Hey guys, umm i was trying to hook endscene using detours and i used a method that i hooked many other functions with before but it just doesnt seem to work.
Here is what i have:

Code:
DWORD ThreadID;

LPDIRECT3DDEVICE9 pDEVICE;

D3DCOLOR fontRed = D3DCOLOR_ARGB(, , , );

Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)

{

    DrawBorderBox(, ,  , , , fontRed, pDevice);

    return oEndScene(pDevice);

}

void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

bool __stdcall DllMain(HINSTANCE hinst,  DWORD _Reason, _In_opt_ LPVOID _Reserved)

{

    DisableThreadLibraryCalls(hinst);

    CreateThread(,,(LPTHREAD_START_ROUTINE)HookAPI,,,&ThreadID);

    return true;

}

void Hacks::DrawBorderBox( int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9 *pDevice)

{

    //Top horiz line

    DrawFilledRect( x, y, w, thickness,  Colour, pDevice );

    //Left vertical line

    DrawFilledRect( x, y, thickness, h, Colour, pDevice );

    //right vertical line

    DrawFilledRect( (x + w), y, thickness, h, Colour, pDevice );

    //bottom horiz line

    DrawFilledRect( x, y + h, w+thickness, thickness, Colour, pDevice );

}

//We receive the 2-D Coordinates the colour and the device we want to use to draw those colours with

void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)

{

    //We create our rectangle to draw on screen

    D3DRECT BarRect = { x, y, x + w, y + h };

    //We clear that portion of the screen and display our rectangle

    dev->Clear(, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, , );

}

I have no idea y this code does not seem to work
Please help me 
Thanks,
Konsowa.

Answer:

What learn_more said..

You would have to do something on the lines of Create a Device and get the EndScene address or you could retrieve it with a Byte Pattern such as

Code C++
Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address +  ),  );
void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

that code not retrieve correct EndScene address because EndScene not exported in d3d9.dll

try this:

Code:
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)

{

    for(;*szMask;++szMask,++pData,++bMask)

        if(*szMask=='x' && *pData!=*bMask )

            return false;

    return (*szMask) == NULL;

}

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)

{

    for(DWORD i=; i < dwLen; i++)

        if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )

            return (DWORD)(dwAddress+i);

    return ;

}

DWORD EndSceneaddy;

void APIENTRY HookAPI(LPVOID param)

{

    DWORD* vtbl = ;

    DWORD table = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000,     (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

    memcpy(&vtbl, (void*)(table+), );

    EndSceneaddy = vtbl[];

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

}

it's a different way of doing the same,
but that is not going to work with GetProcAddress either,
if you want the addresses of these functions you will have to create a dummy dx device, and get them from the vtable (more than enough examples around for that)

They are virtual functions which is why they aren't exported.
You can also do a simple vtable hook on them depending on A/C.

I love that question 

Seems you can't do a straight up VMT hook so explore other hook methods of functions to hook. If we all said here is our undetected hook for a game it would then become detected. It all depends on game and A/C used so you need to get creative and come up with your own.

Hooking EndScene的更多相关文章

  1. Windows API Hooking in Python

    catalogue . 相关基础知识 . Deviare API Hook Overview . 使用ctypes调用Windows API . pydbg . winappdbg . dll inj ...

  2. 安卓动态调试七种武器之离别钩 – Hooking(下)

    0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的,人是活的,如果能搞懂工具的原理再结合上自身的经验,你也可以创造出属于自己的调试 ...

  3. 安卓动态调试七种武器之离别钩 – Hooking(上)

    安卓动态调试七种武器之离别钩 – Hooking(上) 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的 ...

  4. Hooking Android System Calls for Pleasure and Benefit

    The Android kernel is a powerful ally to the reverse engineer. While regular Android apps are hopele ...

  5. DLL Injection and Hooking

    DLL Injection and Hooking http://securityxploded.com/dll-injection-and-hooking.php Three Ways to Inj ...

  6. Linux System Calls Hooking Method Summary

    http://www.cnblogs.com/LittleHann/p/3854977.html http://www.cnblogs.com/cozy/articles/3175615.html h ...

  7. Delphi_MemoryModule — load DLL from memory. Also includes hooking utilities.

    https://github.com/Fr0sT-Brutal/Delphi_MemoryModule

  8. [Docker] Hooking a Volume to Node.js Source Code

    Normally when you create a Volume, it will store in Docket Host, you can also tell the folder which ...

  9. system call hooking 系统调用增加或劫持

    1. 引言:这篇文章提供了一种增加自定义系统调用或劫持原有的系统调用的实现方法,只针对 linux 系统.主要思路是获取系统调用表 sys_call_table 地址,然后用新函数地址覆盖系统调用表某 ...

随机推荐

  1. Windows下通过GitHub+Hexo搭建个人博客的步骤

    Windows下通过GitHub+Hexo搭建个人博客的步骤  https://blog.csdn.net/namechenfl/article/details/90442312 https://bl ...

  2. 13、numpy——算术函数

    NumPy 算术函数 1.NumPy 算术函数包含简单的加减乘除: add(),subtract(),multiply() 和 divide(). 需要注意的是数组必须具有相同的形状或符合数组广播规则 ...

  3. 【JAVA】毕向东Java基础视频教程-笔记

    传智播客-毕向东Java基础视频教程 <2013年-33days>版-学习代码记录 链接: GitHub库:JavaBXD33 目录 01-Java基础知识 02-Java对象细节 03- ...

  4. 金蝶云k3 cloud采购入库单校验日期不通过

    新增采购入库单的时候提示单据日期必须大于等于货主组织在核算系统最后关账日期 解决办法:库存系统和存货核算系统的反关账

  5. Nginx 教程 (1):基本概念

      简介 嗨!分享就是关心!所以,我们愿意再跟你分享一点点知识.我们准备了这个划分为三节的<Nginx教程>.如果你对 Nginx 已经有所了解,或者你希望了解更多,这个教程将会对你非常有 ...

  6. 3.Web中使用iReport 整合----------创建PDF格式的

    转自:https://wenku.baidu.com/view/104156f9770bf78a65295462.html 1.

  7. smbmount - 装载一个 smbfs 文件系统

    总览 SYNOPSIS smbmount {service} {mount-point} [-o options] 描述 DESCRIPTION smbmount 可以装载一个Linux SMB文件系 ...

  8. Redis线上环境做Keys匹配操作!你可以离职了!

    转自:https://blog.csdn.net/bntx2jsqfehy7/article/details/84207884一.一个新闻 新闻内容如下:php工程师执行redis keys * 导致 ...

  9. Codeforces Round #394 (Div. 2) - B

    题目链接:http://codeforces.com/contest/761/problem/B 题意:给定一个环形跑道.里面有n个障碍,跑道长度为L.然后有两个人在两个起点(起点可能相同),每个人都 ...

  10. java 静态内存图、静态代码块

    package java08; /* 静态代码块格式: public class 类名称{ static{ //静态代码块 } } 特点:当第一次执行本类时,静态代码块执行唯一的一次 * */ pub ...