base addresses of kernel32

James McKenzie jjmckenzie51 at earthlink.net
Sun Jul 4 13:08:24 CDT 2010


Marcus Meissner wrote:
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>   
>> One widely used dll injection technique is copying the dll path to the
>> target process memory and calling CreateRemoteThread() using the address of
>> LoadLibraryA as lpStartAddress. This relies on the fact that all processes
>> have the same base address of kernel32.dll (and some other system dlls).
>> On Wine only ntdll is always loaded to the same base address, so it's
>> potentially possible to do the same for kernel32, right?
>>     
>
> kernel32 is also loaded to the same base address.
>
> (the Makefile has:
> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
> )
>   
Is there a good reason for this?  Otherwise, this opens a security 
vulnerability in Wine that does not exist in Windows....

James McKenzie
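The check a defender would want after reading this exchange is a static one: does a given kernel32.dll (or any other system DLL) advertise a fixed preferred base, and is it marked relocatable? The following C program is an added example written for this archive page; it is not code from the thread or from the Wine project. It parses only the PE headers (DOS stub, COFF header, optional header), reports the ImageBase and whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) is set, and flags a match against the 0x7b800000 image base Marcus quotes from Wine's Makefile. The struct and function names, and the in-memory sample image built by build_sample_pe(), are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WINE_KERNEL32_IMAGE_BASE 0x7b800000u   /* value quoted in the thread */
#define DLLCHAR_DYNAMIC_BASE     0x0040        /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */

/* Hypothetical result type for the header inspection. */
struct pe_base_info {
    int ok;                       /* 1 if the headers parsed */
    int is_pe32plus;              /* 1 for PE32+ (64-bit), 0 for PE32 */
    uint64_t image_base;          /* preferred load address */
    uint16_t dll_characteristics; /* raw DllCharacteristics field */
    int dynamic_base;             /* DYNAMIC_BASE flag present? */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

/* Parse the PE headers held in buf (the first few KiB of a file are enough).
 * Every offset is bounds-checked against len before it is read. */
int pe_inspect(const uint8_t *buf, size_t len, struct pe_base_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *coff = nt + 4;
    uint16_t opt_size = rd16(coff + 16);            /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    /* DllCharacteristics sits at offset 70 of the optional header in both formats */
    if (opt_size < 72 || (size_t)(opt - buf) + opt_size > len) return 0;
    uint16_t magic = rd16(opt);
    if (magic == 0x10b) {                            /* PE32: 32-bit ImageBase at +28 */
        out->is_pe32plus = 0;
        out->image_base = rd32(opt + 28);
    } else if (magic == 0x20b) {                     /* PE32+: 64-bit ImageBase at +24 */
        out->is_pe32plus = 1;
        out->image_base = rd64(opt + 24);
    } else {
        return 0;
    }
    out->dll_characteristics = rd16(opt + 70);
    out->dynamic_base = (out->dll_characteristics & DLLCHAR_DYNAMIC_BASE) != 0;
    out->ok = 1;
    return 1;
}

/* Read just the headers of an on-disk image and inspect them. */
int pe_inspect_file(const char *path, struct pe_base_info *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    uint8_t hdr[4096];
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return pe_inspect(hdr, n, out);
}

/* Constructed sample: a minimal PE32 DLL header (no sections, not loadable)
 * with the given ImageBase and DllCharacteristics. Returns bytes written. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t image_base, uint16_t dll_chars)
{
    const uint32_t e_lfanew = 0x40;
    const uint16_t opt_size = 224;                   /* PE32 optional header */
    size_t total = e_lfanew + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, e_lfanew);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    uint8_t *coff = buf + e_lfanew + 4;
    wr16(coff + 0, 0x014c);                          /* IMAGE_FILE_MACHINE_I386 */
    wr16(coff + 16, opt_size);
    wr16(coff + 18, 0x2102);                         /* EXECUTABLE_IMAGE | 32BIT | DLL */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x10b);                            /* PE32 magic */
    wr32(opt + 28, image_base);
    wr16(opt + 70, dll_chars);
    return total;
}

/* Build a sample pinned at the Wine kernel32 base and report whether it is
 * fixed (1), relocatable (0) or unparseable (-1). */
int sample_is_fixed_base(uint16_t dll_chars, struct pe_base_info *info)
{
    uint8_t buf[512];
    size_t n = build_sample_pe(buf, sizeof buf, WINE_KERNEL32_IMAGE_BASE, dll_chars);
    if (!pe_inspect(buf, n, info)) return -1;
    return !info->dynamic_base;
}

int main(int argc, char **argv)
{
    struct pe_base_info info;
    if (argc < 2) { fprintf(stderr, "usage: %s <image.dll>\n", argv[0]); return 2; }
    if (!pe_inspect_file(argv[1], &info)) { fprintf(stderr, "%s: not a PE image\n", argv[1]); return 1; }
    printf("%s: %s ImageBase=0x%llx DllCharacteristics=0x%04x dynamic base: %s%s\n",
           argv[1], info.is_pe32plus ? "PE32+" : "PE32",
           (unsigned long long)info.image_base, info.dll_characteristics,
           info.dynamic_base ? "yes" : "no (pinned to preferred base)",
           info.image_base == WINE_KERNEL32_IMAGE_BASE ? " [matches Wine kernel32 base]" : "");
    return 0;
}
```

Run it against a kernel32.dll from a Wine prefix or a Windows installation. The flag only describes what the Windows loader is asked to do with the image; a DLL without it can still end up relocated when its preferred range is occupied, and Wine's own loader decides placement on its side, so treat the header as a static signal and confirm with the addresses actually observed in running processes.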



