March 18, 2020
As promised, we will adapt our previous code grab an exported function directly from memory.
Serious advantage of this technique:
We don’t have to use CreateToolHelp32Snapshot anymore to enumerate modules and catch target module base address. We don’t need to parse PE Header from disk anymore, we will parse PE Header directly from memory. Notice, it is still necessary to use LoadLibrary API to load desired DLL in memory.
March 15, 2020
This very small snippet is an adaptation of the previously released unit > UntEnumDLLExport.pas with just one goal, retrieve an exported function address by its name from any DLL (both 32 and 64bit).
This adaptation is also interesting because it remove the need of having both heavy units Generics.Collections and SysUtils to have a smaller binary.
Finally it is also quite interesting for tweaking our GetProcAddress alternative (you will find here) and only have the necesarry code.
March 14, 2020
In the past two days, I released examples about how to enumerate DLL export table through the PE Header.
We will see one concreate example of using the UntEnumDLLExport.pas library to dynamically load API without using the famous Windows API > GetProcAddress()
This technique is quite known and often used by some Malware, to mask which API’s they are dynamically loading and avoid Antivirus detection.
To do so, we still need to use LoadLibrary() first to load a DLL in memory and retrieve it address, then iterate through loaded DLL export table and catch target function address.