winapi - Would ASLR cause friction for the address with DLL injection?

Question

Welcome To Ask or Share your Answers For Others

winapi - Would ASLR cause friction for the address with DLL injection?

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

winapi - Would ASLR cause friction for the address with DLL injection?

I was reading about the DLL injection technique, and I had this question in mind.

Let us assume we want to inject a DLL into a destination process in Windows 7 which has ASLR enabled for kernel32.dll

So any piece of the injected code can't use any winapi or any system call since the address of let's say loadLibrary function in the injector code will differ from the address loadLibrary in the destination process, Won't it ?

So such a call to CreateRemoteThread won't work:

CreateRemoteThread(hProcess,
                   NULL,
                   0,
                   (LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32,
                                                             "LoadLibraryA" ),
                   pLibRemote,
                   0,
                   NULL );

::WaitForSingleObject( hThread, INFINITE );

Correct me if I am wrong in this reasoning.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T21:35:25+0000

No, I believe that is incorrect. The addresses of modules like kernel32.dll are randomized when the machine boots but are the same for all processes.

Categories

winapi - Would ASLR cause friction for the address with DLL injection?

winapi - Would ASLR cause friction for the address with DLL injection?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags