
TLS callbacks w/o USER32 (part III)


nezumi-lab
January 9th, 2009, 03:17
the story (http://nezumi-lab.org/blog/?p=15) has a continuation. read this:
Peter Ferrie> The requirement is not user32.dll, just a DLL
Peter Ferrie> that imports from kernel32.dll. I changed tls-nousr.exe
Peter Ferrie> to import from kernel31.dll instead of kernel32.dll.
Peter Ferrie> I created a kernel31.dll that imports from kernel32.dll
Peter Ferrie> the LoadLibraryA and GetProcAddress, and also exports them.
Peter Ferrie> The TLS code runs normally in that case.
Peter Ferrie> For the OllyDbg case, maybe a plug-in called LoadLibrary("kernel32")
Peter Ferrie> from inside the process. It's probably some reference counting thing.

yeah, right. I figured out that MSVCR71.dll is suitable as well (see my previous post: http://nezumi-lab.org/blog/?p=43), I just didn't change the subject. anyway, it's a bug of XP/S2K3 and eventually we found a workaround for it.

I wonder whether Vista is buggy too or it has been fixed there? guys! if you have Vista at hand, plz run the examples (http://nezumi-lab.org/ffh/TLS-nousr.zip) and tell us the result. thanks!



http://nezumi-lab.org/blog/?p=51

omega_red
January 9th, 2009, 08:27
I've seen this behaviour a few years ago, seems I was right.
http://www.woodmann.com/forum/showthread.php?t=7762

evaluator
January 9th, 2009, 12:52
these EXEs are very non-standard.. (they also include DOGs)
let's make more normal exe_amples

evaluator
January 9th, 2009, 15:29
I found code in NTDLL where flags are tested in the module list:
Code:

cmp edx,ecx
je . --1
and b,[edx+025],0EF
test b,[edx+025],040 << this test flag is present for NTDLL & KERNEL32
je . --2
mov edx,[edx]
jmps . --3

@2:
and then IF this DLL has an EntryPoint, the counter increases!
BTW! USER32 has no EP.. but others loaded with USER32 have..

so if this counter returns NULL, then the TLS callback will NOT be called

SUMMARY:
the TLS callback will be called if there is any DLL (except NTDLL & KERNEL32) with an EntryPoint

APPENDIX:
but the TLS callback will also be called on ExitProcess, if such a DLL is loaded at runtime and is still present;
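The condition evaluator describes can be checked statically from the EXE itself before running it on XP/2003. The following is an added example, not code from this thread or from the TLS-nousr samples: a small PE parser that walks the TLS directory (data directory 9) to list the callback array and walks the import table (data directory 1) to list the DLL names, plus a predicate encoding the thread's rule. It assumes, as the thread's findings suggest, that any statically imported DLL other than ntdll/kernel32 brings a module with an entry point into the load list (USER32 has none itself but pulls in others that do). build_test_pe constructs a synthetic, non-runnable PE32 image so the parser can be exercised offline; its callback addresses are placeholders, and the image_base/section layout are arbitrary choices of this example.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_TLS = 9
# Already initialised by the time the loader decides about the EXE's TLS callbacks;
# per evaluator's summary in this thread, these two do not count.
LOADER_CORE = {"ntdll.dll", "kernel32.dll"}

_u16 = lambda b, o: struct.unpack_from("<H", b, o)[0]
_u32 = lambda b, o: struct.unpack_from("<I", b, o)[0]


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via (VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x not backed by any section" % rva)


def parse_pe(data):
    """Return imported DLL names (lower-cased, table order) and TLS callback VAs of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size, opt = _u16(data, pe + 6), _u16(data, pe + 20), pe + 24
    is64 = _u16(data, opt) == 0x20B
    if is64:  # PE32+: 8-byte ImageBase at +24, data directories at +112
        image_base, dd, ptr = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112, 8
    else:     # PE32: 4-byte ImageBase at +28, data directories at +96
        image_base, dd, ptr = _u32(data, opt + 28), opt + 96, 4
    sections = [(_u32(data, s + 12), _u32(data, s + 16), _u32(data, s + 20))
                for s in range(opt + opt_size, opt + opt_size + 40 * nsec, 40)]

    imports = []
    imp_rva = _u32(data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if imp_rva:
        off = _rva_to_off(sections, imp_rva)
        while True:  # IMAGE_IMPORT_DESCRIPTOR array ends with an all-zero entry
            name_rva, first_thunk = _u32(data, off + 12), _u32(data, off + 16)
            if name_rva == 0 and first_thunk == 0:
                break
            noff = _rva_to_off(sections, name_rva)
            imports.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
            off += 20

    callbacks = []
    tls_rva = _u32(data, dd + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva:
        fmt = "<Q" if is64 else "<I"
        toff = _rva_to_off(sections, tls_rva)
        # IMAGE_TLS_DIRECTORY: RawData start, RawData end, AddressOfIndex, AddressOfCallBacks (all VAs)
        cb_va = struct.unpack_from(fmt, data, toff + 3 * ptr)[0]
        if cb_va:
            coff = _rva_to_off(sections, cb_va - image_base)
            while True:  # null-terminated PIMAGE_TLS_CALLBACK array
                va = struct.unpack_from(fmt, data, coff)[0]
                if va == 0:
                    break
                callbacks.append(va)
                coff += ptr
    return {"imports": imports, "tls_callbacks": callbacks}


def tls_callbacks_expected_on_xp(info):
    """The thread's rule: XP/2003 run the EXE's TLS callbacks only if a DLL other than
    ntdll/kernel32 (one with an entry point) is in the module list. Assumption: any
    static import beyond those two brings such a DLL in (USER32 has no entry point
    itself, but the DLLs it loads do)."""
    return bool(info["tls_callbacks"]) and any(d not in LOADER_CORE for d in info["imports"])


def build_test_pe(import_dlls, n_callbacks, image_base=0x400000):
    """Constructed test input: a minimal, non-runnable PE32 with one section holding a
    TLS directory, a callback array (placeholder VAs) and an import table."""
    sec_rva, sec_off, sec_size = 0x1000, 0x200, 0x400
    body = bytearray(sec_size)
    struct.pack_into("<IIIIII", body, 0, 0, 0, 0, image_base + sec_rva + 0x20, 0, 0)  # TLS dir
    for i in range(n_callbacks):
        struct.pack_into("<I", body, 0x20 + 4 * i, image_base + 0x2000 + 0x10 * i)
    name_pos = 0x180
    for i, dll in enumerate(import_dlls):
        body[name_pos:name_pos + len(dll)] = dll.encode("ascii")
        struct.pack_into("<IIIII", body, 0x80 + 20 * i,
                         0, 0, 0, sec_rva + name_pos, sec_rva + 0x300 + 8 * i)
        name_pos += len(dll) + 1
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     sec_rva + 0x80, 20 * (len(import_dlls) + 1))
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, sec_rva, 24)
    sec = b".data".ljust(8, b"\0") + struct.pack("<IIII", sec_size, sec_rva, sec_size, sec_off) + bytes(16)
    return bytes((dos + b"PE\0\0" + file_hdr + opt + sec).ljust(sec_off, b"\0") + body)
```

Running parse_pe on a real file (open(path, "rb").read()) gives the same two lists; an EXE whose only import is kernel32.dll and which still carries TLS callbacks is exactly the tls-nousr case, and the predicate flags it. The check is static, so it cannot see the APPENDIX case in evaluator's post (a DLL with an entry point loaded at runtime, which makes the callbacks fire at ExitProcess); for that you still have to run the sample.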