> Technique · TLS Callback Anti-Analysis — pre-execution code via Thread-Local Storage callbacks_

~/packetpursuit $ cat /intel/techniques/tls-callback-anti-analysis.md

typetechniqueconfidencehighcreated2026-05-31updated2026-05-31anti-debugevasiondefense-evasionmsvcpetlsmitre-attck

tls-callback-anti-analysis

What It Does

On Windows, PE files can declare a Thread-Local Storage (TLS) directory. The loader walks the AddressOfCallBacks array and invokes each function pointer before the executable's normal entry point (main / WinMain). Malware uses this to execute anti-debug, anti-VM, or decryption logic before most EDR user-mode hooks are in place. Analysts debugging from entry0 or main entirely miss this code.

Detection / Fingerprint

  • PE32+ with IMAGE_DIRECTORY_ENTRY_TLS present (DataDirectory index 9).
  • AddressOfCallBacks is non-zero and points to an array of function pointer VAs in .rdata or .data.
  • Standard MSVC output has 0–2 TLS callbacks. Counts > 2 are suspicious; counts > 4 are strongly indicative of anti-analysis logic.
  • The callback functions are small (often < 64 bytes), do not reference CRT startup, and may call IsDebuggerPresent, NtQueryInformationProcess, or CheckRemoteDebugger.

Implementation Patterns Observed

Observed in 0b6a849a68a4 (single sample)

  • TLS directory at RVA 0x53bb80 (file offset 0x53bb80) inside .rdata.
  • AddressOfCallBacks = 0x1404f9338.
  • Array contains 8 entries — 4× typical compiler output.
  • Callbacks terminate with a 0x0 sentinel. ^[raw/analyses/0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7/dump_tls.py]

Build toolchain pattern

  • MSVC __declspec(thread) or TlsAlloc does NOT produce this pattern. The callbacks are explicitly linked via .CRT$XLB / .CRT$XLC sections or by patching the TLS Directory at link time.
  • Some packers / crypters inject a TLS directory and callback array into a previously unprotected PE.

Reproduce on Your Own VMs

Toolchain: Visual Studio 2022, x64 Release, C++.

Steps:

  1. Create any C++ project.
  2. Add a .cpp with the TLS callback:
// tls_callback.cpp
#pragma comment(linker, "/INCLUDE:__tls_used")

#pragma section(".CRT$XLB", read)
extern "C" __declspec(allocate(".CRT$XLB"))
PIMAGE_TLS_CALLBACK TlsCallbackArray[] = {
    [](PVOID hModule, DWORD Reason, PVOID Reserved) {
        if (Reason == DLL_PROCESS_ATTACH) {
            // Pre-main code
            if (IsDebuggerPresent()) {
                ExitProcess(0xBAD);
            }
        }
    },
    nullptr  // sentinel
};
  1. Build with /guard:cf /GS /MT.
  2. Verify with rabin2 -I build\MyApp.exe — check havecode true, then inspect TLS directory.
  3. Set a breakpoint on TlsCallbackArray[0] before main. It fires first.

Verification step:

python3 -c "import pefile; pe = pefile.PE('build/MyApp.exe'); print([hex(c) for c in pe.DIRECTORY_ENTRY_TLS.struct.AddressOfCallBacks or []])"

Should show the callback VA, confirming linkage.

Defensive Countermeasures

  • EDR / hook timing: User-mode hooks placed at kernel32!LoadLibraryA, ntdll!NtCreateThread, etc. are installed after TLS callbacks execute. Kernel callbacks (PsSetCreateProcessNotifyRoutine) fire much earlier — but they lack user-mode context.
  • Detection rule: Alert on PE loads where pe.tls_callbacks > 2 and pe.tls_callbacks[>0] resolves to code inside .rdata or .text but outside the CRT main region.
  • Hunting: YARA for IMAGE_DIRECTORY_ENTRY_TLS with AddressOfCallBacks != 0 and NumberOfRvaAndSizes == 16.

Pages Where Observed

  • /intel/analyses/0b6a849a68a48f7301c3459a7771378e458e2d5debce9376be350784c61b72b7.html — 8-entry TLS array in 5.9 MB MSVC C++ PE32+, static-only analysis
  • unclassified-pe32plus — entity tracking samples with this pattern