
NOTE
Many exploits favor the use of ntdll.dll and kernel32.dll as a trampoline for a number of reasons.
1. Since Windows NT 4, every process has been required to load ntdll.dll into its address space.
2. Kernel32.dll must be present in all Win32-based applications.
3. If ntdll.dll and kernel32.dll are not loaded to their preferred base address, then the system will throw a hard error.
By using these two libraries in our example, we significantly improve the chances that our return address corresponds to our desired opcodes.
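The property the note relies on is that a module's preferred base address is fixed and recorded in its PE header. The check a defender would want here is whether a given image still has that property: the optional header's ImageBase field gives the preferred base, and the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in DllCharacteristics records whether the image allows the loader to relocate it (the ASLR opt-in that removes the fixed-address assumption). The following Python is an added example, not code from the book or from Windows; it parses those two fields from raw PE bytes for both PE32 and PE32+ images, and the header-only images and base addresses it builds for demonstration are constructed sample values, not real DLLs.

```python
import struct
import sys

# DllCharacteristics flags from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP/NX compatible

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe_base_info(data: bytes) -> dict:
    """Read the preferred ImageBase and DllCharacteristics of a PE image.

    Works on the raw file bytes; only the DOS header, PE signature, COFF
    header and the start of the optional header are touched.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    (machine, _nsections, _timestamp, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # the COFF file header is 20 bytes long
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")

    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # 32-bit ImageBase
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 64-bit ImageBase
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(image_base: int, dll_characteristics: int,
                     pe32plus: bool = False) -> bytes:
    """Constructed test input: a header-only PE image, not a real DLL."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature follows the DOS header
    opt_size = 112 if pe32plus else 96         # optional header without data directories
    machine = 0x8664 if pe32plus else 0x014C   # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def describe(info: dict) -> str:
    """One-line summary of whether the image has a fixed preferred base."""
    return "preferred base 0x%X, relocatable (DYNAMIC_BASE): %s, NX compatible: %s" % (
        info["image_base"],
        "yes" if info["dynamic_base"] else "no (fixed load address)",
        "yes" if info["nx_compat"] else "no",
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Inspect a real file given on the command line.
        with open(sys.argv[1], "rb") as f:
            print(describe(parse_pe_base_info(f.read())))
    else:
        # Constructed samples: a fixed-base PE32 image and a relocatable PE32+ image.
        print(describe(parse_pe_base_info(build_minimal_pe(0x7C800000, 0))))
        print(describe(parse_pe_base_info(
            build_minimal_pe(0x180000000, 0x0140, pe32plus=True))))
```

Run it with a path to any PE file to see that file's preferred base and whether it opts into relocation; with no argument it parses the two constructed headers. An image that reports "no (fixed load address)" is one whose code would sit at the same address in every process, which is exactly the assumption the note above describes.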
Due to new features, security patches, and upgrades, a DLL may change with every
patch, service pack, or version of Windows. In order ...