Question
Specifically, I want to know if the kernel32.dll load address can be different for two processes within the same session. I want to use CreateRemoteThread, so I just wanted to know if the kernel32 load address in the remote process can be different from that in the injecting process in any scenario.
Answer 1:
Kernel32.dll has the same base address in all processes to allow exactly what you'd like to do. Read: Why are certain DLLs required to be at the same base address system-wide?
Answer 2:
System DLLs are loaded at random addresses (ASLRed) for security reasons so that a remote attacker can't guess where bits of code on your system are living in memory (i.e. remote attackers can't guess pointers on your computer).
This happens once per boot, and hence kernel32 will be loaded at the same address in all processes across your system.
Source: https://stackoverflow.com/questions/6732680/can-we-rebase-kernel32-dll-such-that-load-address-is-different-for-two-process