When debugging a DLL, one particularly annoying thing is that the DLL's load address is not fixed: the default ImageBase of a DLL is always 0x10000000, so as soon as several DLLs with that base are loaded into one process, all but the first are certain to be relocated. This causes a lot of trouble when comparing results between debugging sessions. There are two ways to solve this problem.
Method one: directly modify the ImageBase field in the DLL file's PE header to an address that is unlikely to be occupied.
However, this method has a small limitation: some files are integrity-checked, and after the file has been modified there will be problems such as the DLL refusing to load. In that case the second method is necessary.
Method two: dynamically modify the DLL's load base.
The first thing to figure out, of course, is where the DLL's load base is decided.
Here is the DLL loading call chain:
kernel32!LoadLibraryA -> kernel32!LoadLibraryExA -> kernel32!LoadLibraryExW -> ntdll!LdrLoadDll -> ntdll!LdrpLoadDll -> ntdll!LdrpMapDll -> ntdll!LdrpCreateDllSection -> ntdll!ZwOpenFile (open the target file) -> ntdll!ZwCreateSection (create the section) -> ntdll!ZwMapViewOfSection (map the view)
The key is the mapping step. The function prototype is as follows:
NTSTATUS ZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG_PTR ZeroBits,
    IN SIZE_T CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PSIZE_T ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Win32Protect
);
The third parameter is the base address at which the view is to be mapped. MSDN explains it as follows:
BaseAddress
Pointer to a variable that receives the base address of the view. If the value of this parameter is not NULL, the view is allocated starting at the specified virtual address rounded down to the next 64-kilobyte address boundary.
That is, if the value this parameter points to is not NULL, that value is used as the base address. When the system loads a DLL, it calls this function with the pointed-to value set to 0, which means the system itself allocates a free address.
So we only need to hook this function, determine at load time that the DLL being mapped is the target, and set the value to something non-NULL: an unassigned fixed address such as 0x60000000.
This hook can be placed in ring 3 or ring 0, but in ring 3 you need to ensure the hooking DLL is loaded before the target DLL, so I simply did it in ring 0.
// Inside the ZwMapViewOfSection hook: only touch calls coming from user mode
// that map the target DLL, then hand off to the original function.
if (PreviousMode == UserMode && IsTargetDll(SectionHandle))
{
    *BaseAddress = (PVOID)0x60000000; // the base address to pin the DLL at
}
return OriginalZwMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ...);
To decide inside the ZwMapViewOfSection hook whether this is the target DLL, only the SectionHandle parameter is available, and a section handle alone does not tell you which DLL it belongs to (in ring 0 you can go directly through SectionObject.Segment.ControlArea.FilePointer, which is more accurate). The method I use is to call ZwQuerySection on the handle with the SectionImageInformation class and then compare ImageFileSize, which is the real on-disk size of the target DLL. This works in both ring 3 and ring 0, and the risk of a wrong match is small, but for absolute accuracy it would be better to combine it with the FileHandle seen in ZwCreateSection.
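The hook logic above, together with the ImageFileSize check, written out as a self-contained simulation (added example, not the author's driver code): the Windows types, the section handles, the target DLL's size and the stand-ins for ZwQuerySection and the original ZwMapViewOfSection are all constructed here, and the caller's previous mode is passed in explicitly instead of being read from the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the Windows types the hook consults (not ntddk.h definitions). */
typedef uintptr_t HANDLE;
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef struct { uint32_t ImageFileSize; } SECTION_IMAGE_INFORMATION; /* only the field used */

#define TARGET_DLL_FILE_SIZE 0x1A400u    /* constructed: on-disk size of the DLL to pin */
#define FIXED_BASE           0x60000000u /* the unassigned fixed base chosen for the target */
#define SECTION_OF_TARGET    0x44u       /* constructed section handles for the simulation */
#define SECTION_OF_OTHER     0x48u

/* Stand-in for ZwQuerySection(SectionImageInformation): returns 0 on success. */
static int QuerySectionImageInfo(HANDLE section, SECTION_IMAGE_INFORMATION *info) {
    if (section == SECTION_OF_TARGET) { info->ImageFileSize = TARGET_DLL_FILE_SIZE; return 0; }
    if (section == SECTION_OF_OTHER)  { info->ImageFileSize = 0x2000u; return 0; }
    return -1; /* would be STATUS_INVALID_HANDLE in real code */
}

/* Stand-in for the original ZwMapViewOfSection: *base == NULL means "let the system pick". */
static int OriginalZwMapViewOfSection(HANDLE section, HANDLE process, void **base) {
    (void)section; (void)process;
    if (*base == NULL) *base = (void *)(uintptr_t)0x10000000u; /* the default DLL base */
    return 0;
}

/* The hook: for user-mode callers mapping the target DLL with no caller-chosen base,
   substitute FIXED_BASE, rounded down to the 64 KB granularity MSDN documents. */
int HookedZwMapViewOfSection(KPROCESSOR_MODE previousMode, HANDLE section,
                             HANDLE process, void **base) {
    SECTION_IMAGE_INFORMATION info;
    if (previousMode == UserMode && base != NULL && *base == NULL &&
        QuerySectionImageInfo(section, &info) == 0 &&
        info.ImageFileSize == TARGET_DLL_FILE_SIZE) {
        *base = (void *)(uintptr_t)(FIXED_BASE & ~(uintptr_t)0xFFFF);
    }
    return OriginalZwMapViewOfSection(section, process, base);
}

/* Helper for exercising the hook: returns the base the mapping ended up at. */
uintptr_t MapAndGetBase(KPROCESSOR_MODE mode, HANDLE section, uintptr_t requested) {
    void *base = (void *)requested;
    HookedZwMapViewOfSection(mode, section, (HANDLE)1, &base);
    return (uintptr_t)base;
}
```

Only the first case changes the outcome; a kernel-mode caller, another DLL, or a caller that already supplied a base all pass through untouched.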
How to fix a DLL's load base address