D3D9挂钩(EndScene + DrawIndexedPrimitive)

时间:2017-12-05 11:47:11

标签: c++ hook direct3d

正如你们当中没有人知道的那样,我现在非常厌倦了DirectX。我已经尝试过,无论我做什么,我都无法找到任何工作。我在网上搜索并研究了钩子;我将一些代码组合在一起以废弃我自己的钩子;我找到了剽窃的钩子,以了解它们是如何工作的;我甚至从头开始写了一些。但是,我似乎无法让一个人工作。我正在尝试为CrossFire制作一个简单的D3D模式菜单。我尝试过:

  1. 通过VT​​able挂钩[遇到设备指针问题]
  2. 通过模式+掩码扫描等方式进行挂钩并绕路[不确定如何获取模式,找不到可靠的win10工作方式]
  3. 创建虚拟设备以获取地址等[导致游戏立即关闭(检测到)]

    4. 无论我做什么,菜单要么变得扁平,一旦被编程到绕道的EndScene中就会出现,我会关闭,我崩溃,或者没有任何反应。

    是否有任何好的入门材料都有我可以学习的示例代码,并且可以实现这一目标?

    我已经编写了hack菜单,设置了变量,编程了功能,DllMain,依赖项,你给它命名了。我需要的只是让一个合适的钩子工作 - 我唯一一个工作有一个奇怪的错误,在EndScene& DrawIndexedPrimitive中的wall-hack无效。

1 个答案:

答案 0 :(得分:0)

这是一个SO答案的大量代码,但是我们开始吧。

  • 获取正确的窗口
  • 创建虚拟设备
  • 从vtable获取endcene的地址
  • 做一个标准的x86蹦床挂钩
  • 内部挂钩可以执行您需要进行的初始化工作
  • 获取正确的设备指针的副本
  • 画东西
  • 使用正确的设备指针调用原始功能
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")
#include <windows.h>
#include <d3d9.h>
#include <d3dx9.h>

bool Hook(char* src, char* dst, int len)
{
    if (len < 5) return false;

    DWORD curProtection;

    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);

    memset(src, 0x90, len);

    uintptr_t relativeAddress = (uintptr_t)(dst - src - 5);

    *src = (char)0xE9;
    *(uintptr_t*)(src + 1) = (uintptr_t)relativeAddress;

    DWORD temp;
    VirtualProtect(src, len, curProtection, &temp);

    return true;
}

char* TrampHook(char* src, char* dst, unsigned int len)
{
    if (len < 5) return 0;

    // Create the gateway (len + 5 for the overwritten bytes + the jmp)
    char* gateway = (char*)VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // Put the bytes that will be overwritten in the gateway
    memcpy(gateway, src, len);

    // Get the gateway to destination addy
    uintptr_t gateJmpAddy = (uintptr_t)(src - gateway - 5);

    // Add the jmp opcode to the end of the gateway
    *(gateway + len) = (char)0xE9;

    // Add the address to the jmp
    *(uintptr_t*)(gateway + len + 1) = gateJmpAddy;

    // Place the hook at the destination
    if (Hook(src, dst, len))
    {
        return gateway;
    }
    else return nullptr;
}


typedef HRESULT(APIENTRY* tEndScene)(LPDIRECT3DDEVICE9 pDevice);

static HWND window;


BOOL CALLBACK EnumWindowsCallback(HWND handle, LPARAM lParam)
{
    DWORD wndProcId;
    GetWindowThreadProcessId(handle, &wndProcId);

    if (GetCurrentProcessId() != wndProcId)
        return TRUE; // skip to next window

    window = handle;
    return FALSE; // window found abort search
}

HWND GetProcessWindow()
{
    window = NULL;
    EnumWindows(EnumWindowsCallback, NULL);
    return window;
}

bool GetD3D9Device(void** pTable, size_t Size)
{
    if (!pTable)
        return false;

    IDirect3D9* pD3D = Direct3DCreate9(D3D_SDK_VERSION);

    if (!pD3D)
        return false;

    IDirect3DDevice9* pDummyDevice = NULL;

    // options to create dummy device
    D3DPRESENT_PARAMETERS d3dpp = {};
    d3dpp.Windowed = false;
    d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    d3dpp.hDeviceWindow = GetProcessWindow();

    HRESULT dummyDeviceCreated = pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, d3dpp.hDeviceWindow, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &pDummyDevice);

    if (dummyDeviceCreated != S_OK)
    {
        // may fail in windowed fullscreen mode, trying again with windowed mode
        d3dpp.Windowed = !d3dpp.Windowed;

        dummyDeviceCreated = pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, d3dpp.hDeviceWindow, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &pDummyDevice);

        if (dummyDeviceCreated != S_OK)
        {
            pD3D->Release();
            return false;
        }
    }

    memcpy(pTable, *reinterpret_cast<void***>(pDummyDevice), Size);

    pDummyDevice->Release();
    pD3D->Release();
    return true;
}

void DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)
{
    D3DRECT BarRect = { x, y, x + w, y + h };
    dev->Clear(1, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, 0, 0);
}


bool bInit = false;
tEndScene oEndScene = nullptr;
LPDIRECT3DDEVICE9 pD3DDevice = nullptr;
void* d3d9Device[119];

HRESULT APIENTRY hkEndScene(LPDIRECT3DDEVICE9 pDevice)
{
    if (bInit == false)
    {
        pD3DDevice = pDevice;
        bInit = true;
    }

    //draw stuff here like so:
    DrawFilledRect(200, 200, 200, 200, D3DCOLOR_ARGB(255, 255, 0, 0), pDevice);

    return oEndScene(pDevice);
}

DWORD WINAPI Init(HMODULE hModule)
{
    if (GetD3D9Device(d3d9Device, sizeof(d3d9Device)))
    {
        oEndScene = (tEndScene)TrampHook((char*)d3d9Device[42], (char*)hkEndScene, 7);
    }
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Init, hModule, 0, nullptr));
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

这个准系统d3d9结束场景钩子向我,Broihon,Solaire和0xDEC0DE致谢

相关问题
最新问题