123456

 

Hook IDirect3DDevice9::Present

 

其实很简单.主要针对D3D游戏.主要思路:Hook IDirect3DDevice9::Present,在其中加入sleep函数.让系统获得更多的CPU时间片.

试验游戏:剑网三(以D3D9为例)
学习各种外挂制作技术,马上去百度搜索 "魔鬼作坊" 点击第一个站 去那里学习喽。
 
具体实现步骤:
1.HOOK Direct3DCreate9来获得类型为LPDIRECT3D9的Direct3D对象的接口指针,它有一个成员函数为 IDirect3D9::CreateDevice,所以,只要根据Direct3D对象接口指针找到Direct3D对象的虚函数表,再根据虚函数表确定IDirect3D9::CreateDevice的内存地址,就可以hook这个函数,从而获得类型为LPDIRECT3DDEVICE9的设备对象指针,然后根据设备对象指针找到设备对象的虚函数表,根据虚函数表找到IDirect3DDevice9::Present在内存中的地址,对其进行HOOK,在其中加入sleep函数.
 
----------------------------------------------------------------------------------------------------

//代码参考runjin
#include <d3d9.h>
#include <D3dx9core.h>
#pragma comment(lib, "D3D9.lib")
#pragma comment(lib, "D3Dx9.lib")
void GameD3D_HOOK();
IDirect3D9 * _stdcall New_Direct3DCreate9(UINT SDKVersion); 
HRESULT _stdcall New_CreateDevice(
                                    LPDIRECT3D9 pDx9,
                                    UINT Adapter,
                                    D3DDEVTYPE DeviceType,
                                    HWND hFocusWindow,
                                    DWORD BehaviorFlags,
                                    D3DPRESENT_PARAMETERS * pPresentsentationParameters,
                                    IDirect3DDevice9 ** pPresentturnedDeviceInterface
 
                                    );
 
HRESULT _stdcall New_Present(
                              LPDIRECT3DDEVICE9 pDxdevice,
                              CONST RECT * pSourceRect,
                              CONST RECT * pDestRect,
                              HWND hDestWindowOverride,
                              CONST RGNDATA * pDirtyRegion
                              );
 
 
LPDIRECT3D9 m_pD3D=NULL; //Direct3D对象的接口指针
 
void * pDirect3DCreate9=NULL;//Direct3DCreate9函数地址指针
void * pCreateDevice=NULL;//IDirect3D9::CreateDevice函数地址指针
void * pPresent=NULL;//IDirect3DDevice9::Present函数地址指针
 
int Sleeptime=50;//延时时间
 
BYTE Direct3DCreate_Begin[5];//用于保存Direct3DCreate9入口的5字节
BYTE CreateDevice_Begin[5];//用于保存IDirect3D9::CreateDevice入口的字节
BYTE Present_Begin[5];//用于保存IDirect3DDevice9::Present入口的5字节
 
void GameD3D_HOOK()
{
    //hook Direct3DCreate9
    pDirect3DCreate9=GetProcAddress(GetModuleHandle("d3d9.dll"),"Direct3DCreate9");
    DWORD oldproc=0;
    memcpy(Direct3DCreate_Begin,pDirect3DCreate9,5);
    VirtualProtect(pDirect3DCreate9,5,PAGE_EXECUTE_READWRITE,&oldpro);
    *(BYTE*)pDirect3DCreate9=0xe9;
    *(DWORD*)((BYTE*)pDirect3DCreate9+1)=(DWORD)New_Direct3DCreate9-(DWORD)pDirect3DCreate9-5;
}
//当运行到Direct3DCreate9时跳转到这里
IDirect3D9 * _stdcall New_Direct3DCreate9(
    UINT SDKVersion
    )
{
    __asm pushad
        memcpy(pDirect3DCreate9,Direct3DCreate_Begin,5);//首先还原入口的5个字节
    m_pD3D=Direct3DCreate9(SDKVersion);
    if(m_pD3D){//如果成功
        pCreateDevice=(void*)*(DWORD*)(*(DWORD*)m_pD3D+0x40);//获得IDirect3D9::CreateDevice的地址指针
 
        DWORD oldpro=0;
        memcpy(CreateDevice_Begin,pCreateDevice,5);//保存IDirect3D9::CreateDevice入口5个字节
        VirtualProtect(pCreateDevice,5,PAGE_EXECUTE_READWRITE,&oldpro);
        *(BYTE*)pCreateDevice=0xe9;
        *(DWORD*)((BYTE*)pCreateDevice+1)=(DWORD)New_CreateDevice-(DWORD)pCreateDevice-5;
 
