Can anyone explain me how to properly obtain a function address from a PE image and then call that function with a delegate? I found a good piece code googling around that loads exports from a DLL library, but it only get function names out of it... so I modified it as follows:
[DllImport("ImageHlp", CallingConvention = CallingConvention.Winapi), SuppressUnmanagedCodeSecurity]
public static extern bool MapAndLoad(string imageName, string dllPath, out LOADED_IMAGE loadedImage, bool dotDll, bool readOnly);
public static IntPtr CustomGetProcAddress(string modulePath, string moduleProc)
LOADED_IMAGE loadedImage;
if (MapAndLoad(modulePath, null, out loadedImage, true, true))
return GetAddr(loadedImage, moduleProc);
return IntPtr.Zero;
private static IntPtr GetAddr(LOADED_IMAGE loadedImage, string moduleProc)
var hMod = (void*)loadedImage.MappedAddress;
if (hMod != null)
uint size;
var pExportDir = (IMAGE_EXPORT_DIRECTORY*)ImageDirectoryEntryToData(
out size);
uint* pFuncNames = (uint*)RvaToVa(loadedImage, pExportDir->AddressOfNames);
ushort* pFuncOrdinals = (ushort*)RvaToVa(loadedImage, pExportDir->AddressOfNameOrdinals);
uint* pFuncAddr = (uint*)RvaToVa(loadedImage, pExportDir->AddressOfFunctions);
for (uint i = 0; i < pExportDir->NumberOfNames; i++)
uint funcNameRva = pFuncNames[i];
if (funcNameRva != 0)
char* funcName = (char*)RvaToVa(loadedImage, funcNameRva);
string name = Marshal.PtrToStringAnsi((IntPtr)funcName);
if (name == wantedFunction)
return addr = new IntPtr(*(uint*)(pFuncAddr + (*pFuncOrdinals * 4)));
return IntPtr.Zero;
I'm sure I'm quote close to the solution... but I always get AccessViolationException (when I use wrong pointers) or InvalidFunctionPointerInDelegate and PInvokeStackImbalance (when I try to cast the pointer to a delegate using Marshal.GetDelegateForFunctionPointer and then execute it). I tried everything but I can't make it work (I already pulled out the correct address of the function I'm looking for using LoadLibrary and GetProcAddress... so I can compare the results, but I don't want to use those functions).
[EDIT] I found another example, but I'm not sure it can do what I'm looking for:
You can't do that. The MapAndLoad
and function from the ImageHlp
library only loads a PE file into memory as a data file so it can be examined. It does not run through all of the logic of the Windows loader does when it loads a DLL to make it executable (RVA fixups, etc.).
If you want to load a DLL, find a function by name, and get an callable pointer to it, you use LoadLibrary
and GetProcAddress
. Those functions where designed to do exactly what you are looking trying to do.