I was reading about the DLL injection technique, and I had this question in mind.
Let us assume we want to inject a DLL into a destination process on Windows 7 which has ASLR enabled for kernel32.dll.
So no piece of the injected code can use any WinAPI or any system call, since the address of, let's say, the LoadLibrary function in the injector code will differ from the address of LoadLibrary in the destination process. Won't it?
So such a call to CreateRemoteThread won't work:
    // hProcess: handle to the destination process (PROCESS_CREATE_THREAD, _VM_* rights)
    // pLibRemote: buffer in the target holding the DLL path, written with WriteProcessMemory
    HANDLE hThread = ::CreateRemoteThread( hProcess,
                                           NULL,
                                           0,
                                           // LoadLibraryA resolved in the injector's own kernel32
                                           (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32, "LoadLibraryA" ),
                                           pLibRemote,   // passed as the thread parameter: the DLL path
                                           0,
                                           NULL );
    ::WaitForSingleObject( hThread, INFINITE );
Correct me if I am wrong in this reasoning.
No, I believe that is incorrect. The addresses of modules like kernel32.dll are randomized when the machine boots but are the same for all processes.
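The answer's claim can be checked on the machine rather than taken on trust. The following PowerShell script is an added example by the editor, not code from either participant in this thread: it resolves kernel32.dll and LoadLibraryA in the current (injector) process via P/Invoke, then reads the kernel32.dll base address from every process it is allowed to inspect and reports how many distinct bases exist. It assumes it is run in an elevated PowerShell of the same bitness as the processes being examined (protected processes and processes of the other bitness are skipped rather than treated as counter-examples).

```powershell
# Added example (editor's own, not from the original thread).
# Checks whether kernel32.dll sits at one base in every process, which is what
# makes a GetProcAddress result from the injector valid inside the target.
# Assumption: run elevated, same bitness as the processes you want to inspect.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

# kernel32 base and LoadLibraryA address as seen from this (the injector's) process.
$hKernel32     = [Win32.Native]::GetModuleHandle("kernel32.dll")
$pLoadLibraryA = [Win32.Native]::GetProcAddress($hKernel32, "LoadLibraryA")
$offset        = $pLoadLibraryA.ToInt64() - $hKernel32.ToInt64()

"Injector: kernel32 base = 0x{0:X}, LoadLibraryA = 0x{1:X} (offset 0x{2:X} into the image)" -f `
    $hKernel32.ToInt64(), $pLoadLibraryA.ToInt64(), $offset

# kernel32 base in every other process we are allowed to read.
$bases = foreach ($p in Get-Process) {
    try {
        $m = $p.Modules | Where-Object { $_.ModuleName -ieq "kernel32.dll" } | Select-Object -First 1
        if ($m) {
            New-Object PSObject -Property @{
                Pid  = $p.Id
                Name = $p.ProcessName
                Base = $m.BaseAddress.ToInt64()
            }
        }
    } catch {
        # Access denied (protected process) or other-bitness process: skip it.
    }
}

# One group per distinct base address. On an unmodified boot this is a single group.
$groups = $bases | Group-Object Base
foreach ($g in $groups) {
    "kernel32 base 0x{0:X} in {1} process(es), e.g. {2}" -f `
        [int64]$g.Name, $g.Count, (($g.Group | Select-Object -First 3 | ForEach-Object { $_.Name }) -join ", ")
}

if ($groups.Count -eq 1 -and [int64]$groups[0].Name -eq $hKernel32.ToInt64()) {
    "Same base everywhere: LoadLibraryA is at 0x{0:X} in every inspected target, so the" -f $pLoadLibraryA.ToInt64()
    "CreateRemoteThread(..., GetProcAddress(hKernel32, 'LoadLibraryA'), ...) pattern is valid."
} else {
    "Bases differ: a GetProcAddress result from this process is NOT safe to use in every target."
}
```

Two caveats when reading the output. On a 64-bit host, 32-bit (WoW64) processes load a different kernel32.dll from SysWOW64, so a 64-bit injector can never reuse its own LoadLibraryA address against a 32-bit target regardless of ASLR; that is a bitness mismatch, not randomization. And the per-boot base is only what the loader prefers: if a target had something else mapped at that address when kernel32 loaded, the image is relocated elsewhere in that one process, which is exactly the case the `else` branch flags.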