base addresses of kernel32

James McKenzie jjmckenzie51 at
Sun Jul 4 13:08:24 CDT 2010

Marcus Meissner wrote:
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>> One widely used dll injection technique is copying the dll path to the
>> target process memory and calling CreateRemoteThread() using the address of
>> LoadLibraryA as lpStartAddress. This relies on the fact that all processes
>> have the same base address of kernel32.dll (and some other system dlls).
>> On Wine only ntdll is always loaded to the same base address, so it's
>> potentially possible to do the same for kernel32, right?
> kernel32 is also loaded to the same base address.
> (the Makefile has:
> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
> )
Is there a good reason for this?  Otherwise, this opens a security 
vulnerability in Wine that does not exist in Windows....

James McKenzie

More information about the wine-devel mailing list