I was reading about the DLL injection technique, and I had this question in mind.
Let us assume we want to inject a DLL into a destination process in Windows 7 which has ASLR enabled for kernel32.dll
So any piece of the injected code can't use any winapi or any system call since the address of let's say loadLibrary function in the injector code will differ from the address loadLibrary in the destination process, Won't it ?
So such a call to CreateRemoteThread
won't work:
CreateRemoteThread(hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32,
"LoadLibraryA" ),
pLibRemote,
0,
NULL );
::WaitForSingleObject( hThread, INFINITE );
Correct me if I am wrong in this reasoning.
No, I believe that is incorrect. The addresses of modules like
kernel32.dll
are randomized when the machine boots but are the same for all processes.he can use GetModuleHandle (and GetProcAddress) directly, FROM THE INJECTOR'S IMPORT TABLE, which will redirect to a call to GetModuleHandle ON KERNEL32, to get the Address of LoadLibraryA ON KERNEL32, that can be used on any process
if he passed the hardcoded LoadLibraryA's address directly, he would be passind the address of LoadLibraryA ON THE INJECTOR'S IMPORT TABLE, which is not the same on the target process
one may ask: "why it doesn't translate the import table instead of calling GetModuleHandle and GetProcAddress?". The import table is just a table of pointers obtained by the executable loader using THE SAME GetModuleHandle and GetProcAddress (actually not the same, but similar)