Hey guys, umm i was trying to hook endscene using detours and i used a method that i hooked many other functions with before but it just doesnt seem to work.
Here is what i have:

Code:
DWORD ThreadID;

LPDIRECT3DDEVICE9 pDEVICE;

D3DCOLOR fontRed = D3DCOLOR_ARGB(, , , );

Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)

{

    DrawBorderBox(, ,  , , , fontRed, pDevice);

    return oEndScene(pDevice);

}

void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

bool __stdcall DllMain(HINSTANCE hinst,  DWORD _Reason, _In_opt_ LPVOID _Reserved)

{

    DisableThreadLibraryCalls(hinst);

    CreateThread(,,(LPTHREAD_START_ROUTINE)HookAPI,,,&ThreadID);

    return true;

}

void Hacks::DrawBorderBox( int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9 *pDevice)

{

    //Top horiz line

    DrawFilledRect( x, y, w, thickness,  Colour, pDevice );

    //Left vertical line

    DrawFilledRect( x, y, thickness, h, Colour, pDevice );

    //right vertical line

    DrawFilledRect( (x + w), y, thickness, h, Colour, pDevice );

    //bottom horiz line

    DrawFilledRect( x, y + h, w+thickness, thickness, Colour, pDevice );

}

//We receive the 2-D Coordinates the colour and the device we want to use to draw those colours with

void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)

{

    //We create our rectangle to draw on screen

    D3DRECT BarRect = { x, y, x + w, y + h };

    //We clear that portion of the screen and display our rectangle

    dev->Clear(, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, , );

}

I have no idea y this code does not seem to work
Please help me 
Thanks,
Konsowa.

Answer:

What learn_more said..

You would have to do something on the lines of Create a Device and get the EndScene address or you could retrieve it with a Byte Pattern such as

Code C++
Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address +  ),  );
void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

that code not retrieve correct EndScene address because EndScene not exported in d3d9.dll

try this:

Code:
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)

{

    for(;*szMask;++szMask,++pData,++bMask)

        if(*szMask=='x' && *pData!=*bMask )

            return false;

    return (*szMask) == NULL;

}

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)

{

    for(DWORD i=; i < dwLen; i++)

        if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )

            return (DWORD)(dwAddress+i);

    return ;

}

DWORD EndSceneaddy;

void APIENTRY HookAPI(LPVOID param)

{

    DWORD* vtbl = ;

    DWORD table = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000,     (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

    memcpy(&vtbl, (void*)(table+), );

    EndSceneaddy = vtbl[];

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

}

it's a different way of doing the same,
but that is not going to work with GetProcAddress either,
if you want the addresses of these functions you will have to create a dummy dx device, and get them from the vtable (more than enough examples around for that)

They are virtual functions which is why they aren't exported.
You can also do a simple vtable hook on them depending on A/C.

I love that question 

Seems you can't do a straight up VMT hook so explore other hook methods of functions to hook. If we all said here is our undetected hook for a game it would then become detected. It all depends on game and A/C used so you need to get creative and come up with your own.

Hooking EndScene的更多相关文章

  1. Windows API Hooking in Python

    catalogue . 相关基础知识 . Deviare API Hook Overview . 使用ctypes调用Windows API . pydbg . winappdbg . dll inj ...

  2. 安卓动态调试七种武器之离别钩 – Hooking(下)

    0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的,人是活的,如果能搞懂工具的原理再结合上自身的经验,你也可以创造出属于自己的调试 ...

  3. 安卓动态调试七种武器之离别钩 – Hooking(上)

    安卓动态调试七种武器之离别钩 – Hooking(上) 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的 ...

  4. Hooking Android System Calls for Pleasure and Benefit

    The Android kernel is a powerful ally to the reverse engineer. While regular Android apps are hopele ...

  5. DLL Injection and Hooking

    DLL Injection and Hooking http://securityxploded.com/dll-injection-and-hooking.php Three Ways to Inj ...

  6. Linux System Calls Hooking Method Summary

    http://www.cnblogs.com/LittleHann/p/3854977.html http://www.cnblogs.com/cozy/articles/3175615.html h ...

  7. Delphi_MemoryModule — load DLL from memory. Also includes hooking utilities.

    https://github.com/Fr0sT-Brutal/Delphi_MemoryModule

  8. [Docker] Hooking a Volume to Node.js Source Code

    Normally when you create a Volume, it will store in Docket Host, you can also tell the folder which ...

  9. system call hooking 系统调用增加或劫持

    1. 引言:这篇文章提供了一种增加自定义系统调用或劫持原有的系统调用的实现方法,只针对 linux 系统.主要思路是获取系统调用表 sys_call_table 地址,然后用新函数地址覆盖系统调用表某 ...

随机推荐

  1. 普通ACL访问控制列表

    配置OSPF R1: R2: R3: R4: 在R1上查看OSPF的学习 测试R1与R4环回接口连通性 配置普通ACL访问控制列表: 先在R4配置密码用R1与R4建立telnet建立 密码huawei ...

  2. ubuntu下mysql定时备份

    一:ubuntu下自动备份mysql数据库 转载来源:https://jingyan.baidu.com/article/ab0b563097cabac15afa7dbc.html 1.创建保存备份文 ...

  3. Codeforces 433A (背包)

    题面 传送门 真是令人胃疼的题面 我不管,我要把苹果都给雪菜!(滑稽)(冬马党不要打我) 分析 突然感觉这题跟今年NOIP Day1T2有点像,都是根据数加减来构造背包,只不过这题是01背包而不是完全 ...

  4. python:while循环语句及练习题

    while循环语句及练习题 Python 编程中 while 语句用于循环执行程序,即在某条件下,循环执行某段程序,以处理需要重复处理的相同任务.其基本形式为: while 判断条件: 执行语句... ...

  5. 2019牛客暑期多校训练营(第二场) - F - Partition problem - 枚举

    https://ac.nowcoder.com/acm/contest/882/F 潘哥的代码才卡过去了,自己写的都卡不过去,估计跟评测机有关. #include<bits/stdc++.h&g ...

  6. Qt 如何使用反射?

    Qt 如何使用反射? c++ 反射 标准库暂时还没有,那我们来看看如何使用 qt 来进行反射. 反射类的案例 1. 通过注册的类型需找 id 进行实例化该类 myclass.h #include &l ...

  7. CSRF相关

    CSRF原理 第一次获取页面的时候浏览器返回一个随机字符串,之后提交数据的时候需要把到这个字符串去提交,不然会报错 返回的时候还会把这个字符串放到cookie里面, 使用form提交时候: {% cs ...

  8. go web编程——路由与http服务

    本文主要讲解go语言web编程中的路由与http服务基本原理. 首先,使用go语言启动一个最简单的http服务: package main import ( "log" " ...

  9. valueOf()对象返回值

    valueOf()对象返回值 Array数组的元素被转换为字符串,这些字符串由逗号分隔,连接在一起.其操作与 Array.toString 和 Array.join 方法相同. Boolean为Boo ...

  10. DTS

    一.DTS的加载过程   如果要使用Device Tree,首先用户要了解自己的硬件配置和系统运行参数,并把这些信息组织成Device Tree source file.通过DTC(Device Tr ...