Would ASLR cause friction for the address with DLL

2020-02-12 14:28发布

I was reading about the DLL injection technique, and I had this question in mind.

Let us assume we want to inject a DLL into a destination process in Windows 7 which has ASLR enabled for kernel32.dll

So any piece of the injected code can't use any winapi or any system call since the address of let's say loadLibrary function in the injector code will differ from the address loadLibrary in the destination process, Won't it ?

So such a call to CreateRemoteThread won't work:

CreateRemoteThread(hProcess,
                   NULL,
                   0,
                   (LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32,
                                                             "LoadLibraryA" ),
                   pLibRemote,
                   0,
                   NULL );

::WaitForSingleObject( hThread, INFINITE );

Correct me if I am wrong in this reasoning.

2条回答
Anthone
2楼-- · 2020-02-12 14:40

No, I believe that is incorrect. The addresses of modules like kernel32.dll are randomized when the machine boots but are the same for all processes.

查看更多
Ridiculous、
3楼-- · 2020-02-12 14:44

he can use GetModuleHandle (and GetProcAddress) directly, FROM THE INJECTOR'S IMPORT TABLE, which will redirect to a call to GetModuleHandle ON KERNEL32, to get the Address of LoadLibraryA ON KERNEL32, that can be used on any process

if he passed the hardcoded LoadLibraryA's address directly, he would be passind the address of LoadLibraryA ON THE INJECTOR'S IMPORT TABLE, which is not the same on the target process

one may ask: "why it doesn't translate the import table instead of calling GetModuleHandle and GetProcAddress?". The import table is just a table of pointers obtained by the executable loader using THE SAME GetModuleHandle and GetProcAddress (actually not the same, but similar)

查看更多
登录 后发表回答