Last review: Sept 15,2025

TLS callbacks

TLS (Thread Local Storage) callbacks are functions that execute when a thread is created in a process. The section that stores these callbacks can be retrieved from the IMAGE_DIRECTORY_ENTRY_TLS directory. This section is represented by the following structure:

CPP

typedef struct _IMAGE_TLS_DIRECTORY64 {
    ULONGLONG   StartAddressOfRawData;
    ULONGLONG   EndAddressOfRawData;
    ULONGLONG   AddressOfIndex;
    ULONGLONG   AddressOfCallBacks;
    DWORD       SizeOfZeroFill;
    DWORD       Characteristics;
} IMAGE_TLS_DIRECTORY64, *PIMAGE_TLS_DIRECTORY64;

typedef IMAGE_TLS_DIRECTORY64           IMAGE_TLS_DIRECTORY;
typedef PIMAGE_TLS_DIRECTORY64          PIMAGE_TLS_DIRECTORY;

The most important field in this structure is AddressOfCallBacks, which points to a table containing the addresses of the callbacks. Once found, they simply need to be executed using the following prototype:

CPP

void(NTAPI * callback_func)(PVOID DllHandle, DWORD dwReason, PVOID) = (void(NTAPI*)(PVOID, DWORD, PVOID)) (callback_va);
callback_func(modulePtr, DLL_PROCESS_ATTACH, NULL);

← Previous Next →

TLS callbacks ​

TLS callbacks