What are TLS Callbacks and How to Find Them!
Вставка
- Опубліковано 18 вер 2024
- We continue to explore the PE file format in this video by investigating TLS (thread local storage) callbacks.
🔥 Join this channel to get access to perks:
/ @jstrosch
TLS callbacks are used by malware authors to execute code before the main entry point of the program. This technique is primarily used as an anti-debugging technique, allowing malware to execute before the debugger takes control at the programs entry. How prevalent is this technique still? We'll explore that as well in this video using Yara, as well as use MalCat and 010 editor to look at the internal structures of a PE file that support TLS callbacks.
Yaraify Link and Yara rule name - (pe_detect_tls_callbacks): yaraify.abuse....
MSDN: unprotect.it/t...
Sample code: unprotect.it/t...
Cybersecurity, reverse engineering, malware analysis and ethical hacking content!
🎓 Courses on Pluralsight 👉🏻 www.pluralsigh...
🌶️ UA-cam 👉🏻 Like, Comment & Subscribe!
🙏🏻 Support my work 👉🏻 / joshstroschein
🌎 Follow me 👉🏻 / jstrosch , / joshstroschein
⚙️ Tinker with me on Github 👉🏻 github.com/jst...
🤝 Join the Discord community and more 👉🏻 www.thecyberye...
1:30 Definition of TLS on MSDN
2:58 TLS Structure Definition
3:48 Our Sample Program
5:27 Identifying TLS Callbacks in 010
7:40 Finding the First Callback in 010
10:00 TLS Callbacks in IDA Pro
11:13 Switching to Malcat
12:19 Why Do We Need to Know This?
12:54 How Prevalent are TLS Callbacks? Investigating with Yara
13:49 Expanding our Search with Yaraify
15:03 Investigating Recent Examples
Applause, applause and more applause, your videos are brilliant, you are in another league. Total genius
Thank you so much 😀 🙏
Awesome work, Dr Josh, I liked your content! Thank you for your effort
Glad you enjoyed it!
Thank you for sharing now I know more than before
Awesome to hear! That's the goal 😁
Awesome video.
Thanks! 🙏
God's work🙏🏽🙏🏽
Thank you 🙏