SwaggaJackin' Master Cheater
Reputation: 2
Joined: 06 Nov 2009 Posts: 304
Posted: Wed Aug 17, 2011 9:17 am Post subject: Injecting code and hooking to Direct3D Present()
I've never written a hook and I have a basic knowledge of C++; I've never actually done anything as advanced as this in C++.
Basically I want to make a jump at Direct3D 9's Present() function and have it jump to my own code that will draw items in the game based on memory values retrieved from the game.
E.g. read all of the enemy positions in the game, and read their life. Then draw their remaining life above their coordinates.
My problem lies in the actual hook. I have the address where I want to inject, so how do I achieve patching it in C++, and how do I draw onto the game itself? Should I be using DLL injection for this? Would that be the easiest method? I've never worked with DirectX, but I won't need to draw anything more advanced than a transparent rectangle.
So how should I go about this? I know how to find the process: just enumerate the process list and check the results of the process name against a string I specify. But how do I make the actual hook?
I've googled samples and a lot are either outdated or broken links. Would really appreciate some help on this. Trying to take it one step at a time. So I want to first make a successful hook. After I've verified I can do this, I want to then see if reading the memory brings in the results I desire. Finally I want to draw to the screen and jump back to the game's actual Present() function.
So I've got the PID of the process I want to attach my code to. What do I need to do now?
Thanks!
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 17, 2011 11:20 am
You can either wrap the entire interface or specifically hook the single function. Inline patching or vtable hooking will be what you are wanting to do for a single function hook. You are better off hooking the vtable as it's typically the most undetected method in most cases.
There are a ton of examples of how to hook onto Direct3D's vtable on the net so you should be able to find some examples easily. If you have any problems feel free to post for more assistance.
_________________
- Retired. |
SwaggaJackin' Master Cheater
Reputation: 2
Joined: 06 Nov 2009 Posts: 304
Posted: Wed Aug 17, 2011 12:52 pm
| Wiccaan wrote: | You can either wrap the entire interface or specifically hook the single function. Inline patching or vtable hooking will be what you are wanting to do for a single function hook. You are better off hooking the vtable as it's typically the most undetected method in most cases.
There are a ton of examples of how to hook onto Direct3D's vtable on the net so you should be able to find some examples easily. If you have any problems feel free to post for more assistance. |
Thanks. I was checking this out:
http://www.doxcoding.com/forums/viewtopic.php?t=237
I compiled detours 2.1, then compiled his source. I noticed his array of bytes actually gives 3 results, so I changed it where it always ONLY found the d3d9.dll address:
33C0C706xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986
| Code: |
BYTE* pattern = (PBYTE)"\x33\xC0\xC7\x06\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86";
|
However, I tried injecting it and it crashes every game I've tried so far.
I was on IRC and tuna said one way is to create a jump at the beginning of the procedure I want to hook (in this case Present()). I understand the process: create the jump to (I guess) load my DLL. However, what I don't understand is what then? How do I tell it to execute my specific main loop? After it executes the code inside of my DLL, then I will return it back to the Present() function. But on the next frame when Present() is called... wouldn't it load my DLL again?
Do I need to change the jmp when the DLL is loaded to a call inside my DLL? If so, how do I do that? Just trying to map this out in my head since I can't seem to find any working examples =/.
Thanks again.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 17, 2011 1:13 pm
| SwaggaJackin' wrote: |
Thanks. I was checking this out:
http://www.doxcoding.com/forums/viewtopic.php?t=237
I compiled detours 2.1, then compiled his source. I noticed his array of bytes actually gives 3 results, so I changed it where it always ONLY found the d3d9.dll address:
33C0C706xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986xxxxxxxx8986
| Code: |
BYTE* pattern = (PBYTE)"\x33\xC0\xC7\x06\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86\xFF\xFF\xFF\xFF\x89\x86";
|
|
It depends on what scanning code you are using. If you are finding results outside of d3d9.dll, it's because you are not limiting the scan to a specific range. If you want to only scan for that signature inside a specific module, then start your check at the base address of the module and scan up to the size of it.
| SwaggaJackin' wrote: |
However, I tried injecting it and it crashes every game I've tried so far.
|
You'll need to debug it then to determine what is causing the crash. If you don't attempt to debug it to find out what's causing the crash, you'll probably not get any further than where you are now.
| SwaggaJackin' wrote: |
I was on IRC and tuna said one way is to create a jump at the beginning of the procedure I want to hook (in this case present()). I understand the process, create the jump to (I guess) load my dll. However, what I don't understand is what then?
|
If you injected your DLL, it's loaded already. You'd be placing the jump at the start of the function to jump to your own code. If you go this route, then you will need to place the jump to your code; execute whatever you wish to do; then jump back to the proper location to return the code flow.
Most will just use vtable hooks as you can easily just replace the pointer to the Present function with the pointer to your own Present. Then you can call the original by casting the old pointer to the prototype of the function. This is the common method of hooking with Direct3D.
| SwaggaJackin' wrote: |
How do I tell it to execute my specific main loop? After it executes the code inside of my dll, then I will return it back to the present() function. But on the next frame when present() is called....wouldn't it load my dll again?
|
No, you don't want to tell Present to load your DLL. That's not the point of injection. Your DllMain should be doing nothing (if you plan to follow DLL standards). You should be injecting your DLL and calling an export to do the hooking. Once you inject your DLL, as long as nothing fails or causes it to unload, it will stay loaded.
| SwaggaJackin' wrote: |
Do I need to change the jmp when the dll is loaded, to a call inside my dll? If so how do I do that. Just trying to map this out in my head since I can't seem to find any working examples =/.
|
Check out these examples; these are basically what you are trying to do:
http://www.ring3circus.com/downloads/direct3d-hooking/
http://www.gamedeception.net/threads/7681-Direct3D-StarterKit-v3.0?s=1d7661c8413ed93d6b6cdc59f6163e82
http://www.gamedeception.net/threads/11101-DirectX-VTable-Hook-Using-the-Games-Device-Pointer
GameDeception has a lot of vtable hooking examples. I don't recommend posting there with questions, though, as they are not kind-hearted to newcomers. But you can browse and find a lot of examples and such there.
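Added example (not code from the thread or from the linked doxcoding post): a signature scan restricted to one module's address range, which is the fix atom0s describes above for the stray hits. The process memory, the "d3d9.dll" region inside it and the two pattern instances are all constructed here so the code runs offline; the signature is a shortened form of the one posted above, with an explicit `x`/`?` mask rather than 0xFF wildcard bytes, and `ModuleRange` (Windows only, built on `GetModuleHandleA` and `GetModuleInformation`) shows how to get the real base and size of d3d9.dll inside the target process.

```cpp
// Added example, not part of the original thread: bounded signature scan.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   // GetModuleInformation; link with psapi.lib
#endif

// Scan [base, base + size) for `sig`. mask[i] == 'x' means the byte must match,
// '?' means wildcard. Returns the offset of the first hit, or SIZE_MAX if none.
size_t FindPattern(const uint8_t* base, size_t size, const uint8_t* sig, const char* mask)
{
    const size_t len = std::strlen(mask);
    if (len == 0 || size < len) return SIZE_MAX;
    for (size_t off = 0; off + len <= size; ++off) {
        size_t i = 0;
        while (i < len && (mask[i] == '?' || base[off + i] == sig[i])) ++i;
        if (i == len) return off;
    }
    return SIZE_MAX;
}

#ifdef _WIN32
// Real-process version of "start at the module base and scan up to its size".
// Only compiled on Windows; everything else in this example runs anywhere.
bool ModuleRange(const char* name, const uint8_t** base, size_t* size)
{
    HMODULE mod = GetModuleHandleA(name);
    if (!mod) return false;
    MODULEINFO mi = {};
    if (!GetModuleInformation(GetCurrentProcess(), mod, &mi, sizeof(mi))) return false;
    *base = static_cast<const uint8_t*>(mi.lpBaseOfDll);
    *size = mi.SizeOfImage;
    return true;
}
#endif

// Shortened form of the signature from the thread: 33 C0 C7 06 ?? ?? ?? ?? 89 86 ?? ?? ?? ?? 89 86
static const uint8_t kSig[]  = {0x33,0xC0,0xC7,0x06, 0,0,0,0, 0x89,0x86, 0,0,0,0, 0x89,0x86};
static const char    kMask[] = "xxxx????xx????xx";

// Constructed stand-in for process memory: 4 KiB of NOPs with the simulated
// d3d9.dll image occupying the upper half, starting at kFakeD3D9Base.
static const size_t kFakeD3D9Base = 2048;

std::vector<uint8_t> BuildFakeMemory()
{
    std::vector<uint8_t> mem(4096, 0x90);
    // A matching instruction sequence in some other module: the kind of stray hit
    // an unbounded scan returns.
    const uint8_t other[] = {0x33,0xC0,0xC7,0x06, 0x10,0x20,0x30,0x40, 0x89,0x86, 0x11,0x22,0x33,0x44, 0x89,0x86};
    std::memcpy(&mem[100], other, sizeof other);
    // The one actually wanted, inside the simulated d3d9.dll.
    const uint8_t d3d9[] = {0x33,0xC0,0xC7,0x06, 0xAA,0xBB,0xCC,0xDD, 0x89,0x86, 0x01,0x02,0x03,0x04, 0x89,0x86};
    std::memcpy(&mem[2100], d3d9, sizeof d3d9);
    return mem;
}

// Unbounded scan: returns the first hit anywhere, which is the wrong one.
size_t ScanWholeProcess(const std::vector<uint8_t>& mem)
{
    return FindPattern(mem.data(), mem.size(), kSig, kMask);
}

// Bounded scan: only looks inside the simulated module and reports an absolute offset.
size_t ScanD3D9Only(const std::vector<uint8_t>& mem)
{
    size_t off = FindPattern(mem.data() + kFakeD3D9Base, mem.size() - kFakeD3D9Base, kSig, kMask);
    return off == SIZE_MAX ? SIZE_MAX : off + kFakeD3D9Base;
}

int main()
{
    std::vector<uint8_t> mem = BuildFakeMemory();
    std::printf("whole-process scan hit: %zu (stray)\n", ScanWholeProcess(mem));
    std::printf("d3d9-only scan hit:     %zu\n", ScanD3D9Only(mem));
    return 0;
}
```

In a real injected DLL the `[base, base + size)` pair comes from `ModuleRange("d3d9.dll", ...)` and the same `FindPattern` is run over it; if the signature still matches more than once inside the module, the pattern needs more fixed bytes rather than a wider scan.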
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25837 Location: The netherlands
Posted: Wed Aug 17, 2011 2:50 pm
Just one thing: don't use the vtable hook method, as calling certain methods (like SetRenderState) will undo the hooks.
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 17, 2011 4:44 pm
| Dark Byte wrote: | Just one thing: don't use the vtable hook method, as calling certain methods (like SetRenderState) will undo the hooks. |
Can't say I've ever seen this happen. Perhaps a game specific protection? Any game I've hooked has not had anything like this before.
Just tested with a demo app from the Direct3D SDK and this does not happen for me.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25837 Location: The netherlands
Posted: Wed Aug 17, 2011 4:49 pm
I think it's new. Perhaps an update in DX.
I saw it last time I was playing with the Direct3D SDK samples; the pointers in the vtable changed back.
Could be it's for DX10+ only, or Windows 7.
edit: I tested it on the MultiAnimation sample, which uses DX9, so it could be an updated d3dx library, or it's Windows 7.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Wed Aug 17, 2011 5:08 pm
| Dark Byte wrote: | I think it's new. Perhaps an update in DX.
I saw it last time I was playing with the Direct3D SDK samples; the pointers in the vtable changed back.
Could be it's for DX10+ only, or Windows 7.
edit: I tested it on the MultiAnimation sample, which uses DX9, so it could be an updated d3dx library, or it's Windows 7. |
Which SDK (month/year) was this? I'll install it and check it out. The two installs I have are a bit old.
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25837 Location: The netherlands
Posted: Wed Aug 17, 2011 5:40 pm
June 2010.
Hooking the vtable is of course still possible if you hook enough functions and make sure it stays hooked (in my personal version of dxmess, for example, I added a rehook call right after the routines that tend to restore it).
And it could of course be an anti-virus or the display driver itself (no idea why they would do that, but who knows...).
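Added example (not code from the thread) covering two points made above: atom0s's description of replacing the Present pointer in the vtable and calling the original through the saved pointer, and Dark Byte's rehook call after the routines that restore the table. The device, its two-slot vtable and the `HRESULT_t` type are constructed stand-ins that use the same `lpVtbl` layout as a COM interface (the real one is `IDirect3DDevice9` from d3d9.h, where Present is slot 17); the table-restoring `RealSetRenderState` only simulates the behaviour Dark Byte reported so the rehook path can be exercised, and is not a claim about what d3d9 does internally.

```cpp
// Added example, not part of the original thread: vtable hook on Present with call-through
// to the original, plus a rehook check for tables that get restored behind your back.
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#endif

typedef long HRESULT_t;   // constructed stand-in for HRESULT (<windows.h> has the real one)
struct FakeDevice;
typedef HRESULT_t (*PresentFn)(FakeDevice*, const void*, const void*, void*, const void*);
typedef HRESULT_t (*SetRenderStateFn)(FakeDevice*, unsigned, unsigned);

// Only the two slots this example touches are modelled. In the real IDirect3DDevice9
// table Present is slot 17 and is called as dev->lpVtbl->Present(dev, ...).
struct FakeDeviceVtbl {
    SetRenderStateFn SetRenderState;
    PresentFn        Present;
};
struct FakeDevice {
    FakeDeviceVtbl* lpVtbl;   // first member, exactly as COM lays out an interface
    int framesPresented;
    int renderStateCalls;
};

static FakeDeviceVtbl g_pristineVtbl;  // what the "driver" copies back
static FakeDeviceVtbl g_liveVtbl;      // the table the device really points at

static HRESULT_t RealPresent(FakeDevice* dev, const void*, const void*, void*, const void*)
{
    dev->framesPresented++;
    return 0;
}

// Simulation of the behaviour reported in the thread: after this call the table holds
// its original pointers again, which silently removes any hook placed in it.
static HRESULT_t RealSetRenderState(FakeDevice* dev, unsigned, unsigned)
{
    dev->renderStateCalls++;
    g_liveVtbl = g_pristineVtbl;
    return 0;
}

static PresentFn g_origPresent = nullptr;  // saved original, used for the call-through
static int g_overlayDraws = 0;
static int g_rehooks = 0;

static void WritePresentSlot(FakeDeviceVtbl* vt, PresentFn fn)
{
#ifdef _WIN32
    // The real table may sit in a read-only section of d3d9.dll: make the slot writable first.
    DWORD old = 0;
    VirtualProtect(&vt->Present, sizeof(fn), PAGE_READWRITE, &old);
    vt->Present = fn;
    VirtualProtect(&vt->Present, sizeof(fn), old, &old);
#else
    vt->Present = fn;  // the constructed table here is ordinary writable memory
#endif
}

static HRESULT_t HookedPresent(FakeDevice* dev, const void* src, const void* dst, void* wnd, const void* dirty)
{
    g_overlayDraws++;  // a real hook draws its rectangles / health text here, before the frame is shown
    return g_origPresent(dev, src, dst, wnd, dirty);  // hand control back to the real Present
}

// Replace the Present slot, keeping the original pointer. Returns false if already hooked.
bool InstallPresentHook(FakeDevice* dev)
{
    if (dev->lpVtbl->Present == &HookedPresent) return false;
    if (!g_origPresent) g_origPresent = dev->lpVtbl->Present;  // save once; never save our own hook
    WritePresentSlot(dev->lpVtbl, &HookedPresent);
    return true;
}

// The rehook call: run it right after the routines that restore the table.
// Returns true when the hook had been undone and was put back.
bool EnsurePresentHooked(FakeDevice* dev)
{
    if (dev->lpVtbl->Present == &HookedPresent) return false;
    InstallPresentHook(dev);
    g_rehooks++;
    return true;
}

struct RunResult { int frames; int overlays; int rehooks; };

// Drive the constructed device through four frames; each frame the "game" touches
// render state (which restores the table) and then presents.
RunResult Simulate(bool rehookAfterRenderState)
{
    g_pristineVtbl.SetRenderState = &RealSetRenderState;
    g_pristineVtbl.Present = &RealPresent;
    g_liveVtbl = g_pristineVtbl;
    g_origPresent = nullptr; g_overlayDraws = 0; g_rehooks = 0;
    FakeDevice dev = { &g_liveVtbl, 0, 0 };
    InstallPresentHook(&dev);
    for (int frame = 0; frame < 4; ++frame) {
        dev.lpVtbl->SetRenderState(&dev, 0, 0);
        if (rehookAfterRenderState) EnsurePresentHooked(&dev);
        dev.lpVtbl->Present(&dev, nullptr, nullptr, nullptr, nullptr);
    }
    RunResult r = { dev.framesPresented, g_overlayDraws, g_rehooks };
    return r;
}

int main()
{
    RunResult a = Simulate(false);
    RunResult b = Simulate(true);
    std::printf("no rehook:   frames=%d overlays=%d rehooks=%d\n", a.frames, a.overlays, a.rehooks);
    std::printf("with rehook: frames=%d overlays=%d rehooks=%d\n", b.frames, b.overlays, b.rehooks);
    return 0;
}
```

Without the rehook the first line shows the hook disappearing after the first SetRenderState: four frames presented, zero overlay draws, and nothing crashes, which is why a silently restored table is easy to miss. With it, every frame goes through `HookedPresent` and then the saved original. In an injected DLL the same `EnsurePresentHooked` would be called from your own hooks on the restoring routines, and `g_origPresent` is simply the raw pointer read out of slot 17 cast to the Present prototype, as atom0s describes.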
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Thu Aug 18, 2011 9:52 am
| Dark Byte wrote: | June 2010.
Hooking the vtable is of course still possible if you hook enough functions and make sure it stays hooked (in my personal version of dxmess, for example, I added a rehook call right after the routines that tend to restore it).
And it could of course be an anti-virus or the display driver itself (no idea why they would do that, but who knows...). |
Just tested with this SDK version and still no issues on my machine.
Windows 7 x86
August 2007 SDK (used CustomUI.exe to test) - worked fine
February 2010 SDK (used CustomUI.exe to test) - worked fine
June 2010 SDK (used CustomUI.exe to test) - worked fine
I don't use any anti-virus, so nothing is interfering there either.