D3D9 Hooking (EndScene + DrawIndexedPrimitive)



众所周知,我目前对DirectX感到厌烦。我试了又试,但无论怎么做都无法让它工作。我搜遍了网络,研究了各种钩子;把别处的代码片段拼凑起来,自己拼出钩子;也直接照搬过别人的钩子来弄清它们的工作方式;甚至从头写过一些。但我始终没能让任何一个钩子工作。我正在尝试为Crossfire制作一个简单的D3D Mod-Menu。我尝试过的方法有:

  1. 通过vtable挂钩[获取设备指针时有问题]
  2. 通过特征码/掩码扫描等方式挂钩和绕行(detour)[不确定如何获取特征码,也找不到在Win10上可靠工作的方法]
  3. 创建一个虚拟(dummy)设备以获取地址等[导致游戏立即关闭(被检测到)]

不管我做什么,菜单要么干脆拒绝出现,要么在绕过(bypass)这一端被游戏关闭,要么崩溃,要么什么也没发生。

有没有优质的入门材料或示例代码可以让我学习,或者从零开始学起?

菜单、变量集、功能函数、DllMain、依赖项等我都已经写好了。我只需要一个能正常工作的钩子——我唯一能跑起来的钩子有个奇怪的问题:在EndScene中绘制文字是正常的,但DrawIndexedPrimitive中的wallhack不起作用。

下面是来自SO答案的一大段代码:

  • 获取正确的窗口
  • 创建虚拟(dummy)设备
  • 从vtable获取EndScene的地址
  • 做一个标准的x86蹦床(trampoline)钩子
  • 在钩子内部做你需要的任何初始化
  • 保存正确设备指针的副本
  • 绘制内容
  • 用正确的设备指针调用原始函数
#pragma comment(lib, "d3d9.lib")
#pragma comment(lib, "d3dx9.lib")
#include <windows.h>
#include <d3d9.h>
#include <d3dx9.h>
// Installs a 5-byte relative jmp (E9 rel32) at src that lands on dst, NOP-padding (0x90) the
// rest of the len bytes so no partial instruction is left behind. Returns false if len < 5
// (not enough room for the jmp); otherwise true.
//
// Assumes a 32-bit (x86) build, which is what the page describes: the displacement is stored
// through a uintptr_t*, which is 4 bytes on x86 but 8 bytes on x64 — there it would overrun the
// 5-byte jmp, and a 32-bit displacement may not reach dst at all.
// Neither VirtualProtect result is checked: if the first call fails, memset writes into
// non-writable code and the process faults.
// Flipping a code page to PAGE_EXECUTE_READWRITE and patching a jmp into another module's code
// is the canonical inline-hook footprint that code-integrity checks and anti-tamper scanners
// detect; nothing here reverts the patch.
bool Hook(char* src, char* dst, int len)
{
    if (len < 5) return false;
    DWORD curProtection;
    // Make the target bytes writable; the previous protection is restored below.
    VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &curProtection);
    memset(src, 0x90, len);
    // rel32 is relative to the end of the 5-byte jmp instruction, hence the -5.
    uintptr_t relativeAddress = (uintptr_t)(dst - src - 5);
    *src = (char)0xE9;
    *(uintptr_t*)(src + 1) = (uintptr_t)relativeAddress;
    DWORD temp;
    VirtualProtect(src, len, curProtection, &temp);
    return true;
}
// Builds a "gateway" trampoline and then hooks src with Hook(). The gateway holds a copy of the
// len original bytes of src followed by a jmp back to src + len, so calling the returned pointer
// runs the original function as if it had never been patched. Returns the gateway, or 0/nullptr
// when len < 5 or Hook() refuses.
//
// len must cover whole instructions at src, and those instructions must not use relative
// operands (jmp/call rel32 and the like), because they are copied verbatim to a different
// address; that is the caller's responsibility — nothing here decodes instructions.
// VirtualAlloc's result is not checked: on failure memcpy writes through a null pointer.
// As in Hook(), the rel32 is written through a uintptr_t*, which on a 64-bit build also runs
// 3 bytes past the len + 5 bytes requested.
// Because len < 5 is already rejected above, the Hook() failure branch looks unreachable from
// here; if it were taken, the gateway would be leaked. The RWX gateway is never released.
char* TrampHook(char* src, char* dst, unsigned int len)
{
    if (len < 5) return 0;
    // Create the gateway (len + 5 for the overwritten bytes + the jmp)
    char* gateway = (char*)VirtualAlloc(0, len + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // Put the bytes that will be overwritten in the gateway
    memcpy(gateway, src, len);
    // Get the gateway to destination addy
    // Displacement from the end of the gateway's jmp (gateway + len + 5) to src + len,
    // which simplifies to src - gateway - 5.
    uintptr_t gateJmpAddy = (uintptr_t)(src - gateway - 5);
    // Add the jmp opcode to the end of the gateway
    *(gateway + len) = (char)0xE9;
    // Add the address to the jmp
    *(uintptr_t*)(gateway + len + 1) = gateJmpAddy;
    // Place the hook at the destination
    if (Hook(src, dst, len))
    {
        return gateway;
    }
    else return nullptr;
}

