
The LoadLibrary function in kernel32.dll can be used to dynamically load a dll, but how is LoadLibrary itself located? To find it we would need to know the address where the dictionary for kernel32.dll is, and the ordinal of the LoadLibrary call. Even if LoadLibrary is statically linked, what if its linked ordinal is different than in the linked version? I assume there is some way to locate kernel32.dll.

As I recall there is a structure called PEB which can be located by the offset of the FS register and the address of kernel32.dll is one of the fields in the PEB, but I am not 100% sure about that. What is the easiest approach to doing a "bootstrap" access of kernel32.dll functions?

Tyler Durden
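As an added example (not from the question or any answer): the two halves of the bootstrap the question describes, in C. `find_export_rva` resolves an export by name by walking a mapped module's export directory, exactly the lookup `GetProcAddress` performs and the one an analyst reproduces when triaging position-independent code; it is exercised here over a constructed in-memory image rather than a real kernel32. The Windows-only `kernel32_base_from_peb` shows the PEB walk the question mentions; the PEB offsets (FS:[0x30] on x86, GS:[0x60] on x64) and the assumption that kernel32.dll is the third entry of `InMemoryOrderModuleList` are the standard layout, not something the page states.

```c
#include <stdint.h>
#include <string.h>
/* Byte-wise little-endian helpers, so the image is parsed the way a loader sees it. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }
/* Walk a mapped module's export directory and return the RVA of a named export (0 if absent). */
uint32_t find_export_rva(const uint8_t *base, const char *name) {
    if (base[0] != 'M' || base[1] != 'Z') return 0;
    const uint8_t *nt = base + rd32(base + 0x3c);            /* e_lfanew -> "PE\0\0" */
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = nt + 24;                             /* optional header follows the 20-byte file header */
    uint32_t dd = rd16(opt) == 0x20b ? 112 : 96;              /* DataDirectory[0] offset: PE32+ vs PE32 */
    uint32_t exp_rva = rd32(opt + dd); if (!exp_rva) return 0;
    const uint8_t *exp = base + exp_rva;
    uint32_t n_names = rd32(exp + 24), funcs = rd32(exp + 28), names = rd32(exp + 32), ords = rd32(exp + 36);
    for (uint32_t i = 0; i < n_names; i++)
        if (strcmp((const char *)base + rd32(base + names + 4 * i), name) == 0)
            return rd32(base + funcs + 4 * rd16(base + ords + 2 * i)); /* name -> ordinal index -> address */
    return 0;
}
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Windows-only: read kernel32's base out of the PEB with no API call at all. Assumes the usual
   InMemoryOrderModuleList order (executable, ntdll.dll, kernel32.dll); verify before relying on it. */
const uint8_t *kernel32_base_from_peb(void) {
#ifdef _WIN64
    PPEB peb = (PPEB)__readgsqword(0x60);                     /* GS:[0x60] on x64 */
#else
    PPEB peb = (PPEB)__readfsdword(0x30);                     /* FS:[0x30] on x86 */
#endif
    LIST_ENTRY *e = peb->Ldr->InMemoryOrderModuleList.Flink->Flink->Flink;
    return (const uint8_t *)CONTAINING_RECORD(e, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks)->DllBase;
}
#endif
/* Constructed stand-in for a mapped kernel32 (not real bytes): MZ/PE headers plus a two-name export table. */
static uint8_t image[0x200];
const uint8_t *build_sample_image(void) {
    memset(image, 0, sizeof image);
    image[0] = 'M'; image[1] = 'Z'; wr32(image + 0x3c, 0x40); memcpy(image + 0x40, "PE\0\0", 4);
    wr16(image + 0x58, 0x20b); wr32(image + 0x58 + 112, 0x100);    /* PE32+; export directory at RVA 0x100 */
    wr32(image + 0x118, 2); wr32(image + 0x11c, 0x140); wr32(image + 0x120, 0x150); wr32(image + 0x124, 0x160);
    wr32(image + 0x140, 0x1000); wr32(image + 0x144, 0x2000);      /* AddressOfFunctions[0..1] */
    wr32(image + 0x150, 0x170); wr32(image + 0x154, 0x180);        /* AddressOfNames (sorted by name) */
    wr16(image + 0x160, 1); wr16(image + 0x162, 0);                /* AddressOfNameOrdinals: name i -> function index */
    strcpy((char *)image + 0x170, "GetProcAddress"); strcpy((char *)image + 0x180, "LoadLibraryA");
    return image;
}
```

On Windows, `find_export_rva(kernel32_base_from_peb(), "LoadLibraryA")` added to that base is the function pointer; the ordinal indirection in the sample (LoadLibraryA maps to function slot 0, GetProcAddress to slot 1) is why a name lookup must go through `AddressOfNameOrdinals` rather than indexing `AddressOfFunctions` directly.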
