/// <summary>
/// Looks up an exported function by ordinal in an already-loaded module by calling LdrGetProcedureAddress.
/// </summary>
/// <remarks>
/// Export ordinals are not stable across builds of a DLL, so a hard-coded value (such as the example
/// below) is only valid for the build it was taken from.
/// Detection note: the lookup goes through the Native.LdrGetProcedureAddress wrapper, not
/// kernel32!GetProcAddress, so telemetry that instruments only GetProcAddress would presumably not
/// record it (the wrapper's implementation is not visible here; confirm).
/// </remarks>
/// <author>Ruben Boonen (@FuzzySec)</author>
/// <param name="ModuleBase">Base address at which the module is mapped in the current process.</param>
/// <param name="Ordinal">The export ordinal to resolve (e.g. 0x136 -> ntdll!NtCreateThreadEx).</param>
/// <returns>
/// The pointer written back by LdrGetProcedureAddress; IntPtr.Zero if the call leaves it unset.
/// </returns>
public static IntPtr GetNativeExportAddress(IntPtr ModuleBase, short Ordinal)
{
    // NOTE(review): Ordinal is a signed 16-bit value, so anything above 0x7FFF arrives negative and
    // is sign-extended by this cast. Confirm callers never pass ordinals in that range.
    IntPtr ordinalArg = (IntPtr)Ordinal;
    IntPtr resolved = IntPtr.Zero;

    // The name argument is IntPtr.Zero, so the lookup is driven by the ordinal alone.
    // NOTE(review): any status the wrapper returns is discarded here; failure handling
    // (exception vs. a zero result) depends on the wrapper. Confirm against its definition.
    Native.LdrGetProcedureAddress(ModuleBase, IntPtr.Zero, ordinalArg, ref resolved);

    return resolved;
}
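/// <summary>
/// Given a module base address, resolve the address of a function by name by calling LdrGetProcedureAddress.
/// </summary>
/// <remarks>
/// The export name is marshalled into an unmanaged ANSI_STRING for the duration of the call. Both
/// unmanaged allocations (the character buffer and the structure itself) are released before
/// returning, including when the call throws.
/// Detection note: the lookup goes through the Native.LdrGetProcedureAddress wrapper, not
/// kernel32!GetProcAddress, so telemetry that instruments only GetProcAddress would presumably not
/// record it (the wrapper's implementation is not visible here; confirm).
/// </remarks>
/// <author>Ruben Boonen (@FuzzySec)</author>
/// <param name="ModuleBase">A pointer to the base address where the module is loaded in the current process.</param>
/// <param name="ExportName">The name of the export to search for (e.g. "NtAlertResumeThread").</param>
/// <returns>IntPtr for the desired function; IntPtr.Zero if the call leaves it unset.</returns>
public static IntPtr GetNativeExportAddress(IntPtr ModuleBase, string ExportName)
{
    IntPtr pNameBuffer = IntPtr.Zero;
    IntPtr pAFunc = IntPtr.Zero;
    IntPtr pFuncAddr = IntPtr.Zero;

    try
    {
        // Unmanaged ANSI copy of the name; tracked in a local so it can be freed below.
        // The original never released this buffer, leaking it on every call.
        pNameBuffer = Marshal.StringToCoTaskMemAnsi(ExportName);

        // NOTE(review): Length is taken from the UTF-16 character count, which equals the ANSI
        // byte count only for single-byte names (true for ordinary ASCII export names), and
        // MaximumLength claims two bytes beyond it. Confirm the claimed capacity never exceeds
        // what StringToCoTaskMemAnsi actually allocated.
        Data.Native.ANSI_STRING aFunc = new Data.Native.ANSI_STRING
        {
            Length = (ushort)ExportName.Length,
            MaximumLength = (ushort)(ExportName.Length + 2),
            Buffer = pNameBuffer
        };

        pAFunc = Marshal.AllocHGlobal(Marshal.SizeOf(aFunc));

        // fDeleteOld must be false: the destination was just allocated and holds no valid
        // structure, so asking the marshaller to destroy "old" contents would act on garbage.
        Marshal.StructureToPtr(aFunc, pAFunc, false);

        // The ordinal argument is IntPtr.Zero, so the lookup is driven by the name alone.
        // NOTE(review): any status the wrapper returns is discarded here; failure handling
        // (exception vs. a zero result) depends on the wrapper. Confirm against its definition.
        Native.LdrGetProcedureAddress(ModuleBase, pAFunc, IntPtr.Zero, ref pFuncAddr);
    }
    finally
    {
        // Release in reverse order of allocation; runs on the exception path as well.
        if (pAFunc != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(pAFunc);
        }

        if (pNameBuffer != IntPtr.Zero)
        {
            Marshal.FreeCoTaskMem(pNameBuffer);
        }
    }

    return pFuncAddr;
}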