// Signature of IDirect3DDevice9::EndScene as called through the vtable (APIENTRY calling convention);
// used both for the trampoline pointer and for the detour target hkEndScene.
typedef HRESULT(APIENTRY* tEndScene)(LPDIRECT3DDEVICE9 pDevice);
// Result slot shared by EnumWindowsCallback (writes it) and GetProcessWindow (resets and returns it).
static HWND window;

// EnumWindows callback: claims the first top-level window owned by the current process
// by storing it in the file-scope `window` and returning FALSE to stop the enumeration.
// Windows belonging to other processes are skipped by returning TRUE. lParam is unused.
BOOL CALLBACK EnumWindowsCallback(HWND handle, LPARAM lParam)
{
    DWORD ownerPid = 0;
    GetWindowThreadProcessId(handle, &ownerPid);
    const bool belongsToUs = (ownerPid == GetCurrentProcessId());
    if (belongsToUs)
    {
        window = handle;
    }
    // FALSE aborts the search once a match is recorded; TRUE keeps enumerating.
    return belongsToUs ? FALSE : TRUE;
}
// Returns a top-level window of the current process, or NULL if EnumWindows finds none.
// The result travels through the file-scope `window`, which is cleared before each search.
HWND GetProcessWindow()
{
    window = NULL;
    // Enumeration stops as soon as EnumWindowsCallback records a match (it returns FALSE).
    EnumWindows(EnumWindowsCallback, 0);
    return window;
}
// Fills pTable with the first Size bytes of IDirect3DDevice9's vtable, obtained by creating a
// throw-away ("dummy") device on the process's window and reading the vtable pointer stored at
// the start of the COM object. Returns true on success; false when pTable is null,
// Direct3DCreate9 fails, or both CreateDevice attempts fail. The D3D objects created here are
// released before returning on every path.
//
// The approach relies on every IDirect3DDevice9 produced by the same d3d9 implementation
// sharing one vtable, so the slots copied from the dummy device apply to the game's own
// device — presumably the case for the author's setup; not verified here.
// Size is trusted as given: a value larger than the real vtable reads past it.
// hDeviceWindow may be NULL when GetProcessWindow() found nothing; CreateDevice is then
// expected to fail and false is returned.
bool GetD3D9Device(void** pTable, size_t Size)
{
    if (!pTable)
        return false;
    IDirect3D9* pD3D = Direct3DCreate9(D3D_SDK_VERSION);
    if (!pD3D)
        return false;
    IDirect3DDevice9* pDummyDevice = NULL;
    // options to create dummy device
    D3DPRESENT_PARAMETERS d3dpp = {};
    // First attempt is non-windowed; the retry below flips to windowed.
    d3dpp.Windowed = false;
    d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    d3dpp.hDeviceWindow = GetProcessWindow();
    HRESULT dummyDeviceCreated = pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, d3dpp.hDeviceWindow, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &pDummyDevice);
    if (dummyDeviceCreated != S_OK)
    {
        // may fail in windowed fullscreen mode, trying again with windowed mode
        d3dpp.Windowed = !d3dpp.Windowed;
        dummyDeviceCreated = pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, d3dpp.hDeviceWindow, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &pDummyDevice);
        if (dummyDeviceCreated != S_OK)
        {
            pD3D->Release();
            return false;
        }
    }
    // The object's first pointer-sized field is treated as the vtable (void**); copy Size bytes of it.
    memcpy(pTable, *reinterpret_cast<void***>(pDummyDevice), Size);
    pDummyDevice->Release();
    pD3D->Release();
    return true;
}
// Fills the w x h rectangle whose top-left corner is (x, y) with `color` on `dev`'s render
// target, using IDirect3DDevice9::Clear restricted to that single sub-rectangle.
// Only the colour target is cleared; depth and stencil are untouched.
void DrawFilledRect(int x, int y, int w, int h, D3DCOLOR color, IDirect3DDevice9* dev)
{
    D3DRECT area;
    area.x1 = x;
    area.y1 = y;
    area.x2 = x + w;
    area.y2 = y + h;
    dev->Clear(1, &area, D3DCLEAR_TARGET, color, 0, 0);
}

