2 votes
DWORD dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

When I go to the returned address in OllyDbg I can see that this address points to the code which jumps to the real address of LoadLibraryA. I want to get the real address of LoadLibraryA which doesn't change because kernel32.dll is loaded at the same location in every process and also I would like to know why GetProcAddress doesn't return the real address.


3
Do not use (DWORD) for a pointer, even if you decide to code only for the 32-bit platform (which is strange). Use DWORD_PTR instead, or void*. – RbMm

3 Answers

5 votes

You are getting the "real" address of kernel32.LoadLibraryA, as GetProcAddress() returns the real address. It is just that the implementation of kernel32.LoadLibraryA has moved from kernel32.dll to kernelbase.dll, and as a result kernel32.LoadLibraryA simply consists of a single instruction:

jmp dword ptr[kernelbase.LoadLibraryA]

If you look at more functions in kernel32.dll, many of them also have this same pattern:

kernel32.somefunc:
    jmp [kernelbase.somefunc]
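To see this forwarding for yourself rather than stepping through it in a debugger, the following added example (written for this answer, not code from the question or from any Microsoft source) decodes the first instruction at the address GetProcAddress returns. An FF 25 opcode is `jmp [slot]`; on x86 the operand is an absolute 32-bit address, on x64 it is RIP-relative. Reading the slot gives the kernelbase address, and GetModuleHandleEx with the FROM_ADDRESS flag names the module that owns it. It also recognises the `mov edi,edi` (8B FF) hot-patch prologue that the third answer reports seeing on Windows 8, so the same check reports "inline body" on builds that do not forward. The decoder is portable and is exercised on constructed byte sequences; only the part inside `#ifdef _WIN32` touches the live kernel32 exports.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* What the first instruction at an exported address looks like. */
enum stub_kind {
    STUB_OTHER = 0,
    STUB_JMP_INDIRECT = 1,      /* FF 25 ...: jmp dword/qword ptr [slot] (kernel32 -> kernelbase forwarder) */
    STUB_HOTPATCH_PROLOGUE = 2  /* 8B FF: mov edi,edi hot-patch reservation, real body follows inline */
};

enum stub_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 2 && code[0] == 0xFF && code[1] == 0x25) return STUB_JMP_INDIRECT;
    if (len >= 2 && code[0] == 0x8B && code[1] == 0xFF) return STUB_HOTPATCH_PROLOGUE;
    return STUB_OTHER;
}

/* For an FF 25 forwarder located at virtual address `va`, return the address of the
   pointer slot the jmp dereferences, or 0 if `code` is not such an instruction.
   x86 encodes an absolute 32-bit address; x64 encodes a disp32 relative to the
   end of the 6-byte instruction (RIP-relative). */
uint64_t jmp_indirect_slot(const uint8_t *code, size_t len, uint64_t va, int is_x64)
{
    uint32_t disp;
    if (len < 6 || classify_prologue(code, len) != STUB_JMP_INDIRECT) return 0;
    memcpy(&disp, code + 2, sizeof disp);            /* little-endian immediate */
    return is_x64 ? va + 6 + (uint64_t)(int64_t)(int32_t)disp : (uint64_t)disp;
}

/* Constructed sample byte sequences (not captured from a real binary). */
const uint8_t sample_x86_forwarder[] = { 0xFF, 0x25, 0x78, 0x56, 0x34, 0x12 };  /* jmp dword ptr [12345678h] */
const uint8_t sample_x64_forwarder[] = { 0xFF, 0x25, 0xFA, 0x0F, 0x00, 0x00 };  /* jmp qword ptr [rip+0FFAh] */
const uint8_t sample_hotpatch[]      = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };        /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t sample_other[]         = { 0x48, 0x83, 0xEC, 0x28 };              /* sub rsp,28h */

#ifdef _WIN32
/* Resolve a kernel32 export, decode its first instruction and, for a forwarder,
   follow the slot to the module that really holds the code. */
static void inspect_export(const char *name)
{
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    FARPROC fn = k32 ? GetProcAddress(k32, name) : NULL;
    uint8_t code[8];
    uint64_t slot;
    if (!fn) { printf("%s: not exported by kernel32\n", name); return; }
    memcpy(code, (const void *)(uintptr_t)fn, sizeof code);
    slot = jmp_indirect_slot(code, sizeof code, (uintptr_t)fn, sizeof(void *) == 8);
    if (slot) {
        void *target;
        HMODULE owner = NULL;
        char path[MAX_PATH] = "<unknown>";
        memcpy(&target, (const void *)(uintptr_t)slot, sizeof target);
        if (GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                               GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                               (LPCSTR)target, &owner))
            GetModuleFileNameA(owner, path, sizeof path);
        printf("%s: %p = jmp [%p] -> %p (%s)\n", name, (void *)fn,
               (void *)(uintptr_t)slot, target, path);
    } else if (classify_prologue(code, sizeof code) == STUB_HOTPATCH_PROLOGUE) {
        printf("%s: %p starts with mov edi,edi; body is inline in kernel32\n", name, (void *)fn);
    } else {
        printf("%s: %p starts with bytes %02X %02X ...\n", name, (void *)fn, code[0], code[1]);
    }
}

int main(void)
{
    inspect_export("LoadLibraryA");
    inspect_export("GetProcAddress");
    inspect_export("CreateFileA");
    return 0;
}
#endif
```

On a build where kernel32 forwards, the printed path for LoadLibraryA is kernelbase.dll; on older builds the hot-patch branch fires instead. Note that the kernelbase address is what the jump reaches at run time, but GetProcAddress is still correct to return the kernel32 stub: that stub is the exported symbol, and anything that resolves the import by name ends up there.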
1 vote

This is the "real" address of LoadLibraryA. The jump instruction is there for tools to put an indirection there. They would swap the destination address of that jump with something else, pointing to the hook, and jump to the original location after executing the hook to actually execute the function.

1 vote

How do you know it is not the real address of LoadLibraryA? Maybe try WinDbg instead?

On my Windows 8 system GetProcAddress(x, "LoadLibraryA") returns a function that begins with the normal mov edi,edi hotpatch reservation (and the rest of the function) but that does not mean that it can't start with a jump in other versions.