This is a Windows 7 mid-function hook. Most of the code here is basic to intermediate level.
It is written as a base for learning purposes.
Manager.h
// Manager.h Header File - By Shad0w_ //
// Containing Useful functions and classes //
// Shad0w_Base Does contain a lot of public //
// source code from both uc-forum.com and //
// gamedeception.net, feel free to use but //
// remember to credit myself and these sites //
// Thanks to those who helped with this: //
// learn_more //
// ZeaS //
// Thanks also to the following: //
// Azorbix - so much open source code //
// Roverturbo - so much open source code //
// fatboy88 - helping me too many times //
// ----------------------------- //
// File Includes //
// ----------------------------- //
#include <windows.h>
#include <d3d9.h>
// ----------------------------- //
// Class: Framework //
// Helper functions & Memory Ops //
// ----------------------------- //
class Framework
{
public:
// Copies `bytes` bytes from `val` to `dwAdd`. The destination page(s) are
// made PAGE_EXECUTE_READWRITE for the copy and the previous protection is
// restored afterwards; VirtualProtect failures are not reported.
VOID WriteMemory(PVOID dwAdd, VOID *val, INT bytes);
// Stores `Value` at address `dwAdd` through a plain pointer write. Unlike
// WriteMemory no page protection is changed, so `dwAdd` must already be
// writable.
VOID WriteFloat(DWORD dwAdd, FLOAT Value);
// Same as WriteFloat for a 32-bit integer.
VOID WriteInteger(DWORD dwAdd, INT Value);
// Reinterprets `dwAdd` as a CHAR* and returns it; nothing is copied and no
// terminator is checked.
CHAR* ReadText(DWORD dwAdd);
// Linear scan of the `dwLen` bytes starting at `dwdwAdd` for the byte
// sequence `bMask`; `szMask` holds an 'x' for every byte that must match
// and any other character for a wildcard. Returns the address of the first
// match, or 0 when nothing matches.
DWORD FindPattern(DWORD dwdwAdd,DWORD dwLen,BYTE *bMask,char * szMask);
// GetModuleHandle(szModule), falling back to LoadLibrary(szModule) when
// the module is not loaded yet. Returns NULL when both fail.
HINSTANCE lGetModuleHandle(LPCWSTR szModule);
private:
// Compares `pData` with `bMask` under `szMask` (see FindPattern). Reads
// strlen(szMask) bytes from both buffers.
BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask);
};
// Shared Framework instance used by Thread_XD3DXINIT and Dx9Hook.
// NOTE(review): the definition in Framework.cpp never assigns it, so as
// written every `FrmWrk->` call goes through a null pointer.
extern Framework *FrmWrk;
// ----------------------------- //
// Thread: Thread_XD3DXINIT //
// Worker started by DllMain via //
// CreateThread. Declared as a //
// plain INT() although DllMain //
// casts it to the DWORD WINAPI //
// (LPVOID) thread signature. //
// ----------------------------- //
INT Thread_XD3DXINIT( );
// ----------------------------- //
// VOID Dx9Hook //
// Scans the module named by D3D9 //
// for the device vtable, stores //
// it in VTable and derives the //
// hook / return addresses used //
// by MyEndscene. //
// ----------------------------- //
void Dx9Hook( LPCWSTR D3D9 );
DllMain.cpp
#include "Manager.h"
// ----------------------------- //
// BOOL DllMain //
// Entry Point of our dll //
// ----------------------------- //
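// Stub with the signature CreateThread expects (DWORD WINAPI (LPVOID)).
// Thread_XD3DXINIT is a plain INT() with no parameter; casting it straight
// to LPTHREAD_START_ROUTINE, as the original did, mismatches both the
// calling convention and the parameter list.
static DWORD WINAPI Thread_XD3DXINIT_Entry(LPVOID /*lpParameter, unused*/)
{
    return (DWORD)Thread_XD3DXINIT();
}

// Entry point of the DLL.
//
// On DLL_PROCESS_ATTACH it starts Thread_XD3DXINIT on a new thread and
// returns at once: DllMain runs under the loader lock, so no real work is
// done here. All other notifications are ignored.
//
// Returns TRUE on every notification. FALSE is returned only when the
// worker thread could not be created on attach, which makes the loader
// unload the DLL; for the other reasons the return value is ignored by
// the loader (the original returned FALSE for them, which was harmless
// but misleading).
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        HANDLE hThread = CreateThread(NULL, 0, Thread_XD3DXINIT_Entry, NULL, 0, NULL);
        if (hThread == NULL)
        {
            return FALSE;
        }
        // The thread keeps running after its handle is closed; the
        // original never closed it and leaked the kernel object.
        CloseHandle(hThread);
    }
    return TRUE;
}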
Framework.cpp
#include "Manager.h"

#include <cstring>
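// Shared Framework instance used by Thread_XD3DXINIT and Dx9Hook.
// The original only declared the pointer (static zero-initialised, i.e.
// null) and never assigned it, so every `FrmWrk->...` call dereferenced a
// null pointer. Back it with a static instance instead.
static Framework g_Framework;
Framework *FrmWrk = &g_Framework;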
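// Copies `bytes` bytes from `val` to `dwAdd`.
//
// The destination page(s) are switched to PAGE_EXECUTE_READWRITE for the
// copy and the previous protection is restored afterwards. When the first
// VirtualProtect call fails nothing is written: the original ignored its
// result and would then have faulted inside memcpy on a non-writable
// page. The VOID return is kept for compatibility, so the failure cannot
// be reported to the caller.
//
// `bytes` is an INT for compatibility; zero and negative counts (and null
// pointers) are rejected before any memory is touched.
VOID Framework::WriteMemory(PVOID dwAdd, void *val, int bytes)
{
    if (dwAdd == NULL || val == NULL || bytes <= 0)
    {
        return;
    }
    DWORD dwOldProtect = 0;
    if (!VirtualProtect(dwAdd, (SIZE_T)bytes, PAGE_EXECUTE_READWRITE, &dwOldProtect))
    {
        return;
    }
    memcpy(dwAdd, val, (size_t)bytes);
    // Restore the previous protection. The second output value is not
    // needed, but VirtualProtect requires a non-null pointer for it.
    DWORD dwIgnored = 0;
    VirtualProtect(dwAdd, (SIZE_T)bytes, dwOldProtect, &dwIgnored);
}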
// Stores Value at dwAdd through a plain pointer write. No page protection
// is changed here (contrast WriteMemory), so dwAdd must already be a
// writable address.
VOID Framework::WriteFloat(DWORD dwAdd,float Value)
{
    float* pTarget = reinterpret_cast<float*>(dwAdd);
    *pTarget = Value;
}
// Stores Value at dwAdd through a plain pointer write. As with WriteFloat,
// no page protection is changed, so dwAdd must already be writable.
VOID Framework::WriteInteger(DWORD dwAdd, int Value)
{
    int* pTarget = reinterpret_cast<int*>(dwAdd);
    *pTarget = Value;
}
// Returns dwAdd reinterpreted as a CHAR*. Nothing is copied and no NUL
// terminator is verified, so the caller must know that the address holds
// a readable, terminated string.
CHAR* Framework::ReadText(DWORD dwAdd)
{
    return reinterpret_cast<CHAR*>(dwAdd);
}
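// Matches the bytes at pData against bMask under szMask: for every 'x' in
// szMask the corresponding byte must be equal, any other mask character
// is a wildcard. Reads strlen(szMask) bytes from both pData and bMask, so
// both buffers must be at least that long.
//
// Returns TRUE on a full match, FALSE at the first mismatching 'x' byte.
// The original ended with `return (*szMask) == NULL;` — comparing a char
// with the null-pointer constant — which is always true once the loop
// has reached the terminator; written as the plain TRUE it is.
BOOL Framework::bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask != '\0'; ++szMask, ++pData, ++bMask)
    {
        if (*szMask == 'x' && *pData != *bMask)
        {
            return FALSE;
        }
    }
    // The loop only exits at the mask terminator, so the match is complete.
    return TRUE;
}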
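// Linear scan of the dwLen bytes starting at dwdwAdd for the masked
// pattern bMask/szMask (see bCompare). Returns the address of the first
// match, or 0 when nothing matches.
//
// The original tried every offset up to dwLen, so a candidate near the end
// of the region was compared against up to strlen(szMask) - 1 bytes past
// dwdwAdd + dwLen. The scan is now limited so that the whole mask lies
// inside the region. A null or empty mask, or a mask longer than the
// region, yields 0 (the original returned dwdwAdd for an empty mask).
DWORD Framework::FindPattern(DWORD dwdwAdd,DWORD dwLen,BYTE *bMask,char * szMask)
{
    if (bMask == NULL || szMask == NULL)
    {
        return 0;
    }
    const size_t maskLen = strlen(szMask);
    if (maskLen == 0 || maskLen > dwLen)
    {
        return 0;
    }
    // Last offset at which the full mask still fits in the region.
    const DWORD lastOffset = dwLen - (DWORD)maskLen;
    for (DWORD i = 0; i <= lastOffset; ++i)
    {
        const BYTE* candidate = reinterpret_cast<const BYTE*>(dwdwAdd + i);
        if (bCompare(candidate, bMask, szMask))
        {
            return dwdwAdd + i;
        }
    }
    return 0;
}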
// Returns a handle for szModule: the already-loaded module when there is
// one, otherwise whatever LoadLibrary(szModule) returns (NULL on
// failure). With an unqualified name such as L"d3d9.dll" LoadLibrary
// resolves the file through the standard DLL search order.
HINSTANCE Framework::lGetModuleHandle(LPCWSTR szModule)
{
    HINSTANCE hLoaded = GetModuleHandle(szModule);
    if (hLoaded != NULL)
    {
        return hLoaded;
    }
    return LoadLibrary(szModule);
}
Direct3D.cpp
#include "Manager.h"
// ----------------------------- //
// LPDIRECT3DDEVICE9 m_pD3Ddev //
// The device should not be //
// defined locally in the naked //
// function as this would cause //
// issues. Credits to learn_more //
// for this information. //
// ----------------------------- //
// ----------------------------- //
// LPDIRECT3DDEVICE9 m_pD3Ddev //
// Device pointer stored by the //
// inline asm in MyEndscene. It //
// is written by name from the //
// naked function, so it has to //
// be this global rather than a //
// local (credit: learn_more). //
// ----------------------------- //
LPDIRECT3DDEVICE9 m_pD3Ddev = NULL;
// ----------------------------- //
// DWORD * VTable //
// Device vtable pointer read by //
// Dx9Hook from its pattern match //
// (4 bytes at match + 2). //
// ----------------------------- //
DWORD * VTable = NULL;
// ----------------------------- //
// DWORD dwEndscene_hook //
// Address where the 6-byte //
// detour goes: VTable[42]+0x2A. //
// ----------------------------- //
DWORD dwEndscene_hook = 0;
// ----------------------------- //
// DWORD dwEndscene_ret //
// Address MyEndscene jumps back //
// to: dwEndscene_hook + 6. //
// ----------------------------- //
DWORD dwEndscene_ret = 0;
// ----------------------------- //
// BYTE EndSceneOpCodes[6] //
// The 6 original bytes that the //
// detour displaces; filled in by //
// Thread_XD3DXINIT. //
// ----------------------------- //
BYTE EndSceneOpCodes[6] = { 0 };
// ----------------------------- //
// Hook: MyEndscene //
// Code injected //
// Module: D3D9.DLL //
// Offset: EndScene + 0x2A (W7) //
// ----------------------------- //
// Naked hook body reached from EndScene + 0x2A (see Dx9Hook). There is no
// prologue or epilogue: the first two instructions re-execute the 6 bytes
// the detour displaces (stored in EndSceneOpCodes as 89 65 F0 8B 75 08),
// the third saves the device pointer into m_pD3Ddev, and control then
// jumps back behind the detour. No registers or flags are preserved; the
// "Advanced notes" at the end of the page argue that EndScene overwrites
// them right after this point.
//
// NOTE(review): MSVC inline-asm integer literals are decimal unless they
// carry a 0x prefix or h suffix, so `[ebp - 10]` addresses ebp-0x0A,
// whereas the displaced bytes 89 65 F0 encode `mov [ebp-0x10], esp` (the
// next line does spell its displacement as 0x8). Confirm against a
// disassembly of the target before relying on this replay.
__declspec(naked) void MyEndscene( )
{
__asm
{
mov dword ptr ss:[ebp - 10], esp; //replay of displaced instruction 1 (see note above on the literal)
mov esi, dword ptr ss:[ebp + 0x8]; //replay of displaced instruction 2: loads the device pointer into esi
mov m_pD3Ddev, esi; //publish the device pointer to the global
}
__asm
{
jmp dwEndscene_ret; //indirect jump through the DWORD variable back to dwEndscene_hook + 6
}
}
// ----------------------------- //
// Thread: Thread_XD3DXINIT //
// DirectX Functions Hooked here //
// ----------------------------- //
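// Worker started by DllMain. Resolves the hook addresses through Dx9Hook
// and records the 6 bytes the detour will displace. Nothing is patched
// here: the polling loop that would install the detour is commented out
// (kept below as in the original) and refers to `Endscene_opcodes` and
// `Detour`, neither of which is defined in these files. Declared as a
// plain INT() although DllMain hands it to CreateThread.
//
// Returns 0; the original returned NULL (a pointer constant) from an INT
// function.
INT Thread_XD3DXINIT( )
{
    Dx9Hook(L"d3d9.dll");
    // EndSceneOpCodes is a writable global of this module, so a plain
    // memcpy suffices. The original went through FrmWrk->WriteMemory,
    // which toggles page protection on our own data and dereferences
    // FrmWrk, a pointer Framework.cpp defines but never assigns.
    memcpy(EndSceneOpCodes, "\x89\x65\xF0\x8B\x75\x08", sizeof(EndSceneOpCodes));
    /* disabled in the original:
    while( 1 )
    {
    Sleep( 1000 );
    if(memcmp((void *)Endscene_opcodes, (void *)dwEndscene_hook, 6) == 0 )
    Detour(dwEndscene_hook, MyEndscene);
    }
    */
    return 0;
}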
// ----------------------------- //
// VOID Dx9Hook //
// The purpose of this function //
// is to find the vtable and //
// copy all the offsets into our //
// VTable array. We also get the //
// right alignment for our hook. //
// ----------------------------- //
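// Locates the device vtable inside the module named by D3D9 (the caller
// passes L"d3d9.dll") and derives the hook and return addresses used by
// MyEndscene.
//
// The module handle comes from lGetModuleHandle (GetModuleHandle, else
// LoadLibrary). The first 0x128000 bytes of the module are scanned for
// the byte pattern below; the 4 bytes at match + 2 are copied into
// VTable. The hook address is VTable[42] + 0x2A and the return address is
// 6 bytes after it.
//
// Changes from the original: the pattern string contained a garbled
// escape ("\x 00") that did not encode a 0 byte; a failed scan
// (FindPattern returning 0) used to read the vtable pointer from address
// 2 and fault, now the function returns with VTable, dwEndscene_hook and
// dwEndscene_ret untouched. The scan length is still the hard-coded
// 0x128000 of the original and is not checked against the module's real
// size, so the scan can touch memory past the module.
VOID Dx9Hook( LPCWSTR D3D9 )
{
    DWORD hD3D = 0;
    // lGetModuleHandle also loads the module, so this normally completes
    // on the first iteration; it spins without sleeping if loading fails.
    while (hD3D == 0)
    {
        hD3D = (DWORD)FrmWrk->lGetModuleHandle(D3D9);
    }
    const DWORD PPPDevice = FrmWrk->FindPattern(
        hD3D, 0x128000,
        (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86",
        "xx????xx????xx");
    if (PPPDevice == 0)
    {
        // Pattern not found (presumably a different d3d9 build): leave
        // the hook addresses at their zero defaults.
        return;
    }
    // 32-bit immediate of the matched instruction; this code is x86-only.
    memcpy(&VTable, (VOID *)(PPPDevice + 2), 4);
    dwEndscene_hook = VTable[42] + 0x2A;
    dwEndscene_ret = dwEndscene_hook + 0x6;
}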
The Detour
This should be 6 bytes in length,
I recommend: Push dwEndscene_hook Ret.
Advanced notes
At this point in the EndScene function all the registers are about to be set, so you don't need to preserve them! The same goes for the flags: they are about to be set, so you don't need to preserve them either. This holds for the Windows 7 build that the EndScene + 0x2A offset above was taken from; re-check it for any other build.
by Shad0w_