Hey guys, umm i was trying to hook endscene using detours and i used a method that i hooked many other functions with before but it just doesnt seem to work.
Here is what i have:

Code:
DWORD ThreadID;

LPDIRECT3DDEVICE9 pDEVICE;

D3DCOLOR fontRed = D3DCOLOR_ARGB(, , , );

Hacks hack;

HRESULT (APIENTRY *oEndScene)(LPDIRECT3DDEVICE9 pDevice);

HRESULT APIENTRY dEndScene(LPDIRECT3DDEVICE9 pDevice)

{

    DrawBorderBox(, ,  , , , fontRed, pDevice);

    return oEndScene(pDevice);

}

void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

bool __stdcall DllMain(HINSTANCE hinst,  DWORD _Reason, _In_opt_ LPVOID _Reserved)

{

    DisableThreadLibraryCalls(hinst);

    CreateThread(,,(LPTHREAD_START_ROUTINE)HookAPI,,,&ThreadID);

    return true;

}

void Hacks::DrawBorderBox( int x, int y, int w, int h, int thickness, D3DCOLOR Colour, IDirect3DDevice9 *pDevice)

{

    //Top horiz line

    DrawFilledRect( x, y, w, thickness,  Colour, pDevice );

    //Left vertical line

    DrawFilledRect( x, y, thickness, h, Colour, pDevice );

    //right vertical line

    DrawFilledRect( (x + w), y, thickness, h, Colour, pDevice );

    //bottom horiz line

    DrawFilledRect( x, y + h, w+thickness, thickness, Colour, pDevice );

}

//We receive the 2-D Coordinates the colour and the device we want to use to draw those colours with

void Hacks::DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)

{

    //We create our rectangle to draw on screen

    D3DRECT BarRect = { x, y, x + w, y + h };

    //We clear that portion of the screen and display our rectangle

    dev->Clear(, &BarRect, D3DCLEAR_TARGET | D3DCLEAR_TARGET, color, , );

}

I have no idea y this code does not seem to work
Please help me 
Thanks,
Konsowa.

Answer:

What learn_more said..

You would have to do something on the lines of Create a Device and get the EndScene address or you could retrieve it with a Byte Pattern such as

Code C++
Patterns.AddPattern( "DirectX9 VirtualTable",      (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx", NULL, "d3d9.dll" );

Functions.MemoryCopy( &Renderer_DX9.m_VTable, (void*)( Patterns.FindPatternByName( "DirectX9 VirtualTable" ).m_Address +  ),  );
void APIENTRY HookAPI(LPVOID param)

{

    HANDLE Endsceneaddy = GetProcAddress(GetModuleHandleA("d3d9.dll"),"EndScene");

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

};

that code not retrieve correct EndScene address because EndScene not exported in d3d9.dll

try this:

Code:
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)

{

    for(;*szMask;++szMask,++pData,++bMask)

        if(*szMask=='x' && *pData!=*bMask )

            return false;

    return (*szMask) == NULL;

}

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)

{

    for(DWORD i=; i < dwLen; i++)

        if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )

            return (DWORD)(dwAddress+i);

    return ;

}

DWORD EndSceneaddy;

void APIENTRY HookAPI(LPVOID param)

{

    DWORD* vtbl = ;

    DWORD table = FindPattern((DWORD)GetModuleHandle("d3d9.dll"), 0x128000,     (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

    memcpy(&vtbl, (void*)(table+), );

    EndSceneaddy = vtbl[];

    if (Endsceneaddy)

    {

        oEndScene = (HRESULT (WINAPI *)(LPDIRECT3DDEVICE9 pDevice))(DetourFunction((PBYTE)Endsceneaddy,(PBYTE)dEndScene));

    }

}

it's a different way of doing the same,
but that is not going to work with GetProcAddress either,
if you want the addresses of these functions you will have to create a dummy dx device, and get them from the vtable (more than enough examples around for that)

They are virtual functions which is why they aren't exported.
You can also do a simple vtable hook on them depending on A/C.

I love that question 

Seems you can't do a straight up VMT hook so explore other hook methods of functions to hook. If we all said here is our undetected hook for a game it would then become detected. It all depends on game and A/C used so you need to get creative and come up with your own.

Hooking EndScene的更多相关文章

  1. Windows API Hooking in Python

    catalogue . 相关基础知识 . Deviare API Hook Overview . 使用ctypes调用Windows API . pydbg . winappdbg . dll inj ...

