D3D Hook Internal Undetected

05/07/2015 16:43 MRx86™#1
If we would like to stay stealth we must just choose stealth thing like this.

Dear guys i'm posting this hook cuz it will be really usefull for people, its works to any GAME, undetected to any ANTICHEATS. THERE IS NO ANTICHEATS Which is checking for it.

What I'm doing:
Intercept EnterCriticalSection from d3d9 and wait for the exact return address
of the following functions, in this case D3DReset, D3DPresent, D3DDrawIndexPrimitive.

It currently works on any OS from Windows XP to Windows 8.1.

All Credit goes to me. GHTheBoss
Skype GHTheBoss
its the current hook which i'm using to any game since october 2012.

i'm posting this since i saw a forum where our know guys called CYNO ASKING for help i just posted it for him full ;)


Ohohoh Kozboh rofl


Code:
// Masked byte comparison used by FindPattern. Walks szMask one character at
// a time: an 'x' requires pData[i] == bMask[i]; any other character (the
// callers use '?') is a wildcard. No length is passed, so the caller must
// guarantee that at least strlen(szMask) bytes are readable at pData and bMask.
// Returns a non-zero BOOL when every 'x' position matches, 0 otherwise.
BOOL  bCompare ( const BYTE* pData, const BYTE* bMask, const char* szMask )
{
    for ( size_t pos = 0; szMask[pos] != '\0'; ++pos )
    {
        const int mustMatch = ( szMask[pos] == 'x' );
        if ( mustMatch && pData[pos] != bMask[pos] )
        {
            return 0;
        }
    }
    // Reaching the end of the mask means no required byte differed.
    return 1;
}

// Linear byte-pattern scan over [dwStartAddress, dwStartAddress + dwSize).
// bMask holds the bytes to look for and szMask says, per position, whether
// the byte must match ('x') or is a wildcard (see bCompare). codeOffset is
// added to the match address; when `extract` is non-zero the 4-byte value
// stored at that location is returned instead of the location itself.
// Returns NULL (0) when nothing matches.
// NOTE(review): `this->` shows this is a member of a class whose definition
// is not in this listing (callers reach it as tool->FindPattern).
// NOTE(review): the loop bounds only the *start* of a candidate; bCompare
// then reads strlen(szMask) bytes from dwStartAddress + i, and the extract
// branch reads 4 bytes at + codeOffset, so reads beyond the end of the
// region are possible for candidates near its upper bound.
DWORD FindPattern ( DWORD dwStartAddress,DWORD dwSize, BYTE *bMask, char * szMask, int codeOffset, BOOL extract )
{ 
    for ( DWORD i = 0; i < dwSize; i++ )
    {
        if ( this->bCompare((BYTE*)(dwStartAddress + i),bMask,szMask) )
        {
            if ( extract )  
            {
                // Return the DWORD stored at the matched location + offset.
                return *(DWORD*)(dwStartAddress+i+codeOffset);

            } else {

                // Return the matched location + offset itself.
                return  (DWORD)(dwStartAddress+i+codeOffset);
            }
        }
    }
    return NULL;
}

// Callback invoked by nEnterCriticalSection when the captured return address
// equals hReset. Apart from saving/restoring the general-purpose registers
// (pushad/popad) the body is empty, so it currently does nothing.
void __cdecl nReset ( void )
{
	  _asm pushad

	 _asm popad
}


// Callback invoked by nEnterCriticalSection when the captured return address
// equals hEndScene. Apart from saving/restoring the general-purpose registers
// (pushad/popad) the body is empty, so it currently does nothing.
void __cdecl nEndScene ( void )
{
     _asm pushad

	 _asm popad
}


// Callback invoked by nEnterCriticalSection when the captured return address
// equals hDrawIndexPrimtive. Apart from saving/restoring the general-purpose
// registers (pushad/popad) the body is empty, so it currently does nothing.
void __cdecl nDrawIndexedPrimitive ( void )
{
     _asm pushad
     
	_asm popad
}


// Return address captured by nEnterCriticalSection on every intercepted call
// (the MOV EAX, [EBP+0x4] there). It is a single static written by whichever
// thread happens to call through the patched import, with no synchronisation,
// so two concurrent callers can overwrite each other's value.
static DWORD hHooking           = NULL;
// Call-site addresses resolved once by Start() via FindPattern; each is
// compared against hHooking to pick a callback. NULL means "not yet resolved"
// (Start() skips a lookup whose result is already non-NULL).
static DWORD hEndScene          = NULL;
static DWORD hReset             = NULL;
static DWORD hDrawIndexPrimtive = NULL;
 

