ULONG GetFunctionAddress ( IN ULONG FirstFeature, IN ULONG SecondFeature, IN ULONG ThirdFeature, IN ULONG FourthFeature ) { NTSTATUS NtStatus=STATUS_SEVERITY_SUCCESS; ULONG SystemInformationLength=0; ULONG Index=0; ULONG Loop=0; ULONG ModuleBegin=0; ULONG ModuleFinish=0; PULONG SystemInformationBuffer=NULL; PSYSTEM_MODULE_INFORMATION SystemModulePointer=NULL; ULONG Value=0; ZwQuerySystemInformation(SystemModuleInformation,NULL,0,&SystemInformationLength); SystemInformationBuffer=ExAllocatePool(PagedPool,SystemInformationLength); if (SystemInformationBuffer==NULL) { return NtStatus; } NtStatus=ZwQuerySystemInformation ( SystemModuleInformation, SystemInformationBuffer, SystemInformationLength, NULL ); if (!NT_SUCCESS(NtStatus)) { ExFreePool(SystemInformationBuffer); return NtStatus; } if (MmIsAddressValid(SystemInformationBuffer)==False) { ExFreePool(SystemInformationBuffer); return NtStatus; } SystemModulePointer=(PSYSTEM_MODULE_INFORMATION)(SystemInformationBuffer+1); for (Index=0;Index<*(ULONG*)SystemInformationBuffer;Index++) { ModuleBegin=(ULONG)SystemModulePointer[Index].Base; ModuleFinish=(ULONG)SystemModulePointer[Index].Base+SystemModulePointer[Index].Size; for (Loop=ModuleBeginAddress;Loop<ModuleFinishAddress;Loop++) { if ( *(ULONG*)(Loop+0)==FirstFeature&& *(ULONG*)(Loop+4)==SecondFeature&& *(ULONG*)(Loop+8)==ThirdFeature&& *(ULONG*)(Loop+12)==FourthFeature ) { Value=Loop; } } } ExFreePool(SystemInformationBuffer); return Value; }