Hey guys, umm i was trying to hook endscene using detours and i used a method that i hooked many other functions with before but it just doesnt seem to work.
Here is what i have:

Code:
DWORD ThreadID;

LPDIRECT3DDEVICE9 pDEVICE;

D3DCOLOR fontRed = D3DCOLOR_ARGB(, , , );

Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)

{

    DrawBorderBox(, ,  , , , fontRed, pDevice);

    return oEndScene(pDevice);

}

void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

bool __stdcall DllMain(HINSTANCE hinst,  DWORD _Reason, _In_opt_ LPVOID _Reserved)

{

    DisableThreadLibraryCalls(hinst);

    CreateThread(,,(LPTHREAD_START_ROUTINE)HookAPI,,,&ThreadID);

    return true;

}

void Hacks::DrawBorderBox( int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9 *pDevice)

{

    //Top horiz line

    DrawFilledRect( x, y, w, thickness,  Colour, pDevice );

    //Left vertical line

    DrawFilledRect( x, y, thickness, h, Colour, pDevice );

    //right vertical line

    DrawFilledRect( (x + w), y, thickness, h, Colour, pDevice );

    //bottom horiz line

    DrawFilledRect( x, y + h, w+thickness, thickness, Colour, pDevice );

}

//We receive the 2-D Coordinates the colour and the device we want to use to draw those colours with

void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)

{

    //We create our rectangle to draw on screen

    D3DRECT BarRect = { x, y, x + w, y + h };

    //We clear that portion of the screen and display our rectangle

    dev->Clear(, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, , );

}

I have no idea y this code does not seem to work
Please help me 
Thanks,
Konsowa.

Answer:

What learn_more said..

You would have to do something on the lines of Create a Device and get the EndScene address or you could retrieve it with a Byte Pattern such as

Code C++
Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address +  ),  );
void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

that code not retrieve correct EndScene address because EndScene not exported in d3d9.dll

try this:

Code:
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)

{

    for(;*szMask;++szMask,++pData,++bMask)

        if(*szMask=='x' && *pData!=*bMask )

            return false;

    return (*szMask) == NULL;

}

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)

{

    for(DWORD i=; i < dwLen; i++)

        if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )

            return (DWORD)(dwAddress+i);

    return ;

}

DWORD EndSceneaddy;

void APIENTRY HookAPI(LPVOID param)

{

    DWORD* vtbl = ;

    DWORD table = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000,     (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

    memcpy(&vtbl, (void*)(table+), );

    EndSceneaddy = vtbl[];

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

}

it's a different way of doing the same,
but that is not going to work with GetProcAddress either,
if you want the addresses of these functions you will have to create a dummy dx device, and get them from the vtable (more than enough examples around for that)

They are virtual functions which is why they aren't exported.
You can also do a simple vtable hook on them depending on A/C.

I love that question 

Seems you can't do a straight up VMT hook so explore other hook methods of functions to hook. If we all said here is our undetected hook for a game it would then become detected. It all depends on game and A/C used so you need to get creative and come up with your own.

Hooking EndScene的更多相关文章

  1. Windows API Hooking in Python

    catalogue . 相关基础知识 . Deviare API Hook Overview . 使用ctypes调用Windows API . pydbg . winappdbg . dll inj ...

  2. 安卓动态调试七种武器之离别钩 – Hooking(下)

    0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的,人是活的,如果能搞懂工具的原理再结合上自身的经验,你也可以创造出属于自己的调试 ...

  3. 安卓动态调试七种武器之离别钩 – Hooking(上)

    安卓动态调试七种武器之离别钩 – Hooking(上) 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的 ...

  4. Hooking Android System Calls for Pleasure and Benefit

    The Android kernel is a powerful ally to the reverse engineer. While regular Android apps are hopele ...

  5. DLL Injection and Hooking

    DLL Injection and Hooking http://securityxploded.com/dll-injection-and-hooking.php Three Ways to Inj ...

  6. Linux System Calls Hooking Method Summary

    http://www.cnblogs.com/LittleHann/p/3854977.html http://www.cnblogs.com/cozy/articles/3175615.html h ...

  7. Delphi_MemoryModule — load DLL from memory. Also includes hooking utilities.

    https://github.com/Fr0sT-Brutal/Delphi_MemoryModule

  8. [Docker] Hooking a Volume to Node.js Source Code

    Normally when you create a Volume, it will store in Docket Host, you can also tell the folder which ...

  9. system call hooking 系统调用增加或劫持

    1. 引言:这篇文章提供了一种增加自定义系统调用或劫持原有的系统调用的实现方法,只针对 linux 系统.主要思路是获取系统调用表 sys_call_table 地址,然后用新函数地址覆盖系统调用表某 ...

随机推荐

  1. Synchronized 详解

    为了方便记忆,将锁做如下的分类 一.对象锁 包括方法锁(默认锁对象为this,当前实例对象)和同步代码块锁(自己指定锁对象) 1.代码块形式:手动指定锁定对象,也可是是this,也可以是自定义的锁 p ...

  2. Java稀疏数组

    一.概述 1.概念 2.处理方法 3.示例 原数组如下: 转换为稀疏数组如下: 二.代码 1.主方法 @Testpublic void SparseTest() { // 创建一个原始的二维数组 11 ...

  3. 04 volatile关键字实现原理

    volatile关键字实现原理 1.volatile关键字的语义分析 作用:让其他线程能够马上感知到某个线程多某个变量的修改 保证可见性 对共享变量的修改,其他线程能够马上感知到 保证有序性 在重排序 ...

  4. E Easy problem

    链接:https://ac.nowcoder.com/acm/contest/338/E来源:牛客网 Zghh likes number, but he doesn't like writing pr ...

  5. 搞定Oracle SCN -system change number

    SCN是Oracle的内部时钟,用来反映数据库中所有变化,在运行过程中不断更新.SCN种类包括:      (1)系统当前SCN                   (2)Checkpoint SCN ...

  6. Oracle 汉字占用字节数

    在oracle中一个字符特别是中文字符占几个字节是与字符集有关的.      比如GBK,汉字就会占两个字节,英文1个:如果是UTF-8,汉字一般占3个字节,英文还是1个.但是一般情况下,我们都认为是 ...

  7. installing-sql-server-2012-error-prior-visual-studio-2010-instances-requiring 转摘

    there are two way: First : Inside your CD of SQL Server 2012 you can go to this path \redist\VisualS ...

  8. css样式表的引入方式

    一般来说,css 有两种样式表的引入方式,在这里我记录一下,比较这两种引入方式的区别: <link rel="stylesheet" type="text/css& ...

  9. combox系列问题集

    visual studio崩溃 你是不是经常会遇到一编辑combox,visual studio就会立马崩溃.一直都无法理解是什么原因,然后后来发现居然是因为有道的截屏翻译,关掉截屏翻译就好了. co ...

  10. 2019-9-8-WPF-渲染原理

    title author date CreateTime categories WPF 渲染原理 lindexi 2019-9-8 10:40:0 +0800 2018-7-15 16:2:47 +0 ...