base addresses of kernel32
jjmckenzie51 at earthlink.net
Sun Jul 4 13:08:24 CDT 2010
Marcus Meissner wrote:
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
>> One widely used dll injection technique is copying the dll path to the
>> target process memory and calling CreateRemoteThread() using the address of
>> LoadLibraryA as lpStartAddress. This relies on the fact that all processes
>> have the same base address of kernel32.dll (and some other system dlls).
>> On Wine only ntdll is always loaded to the same base address, so it's
>> potentially possible to do the same for kernel32, right?
> kernel32 is also loaded to the same base address.
> (the Makefile has:
> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
Is there a good reason for this? Otherwise, this opens a security
vulnerability in Wine that does not exist in Windows....
More information about the wine-devel