TLSCheck is a Volatility3 plugin designed to detect and analyze Thread Local Storage (TLS) callbacks in memory dumps. TLS callbacks are often abused by malware authors to execute code before the main entry point, making them a critical area for security analysis. This plugin helps security analysts identify and examine such callbacks, supporting both 32-bit and 64-bit processes.
- Comprehensive TLS Detection: Identifies TLS callbacks in process memory
- Multi-Architecture Support: Works with both 32-bit and 64-bit processes
- Advanced Disassembly: Provides detailed disassembly of callback routines
- Suspicious Pattern Detection: Includes built-in detection for suspicious instruction sequences
- YARA Integration: Supports custom YARA rules for enhanced detection
- Color-Coded Output: Improves readability and analysis efficiency
- Detailed Process Information: Dis 8684 plays process details, memory offsets, and architectural information
- Volatility3 Framework
- Python 3.6 or higher
- Required Python packages:
- pefile
- capstone
- yara-python
- colorama (optional, for colored output)
- Ensure Volatility3 is installed and properly configured
- Install required dependencies:
pip install pefile capstone yara-python
- Place the plugin file in your Volatility3 plugins directory:
cp tlscheck.py <volatility3_installation_path>/volatility3/plugins/windows/
Basic usage:
vol -f <memory_dump> windows.tlscheckWith optional parameters:
vol -f <memory_dump> windows.tlscheck --pid <process_id> --disasm-bytes 128 --scan-suspicious --yara-file rules.yar --regex "pattern"--pid: Filter analysis to specific process ID(s)--disasm-bytes: Number of bytes to disassemble (default: 64)--scan-suspicious: Enable suspicious instruction detection--yara-file: Path to custom YARA rules file--regex: Custom regex pattern to match against disassembled instructions
----------------------------------------------------------------
TLS-Callback Found in Process: example.exe (PID: 1234)
Address range: 0x7ff123456000 - 0x7ff123456040
----------------------------------------------------------------
[Hex dump and disassembly output]
----------------------------------------------------------------
[*] Potentially Suspicious Instruction(s) Identified:
[SUSPICIOUS]: mov eax, dword ptr [eax + ebx] - Suspicious dynamic memory access
----------------------------------------------------------------
The plugin includes detection for various suspicious patterns including:
- Dynamic memory access patterns
- Suspicious control flow modifications
- Stack/heap manipulation
- Anti-debugging techniques
- Code injection patterns
- API hooking attempts
- And more...
- Needs more robust detection rules to reduce false positives
- Could benefit from additional heuristics for malware family identification
- Performance optimization for large memory dumps
- Enhanced reporting capabilities
- Integration with other analysis tools
Contributions are welcome! Please feel free to submit pull requests or create issues for bugs and feature requests.
This project is licensed under the Volatility Foundation Individual Contributor Licensing Agreement.
- Kartik N. Iyer (kartikiyerr23@proton.me)
- Parag H. Rughani (parag.rughani@gmail.com)
- Volatility Foundation for the fantastic memory forensics framework
- The security community for continuous feedback and support