On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
> One widely used dll injection technique is copying the dll path to the
> target process memory and calling CreateRemoteThread() using the address of
> LoadLibraryA as lpStartAddress. This relies on the fact that all processes
> have the same base address of kernel32.dll (and some other system dlls).
> On Wine only ntdll is always loaded to the same base address, so it's
> potentially possible to do the same for kernel32, right?
kernel32 is also loaded to the same base address.
(the Makefile has:
EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
)

Are you seeing otherwise?

Ciao, Marcus
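The claim in the reply (that Wine's kernel32 is linked with a fixed preferred base of 0x7b800000) can be checked statically by reading the ImageBase field from the PE optional header of the built DLL. The script below is an added example, not code from the thread or from the Wine project: it parses the DOS header, PE signature, COFF header and optional header (PE32 and PE32+), and also reports the IMAGE_FILE_DLL and DYNAMIC_BASE (ASLR) flags, because a preferred base is only a guaranteed load address when the loader does not relocate the image; the ASLR check goes slightly beyond what the thread discusses. The sample image it parses is constructed in the script (`make_sample_pe32` is a hypothetical helper that emits a header-only, non-loadable PE32 blob), so it runs offline; on a real file call `pe_image_base(open(path, "rb").read())`.

```python
import struct

# PE header flag constants (from the PE/COFF specification)
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040

# Value from the --image-base linker flag quoted in the reply above
WINE_KERNEL32_BASE = 0x7B800000


def pe_image_base(data: bytes) -> dict:
    """Return the preferred load address and related flags from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    # e_lfanew at DOS header offset 0x3C points at the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsections, _ts, _psym, _nsym, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size == 0:
        raise ValueError("no optional header (object file, not an image)")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:      # PE32: 32-bit ImageBase at optional header offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:    # PE32+: 64-bit ImageBase at optional header offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "image_base": image_base,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "pe32plus": magic == 0x20B,
    }


def has_fixed_base(data: bytes, expected: int) -> bool:
    """True if the image prefers `expected` and is not flagged for ASLR relocation."""
    info = pe_image_base(data)
    return info["image_base"] == expected and not info["dynamic_base"]


def make_sample_pe32(image_base: int, dll_characteristics: int = 0) -> bytes:
    """Constructed test data (hypothetical helper): a header-only PE32 DLL image.
    It is not loadable and is not a real kernel32.dll; it only exercises the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> right after DOS header
    # i386, no sections, optional header of 224 bytes, EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = make_sample_pe32(WINE_KERNEL32_BASE)
    print(pe_image_base(sample))
    print("fixed at Wine kernel32 base:", has_fixed_base(sample, WINE_KERNEL32_BASE))
```

Note that this reads the preferred base recorded in the file; whether a process actually maps the DLL there depends on the loader honoring that preference, which is exactly the property the thread is asking about.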