D3D Hook Internal

MRx86™ · 06/28/2015, 22:42

Code:

BOOL  bCompare ( const BYTE* pData, const BYTE* bMask, const char* szMask )
{
    for ( ;*szMask; ++szMask, ++pData, ++bMask )
    {
        if ( *szMask == 'x' && *pData != *bMask )
             return 0;
    }
    return (*szMask) == NULL;
}

DWORD FindPattern ( DWORD dwStartAddress,DWORD dwSize, BYTE *bMask, char * szMask, int codeOffset, BOOL extract )
{
    for ( DWORD i = 0; i < dwSize; i++ )
    {
        if ( this->bCompare((BYTE*)(dwStartAddress + i),bMask,szMask) )
        {
            if ( extract )  
            {
                return *(DWORD*)(dwStartAddress+i+codeOffset);

            } else {

                return  (DWORD)(dwStartAddress+i+codeOffset);
            }
        }
    }
    return NULL;
}


void __cdecl nReset ( void )
{
      _asm pushad

      _asm popad
}


void __cdecl nEndScene ( void )
{
     _asm pushad

     _asm popad
}


void __cdecl nDrawIndexedPrimitive ( void )
{
     _asm pushad

      _asm popad
}



static DWORD hHooking           = NULL;
static DWORD hEndScene          = NULL;
static DWORD hReset             = NULL;
static DWORD hDrawIndexPrimtive = NULL;
 

typedef void ( WINAPI * EnterCriticalSection_t ) ( LPCRITICAL_SECTION lpCriticalSection );
            EnterCriticalSection_t  pEnterCriticalSection;

void WINAPI nEnterCriticalSection ( LPCRITICAL_SECTION lpCriticalSection )
{

    _asm
    {
        MOV EAX, [EBP+0x4]
        MOV hHooking, EAX
    }

    // EndScene
    if ( hHooking == hEndScene )
    {
        __asm call [nEndScene]
    }

    //Reset
    if ( hHooking == hReset )
    {
        __asm call [nReset]
    }

    // DIP
    if ( hHooking == hDrawIndexPrimtive )
    {
        __asm call [nDrawIndexedPrimitive];
    }


    return pEnterCriticalSection(lpCriticalSection);
}


DWORD WINAPI Start ( LPVOID lpArg )
{    
            DWORD hD3D,hCriticalSection;
            do
            {
                 hD3D = (DWORD)GetModuleHandle("d3d9.dll");
                 Sleep(100);
            }    while(!hD3D);


            MEMORY_BASIC_INFORMATION D3D9Info;
            VirtualQuery((void*)(hD3D+0x1000),&D3D9Info,sizeof(D3D9Info));


            hCriticalSection = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x74\x07\x00\xFF\x15\x00\x00\x00\x00\x8D\x00\x00","xx?xx????x??",5,true);
            if ( !hCriticalSection )
            {
                MessageBox(NULL,"Error Code (0)","Error",MB_ICONERROR);
                exit(1);
            }

            if ( !hReset )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\xFF\x15\x00\x00\x00\x00\x3B\x43\x20\x74\x1B\x8B\x46\x18\x85\xC0\x74\x07\x56","xx????xxxxxxxxxxxxx",0,false);// Win XP
            if ( !hReset  )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x57\xFF\x15\x00\x00\x00\x00\x8B\x45\x0C\x33\xF6\x39\x70\x20","xxx????xxxxxxxx",7,false);// Vista - Win7
            if ( !hReset  )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x33\xC9\x39\x4F\x20\x75\x79\x8D\x44\x24\x38\x89\x44\x24\x1C\x32\xC0\x8B\xDE","xxxxxxxxxxxxxxxxxxx",0,false);// Win 8.0
            if ( !hReset  )
                hReset  = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x8B\xCE\xE8\x00\x00\x00\x00\x8B\x4E\x0C\x48\xF7\xD8","xxx????xxxxxx",0,false);// Win 8.1
            if ( !hReset  )
            {
                MessageBox(NULL,"Error Code (1)","Error",MB_ICONERROR);
                exit(1);
            }

