![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/forums/images/styles/OwnedCoreFX/addimg/menu4.svg)
This code snippet can be useful in case of code caving. It helps to get absolute address of any exported module function inside of external process memory (any directx or kernel functions). BlackMagic class (named wow) is used here to retrieve all process modules and for mem reading. Example:
uint OpenMutexA=FindFuncAdress("kernel32.dll", "OpenMutexA");
Code:public uint FindFuncAdress(string moduleName, string functionName) { uint moduleAdress=0; //get module adress to find function in foreach (ProcessModule pm in wow.Modules) if (pm.ModuleName == moduleName) { moduleAdress = (uint)pm.BaseAddress; break; } if (moduleAdress != 0) { uint ptr=wow.ReadUInt(moduleAdress+0x3c); //skip ms-dos header ptr = wow.ReadUInt(moduleAdress + ptr + 0x78);//go to export table int count = wow.ReadInt(moduleAdress + ptr + 0x18);//export function count uint nameTable = wow.ReadUInt(moduleAdress + ptr + 0x20);//table names adress int funcIndex = -1; for (int i = 0; i < count; i++) //iterate throught name table to find all functions { uint currentNamePtr = wow.ReadUInt(moduleAdress+ nameTable +(uint) i * 4); string currentName = wow.ReadASCIIString(moduleAdress + currentNamePtr, 64); if (currentName == functionName) { funcIndex = i; break; } //found our function } if (funcIndex == -1) { throw new Exception(functionName + " not found in module"); return 0; } //no matches uint ordinalsTable = wow.ReadUInt(moduleAdress + ptr + 0x24) + moduleAdress;//get ordinals array adress and rebase it int ordinalNumber = wow.ReadShort(ordinalsTable + (uint)funcIndex * 2); uint relativeTable = wow.ReadUInt(moduleAdress + ptr + 0x1c) + moduleAdress;//get RVA array uint functionAdress = wow.ReadUInt(relativeTable + (uint)ordinalNumber * 4) + moduleAdress;//get function ptr and rebase it return functionAdress; } else { throw new Exception(moduleName+" not found"); return 0; } }
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/forums/./ocpbanners/1/3/9/6/9/4/8/75c6d6a8b5c4e6fceef2f0cb6c82c558.png)
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/assets/mm/images/wits.png "TradeSafe Middleman")
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/forums/images/styles/OwnedCoreFX/addimg/wicc.png "CoreCoins")
Shout-Out
User Tag List
Results 1 to 1 of 1
-
10-20-2012 #1
Contributor
- Reputation
- 83
- Join Date
- Aug 2011
- Posts
- 117
- Thanks G/R
- 0/5
- Trade Feedback
- 2 (100%)
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
[C#] Getting absolute address of function exported by module (inside of process)
Last edited by Empted; 10-20-2012 at 02:22 PM.
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/images/ba/g/b2.gif)
Reply With QuoteSimilar Threads
-
[HELP]Anyone get the address of functions in UI element VTable?
By AGPS in forum Diablo 3 Memory EditingReplies: 0Last Post: 05-20-2013, 10:40 PM -
Getting the address with cheat engine no longer works?
By burningman222 in forum Diablo 3 Memory EditingReplies: 0Last Post: 10-14-2012, 08:52 AM -
Problem getting base address / pointer read
By wootpeng in forum Diablo 3 Memory EditingReplies: 8Last Post: 07-06-2012, 05:33 PM -
Can I get some help on .NPC export?
By Ebon in forum World of Warcraft Emulator ServersReplies: 3Last Post: 11-22-2007, 09:12 PM
-
OwnedCore Forums
casino news World of Warcraft Pokemon GO MMO Overwatch RTS Casino reviews www.planet-casino.com lucky 8 lucky8 no deposit codes bc game bc game lucky8 -
casino
Casino Gambling Online casinos Casino en ligne bc game bc game bc game no deposit bonus codes roobet Top 10 Casinos Casino reviews Bitcoin casino Paypal Casino Lucky8 1xbit heycasino Why does paypal always Offering service/Account Paypal help 1k emails to phish Pishing Site Help Chinese scammer MSN's [HELP] Just scammed an How hard is it to What is the chance that -
CoreCoins
CoreCoins CoreCoins FAQ Shout-Out Banner Ads -
My OwnedCore
My Profile Notifications Settings Buy CoreCoins About Us
Privacy Policy | Cookie Policy | Terms | Contact Us
Available Payment Methods:-
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/images/paybutton/paypal.png)
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/images/paybutton/skrill.png)
![[C#] Getting absolute address of function exported by module (inside of process)](https://www.ownedcore.com/images/paybutton/payop.png)
-
Casino
Free casino games | shuffle | stake | stake | stake | Aviator game casino | shuffle | stake | polish | iLucki Casino | shuffle | shuffle | shuffle | stake | freebet tanpa | shuffle | shuffle | shuffle | CryptoRoyal Casino | shuffle | shuffle | shuffle | MRQ Casino | stake | shuffle | shuffle | shuffle | russian | Shuffle Casino | shuffle | Bitstarz Tournament | stake | this url | Instant Payout Methods | shuffle | shuffle | stake | shuffle | stake | shuffle | Blockchain gambling | mystake | Top 5 canadian online casinos 2025 | stake | here | stake | shuffle | stake | stake | shuffle | HashLucky Casino | shuffle | Mirax Casino | casino | this | stake | stake | shuffle | shuffle