

    Midfunction Hook


    Midfunction Hook

    Post by Cloud on Thu Aug 01, 2013 5:54 pm

    Midfunction Hook (v2)


    Midfunction Hook - Revised
    Contains the memory class from my previous thread.

    Windows 7
    Unicode 

    Notes
    Code:
    This is a revision of the win7 midfunction hook.
    Most of the code written here is basic to intermediate level.
    It is written as a base for learning purposes.
    There are many improvements that can be made and I leave you to make them.
    Credits and Thanks in Manager.h
    Manager.h
    Code:
    // Manager.h Header File - By Shad0w_ //
    // Containing Useful functions and classes //
    // Shad0w_Base Does contain a lot of public //
    // source code from both unknowncheats.me and //
    // gamedeception.net, feel free to use but //
    // remember to credit myself and these sites //
    // Thanks to those who helped with this: //
    // learn_more //
    // ZeaS //
    // Thanks also to the following: //
    // Azorbix - so much open source code //
    // Roverturbo - so much open source code //
    // fatboy88 - helping me too many times //
    // Thanks as always to the following man: //
    // Osama bin Mohammed bin Awad bin Laden //


    // ----------------------------- //
    // File Includes //
    // ----------------------------- //

    #include <windows.h>
    #include <d3d9.h>

    // ----------------------------- //
    // Class: Framework //
    // Helper functions & Memory Ops //
    // ----------------------------- //

    // Helper object for in-process memory operations and module lookup.
    // Addresses are passed as DWORD (32-bit), so this interface only fits
    // a 32-bit build; a 64-bit pointer would not survive the cast.
    class Framework
    {
    public:

    // Copy `bytes` bytes from `val` to `dwAdd`; Framework.cpp flips the
    // page to PAGE_EXECUTE_READWRITE for the copy and restores it after.
    VOID WriteMemory(PVOID dwAdd, VOID *val, INT bytes);
    // Store a float / int at `dwAdd` with no protection change: the page
    // must already be writable or the store faults.
    VOID WriteFloat(DWORD dwAdd, FLOAT Value);
    VOID WriteInteger(DWORD dwAdd, INT Value);
    // Reinterpret `dwAdd` as a CHAR*; nothing is copied and no length or
    // terminator is checked, so the caller owns the bounds.
    CHAR* ReadText(DWORD dwAdd);

    // Linear scan of [dwdwAdd, dwdwAdd + dwLen) for `bMask`, where 'x' in
    // `szMask` marks a byte that must match; returns 0 when nothing matches.
    DWORD FindPattern(DWORD dwdwAdd,DWORD dwLen,BYTE *bMask,char * szMask);
    // GetModuleHandle, falling back to LoadLibrary when the module is not
    // already mapped (so it can load a DLL into the host as a side effect).
    HINSTANCE lGetModuleHandle(LPCWSTR szModule);

    private:
    // Single-position comparison used by FindPattern.
    BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask);
    };

    // Global Framework instance shared by every translation unit.
    // NOTE(review): it is defined in Framework.cpp but nothing in this
    // listing ever allocates it, so every FrmWrk-> call in Direct3D.cpp
    // dereferences a null pointer unless it is assigned elsewhere — confirm.
    extern Framework *FrmWrk;

    // ----------------------------- //
    // Thread: Thread_XD3DXINIT //
    // DirectX Functions Hooked here //
    // ----------------------------- //

    // Started from DllMain via CreateThread. NOTE(review): the signature is
    // `INT ()` rather than `DWORD WINAPI (LPVOID)` as LPTHREAD_START_ROUTINE
    // expects; the cast in DllMain hides the mismatch — confirm intended.
    INT Thread_XD3DXINIT( );

    // ----------------------------- //
    // VOID Dx9Hook //
    // The purpose of this function //
    // is to find the vtable and //
    // copy all the offsets into our //
    // VTable array. We also get the //
    // right alignment for our hook. //
    // ----------------------------- //
    // `D3D9` is the module name to resolve (the caller passes L"d3d9.dll").
    void Dx9Hook( LPCWSTR D3D9 );
    DllMain.cpp

    Code:
    #include "Manager.h"

    // ----------------------------- //
    // BOOL DllMain //
    // Entry Point of our dll //
    // ----------------------------- //

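    // DLL entry point. On process attach it starts Thread_XD3DXINIT on a
    // fresh thread so that the work does not run under the loader lock.
    // Returns TRUE when the thread was created; the return value is only
    // examined by the loader for DLL_PROCESS_ATTACH.
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        // DLL_PROCESS_ATTACH (== 1): the DLL has just been mapped into the process.
        if( fdwReason == DLL_PROCESS_ATTACH )
        {
            // NOTE(review): Thread_XD3DXINIT is declared `INT ()` in Manager.h,
            // not `DWORD WINAPI (LPVOID)`; the cast hides a calling-convention
            // mismatch on x86 — confirm the declaration is meant this way.
            HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Thread_XD3DXINIT, NULL, 0, NULL);
            if( hThread == NULL )
            {
                // Thread creation failed; fail the load instead of silently
                // leaving the DLL resident with nothing running.
                return FALSE;
            }

            // The thread is never joined, so release our handle right away
            // rather than leaking it for the life of the process.
            CloseHandle(hThread);

            //Thread_XD3DXINIT is now starting to execute code in a new thread//

            return TRUE;
        }

        return FALSE;
    }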
    Framework.cpp
    Code:
    #include "Manager.h"

    // Definition of the global declared extern in Manager.h. Zero-initialised
    // as a static; NOTE(review): no code in this listing assigns it, so it is
    // still null when Thread_XD3DXINIT calls through it — confirm where it is set.
    Framework *FrmWrk;

    // Copy `bytes` bytes from `val` to `dwAdd`, temporarily making the target
    // page writable and executable, then restoring its previous protection.
    // Neither VirtualProtect result is checked: if the first call fails the
    // memcpy still runs against whatever protection the page had. A
    // RW->RWX flip on a code page is the kind of event memory-integrity
    // monitors log.
    VOID Framework::WriteMemory(PVOID dwAdd, void *val, int bytes)
    {
        DWORD previousProtect = 0;
        DWORD ignored = 0;

        VirtualProtect(dwAdd, bytes, PAGE_EXECUTE_READWRITE, &previousProtect);
        memcpy(dwAdd, val, bytes);
        VirtualProtect(dwAdd, bytes, previousProtect, &ignored);
    }

    // Store `Value` at the 32-bit address `dwAdd`, viewed as a float*.
    // No protection change is made here, so the page must already be writable.
    VOID Framework::WriteFloat(DWORD dwAdd,float Value)
    {
        float *target = reinterpret_cast<float *>(dwAdd);
        *target = Value;
    }

    // Store `Value` at the 32-bit address `dwAdd`, viewed as an int*.
    // No protection change is made here, so the page must already be writable.
    VOID Framework::WriteInteger(DWORD dwAdd, int Value)
    {
        int *target = reinterpret_cast<int *>(dwAdd);
        *target = Value;
    }

    // Return `dwAdd` reinterpreted as a CHAR*. Nothing is copied and no
    // length or terminator check is performed; the caller owns the bounds.
    CHAR* Framework::ReadText(DWORD dwAdd)
    {
        return reinterpret_cast<CHAR *>(dwAdd);
    }

    // Compare `pData` against `bMask` for as many positions as `szMask` has
    // characters. An 'x' in `szMask` requires an exact byte match; any other
    // character (the caller uses '?') is a wildcard. Returns TRUE when every
    // fixed byte matched. Reads strlen(szMask) bytes from `pData`.
    BOOL Framework::bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
    {
        while (*szMask != '\0')
        {
            if (*szMask == 'x' && *pData != *bMask)
                return FALSE;
            ++szMask;
            ++pData;
            ++bMask;
        }
        // Walked the whole mask without a mismatch.
        return TRUE;
    }

    // Linear scan of [dwdwAdd, dwdwAdd + dwLen) for the masked byte pattern.
    // Returns the address of the first match, or 0 when none is found;
    // callers must test for 0 before dereferencing the result.
    // NOTE(review): the scan length is not shortened by the mask length, so
    // the final comparisons can read past dwdwAdd + dwLen; if that crosses
    // an unmapped page the host process faults.
    DWORD Framework::FindPattern(DWORD dwdwAdd,DWORD dwLen,BYTE *bMask,char * szMask)
    {
        DWORD offset = 0;
        while (offset < dwLen)
        {
            const DWORD candidate = dwdwAdd + offset;
            if (bCompare(reinterpret_cast<BYTE *>(candidate), bMask, szMask))
                return candidate;
            ++offset;
        }
        return 0;
    }

    // Resolve `szModule` to a module handle. The already-mapped module is
    // preferred; only when it is absent does this fall back to LoadLibrary,
    // which maps a new DLL into the host process as a side effect. Returns
    // NULL when both lookups fail.
    HINSTANCE Framework::lGetModuleHandle(LPCWSTR szModule)
    {
        HINSTANCE handle = GetModuleHandle(szModule);
        if (handle == NULL)
            handle = LoadLibrary(szModule);
        return handle;
    }
    Direct3D.cpp

    Code:
    #include "Manager.h"

    // ----------------------------- //
    // LPDIRECT3DDEVICE9 m_pD3Ddev //
    // The device should not be //
    // defined locally in the naked //
    // function as this would cause //
    // issues. Credits to learn_more //
    // for this information. //
    // ----------------------------- //

    // Written from MyEndscene's inline asm (the `mov m_pD3Ddev, esi`) on
    // whatever thread runs EndScene; no reader is visible in this listing.
    LPDIRECT3DDEVICE9 m_pD3Ddev;

    // ----------------------------- //
    // DWORD * VTable //
    // This will contain an array of //
    // offsets for the dx functions. //
    // ----------------------------- //

    // Filled by Dx9Hook with the 4-byte pointer found at pattern match + 2;
    // it points into d3d9's own memory, nothing is copied out of it.
    DWORD * VTable;

    // ----------------------------- //
    // DWORD dwEndscene_hook //
    // Contains offset to jmp from, //
    // Allowing program to flow into //
    // our dll. //
    // ----------------------------- //
    // DWORD dwEndscene_ret //
    // Contains offset to ret to, //
    // Allowing program to flow back //
    // into the orginal code. //
    // ----------------------------- //

    // Both set in Dx9Hook; dwEndscene_ret is always dwEndscene_hook + 6,
    // the length of the bytes MyEndscene re-executes before jumping back.
    DWORD dwEndscene_hook, dwEndscene_ret;

    // ----------------------------- //
    // BYTE EndSceneOpCodes[6] //
    // This holds the overwritten //
    // bytes from the games code. //
    // ----------------------------- //

    // Filled in Thread_XD3DXINIT with the six bytes expected at the hook site;
    // the commented-out loop there compares them with live memory.
    BYTE EndSceneOpCodes[6];

    // ----------------------------- //
    // Hook: MyEndscene //
    // Code injected //
    // Module: D3D9.DLL //
    // Offset: EndScene + 0x2A (W7) //
    // ----------------------------- //

    // Naked (no compiler prologue/epilogue) MSVC x86 function that the
    // detour at EndScene+0x2A would jump into. It re-executes the two
    // instructions the detour overwrote, captures the device pointer from
    // esi, saves/restores all general registers around the (empty) body,
    // and jumps back to dwEndscene_ret. Only valid for 32-bit MSVC builds.
    __declspec(naked) void MyEndscene( )
    {
    __asm
    {
    // NOTE(review): `10` here is decimal in MSVC inline asm (ebp - 0x0A),
    // while the displacement byte in EndSceneOpCodes (0xF0) encodes
    // ebp - 0x10 — confirm which is intended.
    mov dword ptr ss:[ebp - 10], esp;
    mov esi, dword ptr ss:[ebp + 0x8]; //replace patched code
    mov m_pD3Ddev, esi; //Get the device
    pushad; // preserve eax..edi so the caller's register state survives
    }


    __asm
    {
    popad;
    jmp dwEndscene_ret; //jump back to normal endscene
    }

    }

    // ----------------------------- //
    // Thread: Thread_XD3DXINIT //
    // DirectX Functions Hooked here //
    // ----------------------------- //

    // Worker started from DllMain. Resolves d3d9's vtable via Dx9Hook and
    // records the six bytes expected at the hook site in EndSceneOpCodes.
    // The detour loop itself is left commented out (see the author's note
    // below the listing). Returns 0 as the thread exit code.
    INT Thread_XD3DXINIT( )
    {
        // Blocks until d3d9.dll is mapped; also sets dwEndscene_hook/ret.
        Dx9Hook(L"d3d9.dll");

        // Expected original bytes at EndScene+0x2A. WriteMemory flips page
        // protection on our own buffer, which is unnecessary but harmless.
        static const char kExpectedBytes[] = "\x89\x65\xF0\x8B\x75\x08";
        FrmWrk->WriteMemory(static_cast<void *>(EndSceneOpCodes),
                            const_cast<char *>(kExpectedBytes), 6);

        // NOTE(review): the commented loop refers to `Endscene_opcodes`, which
        // does not match the `EndSceneOpCodes` array above — confirm if re-enabled.
        /*while( 1 )
        {
        Sleep( 1000 );

        if(memcmp((void *)Endscene_opcodes, (void *)dwEndscene_hook, 6) == 0 )
        Detour(dwEndscene_hook, MyEndscene);

        }*/

        return 0;
    }

    // ----------------------------- //
    // VOID Dx9Hook //
    // The purpose of this function //
    // is to find the vtable and //
    // copy all the offsets into our //
    // VTable array. We also get the //
    // right alignment for our hook. //
    // ----------------------------- //

    // Locate d3d9's device vtable and derive the hook/return addresses.
    // `D3D9` is the module name to resolve. Writes VTable, dwEndscene_hook
    // and dwEndscene_ret; blocks until the module handle is non-null.
    VOID Dx9Hook( LPCWSTR D3D9 )
    {
        // lGetModuleHandle already falls back to LoadLibrary, so this spins
        // only if that load keeps failing.
        DWORD moduleBase = 0;
        do
        {
            moduleBase = (DWORD)FrmWrk->lGetModuleHandle(D3D9);
        } while (moduleBase == 0);

        // Scan the first 0x128000 bytes of the module for the instruction
        // sequence whose 4-byte immediate (at match + 2) is the vtable pointer.
        // NOTE(review): a 0 result (pattern absent, e.g. a different d3d9 build)
        // is not checked, so the memcpy below would read from address 2 and fault.
        const DWORD match = FrmWrk->FindPattern(moduleBase, 0x128000,
            (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86",
            "xx????xx????xx");
        memcpy( &VTable, (VOID *)(match + 2), 4);

        // Slot 42 is EndScene; the hook site is 0x2A bytes in and the return
        // address is 6 bytes past it (the length of the replaced instructions).
        dwEndscene_hook = VTable[42] + 0x2A;
        dwEndscene_ret = dwEndscene_hook + 0x6;
    }
    Hey Shad0w_, you left something out. 
    I commented out the loop containing the detour;
    while the code there is fully functional,
    I decided to leave adding the detour to you.

    The Detour
    This should be 6 bytes in length, 
    I recommend: Push dwEndscene_hook Ret. 

    Advanced notes
    At this section of the endscene function all the registers are about to be set.
    At this section of the endscene function the flags are about to be set.

     credits @http://www.unknowncheats.me/forum/d3d-tutorials-and-source/66133-midfunction-hook-v2.html