// Signature of EnterCriticalSection as d3d9.dll imports it.
typedef void ( WINAPI * EnterCriticalSection_t ) ( LPCRITICAL_SECTION lpCriticalSection );
// Original import-slot value, saved by Start() just before the slot is
// overwritten; nEnterCriticalSection calls it last so the real lock is still
// taken on every intercepted call.
            EnterCriticalSection_t  pEnterCriticalSection;

// Replacement that Start() writes into the import slot d3d9.dll uses for
// EnterCriticalSection. Locking itself is unchanged: every call ends by
// forwarding to the saved original (pEnterCriticalSection). Before that it
// reads the caller's return address into hHooking and, when it equals one of
// the three addresses resolved by Start(), runs the matching callback.
// NOTE(review): [EBP+0x4] is the return address only if this function is
// compiled with a conventional EBP frame (no frame-pointer omission) and
// nothing has been pushed before the asm block — confirm the build settings.
// NOTE(review): hHooking is one static shared by all threads, so another
// thread entering here can overwrite it between the MOV and the comparisons
// below; the callbacks also run *before* the original EnterCriticalSection,
// i.e. outside the lock the caller is about to acquire.
void WINAPI nEnterCriticalSection ( LPCRITICAL_SECTION lpCriticalSection )
{
	// Capture the caller's return address (see the frame-layout note above).
	_asm
	{
		MOV EAX, [EBP+0x4]
		MOV hHooking, EAX
	}

	// EndScene — call site resolved by Start() into hEndScene.
	if ( hHooking == hEndScene )
	{
	    __asm call [nEndScene]
	}

	//Reset — call site resolved by Start() into hReset.
	if ( hHooking == hReset )
	{
		__asm call [nReset]
	}

	// DIP — call site resolved by Start() into hDrawIndexPrimtive.
	if ( hHooking == hDrawIndexPrimtive )
	{
	    __asm call [nDrawIndexedPrimitive];
	}


	// Always forward to the original so the critical section is really entered.
	return pEnterCriticalSection(lpCriticalSection);
}


// Worker thread started from DllMain. Waits until d3d9.dll is loaded, then
// scans one memory region of that module with FindPattern to locate (a) the
// 4-byte slot through which d3d9.dll calls EnterCriticalSection and (b) the
// three call sites whose return addresses nEnterCriticalSection compares
// against. Finally it saves the slot's old value in pEnterCriticalSection and
// replaces it with nEnterCriticalSection.
// Returns EXIT_SUCCESS once the slot has been patched. Every lookup failure
// shows a MessageBox and calls exit(1), which terminates the whole host
// process, not just this thread. lpArg is unused.
// NOTE(review): `tool` is not declared in this listing; presumably an
// instance of the class that owns FindPattern/bCompare.
// Defensive observation: the lasting side effects are a protection change on
// a page of d3d9.dll's import data and an import entry that afterwards points
// into this DLL rather than the system module — the kind of inconsistency an
// import-table integrity check compares against the loaded module list.
DWORD WINAPI Start ( LPVOID lpArg )
{ 	

			DWORD hD3D,hCriticalSection;
			// Poll until d3d9.dll is mapped. No upper bound: if the process never
			// loads d3d9 this thread sleeps/polls forever.
			do
			{
				 hD3D = (DWORD)GetModuleHandle("d3d9.dll");
				 Sleep(100);
			}    while(!hD3D);


			// Region containing hD3D + 0x1000; its BaseAddress/RegionSize become
			// the scan window for every FindPattern call below. The return value
			// is not checked, and nothing verifies that this single region holds
			// all the code being searched for — confirm against the targeted
			// d3d9 builds.
			MEMORY_BASIC_INFORMATION D3D9Info;
			VirtualQuery((void*)(hD3D+0x1000),&D3D9Info,sizeof(D3D9Info));


