Get Ordinal8 function address

whynotregister

Get Ordinal8 function address

03 Nov 2018, 03:29

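; Estimate where kernel32!WriteProcessMemory is mapped inside svchost.exe:
; take the function's offset from kernel32's base in this process and add it
; to the base address kernel32.dll has in the other process.

; Command parameters are literal text in v1, so the name is written without
; quotes. With quotes no process matches, ErrorLevel is 0, and a PID of 0 makes
; CreateToolhelp32Snapshot describe the calling process instead.
Process, Exist, svchost.exe
pid := ErrorLevel
if (!pid)
{
    MsgBox, svchost.exe is not running.
    ExitApp
}

; Several svchost.exe instances normally run at once; only the PID reported by
; Process, Exist is inspected. The snapshot can fail (result 0) when this
; script lacks access to that process or when a 32-bit script targets a
; 64-bit process.
hKernel32RemoteProcess := GetModulesBaseAddrByName(pid, "kernel32.dll")
if (!hKernel32RemoteProcess)
{
    MsgBox, Could not find kernel32.dll in process %pid%.
    ExitApp
}

; Handles and addresses are pointer-sized: "Ptr" keeps all 64 bits on x64
; builds, where "UInt" or the default Int return type would truncate them.
hKernel32 := DllCall("GetModuleHandle", "Str", "kernel32.dll", "Ptr")

; GetProcAddress takes an ANSI name, so "AStr" is required on Unicode builds.
WriteProcessMemoryAddr := DllCall("GetProcAddress", "Ptr", hKernel32, "AStr", "WriteProcessMemory", "Ptr")

; Only meaningful when both processes map the same kernel32.dll image (same
; bitness and file version).
; NOTE(review): if the export is forwarded to another module, the address
; GetProcAddress returns is not inside kernel32 and this offset arithmetic
; does not hold - confirm for the function being looked up.
WriteProcessMemoryAddrRemoteProcess := hKernel32RemoteProcess + WriteProcessMemoryAddr - hKernel32
MsgBox, % format("0x{:X}", WriteProcessMemoryAddrRemoteProcess)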

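; Returns the base address at which the module named DllName is loaded in the
; process identified by pid, or false (0) when the snapshot cannot be taken or
; no module with that name is found. The name comparison is case-insensitive.
;
; pid     - process ID; 0 makes CreateToolhelp32Snapshot use the calling process.
; DllName - module file name, e.g. "kernel32.dll".
;
; The wide-character Toolhelp functions are called explicitly so that the
; MODULEENTRY32W layout and the string comparison agree on ANSI and Unicode
; builds alike. The un-suffixed Module32First/Module32Next are the ANSI
; variants and fill the structure with ANSI names.
GetModulesBaseAddrByName(pid, DllName)
{
    static TH32CS_SNAPMODULE := 0x8, INVALID_HANDLE_VALUE := -1

    ; MODULEENTRY32W layout depends on pointer size:
    ;   x86: modBaseAddr @ 20, szModule @ 32, sizeof = 1064
    ;   x64: modBaseAddr @ 24, szModule @ 48, sizeof = 1080
    is64 := (A_PtrSize = 8)
    entrySize := is64 ? 1080 : 1064
    offBase := is64 ? 24 : 20
    offName := is64 ? 48 : 32

    VarSetCapacity(MODULEENTRY32, entrySize, 0)
    ; dwSize is a DWORD and must be set before the first Module32FirstW call.
    NumPut(entrySize, MODULEENTRY32, 0, "UInt")

    ; The snapshot handle is pointer-sized; "Ptr" avoids truncation on x64 and
    ; yields -1 for INVALID_HANDLE_VALUE on both builds.
    hSnapshot := DllCall("CreateToolhelp32Snapshot", "UInt", TH32CS_SNAPMODULE, "UInt", pid, "Ptr")
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return false

    baseAddr := false
    pszModule := &MODULEENTRY32 + offName
    more := DllCall("Module32FirstW", "Ptr", hSnapshot, "Ptr", &MODULEENTRY32)
    while (more)
    {
        if (DllCall("lstrcmpiW", "WStr", DllName, "Ptr", pszModule) == 0)
        {
            baseAddr := NumGet(MODULEENTRY32, offBase, "UPtr")
            break
        }
        more := DllCall("Module32NextW", "Ptr", hSnapshot, "Ptr", &MODULEENTRY32)
    }

    ; Single exit path so the snapshot handle is always released.
    DllCall("CloseHandle", "Ptr", hSnapshot)
    return baseAddr
}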

I can use the code above to get the address of a particular function in the process.
However, the address of ntdll's Ordinal8 export cannot be obtained this way.
Is there a problem with the code above, or do I need another approach?
