コード例 #1
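        /// <summary>
        /// Resolves the address of an exported function inside a module that is loaded in another process.
        /// The module file is mapped into the current process, the export's relative virtual address (RVA)
        /// is measured against that local mapping, and the RVA is then rebased onto the base address
        /// reported by <paramref name="module"/>.
        /// </summary>
        /// <remarks>
        /// The result is only meaningful when the file at <c>module.FileName</c> is the same image that is
        /// mapped in the target process, and when the current process has the same pointer size as the
        /// target (the arithmetic is selected by <see cref="IntPtr.Size"/> of the current process).
        /// An export whose local address falls outside the module image (for example a forwarded export,
        /// or a file that changed on disk after the target loaded it) is rejected instead of being rebased
        /// into an unrelated address.
        /// </remarks>
        /// <param name="module">The module, as seen in the target process, whose export is wanted.</param>
        /// <param name="methodName">The exported function name to look up in the module.</param>
        /// <returns>The address of the export relative to <c>module.BaseAddress</c>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="module"/> is null.</exception>
        /// <exception cref="Win32Exception">
        /// The module could not be mapped locally, the export was not found, or the export does not lie
        /// inside the module image.
        /// </exception>
        private static IntPtr FindExport(ProcessModule module, string methodName)
        {
            const int ErrorProcNotFound = 127; // ERROR_PROC_NOT_FOUND

            if (module == null)
            {
                throw new ArgumentNullException(nameof(module));
            }

            IntPtr localBase = IntPtr.Zero;

            try
            {
                // Map the module file into this process so its export table can be queried.
                // NOTE(review): DontResolveDllReferences presumably maps to DONT_RESOLVE_DLL_REFERENCES,
                // i.e. the image is mapped without running its entry point or loading its imports - confirm
                // against the NM declaration, since the path comes from another process's module list.
                localBase = NM.LoadLibraryEx(module.FileName, IntPtr.Zero, NM.LoadLibraryExFlags.DontResolveDllReferences);
                if (localBase == IntPtr.Zero)
                {
                    // NOTE(review): only reliable if the NM P/Invoke declarations set SetLastError = true.
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }

                // Address of the export inside the local mapping.
                IntPtr localExport = NM.GetProcAddress(localBase, methodName);
                if (localExport == IntPtr.Zero)
                {
                    throw new Win32Exception(Marshal.GetLastWin32Error());
                }

                // RVA = local export address - local base. The 32-bit case is computed on unsigned
                // values so that addresses above 2 GB do not produce a negative or overflowing offset.
                long rva = IntPtr.Size == 8
                    ? localExport.ToInt64() - localBase.ToInt64()
                    : unchecked((uint)localExport.ToInt32() - (uint)localBase.ToInt32());

                // An RVA outside the image means the name did not resolve to code inside this module,
                // so rebasing it onto the target's base address would yield an arbitrary pointer.
                if (rva < 0 || rva >= module.ModuleMemorySize)
                {
                    throw new Win32Exception(
                        ErrorProcNotFound,
                        "Export '" + methodName + "' does not resolve to an address inside '" + module.ModuleName + "'.");
                }

                // Rebase the RVA onto the module's base address in the target process.
                if (IntPtr.Size == 8)
                {
                    return new IntPtr(module.BaseAddress.ToInt64() + rva);
                }

                return new IntPtr(unchecked(module.BaseAddress.ToInt32() + (int)rva));
            }
            finally
            {
                // Drop the local mapping whether or not the lookup succeeded.
                if (localBase != IntPtr.Zero)
                {
                    NM.FreeLibrary(localBase);
                }
            }
        }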