            if ( !hEndScene )
                hEndScene = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x57\xFF\x15\x00\x00\x00\x00\xF6\x46\x00\x00\x89\x5D\xFC\x75\x0E\x8B\x86\x00\x00\x00\x00\xA8\x01\xC6\x45\x00\x00\x75\x24","xxx????xx??xxxxxxx????xxxx??xx",7,false); // Win XP
            if ( !hEndScene )                
               hEndScene = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x57\xFF\x15\x00\x00\x00\x00\xE9\x00\x00\x00\x00\x39\x5F\x18\x74\x07\x57\xFF\x15\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x8B\x4D\xF4\x64\x89\x0D\x00\x00\x00\x00\x59\x5F\x5E\x5B\x8B\xE5\x5D\xC2\x04\x00\x68\xAD\x06\x00\x00","xxx????x????xxxxxxxx????x????xxxxxx????xxxxxxxxxxxxx??",7,false); // Vista Win7
            if ( !hEndScene )
               hEndScene = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x33\xC0\xE8\x00\x00\x00\x00\xC2\x04\x00\x8B\xDF\xEB\x8E\x53\xFF\x15\x00\x00\x00\x00\xEB\x90","xxx????xxxxxxxxxx????xx",21,false);// Win8 8.0 + 8.1                
            if ( !hEndScene )
            {
                MessageBox(NULL,"Error Code (2)","Error",MB_ICONERROR);
                exit(1);
            }

            if ( !hDrawIndexPrimtive )
               hDrawIndexPrimtive = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x53\xFF\x15\x00\x00\x00\x00\xF6\x46\x00\x00\x89\x7D\xFC\x74\x24\x39\x7B\x18\x74\x07\x53\xFF\x15\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x8B\x4D\xF4\x64\x89\x0D\x00\x00\x00\x00\x5F\x5E\x5B\x8B\xE5\x5D\xC2\x1C\x00","xxx????xx??xxxxxxxxxxxxx????x????xxxxxx????xxxxxxxxx",7,false);// Win XP
            if ( !hDrawIndexPrimtive )
               hDrawIndexPrimtive = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\x56\xFF\x15\x00\x00\x00\x00\xE9\x00\x00\x00\x00\x39\x5E\x18\x74\x07\x56\xFF\x15\x00\x00\x00\x00\xB8\x00\x00\x00\x00\x8B\x4D\xF4\x64\x89\x0D\x00\x00\x00\x00\x59\x5F\x5E\x5B\x8B\xE5\x5D\xC2\x1C\x00\x39\x9E\x00\x00\x00\x00","xxx????x????xxxxxxxx????x????xxxxxx????xxxxxxxxxxxx????",7,false);// Vista - Win7
            if ( !hDrawIndexPrimtive )
               hDrawIndexPrimtive = tool->FindPattern((DWORD)D3D9Info.BaseAddress,D3D9Info.RegionSize,(PBYTE)"\xE9\x00\x00\x00\x00\x00\xFF\x00\x00\x00\x00\x00\xE9\x00\x00\x00\x00\xC7\x45\x00\x00\x00\x00\x00\x8D\x4D\x00\xE8\x00\x00\x00\x00\xB8\x00\x00\x00\x00\xE9\x00\x00\x00\x00\x83\xBA\x00\x00\x00\x00\x00\x74\x00","x?????x?????x????xx?????xx?x????x????x????xx?????x?",12,false); // Win8 8.0 + 8.1
            if ( !hDrawIndexPrimtive )
            {
                MessageBox(NULL,"Error Code (3)","Error",MB_ICONERROR);
                exit(1);
            }

            if ( hReset && hEndScene && hDrawIndexPrimtive )
            {
               DWORD dwBack;
               VirtualProtect((void*)(hCriticalSection),4,PAGE_EXECUTE_READWRITE,&dwBack);
               pEnterCriticalSection       = (EnterCriticalSection_t) *(DWORD*)(hCriticalSection);
               *(DWORD*)(hCriticalSection) = (DWORD)nEnterCriticalSection;
               VirtualProtect((void*)(hCriticalSection),4,dwBack,&dwBack);
              return EXIT_SUCCESS;
            }

     return EXIT_FAILURE;
}



BOOL WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
     if( dwReason == DLL_PROCESS_ATTACH )
     {    
        CreateThread(NULL,NULL,Start,NULL,NULL,NULL);
     }
     return TRUE;
}

If we would like to stay stealth we must just choose stealth thing like this.

Dear guys i'm posting this hook cuz it will be really usefull for people, its works to any GAME, undetected to any ANTICHEATS. THERE IS NO ANTICHEATS Which is checking for it.

What does i'm doing,
Intercept EnterCriticalSection from d3d9 and wait for exactly returnaddress
of the follow function exactly in this case D3DReset, D3DPresent, D3DDrawIndexPrimitive.

Its current works to any OS From Windows XP To windowS 8.1.

its the current hook which i'm using to any game since october 2012.

snow · 06/28/2015, 22:53

#moved…

MRx86™ · 06/28/2015, 23:08

Quote:

Originally Posted by snow

#moved…

thank you