private static IntPtr GetModuleFunctionAddress(SafeProcessHandle processHandle, IntPtr moduleHandle, string functionName) { Interop.Kernel32.NtModuleInfo moduleInfo = GetModuleInfo(processHandle, moduleHandle); DataDirectory exportDirectory = GetExportDataDirectory(ReadPage(processHandle, moduleInfo.BaseOfDll), ImageDirectoryEntry.ImageDirectoryEntryExport); // Read and parse the export directory from the module. var exportTableAddress = moduleInfo.BaseOfDll + (int)exportDirectory.VirtualAddress; var exportTable = ReadPage(processHandle, exportTableAddress, (int)exportDirectory.Size); return(new IntPtr(moduleInfo.BaseOfDll.ToInt64() + GetFunctionAddressFromExportDirectory(exportTable, exportDirectory.VirtualAddress, functionName).ToInt64())); }
private static IntPtr GetModuleFunctionAddress(SafeProcessHandle processHandle, IntPtr moduleHandle, string functionName) { Interop.Kernel32.NtModuleInfo moduleInfo = GetModuleInfo(processHandle, moduleHandle); DataDirectory exportDirectory = ReadExportDataDirectory(ReadPage(processHandle, moduleInfo.BaseOfDll), 0); var exportTable = new byte[exportDirectory.Size]; var exportTableAddress = moduleInfo.BaseOfDll + (int)exportDirectory.Rva; if (!Interop.Kernel32.ReadProcessMemory( processHandle, exportTableAddress, exportTable, new UIntPtr((uint)exportTable.Length), out UIntPtr bytesRead) || bytesRead.ToUInt32() != exportTable.Length) { throw new Win32Exception($"Cannot read export table at {exportTableAddress.ToInt64()}"); } return(new IntPtr(moduleInfo.BaseOfDll.ToInt64() + GetAddressFromExportTable(exportTable, exportDirectory.Rva, functionName).ToInt64())); }