
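// Second TLS callback, registered after MY_TLS_CALLBACK in p_tls_callback1
// so the loader runs it second for every Reason. Behaves like the first one
// but tags its output "tls 2". DllHandle and Reserved are not used.
void NTAPI MY_TLS_CALLBACK2(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
    (void)DllHandle;
    (void)Reserved;
    printf("CALL TLS 2\n");
    switch (Reason)
    {
    case DLL_PROCESS_ATTACH:
        printf("DLL_PROCESS_ATTACH\ttls 2\n");
        break;
    case DLL_THREAD_ATTACH:
        printf("DLL_THREAD_ATTACH\ttls 2\n");
        break;
    case DLL_THREAD_DETACH:
        printf("DLL_THREAD_DETACH\ttls 2\n");
        break;
    case DLL_PROCESS_DETACH:
        // Left disabled, as in the original: output at process exit did not
        // appear, presumably because stdio is already shut down -- TODO confirm.
        //printf("DLL_PROCESS_DETACH\ttls 2\n");
        break;
    default:
        // Unknown or reserved reason codes are deliberately ignored.
        break;
    }
}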
/*
#ifdef _M_AMD64
#pragma comment (linker, "/INCLUDE:_tls_used")
#pragma comment (linker, "/INCLUDE:p_tls_callback1")
#pragma const_seg(push)
#pragma const_seg(".CRT$XLX")
EXTERN_C const PIMAGE_TLS_CALLBACK p_tls_callback1[] = { MY_TLS_CALLBACK,MY_TLS_CALLBACK2,0 };
#pragma const_seg(pop)
#endif
#ifdef _M_IX86
#pragma comment (linker, "/INCLUDE:__tls_used")
#pragma comment (linker, "/INCLUDE:_p_tls_callback1")
#pragma const_seg(push)
#pragma const_seg(".CRT$XLX")
EXTERN_C const PIMAGE_TLS_CALLBACK p_tls_callback1[] = { MY_TLS_CALLBACK,MY_TLS_CALLBACK2,0 };
#pragma const_seg(pop)
#endif
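*/
// Registration of the callbacks. The array is placed in the .CRT$XLX section;
// the MSVC CRT collects everything between its .CRT$XLA and .CRT$XLZ markers
// into the range that _tls_used (the IMAGE_TLS_DIRECTORY emitted for the
// image) exposes through AddressOfCallBacks, so these entries become the PE's
// TLS callback table. The array must end with a 0 entry. The two branches
// differ only in symbol decoration: the x86 ABI prefixes C symbols with an
// underscore, hence "__tls_used" versus "_tls_used". The earlier, commented-out
// version also forced the array itself in with /INCLUDE; if /OPT:REF ever
// drops it, that is the setting to restore. (In the original listing the
// "#endif" directives shared a line with the next directive/definition, which
// is not valid preprocessor input; restored one per line.)
#ifdef _M_AMD64
#pragma comment(linker,"/INCLUDE:_tls_used")
#pragma const_seg(".CRT$XLX")
EXTERN_C const PIMAGE_TLS_CALLBACK p_tls_callback1[] = { MY_TLS_CALLBACK,MY_TLS_CALLBACK2,0 };
#pragma const_seg()
#endif
#ifdef _M_IX86
#pragma comment (linker, "/INCLUDE:__tls_used")
#pragma const_seg(".CRT$XLX")
EXTERN_C const PIMAGE_TLS_CALLBACK p_tls_callback1[] = { MY_TLS_CALLBACK,MY_TLS_CALLBACK2,0 };
#pragma const_seg()
#endif

// Worker thread body: prints 0 .. *lpParam-1, one line per second. Its start
// and exit are what trigger DLL_THREAD_ATTACH / DLL_THREAD_DETACH in the
// TLS callbacks above.
// lpParam: pointer to an int owned by the creating thread; it must stay valid
//          for as long as this thread runs.
// Returns 1 as the thread exit code, or 0 if no argument was supplied.
DWORD WINAPI MyThreadFunction(LPVOID lpParam) {
    if (lpParam == NULL) {
        return 0;   // no count to read; don't dereference a null argument
    }
    int nb = *(int*)lpParam;
    for (int i = 0; i < nb; ++i) {
        printf("number: %d\n", i);
        Sleep(1000);
    }
    return 1;
}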
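// Entry point. By the time this runs both TLS callbacks have already fired
// with DLL_PROCESS_ATTACH; creating the worker thread fires them again with
// DLL_THREAD_ATTACH and, when the worker exits, DLL_THREAD_DETACH.
// Returns 0 on success, 1 if the thread could not be created.
int main()
{
    std::cout << "Hello World!\n";
    DWORD dwThreadId = 0;
    int number = 3;                    // loop count for the worker; lives on this frame
    HANDLE hThread = CreateThread(
        NULL,                          // default security attributes
        0,                             // use default stack size
        MyThreadFunction,              // thread function name
        &number,                       // argument to thread function
        0,                             // use default creation flags
        &dwThreadId);                  // returns the thread identifier
    if (hThread == NULL) {
        printf("CreateThread failed: %lu\n", GetLastError());
        return 1;
    }
    // Wait for the worker before leaving main(): otherwise pressing Enter early
    // returns from main() while the thread may still be reading `number` from
    // this stack frame, and its DLL_THREAD_DETACH callback may never be seen.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);              // the original leaked this handle
    getchar();
    return 0;
}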
输出:
