2010/7/4 Marcus Meissner <marcus@jet.franken.de>
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>> One widely used dll injection technique is copying the dll path to the
>> target process memory and calling CreateRemoteThread() using the address of
>> LoadLibraryA as lpStartAddress. This relies on the fact that all processes
>> have the same base address of kernel32.dll (and some other system dlls).
>> On Wine only ntdll is always loaded to the same base address, so it's
>> potentially possible to do the same for kernel32, right?
>
> kernel32 is also loaded to the same base address.
>
> (the Makefile has:
> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
> )
>
> Are you seeing otherwise?
>
> Ciao, Marcus

#include <windows.h>
#include <stdio.h>
int main(void) {
    /* base address at which kernel32.dll is mapped in this (32-bit) process */
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    printf("0x%08lx\n", (unsigned long)(ULONG_PTR)hKernel32);
    return 0;
}

[il@IL winetest]$ wine a.exe
0x7edf0000
[il@IL winetest]$ wine a.exe
0x7edf0000
[il@IL winetest]$ wine a.exe
0x7ede0000