evaluator
January 10th, 2009, 03:20
(drop from blog)
i found code in NTDLL, where flags tested in module-list
Code:
cmp edx,ecx
je . --1
and b,[edx+025],0EF
test b,[edx+025],040 << this test flag is present for NTDLL & KERNEL32
je . --2
mov edx,[edx]
jmps . --3
@2:
and then IF this DLL has EntryPoint, counter increases!
BTW! USER32 has not EP.. but others loaded with USER32 have..
so if this counter reterns NULL, then TLS-callback will NOT called
RESUME:
TLS-callback will called if there will any DLL (except NTDLL & KERNEL32) wilth EntryPoint
APPENDIX:
but also TLS-callback will be called on ExitProcess, if at runtime will be loaded & present
such like DLL;