From bf2043d018e94942e80d1e51113e5169ee76daeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20H=C3=B6glinger-Stelzer?=
Date: Sat, 17 Jun 2023 20:23:48 +0200
Subject: [PATCH] Enhanced example

---
 Snippets/WDM/GetProcAddress.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/Snippets/WDM/GetProcAddress.md b/Snippets/WDM/GetProcAddress.md
index ecb13d0..c3f41a3 100644
--- a/Snippets/WDM/GetProcAddress.md
+++ b/Snippets/WDM/GetProcAddress.md
@@ -250,6 +250,16 @@ FindExportedFunctionAddress(
 ## Usage example
 
 ```c
+// prototype definition of function we wanna call dynamically
+typedef VOID(NTAPI* t_WppRecorderReplay)(
+_In_ PVOID WppCb,
+_In_ TRACEHANDLE WppTraceHandle,
+_In_ ULONG EnableFlags,
+_In_ UCHAR EnableLevel
+);
+
+static t_WppRecorderReplay G_WppRecorderReplay = NULL;
+
 // full path to module of interest (CAUTION: must be loaded!)
 const STRING targetModuleName = RTL_CONSTANT_STRING("\\SystemRoot\\System32\\Drivers\\WppRecorder.sys");
 // exported function name
@@ -261,7 +271,10 @@ if (NT_SUCCESS(FindDriverBaseAddress(targetModuleName, &driverBaseAddress)))
 {
 if (NT_SUCCESS(FindExportedFunctionAddress(driverBaseAddress, functionName, &functionAddress)))
 {
-// Found imp_WppRecorderReplay, you can now safely call "functionAddress"
+// Found imp_WppRecorderReplay, you can now safely cast and call it
+G_WppRecorderReplay = (t_WppRecorderReplay)functionAddress;
+
+G_WppRecorderReplay(...);
 }
 else
 {
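Review bot: The comment added in the second hunk, `// Found imp_WppRecorderReplay, you can now safely cast and call it`, overstates what the lookup established: FindExportedFunctionAddress only matched an export by name, while the typedef introduced in the first hunk (NTAPI convention and the four-parameter list) is an assumption about an undocumented export that a different WppRecorder.sys build may not honor, and a signature mismatch on a kernel-mode call can corrupt the stack rather than fail cleanly. The pointer cached in G_WppRecorderReplay is also only valid while that module stays loaded, which the CAUTION on targetModuleName says for the lookup but nothing says for the global that outlives it. I would replace the comment with `// Export name matched; the cast assumes t_WppRecorderReplay is this build's real signature (verify per target OS) and the cached pointer is valid only while WppRecorder.sys stays loaded`. The enclosing example block starts before the first hunk (the outer if appears only in the hunk header) and ends after the second.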