base addresses of kernel32

Tijl Coosemans tijl at coosemans.org
Sun Jul 4 04:22:59 CDT 2010


On Sunday 04 July 2010 09:14:14 Илья Басин wrote:
> 2010/7/4 Marcus Meissner <marcus at jet.franken.de>
>> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>>> One widely used dll injection technique is copying the dll path to
>>> the target process memory and calling CreateRemoteThread() using
>>> the address of LoadLibraryA as lpStartAddress. This relies on the
>>> fact that all processes have the same base address of kernel32.dll
>>> (and some other system dlls). On Wine only ntdll is always loaded
>>> to the same base address, so it's potentially possible to do the
>>> same for kernel32, right?
>>
>> kernel32 is also loaded to the same base address.
>>
>> (the Makefile has:
>> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
>> )
>>
>> Are you seeing otherwise?
>
> #include <windows.h>
> #include <stdio.h>
>
> int main(void) {
>   /* Base address of kernel32.dll in this process */
>   HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
>   printf("0x%08lx\n", (unsigned long)(ULONG_PTR)hKernel32);
>   return 0;
> }
>
> [il at IL winetest]$ wine a.exe
> 0x7edf0000
> [il at IL winetest]$ wine a.exe
> 0x7edf0000
> [il at IL winetest]$ wine a.exe
> 0x7ede0000

Is this on Linux?
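
Added example, not code from the thread: a small PE header parser that reads a module's preferred ImageBase and its DYNAMIC_BASE flag, and reports whether an observed load address means the module was relocated. The header bytes are constructed inline; the sample values (link-time base 0x7b800000, observed 0x7edf0000) are the ones quoted above.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR-relocatable image
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_base_info(data: bytes) -> dict:
    """Return the preferred ImageBase and whether DYNAMIC_BASE is set."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)  # same offset in both
    return {"image_base": image_base,
            "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)}


def relocation_report(data: bytes, observed_base: int) -> dict:
    """Compare the observed module base (e.g. from GetModuleHandle) to ImageBase."""
    info = parse_pe_base_info(data)
    info["observed_base"] = observed_base
    info["relocated"] = observed_base != info["image_base"]
    return info


def build_min_pe(image_base: int, dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed headers only (enough for the parser); not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> right after DOS header
    opt = bytearray(112 if pe32plus else 96)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed kernel32-like header with the thread's link-time base
    sample = build_min_pe(0x7B800000, 0)
    print(relocation_report(sample, 0x7EDF0000))
```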
