Dreafully slow 100% undetected DIP hook

**.::SCHiM::.** · 06-16-2011

Here's a very slow 100% undetected DIP hook, you can modify it to hook other addresses too. It lags like windows 3.0 from hell.

So, here goes:

SetDbgReg.cpp:
hThreadID = Threadid (GetCurrentThreadId())
HookAddress = address you want to hook (d3d9.dll!DrawIndexedPrimitive)
DWORD AccessRestriction = DBG_EXEC (break on execution)
CallBackFunction = Hook stub (can be described as a trampoline)

A few functions I've had to dynamically link with kernel32.dll because I use a very old compiler. (pre windows 2000 professional)

Code:

#define DBG_READ_WRITE 0x3C001    // break on read/write but not on execution
#define DBG_EXEC 0x1        // break on execution
#define DBG_NODBG 0x0     // remove the breakpoint

DWORD SetDebugReg(DWORD hThreadID, DWORD HookAddres, DWORD AccessRestriction, PDWORD CallBackFunction){

MyOpenThread = (OpenThread)GetProcAddress(GetModuleHandle("Kernel32.dll"), "OpenThread");

HANDLE hThread = MyOpenThread(THREAD_ALL_ACCESS, FALSE, hThreadID);

		SuspendThread(hThread);		

	CONTEXT c;
	c.ContextFlags=CONTEXT_DEBUG_REGISTERS; 
	GetThreadContext(hThread,&c); 
	c.Dr0=(DWORD)HookAddres; 
	c.Dr6=0;          
 	c.Dr7 =	AccessRestriction;     
	SetThreadContext(hThread,&c);
             
		ResumeThread(hThread);

CloseHandle(hThread);

MyAddVectoredExceptionHandler = (AddVectoredExceptionHandler)GetProcAddress(GetModuleHandle("Kernel32.dll"), "AddVectoredExceptionHandler");
MyAddVectoredExceptionHandler( 1, (PDWORD)CallBackFunction);
return 0;
}

Example usage:
note:
ScanTable() is a function that returns a pointer to the Vtable of the d3ddevice
The entries may not apply to your version (neither may the reentry code at the end of hkDIP()
That's all

Code:

#include <windows.h>
#include <iostream>
#include <string.h>
#include <fstream>
#include <stdio.h>
#include <C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)\Include\d3d9.h>
#include <C:\Program Files (x86)\Microsoft DirectX SDK (June 2010)\Include\d3dx9.h>

#pragma comment (lib, "C:\\Program Files (x86)\\Microsoft DirectX SDK (June 2010)\\Lib\\x86\\d3dx9.lib")
#pragma comment(lib, "VtableScan.lib")

#define _WIN32_WINNT 0x0500 //is needed for AddVectoredExceptionHandler function
#define DBG_READ_WRITE 0x3C001
#define DBG_EXEC 0x1
#define DBG_NODBG 0x0

extern "C"{
	DWORD _stdcall ScanTable();
	DWORD _stdcall Hook(DWORD TargetAddress, DWORD HookAddress);
	DWORD _stdcall ReturnFromHook(DWORD GhookAddress, DWORD NumberOfArguments);
	DWORD _stdcall RemoveHook(DWORD GGhookAddress);
	DWORD _stdcall MidFunctionHook(DWORD MidFunctionTargetAddress,DWORD MidFunctionHookAddress,DWORD InstructionSize);
	DWORD _stdcall PreparePseudoStack(DWORD FistArgument, DWORD PreviousPseudoStack);
	DWORD _stdcall RewindStackForReturn(DWORD StackBasePointer);
}


void MainThread();  // [82]
DWORD SetDebugReg(DWORD hThreadID, DWORD HookAddres, DWORD AccessRestriction, PDWORD CallBackFunction);
HRESULT hkDip(LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
typedef DWORD (__stdcall *AddVectoredExceptionHandler) ( ULONG FirstHandler, PDWORD VectoredHandler);
AddVectoredExceptionHandler MyAddVectoredExceptionHandler; 
typedef DWORD (__stdcall *OrigionalDIP) (LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
OrigionalDIP oDIP;
typedef HANDLE (__stdcall *OpenThread) (DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
OpenThread MyOpenThread;

DWORD heThread;
DWORD Target; 
DWORD HookTrampoline;

bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for(;*szMask;++szMask,++pData,++bMask)
        if(*szMask=='x' && *pData!=*bMask)   return 0;
    return (*szMask) == NULL;
}

DWORD FindPattern(DWORD dwdwAdd,DWORD dwLen,BYTE *bMask,char * szMask)
{
    for(DWORD i=0; i<dwLen; i++)
        if (bCompare((BYTE*)(dwdwAdd+i),bMask,szMask))  return (DWORD)(dwdwAdd+i);
    return 0;
}

BOOL APIENTRY DllMain( HANDLE hModule, DWORD  fdwReason, LPVOID lpReserved ){

	if( fdwReason == DLL_PROCESS_ATTACH){
       CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&MainThread, NULL, NULL, NULL);
	   return TRUE;
	}

    return TRUE;
}


__declspec(naked) HRESULT hkDip(LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount){
	__asm pushad


Device->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);
	__asm{ 
		popad
		push -1
		mov eax, oDIP
		jmp eax
	}

}

LONG CALLBACK VectoredHandler( PEXCEPTION_POINTERS ExceptionInfo){
		if( ExceptionInfo->ExceptionRecord->ExceptionCode==EXCEPTION_SINGLE_STEP){
					ExceptionInfo->ContextRecord->Eip = (DWORD) hkDip;						
		return EXCEPTION_CONTINUE_EXECUTION;             
	}
	return EXCEPTION_CONTINUE_SEARCH; 
}


HRESULT OneTimeDipHook(LPDIRECT3DDEVICE9 Device, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex, UINT NumVertices, UINT StartIndex, UINT PrimitiveCount){
__asm pushad
	
heThread = GetCurrentThreadId();

__asm  popad

ReturnFromHook(HookTrampoline, 1);
}

void MainThread(){


	while(!GetModuleHandle("d3d9.dll")){
      Sleep(1000);
	}

DWORD* Vtable = (DWORD*) ScanTable();

	while(1){
		if(GetAsyncKeyState(VK_INSERT)){
			break;
		}
		Sleep(100);
	}
	

Sleep(5000);
oDIP = (OrigionalDIP)Vtable[82];

__asm{
mov eax, oDIP
add eax, 07h
mov oDIP, eax
}



HookTrampoline = Hook((DWORD)Vtable[82], (DWORD)&OneTimeDipHook);
Sleep(5000);
RemoveHook(HookTrampoline);
Sleep(1000);
Target = (DWORD)Vtable[82];

__asm{
mov eax, Target
add eax, 05h
mov Target, eax
}

while(1){

	if(GetAsyncKeyState(VK_INSERT)){
		SetDebugReg(heThread, (DWORD)Target, DBG_EXEC, (PDWORD)&VectoredHandler);
	}
	if(GetAsyncKeyState(VK_END)){
		SetDebugReg(heThread, (DWORD)Target, DBG_NODBG, (PDWORD)&VectoredHandler);
	}

Sleep(100);
}
}

DWORD SetDebugReg(DWORD hThreadID, DWORD HookAddres, DWORD AccessRestriction, PDWORD CallBackFunction){

MyOpenThread = (OpenThread)GetProcAddress(GetModuleHandle("Kernel32.dll"), "OpenThread");

HANDLE hThread = MyOpenThread(THREAD_ALL_ACCESS, FALSE, hThreadID);

		SuspendThread(hThread);		

	CONTEXT c;
	c.ContextFlags=CONTEXT_DEBUG_REGISTERS; 
	GetThreadContext(hThread,&c); 
	c.Dr0=(DWORD)HookAddres; 
	c.Dr6=0;          
 	c.Dr7 =	AccessRestriction;     
	SetThreadContext(hThread,&c);
             
		ResumeThread(hThread);

CloseHandle(hThread);

MyAddVectoredExceptionHandler = (AddVectoredExceptionHandler)GetProcAddress(GetModuleHandle("Kernel32.dll"), "AddVectoredExceptionHandler");
MyAddVectoredExceptionHandler( 1, (PDWORD)CallBackFunction);
return 0;
}

**zarto** · 06-16-2011

Ummm.....yeah its really good....Ty man

**whit** · 06-16-2011

Lol at that Encyclopedia Dramatica link

Code:

Microsoft, was founded by Bill Gates and named after the size and shape of his penis (hence "Micro" and "soft")

Good job man

**dugindog** · 06-16-2011

lol u made it slower than hell on purpos

**supercarz1991** · 06-16-2011

nicely done, can't wait to ownz pplz withz itz

**pashak** · 06-16-2011

I don't even want to test it...

**elcamu987** · 06-16-2011

good job nice

Thread: Dreafully slow 100% undetected DIP hook

Thread Tools

Display

Dreafully slow 100% undetected DIP hook

The Following 4 Users Say Thank You to .::SCHiM::. For This Useful Post:

The Following 2 Users Say Thank You to whit For This Useful Post: