
# Thread Local Storage

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process' memory space using other Process Injection techniques such as Process Hollowing.

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.

**Example**

Thread Local Storage callbacks are mechanisms provided by the Windows Loader to allow programs to perform thread-specific initialisation tasks when a process starts. What is interesting about TLS callbacks is that they are executed **before the entry point of the application**, so before the main() function. This is problematic for a couple of reasons:

- Debuggers usually stop at the main function, thus missing any extra TLS code.
- Disassemblers and static analysis tools first present the main function, again leading to possibly hidden code.

To use these we need to declare the prototype:

![](/files/-MRhvwsTVH6nVYVZKQ9k)

Callbacks are defined like this:

![](/files/-MRhvxpK_n-OqOBa6sZR)

Now let me show the sample code:

![](/files/-MRhvyiH9xGAH9Pazdzi)

We see above that we declared the TLS callback and have our main function below it. Once the program is run, the main function never executes because of the ExitProcess() call in the TLSCallback declaration. We could remove that call and let main print to the console, but here we just demonstrate the TLS callback and then have the process terminate, as it is meant to do.

![](/files/-MRhvzaydeCkQbkw0n0m)

Once we hit OK, the process simply terminates as intended.

![](/files/-MRhw-plFQGBxaNF4m0C)

We see above that the main section of the code, which is just supposed to print some text in the console, didn't execute, since our TLS callback was the first to execute and terminated the process before reaching the main section.

There were samples where these TLSCallbacks would execute even before loading onto a debugger.

![](/files/-MRhw0wIl2sESZJqkg3q)

I couldn't replicate this but it's good to be aware of.
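Because these callbacks run before the entry point, an analyst can list them straight from the PE headers before opening a debugger. The following is an added example, not code from the original page: `tls_callbacks` walks the TLS data directory (index 9) to the `AddressOfCallBacks` array, and `build_sample` is a constructed minimal PE32+ image with made-up callback addresses used only to exercise the parser.

```python
import struct

TLS_DIR_INDEX = 9  # IMAGE_DIRECTORY_ENTRY_TLS slot in the data directory table

def tls_callbacks(pe: bytes) -> list:
    """Return the virtual address of every TLS callback registered in a PE file."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                          # optional header start
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B   # PE32+ magic
    ptr, width = ("<Q", 8) if pe64 else ("<I", 4)
    image_base = struct.unpack_from(ptr, pe, opt + (24 if pe64 else 28))[0]
    dirs = opt + (112 if pe64 else 96)                     # data directory table
    count = struct.unpack_from("<I", pe, dirs - 4)[0]      # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, dirs + 8 * TLS_DIR_INDEX)[0] if count > TLS_DIR_INDEX else 0
    if tls_rva == 0:
        return []                                          # image has no TLS directory
    sections = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i)
                for i in range(nsec)]
    def offset(rva):  # map an RVA to a file offset through the section table
        for vsize, vaddr, rsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + rva - vaddr
        raise ValueError(f"RVA {rva:#x} is outside every section")
    # AddressOfCallBacks is the fourth pointer-sized field and holds a VA, not an RVA
    array_va = struct.unpack_from(ptr, pe, offset(tls_rva) + 3 * width)[0]
    if array_va == 0:
        return []
    pos, found = offset(array_va - image_base), []
    while (cb := struct.unpack_from(ptr, pe, pos)[0]) != 0:  # null-terminated array
        found.append(cb)
        pos += width
    return found

def build_sample() -> bytes:
    """Constructed PE32+ image: one section at RVA 0x1000 holding a TLS directory."""
    base = 0x140000000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H22xQ", opt, 0, 0x20B, base)        # magic, ImageBase
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * TLS_DIR_INDEX, 0x1000, 40)
    sect = struct.pack("<8s4I16x", b".rdata", 0x200, 0x1000, 0x200, 0x200)
    tls = struct.pack("<4Q2I", 0, 0, 0, base + 0x1030, 0, 0)
    array = struct.pack("<3Q", base + 0x2000, base + 0x2040, 0)  # two callbacks
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + (tls.ljust(0x30, b"\0") + array).ljust(0x200, b"\0")
```

Any address returned here is code that runs before `main()`, so it is where a breakpoint or disassembly pass should start.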

References:

<https://gist.github.com/dennisfischer/525003173637929adeea#file-tls-callback-cpp>

<https://github.com/reversinghub/TLS-PoC>

[Hiding Code Behind Thread-Local Storage - Reverse Engineering TLS Callbacks](https://www.youtube.com/watch?v=mZMCxhLkS4g)