bool bInit = false;                      // set once hkEndScene has captured the device pointer
tEndScene oEndScene = nullptr;           // trampoline to the original EndScene, assigned by Init
LPDIRECT3DDEVICE9 pD3DDevice = nullptr;  // game's device, captured in hkEndScene; not read elsewhere in this listing
void* d3d9Device[119];                   // copy of the IDirect3DDevice9 vtable (119 slots), filled by GetD3D9Device
// Detour target for IDirect3DDevice9::EndScene. On the first call it remembers the game's
// device in pD3DDevice; on every call it draws a 200x200 red rectangle at (200, 200) and then
// continues into the original EndScene through the trampoline held in oEndScene.
HRESULT APIENTRY hkEndScene(LPDIRECT3DDEVICE9 pDevice)
{
    // One-time capture of the real device pointer.
    if (!bInit)
    {
        pD3DDevice = pDevice;
        bInit = true;
    }
    //draw stuff here like so:
    const D3DCOLOR red = D3DCOLOR_ARGB(255, 255, 0, 0);
    DrawFilledRect(200, 200, 200, 200, red, pDevice);
    // Hand off to the original implementation via the gateway.
    return oEndScene(pDevice);
}
// Thread routine started from DllMain. Copies the IDirect3DDevice9 vtable via a dummy device,
// then detours slot 42 (IDirect3DDevice9::EndScene in the d3d9.h interface layout) to hkEndScene
// with a trampoline, keeping the gateway in oEndScene. hModule is unused.
// Always returns 0, even when GetD3D9Device failed and no hook was installed.
//
// The literal 7 is the number of bytes stolen from EndScene's prologue — presumably measured on
// the author's d3d9.dll build; it must cover whole instructions, and nothing here verifies it.
// The patch is live as soon as TrampHook returns, while oEndScene is assigned only afterwards,
// so a frame rendered in between could reach hkEndScene with oEndScene still nullptr.
DWORD WINAPI Init(HMODULE hModule)
{
    if (GetD3D9Device(d3d9Device, sizeof(d3d9Device)))
    {
        oEndScene = (tEndScene)TrampHook((char*)d3d9Device[42], (char*)hkEndScene, 7);
    }
    return 0;
}
// DLL entry point. On DLL_PROCESS_ATTACH it starts Init on a new thread (presumably to keep
// the hook installation out of DllMain itself) and closes the thread handle right away; the
// thread keeps running. CreateThread's return value is not checked, so on failure
// CloseHandle(NULL) is called and the hook is silently never installed.
// The attach case has no `break`, so it falls through into the remaining labels, which only
// `break` — behaviour is unaffected.
// Nothing is undone on DLL_PROCESS_DETACH: the jmp patched into d3d9's EndScene and the RWX
// gateway stay in place, so if this module were ever unloaded the next EndScene call would
// land in unmapped memory.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Init takes HMODULE rather than LPVOID; the cast makes it fit LPTHREAD_START_ROUTINE.
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)Init, hModule, 0, nullptr));
    }
    // no break: falls through to the labels below, which only break
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

这个极简的D3D9 EndScene钩子归功于我、兄弟、索莱尔和0xdec0de
