Would ASLR cause friction for the address with DLL injection?

2.1k views Asked by At

I was reading about the DLL injection technique, and I had this question in mind.

Let us assume we want to inject a DLL into a destination process in Windows 7 which has ASLR enabled for kernel32.dll

So any piece of the injected code can't use any winapi or any system call since the address of let's say loadLibrary function in the injector code will differ from the address loadLibrary in the destination process, Won't it ?

So such a call to CreateRemoteThread won't work:

CreateRemoteThread(hProcess,
                   NULL,
                   0,
                   (LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32,
                                                             "LoadLibraryA" ),
                   pLibRemote,
                   0,
                   NULL );

::WaitForSingleObject( hThread, INFINITE );

Correct me if I am wrong in this reasoning.

2

There are 2 answers

7
hmjd On BEST ANSWER

No, I believe that is incorrect. The addresses of modules like kernel32.dll are randomized when the machine boots but are the same for all processes.

0
Tulio150 On

he can use GetModuleHandle (and GetProcAddress) directly, FROM THE INJECTOR'S IMPORT TABLE, which will redirect to a call to GetModuleHandle ON KERNEL32, to get the Address of LoadLibraryA ON KERNEL32, that can be used on any process

if he passed the hardcoded LoadLibraryA's address directly, he would be passind the address of LoadLibraryA ON THE INJECTOR'S IMPORT TABLE, which is not the same on the target process

one may ask: "why it doesn't translate the import table instead of calling GetModuleHandle and GetProcAddress?". The import table is just a table of pointers obtained by the executable loader using THE SAME GetModuleHandle and GetProcAddress (actually not the same, but similar)