Hooking EndScene

Hey guys, umm, I was trying to hook EndScene using Detours, and I used a method that I hooked many other functions with before, but it just doesn't seem to work.
Here is what i have:

Code:

#include <windows.h>
#include <d3d9.h>
#include <detours.h>

class Hacks
{
public:
    void DrawBorderBox(int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9* pDevice);
    void DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev);
};

DWORD ThreadID;
LPDIRECT3DDEVICE9 pDEVICE;
D3DCOLOR fontRed = D3DCOLOR_ARGB(255, 255, 0, 0);
Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)
{
    hack.DrawBorderBox(50, 50, 200, 200, 10, fontRed, pDevice);

    return oEndScene(pDevice);
}

// thread routine: CreateThread expects DWORD WINAPI (LPVOID)
DWORD WINAPI HookAPI(LPVOID param)
{
    // looks EndScene up as an export of d3d9.dll (see the replies: it is not one, so this is NULL)
    FARPROC Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"), "EndScene");

    if (Endsceneaddy)
    {
        oEndScene = (HRESULT (APIENTRY *)(LPDIRECT3DDEVICE9))DetourFunction((PBYTE)Endsceneaddy, (PBYTE)dEndScene);
    }
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD _Reason, LPVOID _Reserved)
{
    if (_Reason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls(hinst);
        CreateThread(0, 0, HookAPI, 0, 0, &ThreadID);
    }
    return TRUE;
}

void Hacks::DrawBorderBox(int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9* pDevice)
{
    // top horizontal line
    DrawFilledRect(x, y, w, thickness, Colour, pDevice);
    // left vertical line
    DrawFilledRect(x, y, thickness, h, Colour, pDevice);
    // right vertical line
    DrawFilledRect(x + w, y, thickness, h, Colour, pDevice);
    // bottom horizontal line (w + thickness so it meets the right line)
    DrawFilledRect(x, y + h, w + thickness, thickness, Colour, pDevice);
}

// We receive the 2-D coordinates, the colour and the device we want to draw with
void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)
{
    // the rectangle to draw on screen
    D3DRECT BarRect = { x, y, x + w, y + h };
    // clear that portion of the render target to the given colour
    dev->Clear(1, &BarRect, D3DCLEAR_TARGET, color, 0, 0);
}

I have no idea why this code does not seem to work.
Please help me.
Thanks,
Konsowa.

Answer:

What learn_more said.

You would have to do something along the lines of creating a device and getting the EndScene address from it, or you could retrieve it with a byte pattern such as

Code C++

Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address + 2 ), 4 );
DWORD WINAPI HookAPI(LPVOID param)
{
    FARPROC Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"), "EndScene");

    if (Endsceneaddy)
    {
        oEndScene = (HRESULT (APIENTRY *)(LPDIRECT3DDEVICE9))DetourFunction((PBYTE)Endsceneaddy, (PBYTE)dEndScene);
    }
    return 0;
}

That code does not retrieve the correct EndScene address, because EndScene is not exported from d3d9.dll.

try this:

Code:

bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    // 'x' in the mask means the byte must match, '?' means wildcard
    for (; *szMask; ++szMask, ++pData, ++bMask)
        if (*szMask == 'x' && *pData != *bMask)
            return false;

    return (*szMask) == '\0';
}

DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE* bMask, char* szMask)
{
    DWORD dwPatternLen = (DWORD)strlen(szMask);
    // stop early enough that bCompare never reads past dwAddress + dwLen
    for (DWORD i = 0; i + dwPatternLen <= dwLen; i++)
        if (bCompare((BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);

    return 0;
}

DWORD EndSceneaddy;
DWORD WINAPI HookAPI(LPVOID param)
{
    DWORD* vtbl = 0;
    // C7 06 imm32 = mov dword ptr [esi], imm32 : the imm32 is the device vtable address.
    // 0x128000 is a hard-coded guess at the size of d3d9.dll.
    DWORD table = FindPattern((DWORD)GetModuleHandleA("d3d9.dll"), 0x128000,
        (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    if (!table)
        return 0;
    memcpy(&vtbl, (void*)(table + 2), 4);
    EndSceneaddy = vtbl[42];    // IDirect3DDevice9::EndScene is vtable index 42
    if (EndSceneaddy)
    {
        oEndScene = (HRESULT (APIENTRY *)(LPDIRECT3DDEVICE9))DetourFunction((PBYTE)EndSceneaddy, (PBYTE)dEndScene);
    }
    return 0;
}
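Two things about the scan in the reply above are worth tightening: the 0x128000 scan length is a guess at the size of d3d9.dll, and a compare loop without a bounds check walks past the end of the module when the pattern starts in its last few bytes. The following is an added example, my own code rather than anything posted in this thread, of the same vtable-pointer scan with both handled: the scan length comes from SizeOfImage in the module's own PE header, the matcher never reads past the buffer, and the imm32 is pulled out of the C7 06 encoding. It runs against a constructed fake module image instead of a live process; the image layout, the 0x6E5A1B00 vtable address baked into it, and every function name are assumptions made for the demonstration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// PE layout facts: e_lfanew sits at 0x3C in the DOS header; SizeOfImage sits
// 0x38 bytes into the optional header, which begins 24 bytes after "PE\0\0"
// (4 signature bytes + 20 bytes of IMAGE_FILE_HEADER). Same for PE32 and PE32+.
static const size_t kLfanewOffset      = 0x3C;
static const size_t kSizeOfImageOffset = 4 + 20 + 0x38;

static uint32_t read_le32(const uint8_t* p) {
    uint32_t v;
    std::memcpy(&v, p, sizeof v);            // host assumed little-endian, like x86
    return v;
}

// SizeOfImage from a mapped PE header, or 0 if the bytes are not a plausible PE.
static uint32_t pe_size_of_image(const uint8_t* base, size_t len) {
    if (len < kLfanewOffset + 4 || base[0] != 'M' || base[1] != 'Z') return 0;
    size_t lfanew = read_le32(base + kLfanewOffset);
    if (lfanew + kSizeOfImageOffset + 4 > len) return 0;
    if (std::memcmp(base + lfanew, "PE\0\0", 4) != 0) return 0;
    return read_le32(base + lfanew + kSizeOfImageOffset);
}

// Masked search: 'x' = byte must match, '?' = wildcard. The loop bound is
// len - plen, so the compare never touches memory past base + len.
static size_t find_pattern(const uint8_t* base, size_t len,
                           const uint8_t* pat, const char* mask) {
    size_t plen = std::strlen(mask);
    if (plen == 0 || plen > len) return SIZE_MAX;
    for (size_t i = 0; i + plen <= len; ++i) {
        size_t j = 0;
        while (j < plen && (mask[j] != 'x' || base[i + j] == pat[j])) ++j;
        if (j == plen) return i;
    }
    return SIZE_MAX;
}

// The thread's signature: C7 06 imm32 = "mov dword ptr [esi], imm32" (imm32 is
// the device vtable), followed by two "mov [esi+disp32], eax" (89 86 disp32).
static const uint8_t kVtablePattern[] = {0xC7,0x06,0,0,0,0, 0x89,0x86,0,0,0,0, 0x89,0x86};
static const char    kVtableMask[]    = "xx????xx????xx";

// Scan the image (bounded by SizeOfImage and by what we actually hold) and pull
// the imm32 out of the matched instruction. Returns 0 when nothing matches.
static uint32_t find_d3d9_vtable_va(const uint8_t* module_base, size_t bytes_held) {
    uint32_t size = pe_size_of_image(module_base, bytes_held);
    size_t scan_len = (size != 0 && size < bytes_held) ? size : bytes_held;
    size_t off = find_pattern(module_base, scan_len, kVtablePattern, kVtableMask);
    return off == SIZE_MAX ? 0 : read_le32(module_base + off + 2);
}

// --- constructed test image (not a real d3d9.dll) ---------------------------
static const uint32_t kFakeVtableVa = 0x6E5A1B00u;   // made-up address

// 0x200 bytes of NOP filler with a minimal MZ/PE header. With truncated = false
// the full 18-byte instruction sequence sits at 0x100; with truncated = true
// only its first 6 bytes sit at the very end, where a scanner without a bounds
// check would read past the buffer.
static std::vector<uint8_t> build_fake_module(bool truncated) {
    std::vector<uint8_t> img(0x200, 0x90);
    img[0] = 'M'; img[1] = 'Z';
    uint32_t lfanew = 0x40;
    std::memcpy(&img[kLfanewOffset], &lfanew, 4);
    std::memcpy(&img[lfanew], "PE\0\0", 4);
    uint32_t size_of_image = (uint32_t)img.size();
    std::memcpy(&img[lfanew + kSizeOfImageOffset], &size_of_image, 4);
    const uint8_t instr[] = {0xC7,0x06, 0x00,0x1B,0x5A,0x6E,        // mov [esi], 0x6E5A1B00
                             0x89,0x86, 0x10,0,0,0,                // mov [esi+0x10], eax
                             0x89,0x86, 0x14,0,0,0};               // mov [esi+0x14], eax
    size_t count = truncated ? 6 : sizeof instr;
    size_t at    = truncated ? img.size() - count : 0x100;
    std::memcpy(&img[at], instr, count);
    return img;
}

uint32_t demo_found_vtable_va()   { std::vector<uint8_t> m = build_fake_module(false); return find_d3d9_vtable_va(m.data(), m.size()); }
uint32_t demo_truncated_pattern() { std::vector<uint8_t> m = build_fake_module(true);  return find_d3d9_vtable_va(m.data(), m.size()); }
uint32_t demo_size_of_image()     { std::vector<uint8_t> m = build_fake_module(false); return pe_size_of_image(m.data(), m.size()); }

int main() {
    uint32_t found = demo_found_vtable_va(), truncated = demo_truncated_pattern();
    std::printf("vtable VA: %#x (truncated image: %#x)\n", found, truncated);
    return 0;
}
```

On a live target the base is the module handle (GetModuleHandleA("d3d9.dll") is the module base); read SizeOfImage from the first page with pe_size_of_image and pass that as the length, so the scan stays inside the mapping. The imm32 is still a 32-bit value: this signature only makes sense for a 32-bit d3d9.dll.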

It's a different way of doing the same thing,
but that is not going to work with GetProcAddress either.
If you want the addresses of these functions you will have to create a dummy DX device and get them from the vtable (more than enough examples around for that).

They are virtual functions, which is why they aren't exported.
You can also do a simple vtable hook on them, depending on the A/C.
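As an added illustration of the "simple vtable hook" mentioned above (my own example, not code from this thread): a COM object such as IDirect3DDevice9 keeps a pointer to its table of function pointers as its first member, so hooking EndScene is a matter of replacing what slot 42 resolves to. The stand-in below mimics that layout with a constructed struct instead of creating a real device, so it runs anywhere; the method count (119, from d3d9.h), the slot index 42, HRESULT_t and all the names are assumptions made for the demonstration. It uses the shadow-table variant: copy the table, patch the copy, point the object at the copy. Patching the real table in place would instead require VirtualProtect, because d3d9's vtable lives in the module's read-only data; the shadow variant avoids that, but an object whose table pointer no longer points into d3d9.dll is exactly what an anti-cheat checks for, which is the "depending on the A/C" caveat.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for a COM object. Like IDirect3DDevice9, the first member is the
// pointer to a table of function pointers; slot 42 is EndScene on the real
// interface and 119 is its method count (d3d9.h). The rest here is filler.
typedef long HRESULT_t;            // keeps the example independent of windows.h
typedef void (*GenericFn)();

static const size_t kEndSceneIndex = 42;
static const size_t kMethodCount   = 119;

struct FakeDevice {
    GenericFn* vtbl;               // must remain the first member
    int        real_end_scene_calls;
};
typedef HRESULT_t (*EndSceneFn)(FakeDevice* self);

// The "d3d9.dll side": the genuine EndScene plus filler for the other slots.
static HRESULT_t real_end_scene(FakeDevice* self) { ++self->real_end_scene_calls; return 0; }
static void filler_method() {}

// Hook state: trampoline to the original, and a counter the test inspects.
static EndSceneFn g_orig_end_scene = 0;
static int        g_hooked_end_scene_calls = 0;

static HRESULT_t hooked_end_scene(FakeDevice* self) {
    ++g_hooked_end_scene_calls;    // a real hook draws its overlay here ...
    return g_orig_end_scene(self); // ... and then lets d3d9 finish the frame
}

// Shadow-VMT hook: duplicate the table, patch one slot in the duplicate, and
// point the object at the duplicate. The module's own table is never written,
// so no VirtualProtect is needed; the cost is that obj->vtbl no longer points
// into the module, which a pointer compare detects immediately.
struct ShadowVmt {
    FakeDevice*            target;
    GenericFn*             original_table;
    std::vector<GenericFn> copy;
};

static GenericFn install_shadow_vmt(FakeDevice* dev, size_t slot,
                                    GenericFn replacement, ShadowVmt* out) {
    out->target         = dev;
    out->original_table = dev->vtbl;
    out->copy.assign(dev->vtbl, dev->vtbl + kMethodCount);
    GenericFn original = out->copy[slot];
    out->copy[slot]    = replacement;
    dev->vtbl = out->copy.data();  // one aligned pointer store: the swap itself is atomic on x86
    return original;
}

static void remove_shadow_vmt(ShadowVmt* h) { h->target->vtbl = h->original_table; }

// What the game does every frame: an indirect call through slot 42.
static HRESULT_t call_end_scene_like_the_game(FakeDevice* dev) {
    EndSceneFn fn = reinterpret_cast<EndSceneFn>(dev->vtbl[kEndSceneIndex]);
    return fn(dev);
}

// One unhooked frame, two hooked frames, one frame after unhooking. Returns the
// genuine EndScene's call count (4, because the hook forwards every call), or
// -1 if the original table pointer was not restored.
int run_shadow_vmt_demo() {
    static GenericFn table[kMethodCount];
    for (size_t i = 0; i < kMethodCount; ++i) table[i] = filler_method;
    table[kEndSceneIndex] = reinterpret_cast<GenericFn>(real_end_scene);

    FakeDevice dev = { table, 0 };
    g_hooked_end_scene_calls = 0;

    call_end_scene_like_the_game(&dev);

    ShadowVmt hook;
    g_orig_end_scene = reinterpret_cast<EndSceneFn>(install_shadow_vmt(
        &dev, kEndSceneIndex, reinterpret_cast<GenericFn>(hooked_end_scene), &hook));
    call_end_scene_like_the_game(&dev);
    call_end_scene_like_the_game(&dev);

    remove_shadow_vmt(&hook);
    call_end_scene_like_the_game(&dev);

    return dev.vtbl == table ? dev.real_end_scene_calls : -1;
}

int hooked_end_scene_call_count() { return g_hooked_end_scene_calls; }

int main() {
    int real_calls = run_shadow_vmt_demo();
    int hooked_calls = hooked_end_scene_call_count();
    std::printf("real EndScene calls: %d, hooked calls: %d\n", real_calls, hooked_calls);
    return 0;
}
```

On a real device the same pointer swap is done on the IDirect3DDevice9* the game renders with, and the replacement must use the interface's calling convention (stdcall on 32-bit Windows, with the device pointer as the first argument) so that the original can be called through the saved slot value exactly as shown.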

I love that question 

Seems you can't do a straight-up VMT hook, so explore other methods of hooking functions. If we all said "here is our undetected hook for a game" it would then become detected. It all depends on the game and the A/C used, so you need to get creative and come up with your own.

Time: 2024-10-01 07:46:37
