One widely used dll injection technique is copying the dll path to the target process memory and calling CreateRemoteThread() using the address of LoadLibraryA as lpStartAddress. This relies on the fact that all processes have the same base address of kernel32.dll (and some other system dlls). On Wine only ntdll is always loaded to the same base address, so it's potentially possible to do the same for kernel32, right?
On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
> One widely used dll injection technique is copying the dll path to the target process memory and calling CreateRemoteThread() using the address of LoadLibraryA as lpStartAddress. This relies on the fact that all processes have the same base address of kernel32.dll (and some other system dlls). On Wine only ntdll is always loaded to the same base address, so it's potentially possible to do the same for kernel32, right?
kernel32 is also loaded to the same base address.
(the Makefile has: EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000 )
Are you seeing otherwise?
Ciao, Marcus
2010/7/4 Marcus Meissner marcus@jet.franken.de
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>> One widely used dll injection technique is copying the dll path to the
>> target process memory and calling CreateRemoteThread() using the address
>> of LoadLibraryA as lpStartAddress. This relies on the fact that all
>> processes have the same base address of kernel32.dll (and some other
>> system dlls). On Wine only ntdll is always loaded to the same base
>> address, so it's potentially possible to do the same for kernel32, right?
> kernel32 is also loaded to the same base address.
> (the Makefile has: EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000 )
> Are you seeing otherwise?
> Ciao, Marcus
#include <stdio.h>
#include <windows.h>

/* Print the base address kernel32.dll got in this process. */
int main(void)
{
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    printf("0x%08lx\n", (unsigned long)(ULONG_PTR)hKernel32);
    return 0;
}

[il@IL winetest]$ wine a.exe
0x7edf0000
[il@IL winetest]$ wine a.exe
0x7edf0000
[il@IL winetest]$ wine a.exe
0x7ede0000
On Sunday 04 July 2010 09:14:14 Илья Басин wrote:
> 2010/7/4 Marcus Meissner marcus@jet.franken.de
>> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>>> One widely used dll injection technique is copying the dll path to the target process memory and calling CreateRemoteThread() using the address of LoadLibraryA as lpStartAddress. This relies on the fact that all processes have the same base address of kernel32.dll (and some other system dlls). On Wine only ntdll is always loaded to the same base address, so it's potentially possible to do the same for kernel32, right?
>> kernel32 is also loaded to the same base address.
>> (the Makefile has: EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000 )
>> Are you seeing otherwise?
> int main() { HMODULE hKernel32 = GetModuleHandle("kernel32.dll"); printf("0x%8x\n", hKernel32); }
> [il@IL winetest]$ wine a.exe
> 0x7edf0000
> [il@IL winetest]$ wine a.exe
> 0x7edf0000
> [il@IL winetest]$ wine a.exe
> 0x7ede0000
Is this on Linux?
> int main() { HMODULE hKernel32 = GetModuleHandle("kernel32.dll"); printf("0x%8x\n", hKernel32); }
> [il@IL winetest]$ wine a.exe
> 0x7edf0000
> [il@IL winetest]$ wine a.exe
> 0x7edf0000
> [il@IL winetest]$ wine a.exe
> 0x7ede0000
TC> Is this on Linux?
yes
On Sunday 04 July 2010 12:10:36 Ilya Basin wrote:
>> int main() { HMODULE hKernel32 = GetModuleHandle("kernel32.dll"); printf("0x%8x\n", hKernel32); }
>> [il@IL winetest]$ wine a.exe
>> 0x7edf0000
>> [il@IL winetest]$ wine a.exe
>> 0x7edf0000
>> [il@IL winetest]$ wine a.exe
>> 0x7ede0000
>> Is this on Linux?
> yes
In that case you should check if you have prelink installed and then configure and build wine.
TC> In that case you should check if you have prelink installed and
TC> then configure and build wine.
Kinda works. kernel32 and user32 seem to be in their places. I wonder why our package maintainers didn't mark prelink as makedepends. Maybe it's not 100% reliable? For example, if one of Wine's dependencies, say, libpthread or libc gets updated?
On 07/05/2010 11:53 AM, Ilya Basin wrote:
> I wonder why our package maintainers didn't mark prelink as makedepends.
Report that as a bug to your distro.
> Maybe it's not 100% reliable?
It is 100% reliable, if prelink works of course.
> For example, if one of Wine's dependencies, say, libpthread or libc gets updated?
That doesn't matter. Prelink alters the library itself to indicate the required load address. And Wine makes sure the lower 2GB of address space is reserved so nothing else can be loaded there.
Vitaliy.
Marcus Meissner wrote:
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>> One widely used dll injection technique is copying the dll path to the target process memory and calling CreateRemoteThread() using the address of LoadLibraryA as lpStartAddress. This relies on the fact that all processes have the same base address of kernel32.dll (and some other system dlls). On Wine only ntdll is always loaded to the same base address, so it's potentially possible to do the same for kernel32, right?
> kernel32 is also loaded to the same base address.
> (the Makefile has: EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000 )
Is there a good reason for this? Otherwise, this opens a security vulnerability in Wine that does not exist in Windows....
James McKenzie