05-12-2005, 20:35
nikola
@Sarge, that is exactly why NTSC said hooking LoadLibrary would be useful. Hook the procedure, check arguments. If the program is trying to load "mytarget.dll" then call the real LoadLibrary, and that is the imagebase you need. Now, also send it to the program. If it's not the one you need, then just send it to the program. You can make a new section for your code so all is executed in the target context, but you have to write your code in "delta offset", meaning, relocatable in memory.

And a question from me to someone here. Maybe NTSC knows... How to gain write access to the space of a loaded DLL? E.g., user32 in Win9x? In NT we can use VirtualProtect. In Win9x there is an undocumented procedure I found in some source, that looks like it was taken from yoda. It works, but I have a problem when I want to write my code relocatable. Then, I need to GetProcAddress of that undocumented function. That function is VxDCall4. It has no real name so I can't get it by name, and when I try to GetProcAddress by ordinal I get an error.