
    Dreadfully slow "100% undetected" DIP hook

    Here's a very slow DIP (DrawIndexedPrimitive) hook that patches no code bytes: instead of writing a detour into d3d9.dll it arms a hardware execution breakpoint (DR0/DR7) on the rendering thread and catches the resulting single-step exception in a vectored exception handler, which redirects EIP into the hook stub. That is what the "100% undetected" claim rests on — an integrity check of the module's code will not see it — but the debug registers and the VEH registration are both visible to anything that inspects thread contexts or the handler list, so read the claim as "no code patch", not "invisible". You can point it at other addresses too. It lags like Windows 3.0 from hell, presumably because every DrawIndexedPrimitive call now takes an exception round-trip through the kernel.

    So, here goes:

    SetDbgReg.cpp:
    hThreadID = id of the thread whose debug registers are written (the render thread; captured with GetCurrentThreadId() from inside the one-shot hook)
    HookAddress = address you want to break on (here a few bytes into d3d9.dll!DrawIndexedPrimitive)
    DWORD AccessRestriction = the raw DR7 value to write, e.g. DBG_EXEC (break on execution) or DBG_NODBG (disarm)
    CallBackFunction = vectored exception handler that moves Eip to the hook stub (the stub acts as a trampoline back into the original routine)

    A few functions I've had to bind dynamically from kernel32.dll via GetProcAddress, because I use a very old compiler whose Windows headers predate Windows 2000 Professional (OpenThread and AddVectoredExceptionHandler are not declared there).





    Code:
    // Raw DR7 values handed to SetDebugReg (which writes the whole register,
    // so any other hardware breakpoint on that thread is cleared as well).
    // NOTE(review): DBG_READ_WRITE is not used by the code below; 0x3C001 sets
    // bits 14-15, which are reserved in DR7, and leaves LEN0 (bits 18-19) at
    // 00 (1 byte). A 4-byte read/write breakpoint on DR0 is normally 0xF0001 -
    // verify before relying on it.
    #define DBG_READ_WRITE 0x3C001    // R/W0 = 11: break on data read/write of DR0, not on execution
    #define DBG_EXEC 0x1        // L0 set, R/W0 = 00: break when the instruction at DR0 executes
    #define DBG_NODBG 0x0     // every enable bit clear: breakpoint removed
    
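    DWORD SetDebugReg(DWORD hThreadID, DWORD HookAddres, DWORD AccessRestriction, PDWORD CallBackFunction){
        // Arms (or disarms) a hardware breakpoint on one thread and routes the
        // resulting exception to CallBackFunction.
        //
        //   hThreadID         thread *id* (not a handle) whose DR0/DR7 are written
        //   HookAddres        linear address stored in DR0
        //   AccessRestriction raw DR7 value: DBG_EXEC arms DR0 for execution,
        //                     DBG_NODBG clears every enable bit. The whole
        //                     register is replaced, so any other hardware
        //                     breakpoint on that thread is wiped as well.
        //   CallBackFunction  vectored exception handler, installed first in line
        //
        // Returns 0 on success, 1 on failure; the thread is never left suspended.
        // OpenThread/AddVectoredExceptionHandler are resolved at runtime because
        // the build's headers predate Windows 2000.
        //
        // The handler is registered on the first successful call only. The
        // original re-registered it on every call, so each key press stacked
        // another copy of the same handler in the VEH chain. It is never
        // removed; the callback passed to the first call is the one that stays.
        static bool handlerInstalled = false;

        HMODULE kernel32 = GetModuleHandle("Kernel32.dll");
        if (kernel32 == NULL) return 1;

        MyOpenThread = (OpenThread)GetProcAddress(kernel32, "OpenThread");
        if (MyOpenThread == NULL) return 1;

        // Least privilege: only the rights actually used, instead of THREAD_ALL_ACCESS.
        HANDLE hThread = MyOpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, hThreadID);
        if (hThread == NULL) return 1;   // e.g. hThreadID == 0 because DIP never fired

        DWORD rc = 1;
        if (SuspendThread(hThread) != (DWORD)-1) {
            CONTEXT c;
            ZeroMemory(&c, sizeof(c));
            c.ContextFlags = CONTEXT_DEBUG_REGISTERS;
            if (GetThreadContext(hThread, &c)) {
                c.Dr0 = (DWORD)HookAddres;
                c.Dr6 = 0;                 // clear stale status bits
                c.Dr7 = AccessRestriction;
                if (SetThreadContext(hThread, &c)) rc = 0;
            }
            ResumeThread(hThread);         // always undo the suspend, even on failure
        }
        CloseHandle(hThread);
        if (rc != 0) return rc;

        if (!handlerInstalled) {
            MyAddVectoredExceptionHandler = (AddVectoredExceptionHandler)GetProcAddress(kernel32, "AddVectoredExceptionHandler");
            if (MyAddVectoredExceptionHandler == NULL) return 1;
            MyAddVectoredExceptionHandler(1, (PDWORD)CallBackFunction);
            handlerInstalled = true;
        }
        return 0;
    }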
    Example usage:
    note:
    ScanTable() (from VtableScan.lib) returns a pointer to the IDirect3DDevice9 vtable.
    The vtable index used below ([82] = DrawIndexedPrimitive) may not apply to your version of d3d9.dll, and neither may the re-entry code at the end of hkDip() (the replayed `push -1` and the jump to DIP+7 assume a specific prologue).
    That's all


    Code:
    #include <windows.h>
    #include <iostream>
    #include <string.h>
    #include <fstream>
    #include <stdio.h>
    #include <C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)\Include\d3d9.h>
    #include <C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)\Include\d3dx9.h>
    
    #pragma comment (lib, "C:\\Program Files (x86)\\Microsoft DirectX SDK (June 2010)\\Lib\\x86\\d3dx9.lib")
    #pragma comment(lib, "VtableScan.lib")
    
    // NOTE(review): this _WIN32_WINNT define comes *after* <windows.h> has
    // already been included above, so it has no effect on which Win32
    // prototypes are visible - which is why OpenThread and
    // AddVectoredExceptionHandler are fetched with GetProcAddress below.
    // Do not simply move it above the includes: this file declares typedefs
    // named OpenThread and AddVectoredExceptionHandler, which would then
    // collide with the real prototypes once the headers expose them.
    #define _WIN32_WINNT 0x0500 //is needed for AddVectoredExceptionHandler function
    // Raw DR7 values handed to SetDebugReg (which writes the whole register).
    // DBG_EXEC: bit 0 = L0 (local enable of DR0) with R/W0 = 00, i.e. break
    // when the instruction at DR0 executes. DBG_NODBG clears every enable bit.
    // NOTE(review): DBG_READ_WRITE is unused here; 0x3C001 sets bits 14-15,
    // which are reserved in DR7, and leaves LEN0 (bits 18-19) at 00 (1 byte).
    // A 4-byte read/write breakpoint on DR0 is normally 0xF0001 - verify
    // before using it.
    #define DBG_READ_WRITE 0x3C001
    #define DBG_EXEC 0x1
    #define DBG_NODBG 0x0
    
    // Provided by VtableScan.lib (see the #pragma comment above); none of
    // these are defined in this file, so their exact contracts cannot be
    // checked here. Only ScanTable, Hook, RemoveHook and ReturnFromHook are
    // used below.
    extern "C"{
    	// Returns a pointer to the IDirect3DDevice9 vtable (per the author's note).
    	DWORD _stdcall ScanTable();
    	// Detours TargetAddress to HookAddress. The returned value is what
    	// MainThread stores in HookTrampoline and later hands to RemoveHook
    	// and ReturnFromHook.
    	DWORD _stdcall Hook(DWORD TargetAddress, DWORD HookAddress);
    	// Presumably transfers control back into the detoured routine; the
    	// second argument is passed as 1 by OneTimeDipHook - meaning unverified.
    	DWORD _stdcall ReturnFromHook(DWORD GhookAddress, DWORD NumberOfArguments);
    	DWORD _stdcall RemoveHook(DWORD GGhookAddress);
    	// Unused in this file.
    	DWORD _stdcall MidFunctionHook(DWORD MidFunctionTargetAddress,DWORD MidFunctionHookAddress,DWORD InstructionSize);
    	DWORD _stdcall PreparePseudoStack(DWORD FistArgument, DWORD PreviousPseudoStack);
    	DWORD _stdcall RewindStackForReturn(DWORD StackBasePointer);
    }
    
    
    void MainThread();  // worker started from DllMain; vtable slot [82] is DrawIndexedPrimitive
    DWORD SetDebugReg(DWORD hThreadID, DWORD HookAddres, DWORD AccessRestriction, PDWORD CallBackFunction);
    // Naked landing pad that VectoredHandler moves Eip into; see its definition.
    HRESULT hkDip(LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
    // Runtime-resolved kernel32 imports. The typedef names deliberately reuse
    // the Win32 function names; that only compiles because the headers in use
    // do not declare them (the _WIN32_WINNT define above sits after
    // <windows.h> and so exposes nothing).
    // NOTE(review): the documented prototype is
    //   PVOID WINAPI AddVectoredExceptionHandler(ULONG, PVECTORED_EXCEPTION_HANDLER);
    // DWORD/PDWORD stand in for those pointer types here - same width on x86,
    // and the returned handle is discarded anyway.
    typedef DWORD (__stdcall *AddVectoredExceptionHandler) ( ULONG FirstHandler, PDWORD VectoredHandler);
    AddVectoredExceptionHandler MyAddVectoredExceptionHandler; 
    // Re-entry point used by hkDip: MainThread sets it to DIP + 7, i.e. just
    // past the breakpoint and the `push -1` that hkDip replays.
    typedef DWORD (__stdcall *OrigionalDIP) (LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
    OrigionalDIP oDIP;
    typedef HANDLE (__stdcall *OpenThread) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
    OpenThread MyOpenThread;
    
    DWORD heThread;        // id of the render thread, captured by OneTimeDipHook (0 until it fires)
    DWORD Target;          // breakpoint address: DIP + 5, set by MainThread before the breakpoint is armed
    DWORD HookTrampoline;  // value returned by Hook(), consumed by RemoveHook/ReturnFromHook
    
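    bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
    {
        // Masked byte comparison: for every 'x' in szMask the corresponding
        // bytes must be equal; any other mask character is a wildcard. The
        // mask string decides the length, so pData and bMask must both be at
        // least strlen(szMask) bytes long. An empty mask matches trivially.
        for (; *szMask; ++szMask, ++pData, ++bMask) {
            if (*szMask == 'x' && *pData != *bMask) {
                return false;
            }
        }
        return true;   // the loop only exits at the mask terminator
    }
    
    DWORD FindPattern(DWORD dwdwAdd,DWORD dwLen,BYTE *bMask,char * szMask)
    {
        // Scans the dwLen bytes starting at dwdwAdd for the masked pattern
        // and returns the address of the first match, or 0 if none.
        //
        // The scan window is bounded so that the last comparison still lies
        // inside [dwdwAdd, dwdwAdd + dwLen): the original started a compare
        // at every byte up to dwLen - 1 and therefore read up to
        // strlen(szMask) - 1 bytes past the end of the region.
        const DWORD patternLen = (DWORD)strlen(szMask);
        if (dwLen == 0 || patternLen > dwLen) {
            return 0;
        }
        const BYTE* base = (const BYTE*)dwdwAdd;
        for (DWORD i = 0; i <= dwLen - patternLen; ++i) {
            if (bCompare(base + i, bMask, szMask)) {
                return (DWORD)(dwdwAdd + i);
            }
        }
        return 0;
    }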
    
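    BOOL APIENTRY DllMain( HANDLE hModule, DWORD  fdwReason, LPVOID lpReserved ){
        // DLL entry point: on process attach, start MainThread and return.
        // The thread handle is closed immediately - nothing ever waits on the
        // thread - where the original discarded it and leaked one handle per
        // load. Failure to create the thread is not fatal for the host, so
        // TRUE is returned regardless, as before.
        // NOTE(review): MainThread is declared `void MainThread()` and cast to
        // LPTHREAD_START_ROUTINE; the expected signature is
        // `DWORD WINAPI (LPVOID)`. Its argument and return value are never
        // used here, which is presumably why this works, but it is not portable.
        if (fdwReason == DLL_PROCESS_ATTACH) {
            HANDLE hWorker = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&MainThread, NULL, 0, NULL);
            if (hWorker != NULL) {
                CloseHandle(hWorker);
            }
        }
        return TRUE;
    }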
    
    
    // Landing pad for the hardware breakpoint: VectoredHandler moves Eip here
    // while the render thread is stopped at Target (DIP + 5). The function is
    // naked, so no prologue touches the stack or ebp before every register is
    // saved; the parameter list exists so that `Device` resolves as an
    // argument of the frame the original DIP prologue already built.
    // NOTE(review): reading `Device` in a naked function relies on ebp still
    // pointing at that frame (so [ebp+8] is the device `this` pointer). That
    // holds only for the +5 offset chosen in MainThread - confirm against the
    // prologue of your d3d9.dll build.
    __declspec(naked) HRESULT hkDip(LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount){
    	// Save all general registers; the virtual call below clobbers eax/ecx/edx.
    	__asm pushad
    
    // Payload: disable depth testing on the device before the draw call runs.
    Device->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);
    	__asm{ 
    		popad              ; restore the registers the breakpoint interrupted
    		push -1            ; presumably the instruction at DIP+5 that the breakpoint pre-empted
    		mov eax, oDIP      ; oDIP = DIP + 7, the byte after that instruction
    		jmp eax            ; resume the original routine; it returns to DIP's caller
    	}
    
    }
    
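    LONG CALLBACK VectoredHandler( PEXCEPTION_POINTERS ExceptionInfo){
        // First-chance handler for the DR0 execution breakpoint. The hook
        // relies on an execution breakpoint being reported before the
        // instruction at DR0 runs, so Eip equals the armed address (Target)
        // when we get here; Eip is moved to hkDip and execution resumed, and
        // hkDip re-enters the original routine past the breakpoint itself.
        //
        // Only single-steps at Target - the value MainThread wrote to DR0 -
        // are claimed. The original redirected *every* EXCEPTION_SINGLE_STEP,
        // so a debugger trace or any other hardware breakpoint in the process
        // would have been hijacked into hkDip.
        if (ExceptionInfo == NULL || ExceptionInfo->ExceptionRecord == NULL || ExceptionInfo->ContextRecord == NULL) {
            return EXCEPTION_CONTINUE_SEARCH;
        }
        if (ExceptionInfo->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) {
            return EXCEPTION_CONTINUE_SEARCH;
        }
        if (ExceptionInfo->ContextRecord->Eip != Target) {
            return EXCEPTION_CONTINUE_SEARCH;   // not our breakpoint
        }
        ExceptionInfo->ContextRecord->Eip = (DWORD)hkDip;
        return EXCEPTION_CONTINUE_EXECUTION;
    }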
    
    
    // One-shot detour installed by MainThread through Hook(): its only job is
    // to record the id of the thread that calls DrawIndexedPrimitive, which is
    // the thread whose debug registers SetDebugReg programs later. Control
    // goes back through ReturnFromHook (VtableScan.lib); presumably that never
    // returns here, which is why there is no `return` despite the HRESULT type.
    // NOTE(review): the `1` passed to ReturnFromHook is not explained anywhere
    // in this file - check VtableScan's convention before reusing this.
    HRESULT OneTimeDipHook(LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount){
    __asm pushad
    	
    heThread = GetCurrentThreadId();   // last writer wins if several threads draw
    
    __asm  popad
    
    ReturnFromHook(HookTrampoline, 1);
    }
    
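    void MainThread(){
        // Worker started from DllMain. Sequence:
        //   1. wait for d3d9.dll, locate the device vtable via ScanTable()
        //   2. wait for INSERT, then plant a one-shot detour on DIP (vtable
        //      slot 82) just long enough to learn which thread renders
        //   3. remove the detour and arm / disarm a hardware breakpoint on
        //      that thread on each press of INSERT / END
        // The +5 / +7 byte offsets assume the d3d9.dll build the author used:
        // +5 is where the breakpoint is placed once the 5-byte detour is gone,
        // +7 is where hkDip re-enters after replaying `push -1`. Verify both
        // against your d3d9 before use.
        const unsigned dipSlot = 82;
        const DWORD breakpointOffset = 5;
        const DWORD reentryOffset = 7;

        while (!GetModuleHandle("d3d9.dll")) {
            Sleep(1000);
        }

        DWORD* Vtable = (DWORD*)ScanTable();
        if (Vtable == NULL) {
            return;   // the original dereferenced a null table here
        }

        while (!GetAsyncKeyState(VK_INSERT)) {
            Sleep(100);
        }
        Sleep(5000);

        // Where hkDip jumps back to; plain arithmetic replaces the inline asm.
        oDIP = (OrigionalDIP)((DWORD)Vtable[dipSlot] + reentryOffset);

        // One-shot detour: OneTimeDipHook records the rendering thread's id.
        HookTrampoline = Hook((DWORD)Vtable[dipSlot], (DWORD)&OneTimeDipHook);
        Sleep(5000);
        RemoveHook(HookTrampoline);
        Sleep(1000);
        Target = (DWORD)Vtable[dipSlot] + breakpointOffset;

        // heThread is still 0 if DIP never ran during the window above; a
        // breakpoint cannot be armed on thread 0, so bail out rather than spin.
        if (heThread == 0) {
            return;
        }

        // Arm on the INSERT edge, disarm on the END edge. The original called
        // SetDebugReg on every 100 ms tick while a key was held, re-suspending
        // the render thread and stacking another VEH registration each time.
        bool insertWasDown = false;
        bool endWasDown = false;
        while (1) {
            bool insertDown = GetAsyncKeyState(VK_INSERT) != 0;
            bool endDown = GetAsyncKeyState(VK_END) != 0;
            if (insertDown && !insertWasDown) {
                SetDebugReg(heThread, Target, DBG_EXEC, (PDWORD)&VectoredHandler);
            }
            if (endDown && !endWasDown) {
                SetDebugReg(heThread, Target, DBG_NODBG, (PDWORD)&VectoredHandler);
            }
            insertWasDown = insertDown;
            endWasDown = endDown;
            Sleep(100);
        }
    }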
    
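    DWORD SetDebugReg(DWORD hThreadID, DWORD HookAddres, DWORD AccessRestriction, PDWORD CallBackFunction){
        // Arms (or disarms) a hardware breakpoint on one thread and routes the
        // resulting exception to CallBackFunction.
        //
        //   hThreadID         thread *id* (not a handle) whose DR0/DR7 are written
        //   HookAddres        linear address stored in DR0
        //   AccessRestriction raw DR7 value: DBG_EXEC arms DR0 for execution,
        //                     DBG_NODBG clears every enable bit. The whole
        //                     register is replaced, so any other hardware
        //                     breakpoint on that thread is wiped as well.
        //   CallBackFunction  vectored exception handler, installed first in line
        //
        // Returns 0 on success, 1 on failure; the thread is never left suspended.
        // OpenThread/AddVectoredExceptionHandler are resolved at runtime because
        // the build's headers predate Windows 2000.
        //
        // The handler is registered on the first successful call only. The
        // original re-registered it on every call, so each key press stacked
        // another copy of the same handler in the VEH chain. It is never
        // removed; the callback passed to the first call is the one that stays.
        static bool handlerInstalled = false;

        HMODULE kernel32 = GetModuleHandle("Kernel32.dll");
        if (kernel32 == NULL) return 1;

        MyOpenThread = (OpenThread)GetProcAddress(kernel32, "OpenThread");
        if (MyOpenThread == NULL) return 1;

        // Least privilege: only the rights actually used, instead of THREAD_ALL_ACCESS.
        HANDLE hThread = MyOpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, hThreadID);
        if (hThread == NULL) return 1;   // e.g. hThreadID == 0 because DIP never fired

        DWORD rc = 1;
        if (SuspendThread(hThread) != (DWORD)-1) {
            CONTEXT c;
            ZeroMemory(&c, sizeof(c));
            c.ContextFlags = CONTEXT_DEBUG_REGISTERS;
            if (GetThreadContext(hThread, &c)) {
                c.Dr0 = (DWORD)HookAddres;
                c.Dr6 = 0;                 // clear stale status bits
                c.Dr7 = AccessRestriction;
                if (SetThreadContext(hThread, &c)) rc = 0;
            }
            ResumeThread(hThread);         // always undo the suspend, even on failure
        }
        CloseHandle(hThread);
        if (rc != 0) return rc;

        if (!handlerInstalled) {
            MyAddVectoredExceptionHandler = (AddVectoredExceptionHandler)GetProcAddress(kernel32, "AddVectoredExceptionHandler");
            if (MyAddVectoredExceptionHandler == NULL) return 1;
            MyAddVectoredExceptionHandler(1, (PDWORD)CallBackFunction);
            handlerInstalled = true;
        }
        return 0;
    }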






    Ummm.....yeah its really good....Ty man

    Lol at that Encyclopedia Dramatica link
    Code:
    Microsoft, was founded by Bill Gates and named after the size and shape of his penis (hence "Micro" and "soft")
    Good job man


    lol u made it slower than hell on purpos

    nicely done, can't wait to ownz pplz withz itz



    I don't even want to test it...

    good job nice