			// codeOffset 5 lands on the four wildcard bytes after FF 15 (the
			// instruction's 4-byte memory operand) and extract=true returns the
			// DWORD stored there: the address of the pointer slot that call reads.
			// That slot is dereferenced and overwritten at the end of this function.
			hCriticalSection = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x74\x07\x00\xFF\x15\x00\x00\x00\x00\x8D\x00\x00","xx?xx????x??",5,true);
			if ( !hCriticalSection )
			{
				MessageBox(NULL,"Error Code (0)","Error",MB_ICONERROR);
				exit(1);
			}

			// One byte pattern per Windows generation for each site; the
			// `if ( !h... )` guards make the first match win. The patterns are
			// tied to specific d3d9.dll builds, so an unlisted build ends in the
			// error path. The offsets (7, 12, 21 ...) select the byte just past a
			// call instruction, i.e. the value that call pushes as its return
			// address, which is what nEnterCriticalSection compares against.
			if ( !hReset )
			    hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\xFF\x15\x00\x00\x00\x00\x3B\x43\x20\x74\x1B\x8B\x46\x18\x85\xC0\x74\x07\x56","xx????xxxxxxxxxxxxx",0,false);// Win XP
			if ( !hReset  )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x57\xFF\x15\x00\x00\x00\x00\x8B\x45\x0C\x33\xF6\x39\x70\x20","xxx????xxxxxxxx",7,false);// Vista - Win7
			if ( !hReset  )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x33\xC9\x39\x4F\x20\x75\x79\x8D\x44\x24\x38\x89\x44\x24\x1C\x32\xC0\x8B\xDE","xxxxxxxxxxxxxxxxxxx",0,false);// Win 8.0
			if ( !hReset  )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x8B\xCE\xE8\x00\x00\x00\x00\x8B\x4E\x0C\x48\xF7\xD8","xxx????xxxxxx",0,false);// Win 8.1 
			if ( !hReset  )
			{
				MessageBox(NULL,"Error Code (1)","Error",MB_ICONERROR);
				exit(1);
			}

            if ( !hEndScene )
 			   hEndScene = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x57\xFF\x15\x00\x00\x00\x00\xF6\x46\x00\x00\x89\x5D\xFC\x75\x0E\x8B\x86\x00\x00\x00\x00\xA8\x01\xC6\x45\x00\x00\x75\x24","xxx????xx??xxxxxxx????xxxx??xx",7,false); // Win XP
			if ( !hEndScene )                
			   hEndScene = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x57\xFF\x15\x00\x00\x00\x00\xE9\x00\x00\x00\x00\x39\x5F\x18\x74\x07\x57\xFF\x15\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x8B\x4D\xF4\x64\x89\x0D\x00\x00\x00\x00\x59\x5F\x5E\x5B\x8B\xE5\x5D\xC2\x04\x00\x68\xAD\x06\x00\x00","xxx????x????xxxxxxxx????x????xxxxxx????xxxxxxxxxxxxx??",7,false); // Vista Win7
			if ( !hEndScene )
			   hEndScene = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x33\xC0\xE8\x00\x00\x00\x00\xC2\x04\x00\x8B\xDF\xEB\x8E\x53\xFF\x15\x00\x00\x00\x00\xEB\x90","xxx????xxxxxxxxxx????xx",21,false);// Win8 8.0 + 8.1				
			if ( !hEndScene )
			{
				MessageBox(NULL,"Error Code (2)","Error",MB_ICONERROR);
				exit(1);
			}

