Thread: TLS callbacks

  1. #1

    TLS callbacks

    Do I have to link with user32.dll to use them? As I discovered while playing with my code, if I remove the user32 imports, the callback is not invoked. Is that true, or am I missing something? It's damn hard to find any comprehensive reference on this subject...
    Vulnerant omnes, ultima necat.

  2. #2
    Kayaker
    Hi omega_red,

    I don't know why you'd specifically have to include user32.dll. Any TLS callbacks are called through ntdll!LdrpRunInitializeRoutines during normal process initialization. There shouldn't be any dependency on user32.dll any more than at any other time. Maybe PIMAGE_TLS_DIRECTORY32 is being affected in some other way by any modifications you're making?

    Checking my references I noticed this, maybe there truly is a bug...

    I know what's written in books (TLS works for static modules only). Therefore I wrote what new I found. I wrote nothing about (dynamic) loading. Just create a simple .exe (it means a static module) with TLS callbacks that imports from kernel32.dll only, run it on XP+ (kernel32.dll is preloaded and inited) and you will see that the callbacks are not called (because all modules (kernel32.dll, resp. ntdll.dll) were already inited). There's a logical bug in LdrpRunInitializeRoutines.

    Comment: Refer to Matt Pietrek's pseudocode. TLS callbacks are executed when implicitly loaded DLLs are initialized. In theory kernel32.dll should be sufficient; the usual InLoadOrderModuleList after ntdll.dll goes kernel32.dll, user32.dll, etc.


  3. #3
    Kayaker
    Actually I don't find there's any bug with not having User32.dll declared or used, when compiling a skeleton TLS callback in either MASM or MSVC++. A simple breakpoint will prove the callback is working. There *is* a bug with MSVC++6 in that it compiles the TLS directory with a wrong pointer, but that is easily fixed.

    For what it's worth here's a small TLS callback .exe example in MASM with a few references on the subject.

  4. #4
    evaluator
    (drop from blog)
    I found code in NTDLL where flags are tested in the module list:
    cmp         edx,ecx
    je         . --1
    and         b,[edx+025],0EF
    test        b,[edx+025],040 << this test flag is present for NTDLL & KERNEL32
    je         . --2
    mov         edx,[edx]
    jmps       . --3

    And then IF this DLL has an EntryPoint, the counter increases!
    BTW! USER32 has no EP.. but others loaded with USER32 have..

    So if this counter returns NULL, then the TLS callback will NOT be called.

    The TLS callback will be called if there is any DLL (except NTDLL & KERNEL32) with an EntryPoint,

    but the TLS callback will also be called on ExitProcess if such a DLL is loaded and present at runtime.
    Last edited by evaluator; January 10th, 2009 at 03:25.
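
Added example, not part of any post in this thread: when checking whether a binary really carries TLS callbacks (and whether its TLS directory pointer resolves at all, as with the MSVC++6 issue mentioned in #3), an analyst can read the IMAGE_TLS_DIRECTORY32 from the file and list the AddressOfCallBacks array. The function names and the sample image below are constructed for illustration; only PE32 is handled.

```python
import struct

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]

def tls_callbacks(pe):
    """Return the callback VAs listed in a PE32 file's TLS directory."""
    nt = u32(pe, 0x3C)                                    # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0" or u16(pe, nt + 24) != 0x10B:
        raise ValueError("not a PE32 image")
    opt = nt + 24                                         # optional header
    base, tls_rva = u32(pe, opt + 28), u32(pe, opt + 96 + 8 * 9)  # ImageBase, dir slot 9
    if u32(pe, opt + 92) <= 9 or tls_rva == 0:            # no TLS data directory
        return []
    # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [struct.unpack_from("<4I", pe, opt + u16(pe, nt + 20) + 40 * i + 8)
            for i in range(u16(pe, nt + 6))]

    def offset(rva):
        for _vsize, va, rsize, rptr in secs:
            if va <= rva < va + rsize:
                return rptr + rva - va
        raise ValueError("RVA %#x is not backed by file data" % rva)

    array_va = u32(pe, offset(tls_rva) + 12)              # AddressOfCallBacks (a VA)
    found = []
    off = offset(array_va - base) if array_va else None
    while off is not None and u32(pe, off):               # array ends with a NULL entry
        found.append(u32(pe, off))
        off += 4
    return found

def build_sample():
    """Constructed PE32 stub: one section, RVA 0x1000 at file offset 0x200."""
    base, nt, img = 0x400000, 0x40, bytearray(0x400)
    opt, sec = nt + 24, nt + 24 + 224
    img[0:2], img[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, nt)
    struct.pack_into("<HH", img, nt + 4, 0x14C, 1)        # i386, one section
    struct.pack_into("<H", img, nt + 20, 224)             # SizeOfOptionalHeader
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", img, opt + 28, base)           # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * 9, 0x1000, 24)   # TLS directory
    struct.pack_into("<4I", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x20C, base + 0x1020)     # AddressOfCallBacks
    struct.pack_into("<3I", img, 0x220, base + 0x1100, base + 0x1140, 0)
    return bytes(img)
```

A callback array pointer that does not map into any section's file data raises ValueError instead of returning an empty list, so a broken TLS directory is distinguishable from an absent one.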
