On Sunday 04 July 2010 09:14:14 Илья Басин wrote:
2010/7/4 Marcus Meissner marcus@jet.franken.de
On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
One widely used dll injection technique is copying the dll path to the target process memory and calling CreateRemoteThread() using the address of LoadLibraryA as lpStartAddress. This relies on the fact that all processes have the same base address of kernel32.dll (and some other system dlls). On Wine only ntdll is always loaded to the same base address, so it's potentially possible to do the same for kernel32, right?
kernel32 is also loaded to the same base address.
(the Makefile has: EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000 )
Are you seeing otherwise?
    #include <windows.h>
    #include <stdio.h>

    int main(void)
    {
        /* HMODULE is a pointer, so cast it before printing it as a hex number */
        HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
        printf("0x%08lx\n", (unsigned long)(ULONG_PTR)hKernel32);
        return 0;
    }

[il@IL winetest]$ wine a.exe
0x7edf0000
[il@IL winetest]$ wine a.exe
0x7edf0000
[il@IL winetest]$ wine a.exe
0x7ede0000
Is this on Linux?