# XP/S2K3 fails to process TLS w/o USER32
Posted in anti-AV, anti-dbg, bugs, win32 on 01/01/2009 05:54 am by kpncXP and later does not execute TLS callbacks if USER32 is not loaded. this is undocumented feature that is not mentioned in the MS PE Specification and W2K does not request USER32 to process TLS callbacks, so it’s definitely a bug of XP/S2K3. just a few anti-viruses emulate TLS callbacks (Kaspersky and NOD32), but they don’t know this bug, so there is a way to bypass them. some worms have started to use this trickā¦
# download paper and POCs