DWORD dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
When I go to the returned address in OllyDbg, I can see that this address points to the code which jumps to the real address of LoadLibraryA. I want to get the real address of LoadLibraryA, which doesn't change because kernel32.dll is loaded at the same location in every process. I would also like to know why GetProcAddress doesn't return the real address.
You are getting the "real" address of kernel32.LoadLibraryA, as GetProcAddress() returns the real address. It is just that the implementation of kernel32.LoadLibraryA has moved from kernel32.dll to kernelbase.dll, and as a result kernel32.LoadLibraryA simply consists of a single instruction:
jmp dword ptr[kernelbase.LoadLibraryA]
If you look at more functions in kernel32.dll, many of them also have this same pattern:
kernel32.somefunc:
jmp [kernelbase.somefunc]
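Added example, not part of the original answer: a small portable C decoder for the stub pattern described above, which recognises the FF 25 encoding of jmp [mem] and reads the pointer slot it references to recover the final target. It goes beyond the 32-bit case in the question by also handling the x64 form, where the displacement is RIP-relative; the image_t model, the function names, and all byte values and addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a loaded module: 'bytes' is mapped at virtual address 'base'. */
typedef struct { uint64_t base; const uint8_t *bytes; size_t size; } image_t;

/* Read n (<= 8) little-endian bytes at virtual address va; returns 0 if out of range. */
static int read_le(const image_t *img, uint64_t va, size_t n, uint64_t *out) {
    if (va < img->base || n > 8) return 0;
    uint64_t off = va - img->base;
    if (off > img->size || n > img->size - off) return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint64_t)img->bytes[off + i] << (8 * i);
    *out = v;
    return 1;
}

/* If va begins with FF 25 (jmp [mem]), store the pointer held in the referenced
   slot in *target and return 1. Returns 0 if va is not such a stub or is unreadable. */
int resolve_jmp_stub(const image_t *img, uint64_t va, int is64, uint64_t *target) {
    uint64_t op, disp, slot;
    if (!read_le(img, va, 2, &op) || op != 0x25FF) return 0;
    if (!read_le(img, va + 2, 4, &disp)) return 0;
    /* x86-32: disp32 is the absolute slot address.
       x86-64: disp32 is signed and relative to the next instruction (va + 6). */
    slot = is64 ? va + 6 + (uint64_t)(int64_t)(int32_t)(uint32_t)disp : disp;
    return read_le(img, slot, is64 ? 8 : 4, target);
}

/* Constructed 32-bit image at 0x75000000: stub at +0x10, pointer slot at +0x40. */
static const uint8_t demo32[0x48] = {
    [0x10] = 0xFF, 0x25, 0x40, 0x00, 0x00, 0x75,   /* jmp dword ptr [0x75000040] */
    [0x40] = 0x10, 0x32, 0x54, 0x76                /* slot holds 0x76543210 */
};
/* Constructed 64-bit image at 0x7FF800000000: same layout, RIP-relative form. */
static const uint8_t demo64[0x48] = {
    [0x10] = 0xFF, 0x25, 0x2A, 0x00, 0x00, 0x00,   /* jmp qword ptr [rip+0x2A] */
    [0x40] = 0x78, 0x56, 0x34, 0x12, 0xF9, 0x7F, 0x00, 0x00
};

int main(void) {
    image_t a = { 0x75000000u, demo32, sizeof demo32 };
    image_t b = { 0x7FF800000000ull, demo64, sizeof demo64 };
    uint64_t t;
    if (resolve_jmp_stub(&a, 0x75000010u, 0, &t)) printf("x86 target: 0x%llx\n", (unsigned long long)t);
    if (resolve_jmp_stub(&b, 0x7FF800000010ull, 1, &t)) printf("x64 target: 0x%llx\n", (unsigned long long)t);
    return 0;
}
```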