I've read almost all of your (very very good!) tuts about loader, oraculum etc... but I didn't find the solution to my problem, probably only because I can't see it...
However, I took a shot of my memory from Olly to better explain my problem. If I have this kind of situation:
Code:
...
00400000 00001000 dotNetPr PE header Imag R RWE
00401000 00045000 dotNetPr .text code Imag R RWE
00446000 00014000 dotNetPr .rdata imports Imag R RWE
0045A000 000DA000 dotNetPr .data data Imag R RWE
00534000 00083000 dotNetPr .rsrc resources Imag R RWE
005C0000 00009000 Map R E R E
00680000 00002000 Map R E R E
00690000 00103000 Map R R
007A0000 00138000 Map R E R E
00AA0000 00010000 Priv RW RW
00EA0000 00001000 Priv RW RW
00EB0000 00010000 Priv RW RW
00EC0000 00002000 Map RW RW
00ED0000 00001000 Map RW RW
00EE0000 00002000 Priv RW
00EF0000 00001000 Priv RW RW
00F30000 0001C000 Priv RW RW
00F78000 00031000> Here is the MSIL to eventually patch Priv RW RW
01030000 00001000 Priv RW RW
01230000 0013E000 Priv RW RW
0146E000 00001000 Priv RW Guar RW
0146F000 00001000 stack of thr Priv RW Guar RW
01470000 0013E000 Priv RW RW
015B0000 00001000 Priv RW RW
015B2000 00001000 Priv RW RW
015BA000 00003000 Priv RW RW
015C0000 00001000 Priv RW RW
015C2000 00004000 Priv RW RW
015CA000 00001000 Priv RW RW
015CC000 00001000 Priv RW RW
015D0000 00002000 Priv RW
015E0000 0000D000 Priv RW RW
015F0000 00010000 Priv RW
056EE000 00001000> And here is the native code once compiled Priv RW Guar RW
056EF000 00001000 stack of thr Priv RW Guar RW
056F0000 00091000 Priv RW RW
0588D000 00001000 Priv RW Guar RW
0588E000 00002000 stack of thr Priv RW Guar RW
05890000 00010000 Priv RW
058A0000 00003000 Map R R \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CharInfo.nlp
058B0000 00008000 Priv RW RW
058BA000 00001000 Priv RW RW
058BC000 00001000 Priv RW RW
058C0000 00002000 Priv RW
058D0000 0001A000 Map R R \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\culture.nlp
058F0000 00006000 Map R R \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\sorttbls.nlp
05900000 00041000 Map R R \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\sortkey.nlp
05950000 00002000 Map R R \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_intl.nlp
05960000 00001000 Map R R \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_except.nlp
05970000 00003000 Priv RW
05980000 00014000 Priv RW RW
059AE000 00009000 Priv RW RW
05A80000 00010000 Priv RW RW
05A90000 00037000 Map RW RW
05AD0000 00002000 Priv RW
05AE0000 00010000 Priv RW RW
...
How can I tell if these memory sections would be the same for all OSes and all PCs and, if not, where can I find info about these addresses at runtime?
Thanks again