Hi,

I have a little problem with loading DLL functions..
Is there any way to load a function by index and not by name?
For example, the index of LoadLibrary in Kernel32 is about 0226h.
I'm able to load it by using the name in GetProcAddress.. it's easy..
But when I only know the index of the function.. how could I load it? :confused:

Thanks for help..
Posted on 2001-09-10 15:53:20 by Marty
From win32.hlp



The GetProcAddress function returns the address of the specified exported dynamic-link library (DLL) function.

FARPROC GetProcAddress(
    HMODULE hModule,    // handle to DLL module
    LPCSTR lpProcName   // name of function
);


Parameters

hModule

Identifies the DLL module that contains the function. The LoadLibrary or GetModuleHandle function returns this handle.

lpProcName

Points to a null-terminated string containing the function name, or specifies the function's ordinal value. If this parameter is an ordinal value, it must be in the low-order word; the high-order word must be zero.



If you don't use GetProcAddress you'll have to scan the DLL's exports in memory manually. That's not a hard thing to do. If you need some source code let me know.
Anyway, GetProcAddress will make it :)

Latigo
Posted on 2001-09-10 16:10:14 by latigo
Greetings,

Are you able to show me your source code? I'll be very happy!!!

thank you
Posted on 2001-09-11 04:24:03 by Marty
Marty,

this is straight out of the MASM32 example code,

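; -------------------
; Direct call the DLL
; -------------------
; hLib is a DWORD variable declared elsewhere in the program
    jmp @F                                   ; skip over the inline string data
    libName  db "tstdll.dll",0
    FuncName db "TestProc",0
  @@:

    invoke LoadLibrary,ADDR libName          ; map the DLL, handle returned in eax
    mov hLib, eax

    invoke GetProcAddress,hLib,ADDR FuncName ; look up the export by name
    call eax                                 ; call the address that was returned

    invoke FreeLibrary,hLib                  ; release the DLL again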

It's in the EXAMPLE1\DLL\CALLDLL directory.

Regards,

hutch@pbq.com.au
Posted on 2001-09-11 04:35:58 by hutch--
Ok, here's the source code (binaries included).
The code you are interested in is inside 'injected.asm'.
Basically this is a program that will inject a 'Nag Screen' inside any PE exe..
To do this I literally inject some code into the host PE which will resolve all the needed APIs at runtime. Since the Windows PE loader does NOT resolve the API addresses I need, I have to scan the memory manually in search of the resolved function addresses.
I hope this was clear :)
Yes, this kind of code is VERY Virii like, but you know, virus writers have developed exquisite techniques :)
If you need more help understanding the code (apart from being a little bit advanced it's a complete mess) just let me know :)

But remember, you can still load a function by its ordinal !!

Bye !

Latigo
Posted on 2001-09-11 12:08:40 by latigo
Thank you,

I'm going to try this.. I will call you if any mistakes or problems happen.. :alright:
Posted on 2001-09-11 14:09:54 by Marty
hmmm...:alright:

Very Good code !!!
So.. when we returned we were talking about using LoadLibrary by an ordinal number..
How can I use that?

You said: "it must be in the low-order word; the high-order word must be zero."

I tried this.. but it didn't work..
Do you have any idea how I could use that??

LoadLibrary, eax, addr nameoffunction

eax ... handle, that's right
addr nameoffunct... it must be replaced by the ordinal number..
is that right?? :)

But how ????? :confused:

thanks for my terrible questions
Posted on 2001-09-11 17:10:58 by Marty
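
How the lpProcName rule quoted from win32.hlp above plays out, as an added example that is not part of the original thread: a portable C model of an export lookup that accepts either a name or an ordinal. `resolve`, `exports_t` and the sample table are hypothetical stand-ins constructed here, not the Windows implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a PE export directory (constructed for illustration;
   a real IMAGE_EXPORT_DIRECTORY stores RVAs instead of C arrays). */
typedef struct {
    uint32_t base;             /* ordinal of the first slot in funcs[] */
    uint32_t nfuncs, nnames;
    const uint32_t *funcs;     /* function RVAs, 0 = unused slot */
    const char *const *names;  /* exported names */
    const uint16_t *name_idx;  /* names[i] -> index into funcs[] */
} exports_t;

/* Constructed sample: ordinals 5..8, slot 6 unused, ordinal 8 has no name. */
static const uint32_t k_funcs[] = { 0x1000, 0, 0x1040, 0x1080 };
static const char *const k_names[] = { "Alpha", "TestProc" };
static const uint16_t k_idx[] = { 2, 0 };
static const exports_t k_dll = { 5, 4, 2, k_funcs, k_names, k_idx };

/* Same packing as MAKEINTRESOURCE: ordinal in the low word, high word zero. */
static const char *by_ordinal(uint16_t ord) { return (const char *)(uintptr_t)ord; }

/* Hypothetical stand-in for GetProcAddress: returns the RVA, or 0 on failure. */
uint32_t resolve(const exports_t *e, const char *proc)
{
    uintptr_t v = (uintptr_t)proc;
    if ((v >> 16) == 0) {                        /* high word zero -> ordinal */
        uint32_t i = (uint32_t)v - e->base;      /* wraps if ordinal < base */
        return (i < e->nfuncs) ? e->funcs[i] : 0;
    }
    for (uint32_t n = 0; n < e->nnames; n++)     /* otherwise it is a name */
        if (strcmp(e->names[n], proc) == 0)
            return e->funcs[e->name_idx[n]];
    return 0;
}

uint32_t demo_by_ordinal(uint16_t ord) { return resolve(&k_dll, by_ordinal(ord)); }
uint32_t demo_by_name(const char *name) { return resolve(&k_dll, name); }

int main(void)
{
    printf("ordinal 5 -> 0x%x\n", (unsigned)demo_by_ordinal(5));
    printf("TestProc  -> 0x%x\n", (unsigned)demo_by_name("TestProc"));
    printf("ordinal 6 -> 0x%x (unused slot)\n", (unsigned)demo_by_ordinal(6));
    return 0;
}
```

In the MASM32 snippet earlier in the thread, the equivalent is to pass the ordinal number itself as the second argument of GetProcAddress where ADDR FuncName is passed now. Ordinals of system DLLs are not guaranteed to stay the same between Windows versions, so a lookup by name is the safer default for them.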