			if ( !hDrawIndexPrimtive )
			   hDrawIndexPrimtive = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x53\xFF\x15\x00\x00\x00\x00\xF6\x46\x00\x00\x89\x7D\xFC\x74\x24\x39\x7B\x18\x74\x07\x53\xFF\x15\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x8B\x4D\xF4\x64\x89\x0D\x00\x00\x00\x00\x5F\x5E\x5B\x8B\xE5\x5D\xC2\x1C\x00","xxx????xx??xxxxxxxxxxxxx????x????xxxxxx????xxxxxxxxx",7,false);// Win XP
			if ( !hDrawIndexPrimtive )
			   hDrawIndexPrimtive = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x56\xFF\x15\x00\x00\x00\x00\xE9\x00\x00\x00\x00\x39\x5E\x18\x74\x07\x56\xFF\x15\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x8B\x4D\xF4\x64\x89\x0D\x00\x00\x00\x00\x59\x5F\x5E\x5B\x8B\xE5\x5D\xC2\x1C\x00\x39\x9E\x00\x00\x00\x00","xxx????x????xxxxxxxx????x????xxxxxx????xxxxxxxxxxxx????",7,false);// Vista - Win7
			if ( !hDrawIndexPrimtive )
			   hDrawIndexPrimtive = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\xE9\x00\x00\x00\x00\x00\xFF\x00\x00\x00\x00\x00\xE9\x00\x00\x00\x00\xC7\x45\x00\x00\x00\x00\x00\x8D\x4D\x00\xE8\x00\x00\x00\x00\xB8\x00\x00\x00\x00\xE9\x00\x00\x00\x00\x83\xBA\x00\x00\x00\x00\x00\x74\x00","x?????x?????x????xx?????xx?x????x????x????xx?????x?",12,false); // Win8 8.0 + 8.1
			if ( !hDrawIndexPrimtive )
			{
				MessageBox(NULL,"Error Code (3)","Error",MB_ICONERROR);
				exit(1);
			}

			// Always true here: every failure path above has already exited.
			if ( hReset && hEndScene && hDrawIndexPrimtive )
			{
			   DWORD dwBack;
			   // Make the 4-byte slot writable. The result is unchecked, so a
			   // failed VirtualProtect is followed by a write fault two lines down.
			   VirtualProtect((void*)(hCriticalSection),4,PAGE_EXECUTE_READWRITE,&dwBack);
			   // Save the original target, then redirect the slot.
			   pEnterCriticalSection       = (EnterCriticalSection_t) *(DWORD*)(hCriticalSection);
			   *(DWORD*)(hCriticalSection) = (DWORD)nEnterCriticalSection;
			   // Restore the previous protection (dwBack doubles as the out-param).
			   VirtualProtect((void*)(hCriticalSection),4,dwBack,&dwBack);
			   			return EXIT_SUCCESS;
			}
			// NOTE(review): EXIT_FAIULURE is a typo for the <stdlib.h> macro
			// EXIT_FAILURE; as written the identifier is undeclared and the
			// listing does not compile. The line is also unreachable, since the
			// guard above is always true at this point.
			return EXIT_FAIULURE;
}


// DLL entry point. On process attach it starts Start() on a new thread and
// returns immediately; it does not wait for that thread, which is the part of
// Microsoft's DllMain/loader-lock guidance that matters here. The thread
// handle CreateThread returns is neither checked nor closed (handle leak).
// NOTE(review): NULL is passed for the SIZE_T/DWORD parameters (stack size,
// creation flags) and for the optional thread-id out-pointer; the integer
// uses rely on NULL being a plain 0 — 0 would be the clearer spelling.
BOOL WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
	 if( dwReason == DLL_PROCESS_ATTACH )
	 { 	
		CreateThread(NULL,NULL,Start,NULL,NULL,NULL);
	 }
	 return TRUE;
}
05/07/2015 16:47 disav0w_#2
nice idea, criticalsection being entered/left in many parts in d3d9, really good place for hook since it is being called in nearly all idirect3ddevice9 functions

edit: the code is missing reinterpret_cast; nowadays it's really important to use it.

btw kazbah might want to wonder whats going on since a while inside your website:

no worries, you wont get humiliated
05/07/2015 16:51 Raz9r#3
  1. Interfering with mutex semaphores is a really bad idea, since they are often built using spinlocks (busy waiting for an unlock event using instructions like xchg). This may occasionally cause a deadlock.
  2. We have a sticky thread for posts like this. No need to create a new thread.
05/07/2015 16:55 MRx86™#4
Quote:
Originally Posted by Raz9r View Post
  1. Interfering with mutex semaphores is a really bad idea, since they are often built using spinlocks (busy waiting for an unlock event using instructions like xchg). This may occasionaly cause a deadlock.
  2. We have a sticky thread for posts like this. No need to create a new thread.
In this case, that what you said wont happen for sure. that is a certain.

