How do I debug an executable that uses TLS callbacks? It's my understanding that these run before my debugger will attach.
Asked
Active
Viewed 2,342 times
11
-
2The Internet Storm Center has a pretty good write up of how you can do this. – amccormack Mar 31 '13 at 01:24
2 Answers
8
either:
- patch a debug break (CC int3) or an infinite loop (EB FE jmp $) at the start of the TLS
- try to set a breakpoint as early as possible (like OllyDbg's Options/Events/Make first pause at/System Breakpoint), then set a breakpoint at the TLS' starts
- use a specific plugin, such as OllyAdvanced for OllyDbg.
Note that the conditions for TLS execution are tricky, and debugging might cause an otherwise ignored TLS to be executed.
Ange
- 6,694
- 3
- 28
- 62
1
If you are using IDA Pro, Ctrl-E (Windows shortcut https://www.hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf) it will show you entry point. You can directly jump to Main/start function.
LuckyB56
- 51
- 2
-
Igor is probably better equipped to comment on this, but TLS was one of the weaknesses in IDA at some point. – 0xC0000022L Apr 02 '13 at 14:49