This is a good place to point out the differences between application programming and injected function programming. If you take a close look at beforeEncode, you’ll notice that there are no calls to library functions. This is because the injected function has no idea what libraries were loaded by the underlying application. Ghost gets around this problem by finding the addresses of required functions during ZwMapViewOfSection and passing these addresses to the injected function in the IN_PROCESS_DATA structure. Unfortunately, the functions pointed to by IN_PROCESS_DATA will not be able to use the local variables defined within injected functions, so pass parameters must be by value; or if by reference, the reference must also be an address passed within the IN_PROCESS_DATA structure.