base addresses of kernel32

Илья Басин basinilya at gmail.com
Sun Jul 4 02:14:14 CDT 2010


2010/7/4 Marcus Meissner <marcus at jet.franken.de>

> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
> > One widely used dll injection technique is copying the dll path to the
> > target process memory and calling CreateRemoteThread() using the address of
> > LoadLibraryA as lpStartAddress. This relies on the fact that all processes
> > have the same base address of kernel32.dll (and some other system dlls).
> > On Wine only ntdll is always loaded to the same base address, so it's
> > potentially possible to do the same for kernel32, right?
>
> kernel32 is also loaded to the same base address.
>
> (the Makefile has:
> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
> )
>
> Are you seeing otherwise?
>
> Ciao, Marcus
>

#include <windows.h>
#include <stdio.h>

int main(void) {
  /* Base address of kernel32.dll in this process; HMODULE is a pointer, so widen it before printing */
  HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
  printf("0x%08lx\n", (unsigned long)(ULONG_PTR)hKernel32);
  return 0;
}

[il at IL winetest]$ wine a.exe
0x7edf0000
[il at IL winetest]$ wine a.exe
0x7edf0000
[il at IL winetest]$ wine a.exe
0x7ede0000
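
The runs above show the kernel32 base changing between two launches of the same binary (0x7edf0000, then 0x7ede0000), which is exactly the assumption the LoadLibraryA-as-lpStartAddress injector makes. The following is an added example, not code from the thread or from Wine: instead of passing the injector's own LoadLibraryA address to the target, it reads the target's kernel32 base and adds the local RVA of LoadLibraryA. The function names rebase_export and remote_module_base are my own, the Windows part uses the documented Toolhelp32 snapshot API, and the non-Windows build feeds the rebase step the two bases seen above plus a constructed LoadLibraryA offset (0x1a2b0, hypothetical) so it compiles and runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Translate an address inside a module from this process to the target:
 * remote_base + (local_addr - local_base). Returns 0 if local_addr lies
 * below the local module base, i.e. is not inside the module image. */
uintptr_t rebase_export(uintptr_t local_base, uintptr_t local_addr,
                        uintptr_t remote_base)
{
    if (local_addr < local_base)
        return 0;
    return remote_base + (local_addr - local_base);
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

/* Base of the named module in another process, read from a Toolhelp32
 * module snapshot. Returns 0 if the snapshot fails or the module is absent. */
uintptr_t remote_module_base(DWORD pid, const char *name)
{
    uintptr_t base = 0;
    MODULEENTRY32 me;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    me.dwSize = sizeof(me);
    if (Module32First(snap, &me)) {
        do {
            if (_stricmp(me.szModule, name) == 0) {
                base = (uintptr_t)me.modBaseAddr;
                break;
            }
        } while (Module32Next(snap, &me));
    }
    CloseHandle(snap);
    return base;
}

int main(int argc, char **argv)
{
    DWORD pid;
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    uintptr_t local_base = (uintptr_t)k32;
    uintptr_t local_ll = (uintptr_t)GetProcAddress(k32, "LoadLibraryA");
    uintptr_t remote_base, remote_ll;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return 1;
    }
    pid = (DWORD)strtoul(argv[1], NULL, 10);
    remote_base = remote_module_base(pid, "kernel32.dll");
    if (remote_base == 0) {
        fprintf(stderr, "kernel32.dll not found in pid %lu\n", (unsigned long)pid);
        return 1;
    }
    remote_ll = rebase_export(local_base, local_ll, remote_base);
    printf("local  kernel32 0x%08lx  LoadLibraryA 0x%08lx\n",
           (unsigned long)local_base, (unsigned long)local_ll);
    printf("remote kernel32 0x%08lx  LoadLibraryA 0x%08lx%s\n",
           (unsigned long)remote_base, (unsigned long)remote_ll,
           remote_base == local_base ? "" : "  (bases differ: rebasing was required)");
    return 0;
}
#else
/* Non-Windows build: the two bases from the wine runs above and a
 * constructed (hypothetical) LoadLibraryA RVA of 0x1a2b0. */
int main(void)
{
    uintptr_t local_base = 0x7edf0000u, remote_base = 0x7ede0000u;
    uintptr_t local_ll = local_base + 0x1a2b0u;
    printf("local LoadLibraryA 0x%08lx -> remote 0x%08lx\n",
           (unsigned long)local_ll,
           (unsigned long)rebase_export(local_base, local_ll, remote_base));
    return 0;
}
#endif
```

The remaining injector steps (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread with the rebased address) are unchanged from the usual recipe and are not shown. The rebase only holds when both processes map the same kernel32 image, so a 32-bit injector must not rebase into a 64-bit target or vice versa; compare the snapshot's base against the local one before trusting it, as the Windows build does.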