Hey guys, umm i was trying to hook endscene using detours and i used a method that i hooked many other functions with before but it just doesnt seem to work.
Here is what i have:

Code:
DWORD ThreadID;

LPDIRECT3DDEVICE9 pDEVICE;

D3DCOLOR fontRed = D3DCOLOR_ARGB(, , , );

Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)

{

    DrawBorderBox(, ,  , , , fontRed, pDevice);

    return oEndScene(pDevice);

}

void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

bool __stdcall DllMain(HINSTANCE hinst,  DWORD _Reason, _In_opt_ LPVOID _Reserved)

{

    DisableThreadLibraryCalls(hinst);

    CreateThread(,,(LPTHREAD_START_ROUTINE)HookAPI,,,&ThreadID);

    return true;

}

void Hacks::DrawBorderBox( int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9 *pDevice)

{

    //Top horiz line

    DrawFilledRect( x, y, w, thickness,  Colour, pDevice );

    //Left vertical line

    DrawFilledRect( x, y, thickness, h, Colour, pDevice );

    //right vertical line

    DrawFilledRect( (x + w), y, thickness, h, Colour, pDevice );

    //bottom horiz line

    DrawFilledRect( x, y + h, w+thickness, thickness, Colour, pDevice );

}

//We receive the 2-D Coordinates the colour and the device we want to use to draw those colours with

void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)

{

    //We create our rectangle to draw on screen

    D3DRECT BarRect = { x, y, x + w, y + h };

    //We clear that portion of the screen and display our rectangle

    dev->Clear(, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, , );

}

I have no idea y this code does not seem to work
Please help me 
Thanks,
Konsowa.

Answer:

What learn_more said..

You would have to do something on the lines of Create a Device and get the EndScene address or you could retrieve it with a Byte Pattern such as

Code C++
Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address +  ),  );
void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

that code not retrieve correct EndScene address because EndScene not exported in d3d9.dll

try this:

Code:
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)

{

    for(;*szMask;++szMask,++pData,++bMask)

        if(*szMask=='x' && *pData!=*bMask )

            return false;

    return (*szMask) == NULL;

}

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)

{

    for(DWORD i=; i < dwLen; i++)

        if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )

            return (DWORD)(dwAddress+i);

    return ;

}

DWORD EndSceneaddy;

void APIENTRY HookAPI(LPVOID param)

{

    DWORD* vtbl = ;

    DWORD table = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000,     (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

    memcpy(&vtbl, (void*)(table+), );

    EndSceneaddy = vtbl[];

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

}

it's a different way of doing the same,
but that is not going to work with GetProcAddress either,
if you want the addresses of these functions you will have to create a dummy dx device, and get them from the vtable (more than enough examples around for that)

They are virtual functions which is why they aren't exported.
You can also do a simple vtable hook on them depending on A/C.

I love that question 

Seems you can't do a straight up VMT hook so explore other hook methods of functions to hook. If we all said here is our undetected hook for a game it would then become detected. It all depends on game and A/C used so you need to get creative and come up with your own.

Hooking EndScene的更多相关文章

  1. Windows API Hooking in Python

    catalogue . 相关基础知识 . Deviare API Hook Overview . 使用ctypes调用Windows API . pydbg . winappdbg . dll inj ...

  2. 安卓动态调试七种武器之离别钩 – Hooking(下)

    0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的,人是活的,如果能搞懂工具的原理再结合上自身的经验,你也可以创造出属于自己的调试 ...

  3. 安卓动态调试七种武器之离别钩 – Hooking(上)

    安卓动态调试七种武器之离别钩 – Hooking(上) 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的 ...

  4. Hooking Android System Calls for Pleasure and Benefit

    The Android kernel is a powerful ally to the reverse engineer. While regular Android apps are hopele ...

  5. DLL Injection and Hooking

    DLL Injection and Hooking http://securityxploded.com/dll-injection-and-hooking.php Three Ways to Inj ...

  6. Linux System Calls Hooking Method Summary

    http://www.cnblogs.com/LittleHann/p/3854977.html http://www.cnblogs.com/cozy/articles/3175615.html h ...

  7. Delphi_MemoryModule — load DLL from memory. Also includes hooking utilities.

    https://github.com/Fr0sT-Brutal/Delphi_MemoryModule

  8. [Docker] Hooking a Volume to Node.js Source Code

    Normally when you create a Volume, it will store in Docket Host, you can also tell the folder which ...

  9. system call hooking 系统调用增加或劫持

    1. 引言:这篇文章提供了一种增加自定义系统调用或劫持原有的系统调用的实现方法,只针对 linux 系统.主要思路是获取系统调用表 sys_call_table 地址,然后用新函数地址覆盖系统调用表某 ...

随机推荐

  1. Laya2.0的转变

    之前一直用Laya1.x+TypeScript了,最近项目开始使用Laya2.0+AS3了 总结一下需要注意的一些事项,算是2种开发模式的区别与过渡吧 1.AS类的访问标识 必须是public,不写会 ...

  2. Thinkphp在nginx设置同域名二级目录访问

    Thinkphp在nginx设置同域名二级目录访问,是因为最近弄一个小程序项目,要https,但是只有单个域名,不能通配域名,所有只好用二级目录,thinkphp二级目录访问要怎么设置呢 下面是ngi ...

  3. 攻防世界--dmd-50

    测试文件:https://adworld.xctf.org.cn/media/task/attachments/7ef7678559ea46cbb535c0b6835f2f4d 1.准备 获取信息 6 ...

  4. 道路识别demo

    最近做的道路识别一开始终于弄懂了点东西,一开始在网上找到了一个简单的道路识别的opencvsharp的版本.我觉得opencvsharp真的是一个很好的东西,它封装了比opencv更多的数据结构和库, ...

  5. MySQL语句优化方法(简单版)

    基础回顾: sql语句是怎么样运行的? 一般来说,客户端发送sql语句到数据库服务器——数据库服务器进行运算并返回结果——客户端显示sql语句运行结果. 在本地运行时以workbench为例,客户端为 ...

  6. 一、简单的图片上传并预览功能input[file]

    一.简单的图片上传并预览功能input[file] <!DOCTYPE html> <html lang="en"> <head> <me ...

  7. java 抽象的概念 抽象类的使用

    package java10; /* 抽象方法:就是加上abstract关键字,然后去掉大括号,直接分号结束 抽象类:抽象方法所在的类,必须是抽象类才行.在class之前写上abstract即可 如何 ...

  8. extjs6.0 treepanel设置展开和设置选中

    var treePanel = { id: "treeUrl", xtype: "treepanel", useArrows: true, // 节点展开+,- ...

  9. python关于window文件写入后,换行默认\r\n的问题

    因为python兼容各种平台,所以当在window打开文本文件写入后,换行会默认写成\r\n linux是\n 如果想去掉换行的\r 解决方法:在open函数里写入换行要求即可 with open(f ...

  10. cornerNet部分学习内容记录

    cornerNet来源灵感是基于多人姿态估计的从下往上思想,预测角的热图,根据嵌入式向量对角进行分组,其主干网络也来自于姿态估计的环面网络. cornerNet的总体框架结构图如下:  CornerN ...