RemoteTLSCallbackInjection – Utilizing TLS Callbacks To Execute A Payload Without Spawning Any Threads In A Remote Process
Quick Links
Related Maldev Academy Modules
New Module 34: TLS Callbacks For Anti-Debugging
New Module 35: Threadless Injection
Implementation Steps
The PoC follows these steps:
- Create a suspended process using the
CreateProcessViaWinAPIsWfunction (i.e.RuntimeBroker.exe). - Fetch the remote process image base address followed by reading the process’s PE headers.
- Fetch an address to a TLS callback function.
- Patch a fixed shellcode (i.e. g_FixedShellcode) with runtime-retrieved values. This shellcode is responsible for restoring both original bytes and memory permission of the TLS callback function’s address.
- Inject both shellcodes:
g_FixedShellcodeand the main payload. - Patch the TLS callback function’s address and replace it with the address of our injected payload.
- Resume process.
The g_FixedShellcode shellcode will then make sure that the main payload executes only once by restoring the original TLS callback’s original address before calling the main payload. A TLS callback can execute multiple times across the lifespan of a process, therefore it is important to control the number of times the payload is triggered by restoring the original code path execution to the original TLS callback function.
Demo
The following image shows our implementation, RemoteTLSCallbackInjection.exe, spawning a cmd.exe as its main payload.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
