When a process is running, it is possible to change the results of the call to GetProcAddress API, for the exported functions of a module along with modifying the export's offsets and name at runtime.

For example, the offset of kernel32.dll's function VirtualAlloc can be change to the offset of another function. When VirtualAlloc is called (after getting its …