.svg)
.svg)
Thread Local Storage (TLS) Callback Injection is a stealthy process injection technique that adversaries use to execute malicious code before the main entry point of a program runs. This technique takes advantage of TLS callbacks, which are functions that Windows executes automatically when a thread is created. By injecting malicious code into a process' TLS callback, attackers can achieve early execution, often before security solutions start monitoring the process.
In this blog post, we explain the T1055.005 Thread Local Storage technique of the MITRE ATT&CK® framework and explore how adversaries employ Thread Local Storage (TLS) Callback Injection with real-world attack examples in detail.
|
|
What is Thread Local Storage?
Thread Local Storage is a sophisticated programming mechanism that provides each thread in a multi-threaded application with its own private data storage area. Think of it like giving each worker (thread) their own private locker (storage space) where they can keep their personal tools and materials, rather than having to share everything from a common toolbox. The OS uses TLS callbacks to initialize and clean up data used by threads. These callbacks are functions that the OS calls when a thread is created or terminated.
When a process starts, the operating system allocates a TLS directory for that process. This directory acts like a map, helping threads locate their private storage areas. Each thread receives its own set of TLS slots, which are essentially indexed storage locations. The beauty of this system is that even though multiple threads might access what appears to be the same global variable, they're actually accessing their own private copies stored in their respective TLS slots.
Windows operating system implements TLS through several key structures:
- Thread Environment Block (TEB) contains a pointer to the thread's TLS array.
- The TLS array holds pointers to the actual TLS data blocks.
- The PE file's TLS directory contains initialization data and callback addresses.
The operating system executes TLS callbacks at specific times during thread and process lifecycle:
- When a process is starting (before the main entry point)
- When a new thread is created
- When a thread is terminating
- When a process is shutting down
This callback system ensures proper initialization and cleanup of thread-specific resources.
Adversary Use of Thread Local Storage
Attackers use TLS callbacks to inject and execute malicious code at the start of a program's execution or whenever a new thread is created. Here's how TLS callback injection typically works:
-
Select Target Application: The attacker chooses a target application that they want to inject code into. This application should preferably have TLS callbacks or be modified to include them.
-
Analyze or Modify TLS Directory: If the target application does not already use TLS callbacks, the attacker modifies the PE file of the application to include a TLS directory. This entails altering the PE header and possibly adding new sections to the file. If the target application already utilizes TLS, the attacker can hook or replace existing TLS callbacks with malicious ones.
-
Write Malicious Callback: The attacker writes a malicious TLS callback function. This function should be designed to perform whatever malicious activities the attacker desires, such as setting up a backdoor or executing a payload.
-
Inject Malicious Callback: Using a tool or exploit, the attacker injects the address of the malicious callback into the TLS callback table of the target application. This can involve directly modifying the binary on disk or in memory to point to the attacker's code rather than legitimate initialization functions.
-
Execute Target Application: Upon execution of the target application, the Windows Loader processes the PE file and executes all TLS callbacks before reaching the main entry point of the application or whenever a new thread that uses TLS is created.
-
Callback Execution: When the malicious TLS callback is executed, it runs the attacker's code within the context of the application's process. This activation occurs in the early stages of the program's start-up, often making the injected code one of the first things to run.
Note that Process Hollowing can be used to manipulate TLS callbacks by allocating and writing to specific offsets within a process memory space.
In February 2024, Strela Stealer was reported to use TLS callback injection to inject ringsbeef.dll [1]. This malicious DLL is designed to steal Outlook and Thunderbird data from compromised systems.
References
[1] R. Gatenby, "Strela Stealer [IR/Malware Analysis]," Feb. 25, 2024. Available: https://ventdrop.github.io/posts/strelastealer
Share this:
