# more reasons to say dumps thanks, but no, thanks!

Thread in the "WASM.ENGLISH" section, started by user kaspersky, 2 May 2008.

**kaspersky** (New Member, registered 18 May 2004, 3,006 posts):
if you dump the whole user address space of the running program, every dll will be right in its place and it's very easy to analyze a file like this. btw, there is a trap. windows allows a dll to be loaded before the exe file. just set the base address of the exe to something like 77F40000h (FIXED, no relocations, to be sure) and load a dll (statically linked or dynamically called, never mind) with a normal base address.

as a result: your dll and most of the system dlls will be loaded below (at lower addresses than) the analyzed program. and how are we supposed to load this dump into IDA Pro?! She assumes that the first PE header belongs to the main program, but in our case this is a dll!!!

no way to analyze this dump without additional scripts and plug-ins (you might use this trick to protect something).

btw, speaking of load_nonbinary_file(), we can do almost everything. for example: load an exe and sys drivers (as you know, many protections use drivers to fight hackers, and I don't want to load the exe and the sys into different IDA Pro bases, I want to have them in one base, and load_nonbinary_file() allows this; more than that, it allows loading PE and ELF files into the same database, coz it selects the loader for every loaded file regardless of the previous one).

if you ask what I need PE and ELF in one base for, I tell you: I found a bug in a program ported from Linux to Windows and wondered if it was possible to write a universal system-independent exploit, so I had to work with PE and ELF files at the same time, and eventually I found the solution.
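The analysis-side counterpart to the trap described in the post, as an added example that is not kaspersky's code nor an IDA script: instead of trusting that the first PE header in a dump is the main program, walk every page of the dumped regions, validate each MZ/PE header, and classify modules by the IMAGE_FILE_DLL bit in the COFF Characteristics field. The dump layout is constructed inline (a DLL at a hypothetical normal base of 10000000h and the EXE fixed at 77F40000h above it, mirroring the post); the PE images are minimal and only the fields the scanner reads are filled in.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics flags (from the PE/COFF spec)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
PAGE_SIZE = 0x1000


def build_pe_image(image_base, is_dll, size=0x2000):
    """Build a minimal, constructed PE32 image: DOS stub, PE signature,
    COFF header and optional header. Only the fields the scanner reads are
    meaningful; everything else is zero. Test data, not a real binary."""
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, chars)
    # PE32 optional header: Magic at +0, ImageBase at +28
    opt = struct.pack("<H", PE32_MAGIC).ljust(28, b"\x00") + struct.pack("<I", image_base)
    opt = opt.ljust(0xE0, b"\x00")
    return (dos + b"PE\x00\x00" + coff + opt).ljust(size, b"\x00")


def parse_pe_header(data, off, region_base):
    """Validate a candidate MZ header at data[off] and pull out the fields that
    tell a DLL from the main executable. Returns None if it is not a PE header."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew must stay inside the first page and the headers inside the data
    if e_lfanew >= PAGE_SIZE or pe + 24 + 32 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    _machine, _nsec, _ts, _symp, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        preferred = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase, 4 bytes
    elif magic == PE32PLUS_MAGIC:
        preferred = struct.unpack_from("<Q", data, opt + 24)[0]   # ImageBase, 8 bytes
    else:
        return None
    addr = region_base + off
    return {
        "address": addr,
        "preferred_base": preferred,
        "relocated": preferred != addr,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def scan_dump(regions):
    """regions: list of (base_address, bytes) as a dump tool would hand back.
    Modules are mapped page-aligned, so only page boundaries are probed.
    Returns every module found, lowest address first."""
    found = []
    for base, data in regions:
        for off in range(0, len(data), PAGE_SIZE):
            mod = parse_pe_header(data, off, base)
            if mod:
                found.append(mod)
    return sorted(found, key=lambda m: m["address"])


def find_main_executable(modules):
    """The main program is the one executable image without IMAGE_FILE_DLL set,
    wherever it sits in the address order. None if that is ambiguous."""
    exes = [m for m in modules if m["is_executable_image"] and not m["is_dll"]]
    return exes[0] if len(exes) == 1 else None


def constructed_dump():
    """Constructed layout mirroring the trick in the post: a DLL at its normal
    base (hypothetical 0x10000000) and the EXE fixed at 0x77F40000 above it."""
    return [
        (0x10000000, build_pe_image(0x10000000, is_dll=True)),
        (0x77F40000, build_pe_image(0x77F40000, is_dll=False)),
    ]


if __name__ == "__main__":
    mods = scan_dump(constructed_dump())
    for m in mods:
        kind = "DLL" if m["is_dll"] else "EXE"
        print(f"{m['address']:#010x} {kind} preferred={m['preferred_base']:#010x} relocated={m['relocated']}")
    main = find_main_executable(mods)
    print("main executable at", f"{main['address']:#010x}" if main else "unknown")
```

The scan reports the DLL first because it sits lower, yet still picks 77F40000h as the main program from the Characteristics bits, which is the decision a loader must make instead of "first header wins". The `relocated` field (preferred ImageBase differing from where the module actually sits) is the cheap way to spot modules that did get rebased, and a real dump with ASLR will show it on most system DLLs.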