2010/7/4 Marcus Meissner <mar...@jet.franken.de>
> On Sun, Jul 04, 2010 at 10:04:01AM +0400, Илья Басин wrote:
> > One widely used dll injection technique is copying the dll path to the
> > target process memory and calling CreateRemoteThread() using the address of
> > LoadLibraryA as lpStartAddress. This relies on the fact that all processes
> > have the same base address of kernel32.dll (and some other system dlls).
> > On Wine only ntdll is always loaded to the same base address, so it's
> > potentially possible to do the same for kernel32, right?
>
> kernel32 is also loaded to the same base address.
>
> (the Makefile has:
> EXTRADLLFLAGS = -Wb,-F,KERNEL32.dll -Wl,--image-base,0x7b800000
> )
>
> Are you seeing otherwise?
>
> Ciao, Marcus
>

#include <windows.h>
#include <stdio.h>
#include <inttypes.h>

int main(void)
{
    /* base address kernel32.dll is mapped at in this process */
    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    printf("0x%08" PRIxPTR "\n", (uintptr_t)hKernel32);
    return 0;
}
[...@il winetest]$ wine a.exe
0x7edf0000
[...@il winetest]$ wine a.exe
0x7edf0000
[...@il winetest]$ wine a.exe
0x7ede0000