base addresses of kernel32

Илья Басин basinilya at gmail.com
Sun Jul 4 01:04:01 CDT 2010


One widely used dll injection technique is copying the dll path to the
target process memory and calling CreateRemoteThread() using the address of
LoadLibraryA as lpStartAddress. This relies on the fact that all processes
have the same base address of kernel32.dll (and some other system dlls).
On Wine only ntdll is always loaded to the same base address, so it's
potentially possible to do the same for kernel32, right?
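
The assumption the message describes (the same module base in every process) can be checked directly. This is an added example, not part of the original post or of Wine's code. It assumes Linux `/proc/<pid>/maps` text as input and treats the lowest mapping whose file name matches the module as its load base; the sample maps, paths and addresses are constructed.

```python
import os
import re

# One /proc/<pid>/maps line: "start-end perms offset dev inode path"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+(\S.*)$"
)

# Constructed sample excerpts (not captured from a real system): ntdll sits at
# the same address in both processes, kernel32 does not.
SAMPLE = {
    101: "7b800000-7b8a0000 r-xp 00000000 08:01 1001 /usr/lib/wine/kernel32.dll.so\n"
         "7bc00000-7bcc0000 r-xp 00000000 08:01 1002 /usr/lib/wine/ntdll.dll.so\n"
         "7ffd0000-7ffe0000 rw-p 00000000 00:00 0\n",
    102: "7b820000-7b8c0000 r-xp 00000000 08:01 1001 /usr/lib/wine/kernel32.dll.so\n"
         "7bc00000-7bcc0000 r-xp 00000000 08:01 1002 /usr/lib/wine/ntdll.dll.so\n",
}

def module_base(maps_text, module):
    """Lowest mapped address of `module` in one process, or None if absent."""
    # Assumption: the module is backed by a file named <module> or <module>.so
    wanted = {module.lower(), module.lower() + ".so"}
    starts = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())  # anonymous mappings have no path: no match
        if m and os.path.basename(m.group(3)).lower() in wanted:
            starts.append(int(m.group(1), 16))
    return min(starts) if starts else None

def shared_base(maps_by_pid, module="kernel32.dll"):
    """Return (same_everywhere, {pid: base}) over the processes that load `module`."""
    bases = {pid: module_base(text, module) for pid, text in maps_by_pid.items()}
    loaded = {pid: b for pid, b in bases.items() if b is not None}
    same = len(loaded) > 0 and len(set(loaded.values())) == 1
    return same, loaded

if __name__ == "__main__":
    for name in ("ntdll.dll", "kernel32.dll"):
        same, bases = shared_base(SAMPLE, name)
        shown = {pid: hex(b) for pid, b in bases.items()}
        print(f"{name}: same base in all processes = {same} {shown}")
```

When `shared_base` reports `False` for a module, an address resolved in one process (such as that of `LoadLibraryA`) is not valid as a thread start address in another.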