/// <summary> /// Loads the module as data, finds relative virtual address (RVA) of the method and uses that to find the address in the target process /// </summary> /// <param name="module">The module we loaded</param> /// <param name="methodName">The method name in the module</param> /// <returns></returns> private static IntPtr FindExport(ProcessModule module, string methodName) { IntPtr hModule = IntPtr.Zero; try { // Load module into local process address space hModule = NM.LoadLibraryEx(module.FileName, IntPtr.Zero, NM.LoadLibraryExFlags.DontResolveDllReferences); if (hModule == IntPtr.Zero) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // Get the address of the function in the module locally IntPtr pFunc = NM.GetProcAddress(hModule, methodName); if (pFunc == IntPtr.Zero) { throw new Win32Exception(Marshal.GetLastWin32Error()); } // Get RVA of export and add to base address of injected module IntPtr pExportAddr; if (IntPtr.Size == 8) { pExportAddr = new IntPtr(module.BaseAddress.ToInt64() + (pFunc.ToInt64() - hModule.ToInt64())); } else { pExportAddr = new IntPtr(module.BaseAddress.ToInt32() + (pFunc.ToInt32() - hModule.ToInt32())); } return(pExportAddr); } finally { if (hModule.ToInt64() != 0) { NM.FreeLibrary(hModule); } } }