From bbfc09d7377292d749ffb74f946890ac166dbe81 Mon Sep 17 00:00:00 2001
From: _xeroxz <xerox@back.engineering>
Date: Wed, 9 Dec 2020 09:14:15 +0000
Subject: [PATCH] Update README.md

---
 README.md | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d3b3c5d..d26b38c 100644
--- a/README.md
+++ b/README.md
@@ -31,4 +31,51 @@ and thus keep the PML4's synced.
 You can call functions that do not reference absolute addresses. This last sentence is pretty ambigous but in short, when the process is injected into another the space between the PML4E's
 is not the same (nor is the PML4E index the same).
 
-My suggestion is you call only small functions if you want to call functions. 
\ No newline at end of file
+My suggestion is you call only small functions if you want to call functions. 
+
+# Example
+
+Since all of the games memory is mapped into your process you can simply walk the games PEB for loaded modules. Here is an example of how to do that.
+
+```cpp
+auto get_module_base(vdm::vdm_ctx* v_ctx, nasa::injector_ctx* rinjector, 
+	std::uint32_t pid, const wchar_t* module_name) -> std::uintptr_t
+{
+	const auto ppeb = 
+		reinterpret_cast<PPEB>(
+			rinjector->translate(
+				reinterpret_cast<std::uintptr_t>(v_ctx->get_peb(pid))));
+
+	const auto ldr_data = 
+		reinterpret_cast<PPEB_LDR_DATA>(
+			rinjector->translate(reinterpret_cast<std::uintptr_t>(ppeb->Ldr)));
+
+	auto current_entry = 
+		reinterpret_cast<LIST_ENTRY*>(
+			rinjector->translate(reinterpret_cast<std::uintptr_t>(
+				ldr_data->InMemoryOrderModuleList.Flink)));
+
+	const auto list_head = &ldr_data->InMemoryOrderModuleList;
+	while (current_entry != list_head)
+	{
+		const auto current_entry_data =
+			reinterpret_cast<PLDR_DATA_TABLE_ENTRY>(
+				reinterpret_cast<std::uintptr_t>(current_entry) - sizeof LIST_ENTRY);
+
+		const auto entry_module_name =
+			reinterpret_cast<const wchar_t*>(
+				rinjector->translate(
+					reinterpret_cast<std::uintptr_t>(
+						reinterpret_cast<PUNICODE_STRING>(
+							reinterpret_cast<std::uintptr_t>(
+								&current_entry_data->FullDllName) + sizeof UNICODE_STRING)->Buffer)));
+
+		if (!_wcsicmp(entry_module_name, module_name))
+			return reinterpret_cast<std::uintptr_t>(current_entry_data->DllBase);
+
+		current_entry = reinterpret_cast<LIST_ENTRY*>(
+			rinjector->translate(reinterpret_cast<std::uintptr_t>(current_entry->Flink)));
+	}
+	return {};
+}
+```
\ No newline at end of file