GET /api/techniques/69/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "TLS Callback",
    "category": [
        "https://search.unprotect.it/api/categories/3/"
    ],
    "description": "Most debuggers start at the program entry point as defined by the PE header. A TLS callback can be used to execute code before the entry point and therefore run unnoticed in a debugger.\r\n\r\nThis technique can be used to detect that the process is being debugged and thus terminate the process instead of continuing execution.",
    "resources": "https://resources.infosecinstitute.com/debugging-tls-callbacks/#gref\r\nhttps://isc.sans.edu/diary/How+Malware+Defends+Itself+Using+TLS+Callback+Functions/6655",
    "tags": "tls callback",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/2/",
            "author": "https://search.unprotect.it/api/snippet_authors/2/",
            "technique": "https://search.unprotect.it/api/techniques/69/",
            "description": "",
            "plain_code": "#include \"windows.h\"\r\n#include <stdio.h>\r\n\r\nvoid NTAPI __stdcall TLSCallbacks(PVOID DllHandle, DWORD dwReason, PVOID Reserved);\r\n\r\n#ifdef _M_IX86\r\n#pragma comment (linker, \"/INCLUDE:__tls_used\")\r\n#pragma comment (linker, \"/INCLUDE:__tls_callback\")\r\n#else\r\n#pragma comment (linker, \"/INCLUDE:_tls_used\")\r\n#pragma comment (linker, \"/INCLUDE:_tls_callback\")\r\n#endif\r\nEXTERN_C\r\n#ifdef _M_X64\r\n#pragma const_seg (\".CRT$XLB\")\r\nconst\r\n#else\r\n#pragma data_seg (\".CRT$XLB\")\r\n#endif\r\n\r\nPIMAGE_TLS_CALLBACK _tls_callback = TLSCallbacks;\r\n#pragma data_seg ()\r\n#pragma const_seg ()\r\n\r\nvoid NTAPI __stdcall TLSCallbacks(PVOID DllHandle, DWORD dwReason, PVOID Reserved)\r\n{\r\n\tMessageBox(nullptr, \"TLS Callback\", \"\", 0);\r\n\tExitProcess(0);\r\n}\r\n\r\nint main(int argc, char* argv[])\r\n{\r\n\tprintf(\"Main function!\");\r\n}"
        }
    ],
    "detection_rules": [
        {
            "type": "https://search.unprotect.it/api/detection_rule_categories/1/",
            "name": "detect_tlscallback",
            "rule": "rule detect_tlscallback {\r\n    meta:\r\n        description = \"Simple rule to detect tls callback as anti-debug.\"\r\n        author = \"Thomas Roccia | @fr0gger_\"\r\n    strings:\r\n        $str1 = \"TLS_CALLBACK\" nocase\r\n        $str2 = \"TLScallback\" nocase\r\n    condition:\r\n        uint32(uint32(0x3C)) == 0x4550 and any of them\r\n}"
        }
    ]
}