Example #1
        /// <summary>
        /// Resolves the address of an exported function inside a module loaded in another process
        /// by reading that module's export directory out of the target process's memory.
        /// </summary>
        /// <param name="processHandle">Handle of the process whose memory is read.</param>
        /// <param name="moduleHandle">Handle of the module to look the function up in.</param>
        /// <param name="functionName">Name of the exported function to resolve.</param>
        /// <returns>
        /// The module base plus the value returned by <c>GetFunctionAddressFromExportDirectory</c>.
        /// </returns>
        private static IntPtr GetModuleFunctionAddress(SafeProcessHandle processHandle, IntPtr moduleHandle, string functionName)
        {
            Interop.Kernel32.NtModuleInfo module = GetModuleInfo(processHandle, moduleHandle);

            // The data directory is parsed from the page read at the module base.
            var headerPage = ReadPage(processHandle, module.BaseOfDll);
            DataDirectory exports = GetExportDataDirectory(headerPage, ImageDirectoryEntry.ImageDirectoryEntryExport);

            // NOTE(review): VirtualAddress and Size originate from the target process's memory and
            // are cast to int and used as-is here; whether ReadPage / GetExportDataDirectory bound
            // them is not visible in this method — confirm before relying on it for untrusted targets.
            var tableAddress = module.BaseOfDll + (int)exports.VirtualAddress;
            var tableBytes = ReadPage(processHandle, tableAddress, (int)exports.Size);

            // Presumably the helper yields an offset relative to the module base, since it is added
            // to BaseOfDll below — verify against its definition.
            var resolved = GetFunctionAddressFromExportDirectory(tableBytes, exports.VirtualAddress, functionName);

            long absolute = module.BaseOfDll.ToInt64() + resolved.ToInt64();
            return new IntPtr(absolute);
        }
        /// <summary>
        /// Resolves the address of an exported function inside a module loaded in another process
        /// by copying that module's export table out of the target process with ReadProcessMemory.
        /// </summary>
        /// <param name="processHandle">Handle of the process whose memory is read.</param>
        /// <param name="moduleHandle">Handle of the module to look the function up in.</param>
        /// <param name="functionName">Name of the exported function to resolve.</param>
        /// <returns>
        /// The module base plus the value returned by <c>GetAddressFromExportTable</c>.
        /// </returns>
        /// <exception cref="Win32Exception">
        /// The read failed or returned fewer/more bytes than the export directory size.
        /// </exception>
        private static IntPtr GetModuleFunctionAddress(SafeProcessHandle processHandle, IntPtr moduleHandle, string functionName)
        {
            Interop.Kernel32.NtModuleInfo module = GetModuleInfo(processHandle, moduleHandle);

            // The data directory is parsed from the page read at the module base.
            var headerPage = ReadPage(processHandle, module.BaseOfDll);
            DataDirectory exports = ReadExportDataDirectory(headerPage, 0);

            // NOTE(review): Size and Rva originate from the target process's memory. Size sets the
            // buffer length directly and Rva is cast to int with no range check in this method, so
            // a malformed or hostile image header controls the allocation size and read address —
            // confirm ReadExportDataDirectory validates them, or bound them here.
            var tableBytes = new byte[exports.Size];
            var tableAddress = module.BaseOfDll + (int)exports.Rva;

            // A partial read is treated the same as a failed one: the table must be complete
            // before it is parsed.
            bool readComplete =
                Interop.Kernel32.ReadProcessMemory(
                    processHandle,
                    tableAddress,
                    tableBytes,
                    new UIntPtr((uint)tableBytes.Length),
                    out UIntPtr bytesRead)
                && bytesRead.ToUInt32() == tableBytes.Length;

            if (!readComplete)
            {
                throw new Win32Exception($"Cannot read export table at {tableAddress.ToInt64()}");
            }

            // Presumably the helper yields an offset relative to the module base, since it is added
            // to BaseOfDll below — verify against its definition.
            var resolved = GetAddressFromExportTable(tableBytes, exports.Rva, functionName);

            long absolute = module.BaseOfDll.ToInt64() + resolved.ToInt64();
            return new IntPtr(absolute);
        }