header image

Self-modifying TLS callbacks [OpenRCE import]

Simple yet not widely known trick. If your PE image has TLS callbacks, these callbacks can alter TLS table while executing. That means you can have one callback at the start, but if this callback adds some other callbacks, those will execute as well. There are few interesting possibilities, because PE loader doesn’t cache TLS table at the beginning of image load. 🙂

Sample code

Asm code Show

~ by omeg on April 8, 2008.

assembly, code, windows internals

Leave a Reply