A forum for reverse engineering, OS internals and malware analysis 

 #10828  by Kiuhnm
 Thu Jan 05, 2012 12:58 pm
Hi,
there are at least 3 ways to inject a DLL into another process from Ring 3 (and then modify the IAT):
a) modify the registry,
b) use SetWindowsHookEx,
c) use CreateRemoteThread (or RtlCreateUserThread)

Regarding method c), can I assume that Kernel32.dll is loaded at the same base address in each memory context?
 #10836  by EP_X0FF
 Thu Jan 05, 2012 3:16 pm
If ASLR is present then on next reboot it will be different address.
 #10844  by Kiuhnm
 Thu Jan 05, 2012 5:33 pm
What I'm asking is whether I can assume that each process sees Kernel32.dll loaded at the same address (i.e. in a shared area) in all Windows versions.
 #10848  by Brock
 Thu Jan 05, 2012 9:04 pm
Even with ASLR enabled, system modules such as ntdll.dll and kernel32.dll will still all have the same image base address from process to process after rebooting. The image base address changes, but it's still the same virtual address in each individual process. The safest way is to dynamically determine the base address in the target process. I think a lot of people confuse this with each process having these shared DLLs loaded at different places from the next process; this is incorrect.
 #10849  by Kiuhnm
 Thu Jan 05, 2012 10:30 pm
Brock wrote: Even with ASLR enabled, system modules such as ntdll.dll and kernel32.dll will still all have the same image base address from process to process after rebooting. The image base address changes, but it's still the same virtual address in each individual process. The safest way is to dynamically determine the base address in the target process. I think a lot of people confuse this with each process having these shared DLLs loaded at different places from the next process; this is incorrect.
Now that I think of it, the fact that ASLR computes the base addresses at boot time confirms that these addresses are system-wide. Anyway, it's easy to inject code + data instead of just data.
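A way to check Brock's claim on a live system, as an added example that is not part of the thread and not code from any of the posters: the script below enumerates every process the current session can inspect, records the base address at which each one has kernel32.dll mapped, and groups the results. On a system where the per-boot ASLR base is shared, the output collapses to one group (or two on 64-bit Windows, where WOW64 processes map a separate 32-bit kernel32.dll at its own base). The function name `Get-ModuleBaseByProcess` is an assumption of this example, not an existing cmdlet.

```powershell
# Added example: compare the kernel32.dll base address across processes.
# Uses only the .NET System.Diagnostics.Process view that Get-Process exposes;
# no memory is read from or written to any target process.

function Get-ModuleBaseByProcess {
    param([string]$ModuleName = 'kernel32.dll')

    foreach ($p in Get-Process) {
        try {
            # Accessing .Modules opens the process for query; protected
            # processes and processes of other users will throw here.
            $m = $p.Modules |
                 Where-Object { $_.ModuleName -eq $ModuleName } |
                 Select-Object -First 1
            if ($m) {
                [pscustomobject]@{
                    ProcessId   = $p.Id
                    ProcessName = $p.ProcessName
                    BaseAddress = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                }
            }
        } catch {
            # Access denied or bitness mismatch: skip this process quietly.
        }
    }
}

$results = Get-ModuleBaseByProcess -ModuleName 'kernel32.dll'

# One line per distinct base address, with how many processes share it.
$results | Group-Object BaseAddress | Select-Object Count, Name

# Report the outcome plainly.
$distinct = ($results | Select-Object -ExpandProperty BaseAddress -Unique).Count
"Inspected $($results.Count) processes; $distinct distinct kernel32.dll base address(es)."
```

Run it from an elevated 64-bit PowerShell to see the widest sample; an unelevated session simply skips the processes it cannot open. Re-running after a reboot shows the base address itself moving while the number of distinct groups stays the same, which is the behaviour EP_X0FF and Brock describe. If you ever see more than one group within the same bitness, that is worth investigating rather than assuming: it would mean the image is not being shared the way the thread expects on that system.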