Raz9r we must always stay stealth everywhere specially for who coding and selling cheats.
05/07/2015 16:56 disav0w_#5
Quote:
Originally Posted by Raz9r
Interfering with mutex semaphores is a really bad idea, since they are often built using spinlocks (busy waiting for an unlock event using instructions like xchg). This may occasionaly cause a deadlock.
i didn't myself test the hook, i understand perfectly your thought but i'm sure that this situation is never happening in that case plus i want to remember you we are writing cheats and we should stay stealth(a concept i guess you completely forgot or never had), so:
in my opinion, that iat hook WAS a good idea
05/07/2015 16:58 Raz9r#6
Quote:
Originally Posted by disav0w_ View Post
in my opinion, that iat hook WAS a good idea
I don't consider a hook good that might create a deadlock, ultimately ending up freezing the application. It's one of those things that work almost all the time, but may fail in a time critical situation.
05/07/2015 17:00 MRx86™#7
Quote:
Originally Posted by Raz9r View Post
I don't consider a hook good that might create a deadlock, ultimately ending up freezing the application. It's one of those things that work almost all the time, but may fail in a time critical situation.


never it fail. also in critical situation.
if you have anything better please illuminate us!


BTW this is always a good way, specially where the anti cheats are kicking the ass, this may will be taken in consideration.
05/07/2015 17:03 Raz9r#8
It may actually fail. Consider what happens if active thread contexts switch while your hook is being executed. Another (then active) thread might call LeaveCriticalSection and then EnterCriticalSection on the same Critical Section (which is a Kernel Level Object), causing your code to be executed in a faulty/unintended manner. One of which is possibly deadlocking the application.
05/07/2015 17:05 disav0w_#9
Quote:
Originally Posted by Raz9r
I don't consider a hook good that might create a deadlock
basing it on your viewpoint, that's indeed not good cause what you said might actually happen, playing with criticalsection is not the best thing

but as i already said, this specific hook, which redirect iat ptr of d3d9(so it intercepts just d3d9 calls, not that this is important but just specifying) is not causing such issues aaand i wonder what anticheat is checking iat of d3d9(atleast till now)

Quote:
Originally Posted by Raz9r
It may actually fail. Consider what happens if active thread contexts switch while your hook is being executed. Another (then active) thread might call LeaveCriticalSection and then EnterCriticalSection on the same Critical Section (which is a Kernel Level Object), causing your code to be executed in a faulty/unintended manner. One of which is possibly deadlocking the application.
unintented manner? hes checking return address
05/07/2015 17:06 MRx86™#10
Quote:
Originally Posted by disav0w_ View Post
basing it on your viewpoint, that's indeed not good cause what you said might actually happen, playing with criticalsection is not the best thing

but as i already said, this specific hook, which redirect iat ptr of d3d9(so it intercepts just d3d9 calls) is not causing such issues aaand i wonder what anticheat is checking iat of d3d9(atleast till now)

but as i already said, this specific hook, which redirect iat ptr of d3d9(so it intercepts just d3d9 calls) is not causing such issues aaand i wonder what anticheat is checking iat of d3d9(atleast till now)


exactly
05/07/2015 17:07 Cyno™#11
i wasnt asking for help on hooking but because of another problem. as you can read in my 2nd post on that forum i have a similar hook like that for some time...
05/07/2015 17:08 MRx86™#12
Quote:
Originally Posted by Raz9r View Post
It may actually fail. Consider what happens if active thread contexts switch while your hook is being executed. Another (then active) thread might call LeaveCriticalSection and then EnterCriticalSection on the same Critical Section (which is a Kernel Level Object), causing your code to be executed in a faulty/unintended manner. One of which is possibly deadlocking the application.


what about, did u read code ? xD its its checking for return address mate
.

Quote:
Originally Posted by Cyno™ View Post
i wasnt asking for help on hooking but because of another problem

Problem solved. Please cyno a little hint take kazbah mouth close. around. or we must spread ur site file including database.
05/07/2015 17:12 Raz9r#13
Quote:
Originally Posted by GHTheBoss View Post
its now solved your problem can paste it.
You quite obviously did not read his question over on UC. Still mad you're banned over there?
05/07/2015 17:14 MRx86™#14
Quote:
Originally Posted by Raz9r View Post
You quite obviously did not read his question over on UC. Still mad you're banned over there?
no just wanted to help him, and i helped him. with out make him to waste time.

you seems mad right now. since u tryed to attack me and u got stucked.
Like if u didn't read the code xD and just trying to attack directly and you got owned as well this time.
05/07/2015 17:18 Raz9r#15
I'm just tired of your bullshit and waiting for this sections moderation to clean up this thread.