Hooking EndScene

Hey guys, umm i was trying to hook endscene using detours and i used a method that i hooked many other functions with before but it just doesnt seem to work.
Here is what i have:

Code:
DWORD ThreadID;
LPDIRECT3DDEVICE9 pDEVICE;
D3DCOLOR fontRed = D3DCOLOR_ARGB(255, 255, 0, 0);
Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)
{
    DrawBorderBox(50, 50, 200 , 200, 10, fontRed, pDevice);
    
    return oEndScene(pDevice);
}

void APIENTRY HookAPI(LPVOID param)
{
    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)
    {
        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));
    }
};



bool __stdcall DllMain(HINSTANCE hinst,  DWORD _Reason, _In_opt_ LPVOID _Reserved)
{
    DisableThreadLibraryCalls(hinst);

    CreateThread(0,0,(LPTHREAD_START_ROUTINE)HookAPI,0,0,&ThreadID);

    return true;
}

void Hacks::DrawBorderBox( int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9 *pDevice)
{
    //Top horiz line
    DrawFilledRect( x, y, w, thickness,  Colour, pDevice );
    //Left vertical line
    DrawFilledRect( x, y, thickness, h, Colour, pDevice );
    //right vertical line
    DrawFilledRect( (x + w), y, thickness, h, Colour, pDevice );
    //bottom horiz line
    DrawFilledRect( x, y + h, w+thickness, thickness, Colour, pDevice );
}


//We receive the 2-D Coordinates the colour and the device we want to use to draw those colours with
void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)
{
    //We create our rectangle to draw on screen
    D3DRECT BarRect = { x, y, x + w, y + h }; 
    //We clear that portion of the screen and display our rectangle
    dev->Clear(1, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, 0, 0);
}

I have no idea y this code does not seem to work
Please help me 
Thanks,
Konsowa.

 

 

Answer:

 

What learn_more said..

You would have to do something on the lines of Create a Device and get the EndScene address or you could retrieve it with a Byte Pattern such as

Code C++
Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address + 2 ), 4 );
void APIENTRY HookAPI(LPVOID param)
{
    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)
    {
        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));
    }
};

that code not retrieve correct EndScene address because EndScene not exported in d3d9.dll

try this:

Code:
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask ) 
            return false;

    return (*szMask) == NULL;
}
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    for(DWORD i=0; i < dwLen; i++)
        if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
            return (DWORD)(dwAddress+i);

    return 0;
}

DWORD EndSceneaddy;
void APIENTRY HookAPI(LPVOID param)
{
    DWORD* vtbl = 0;     
    DWORD table = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000,     (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    memcpy(&vtbl, (void*)(table+2), 4);
    EndSceneaddy = vtbl[42];    
    if (Endsceneaddy)
    {
        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));
    }

}

it's a different way of doing the same,
but that is not going to work with GetProcAddress either,
if you want the addresses of these functions you will have to create a dummy dx device, and get them from the vtable (more than enough examples around for that)

They are virtual functions which is why they aren't exported.
You can also do a simple vtable hook on them depending on A/C.

 

I love that question 

Seems you can't do a straight up VMT hook so explore other hook methods of functions to hook. If we all said here is our undetected hook for a game it would then become detected. It all depends on game and A/C used so you need to get creative and come up with your own.

posted @ 2014-10-07 15:03  royalwong_real  阅读(647)  评论(0编辑  收藏  举报