  2. 安卓动态调试七种武器之离别钩 – Hooking(下)

    0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的,人是活的,如果能搞懂工具的原理再结合上自身的经验,你也可以创造出属于自己的调试 ...

  3. 安卓动态调试七种武器之离别钩 – Hooking(上)

    安卓动态调试七种武器之离别钩 – Hooking(上) 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的 ...

  4. Hooking Android System Calls for Pleasure and Benefit

    The Android kernel is a powerful ally to the reverse engineer. While regular Android apps are hopele ...

  5. DLL Injection and Hooking

    DLL Injection and Hooking http://securityxploded.com/dll-injection-and-hooking.php Three Ways to Inj ...

  6. Linux System Calls Hooking Method Summary

    http://www.cnblogs.com/LittleHann/p/3854977.html http://www.cnblogs.com/cozy/articles/3175615.html h ...

  7. Delphi_MemoryModule — load DLL from memory. Also includes hooking utilities.

    https://github.com/Fr0sT-Brutal/Delphi_MemoryModule

  8. [Docker] Hooking a Volume to Node.js Source Code

    Normally when you create a Volume, it will store in Docket Host, you can also tell the folder which ...

  9. system call hooking 系统调用增加或劫持

    1. 引言:这篇文章提供了一种增加自定义系统调用或劫持原有的系统调用的实现方法,只针对 linux 系统.主要思路是获取系统调用表 sys_call_table 地址,然后用新函数地址覆盖系统调用表某 ...

随机推荐

  1. poj3669 Meteor Shower (宽度优先搜索)

    Description - 题目描述 Bessie听说有场史无前例的流星雨即将来临:有谶言:陨星将落,徒留灰烬.为保生机,她誓将找寻安全之所(永避星坠之地).目前她正在平面坐标系的原点放牧,打算在群星 ...

  2. Nacos-作为Sring cloud 注册发现

    Nacos:一个更易于构建云原生应用的动态服务发现.配置管理和服务管理平台. https://nacos.io/zh-cn/index.html 功能: 动态服务配置 服务发现和管理 动态DNS服务 ...

  3. LeetCode #807. Max Increase to Keep City Skyline 保持城市天际线

    https://leetcode-cn.com/problems/max-increase-to-keep-city-skyline/ 执行用时 : 3 ms, 在Max Increase to Ke ...

  4. 初涉kafka

    前言: 今天终于搭建成功kafka环境,并创建了第一个topic,并生产.消费消息,如下图: 生产: 消费: 心情真的是好激动,大家都说搭建环境其实特别简单,但是我的学习却一直卡在搭建环境上面,不是虚 ...

  5. cgi+lighttpd上传大文件失败解决办法

    问题: - 前端页面点击上传按钮,不超过30M的小文件顺利上传到板子指定位置,上传60Md的更新包,出错,http状态码413——请求实体过大 环境: - web服务器——lighttpd1.4.30 ...

  6. linux设置python虚拟环境的环境变量

    针对 linux系统中 python虚拟环境 设置环境变量 2种方法: 1.在建好的虚拟环境的 venv/bin/active 文件中,写入需要的环境变量,再进入虚拟环境: 如 配置文件路径 JERR ...

  7. AES-OZ745 OZ745 Zynq-7000 开发板与套件

    北京太速科技有限公司为广大合作单位特设海外代购业务,主要包括各类板卡.相机.传感器.仪器仪表.专用芯片等.代购业务仅收取基本的手续费. 北京太速科技有限公司在线客服:QQ:448468544 淘宝网站 ...

  8. 一、RabbitMQ安装与测试连接

    一.下载NuGet支持的RabbitMQ.Client客户端库与安装RabbitMQ服务. 1.安装客户端库操作服务. 2.安装服务. 步骤一.下载Erlang. 步骤二.下载RabbitMQ服务 采 ...

  9. Codeforces 633F 树的直径/树形DP

    题意:有两个小孩玩游戏,每个小孩可以选择一个起始点,并且下一个选择的点必须和自己选择的上一个点相邻,问两个选的点权和的最大值是多少? 思路:首先这个问题可以转化为求树上两不相交路径的点权和的最大值,对 ...

  10. 关于WTSAPI32

    一般在windows编程都是用用从ntdll导出的Native API,现在看到一点COM编程或者其他的一些不常用的接口函数总觉得蛮有意思,准备以后多积累一下. 先简单总结WTSAPI32.以下实在W ...