    }else{//如果失败就再hook一次
        DWORD oldpro=0;
        VirtualProtect(pDirect3DCreate9,5,PAGE_EXECUTE_READWRITE,&oldpro);
        *(BYTE*)pDirect3DCreate9=0xe9;
        *(DWORD*)((BYTE*)pDirect3DCreate9+1)=(DWORD)New_Direct3DCreate9-(DWORD)pDirect3DCreate9-5;
    }
 
    __asm popad
        return m_pD3D;
}
//hook CreateDevice
HRESULT _stdcall New_CreateDevice(
                                    LPDIRECT3D9 pDx9,
                                    UINT Adapter,
                                    D3DDEVTYPE DeviceType,
                                    HWND hFocusWindow,
                                    DWORD BehaviorFlags,
                                    D3DPRESENT_PARAMETERS * pPresentsentationParameters,
                                    IDirect3DDevice9 ** pPresentturnedDeviceInterface
 
                                    )
{
    __asm pushad
 
 
        memcpy(pCreateDevice,CreateDevice_Begin,5);//先还原入口的5个字节
 
    HRESULT ret=pDx9->CreateDevice( //创建设备
        Adapter,
        DeviceType,
        hFocusWindow,
        BehaviorFlags,
        pPresentsentationParameters,
        pPresentturnedDeviceInterface);
 
 
    if (ret==D3D_OK){//如果创建设备成功
 
        LPDIRECT3DDEVICE9 m_pDevice=*pPresentturnedDeviceInterface;
 
        pPresent=(void*)*(DWORD*)(*(DWORD*)m_pDevice+0x44);//获得IDirect3DDevice9::Present的地址指针
        memcpy(Present_Begin,pPresent,5);//保存IDirect3DDevice9::Present入口的5个字节
        DWORD oldpro=0;
        VirtualProtect(pPresent,5,PAGE_EXECUTE_READWRITE,&oldpro);
        *(BYTE*)pPresent=0xe9;
        *(DWORD*)((BYTE*)pPresent+1)=(DWORD)New_Present-(DWORD)pPresent-5;
 
 
 
    }else{//如果失败再hookIDirect3D9::CreateDevice一次
        DWORD oldpro=0;
        VirtualProtect(pCreateDevice,5,PAGE_EXECUTE_READWRITE,&oldpro);
        *(BYTE*)pCreateDevice=0xe9;
        *(DWORD*)((BYTE*)pCreateDevice+1)=(DWORD)New_CreateDevice-(DWORD)pCreateDevice-5;
    }
    __asm popad
        return ret;
}
 
//当程序运行到IDirect3DDevice9::Present入口处将跳转到这里
HRESULT _stdcall New_Present(
                              LPDIRECT3DDEVICE9 pDxdevice,//类的this指针
                              CONST RECT * pSourceRect,//此参数请参考dx sdk
                              CONST RECT * pDestRect,//同上
                              HWND hDestWindowOverride,//同上
                              CONST RGNDATA * pDirtyRegion//同上
 
                              )
{
    Sleep(Sleeptime);
    __asm pushad
 
        if(pDirect3DCreate9 && pCreateDevice && pPresent)
            memcpy(pPresent,Present_Begin,5);//先还原IDirect3DDevice9::Present入口的5字节
 
        HRESULT retdata= pDxdevice->Present(pSourceRect,pDestRect,hDestWindowOverride,pDirtyRegion);
 
        if(pDirect3DCreate9 && pCreateDevice && pPresent){
            //DWORD oldpro=0;
            //VirtualProtect(pPresent,5,PAGE_EXECUTE_READWRITE,&oldpro);
            //调用完IDirect3DDevice9::Present后再hook一次
            *(BYTE*)pPresent=0xe9;
            *(DWORD*)((BYTE*)pPresent+1)=(DWORD)New_Present-(DWORD)pPresent-5;
        }
 
        __asm popad
            return retdata;
}
 
-----------------------------------------------------------------------------------------------------

sleep 50ms的效果..

未HOOK,剑三客户端CPU占用率在我的本本上是:60%左右

HOOK后,剑三客户端CPU占用率在我的本本上是:15%左右

学习各种外挂制作技术,马上去百度搜索 "魔鬼作坊" 点击第一个站 去那里学习喽。

 

posted on 2012-09-05 19:54  hgy413  阅读(786)  评论(0编辑  收藏  举报

导航