DIP Hook

**mamo007** · 06-29-2015

Hey all

Long time i didn't post anything. Here's an undetected dip hook using ntcreatethread. GoodLuck!

Debug Mode

Code:

#include <windows.h> #include <d3d9.h> #include <d3dx9.h> #include <iostream> #include <fstream> #include <tlhelp32.h> #include <process.h> #include <stdint.h> #include <string> #pragma comment(lib,"d3d9.lib") #pragma comment(lib,"d3dx9.lib") using namespace std; ofstream ofile; LPD3DXFONT pFont; #include <time.h> #include "XOR.h" #include "main.h" DWORD FindDeviceDIP,retMyDIP; #define sWeapon 36 #define sMap 24 #define sSkyWalls 28 #define sBody 44 #define sHead 40 int d3dwallhack=1; void D3DFunction (LPDIRECT3DDEVICE9 pDevice) { IDirect3DVertexBuffer9* pStreamData = NULL; UINT pOffsetInBytes , pStride; pDevice->GetStreamSource(0,&pStreamData,&pOffsetInBytes,&pStride); if(d3dwallhack) { if (pStride == sBody|| pStride == sHead || pStride == sWeapon) { pDevice->SetRenderState( D3DRS_ZENABLE, D3DZB_FALSE ); } } } __declspec(naked) HRESULT WINAPI MyDIP() { static LPDIRECT3DDEVICE9 pDevice; __asm { MOV EDI,EDI PUSH EBP MOV EBP,ESP MOV EAX,DWORD PTR SS:[EBP + 0x8] MOV pDevice,EAX } D3DFunction(pDevice); __asm { JMP retMyDIP } } void HookDIP () { while(!Ready2Hook()) Sleep(200); DWORD hD3D = (DWORD)GetModuleHandle(ed3d9); DWORD *vtbl; DWORD adr = FindPattern(hD3D, 0x128000, (BYTE*)"\xc7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "00????00????00"); if(adr) { memcpy(&vtbl,(void*)(adr + 2),4); retMyDIP = vtbl[147] + 0x5; MakeJMP((PBYTE)vtbl[147],(DWORD)MyDIP,0x5); } } HMODULE Kernel32Dll; extern "C" { BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: DisableThreadLibraryCalls(hinstDLL); EraseHeaders(hinstDLL); ErasePEHeader(hinstDLL); HideModule(hinstDLL); FreeLibrary(Kernel32Dll); Kernel32Dll = LoadLibrary("Kernel32.dll"); TerminateThreadAddress=(unsigned char*) GetProcAddress(Kernel32Dll,"TerminateThread"); HANDLE HandleProzess = OpenProcess (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,false,GetCurrentProcessId()); NtCreateThreadEx (HandleProzess , (void*)HookDIP , (void*)hinstDLL ); CloseHandle (HandleProzess); //Sleep(3000); break; } return TRUE; } }

Code:

#pragma warning(disable:4996) bool bCompare (const BYTE* pData, const BYTE* bMask, const char* szMask) { for(; *szMask; ++szMask, ++pData, ++bMask) if(*szMask=='0' && *pData != *bMask) return false; return (*szMask) == 0; } DWORD FindPattern (DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask) { for(DWORD i=0; i<dwLen; i++) if (bCompare((BYTE*)(dwAddress + i), bMask, szMask)) return (DWORD)(dwAddress + i); return false; } // MODULE // typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID BaseAddress; PVOID EntryPoint; ULONG SizeOfImage; }LDR_MODULE, *PLDR_MODULE; typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; }PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; }PEB, *PPEB; void HideModule (HINSTANCE hModule) { PEB* peb; LDR_MODULE* ldr; peb = (PEB*)__readfsdword(0x30); ldr = (LDR_MODULE*)peb->Ldr->InLoadOrderModuleList.Flink; while(ldr->BaseAddress != 0) { if(ldr->BaseAddress == hModule) { if(ldr->InLoadOrderModuleList.Blink != 0) (ldr->InLoadOrderModuleList.Blink)->Flink = ldr->InLoadOrderModuleList.Flink; if(ldr->InLoadOrderModuleList.Blink != 0) (ldr->InLoadOrderModuleList.Flink)->Blink = ldr->InLoadOrderModuleList.Blink; if(ldr->InInitializationOrderModuleList.Blink != 0) (ldr->InInitializationOrderModuleList.Blink)->Flink = ldr->InInitializationOrderModuleList.Flink; if(ldr->InInitializationOrderModuleList.Flink != 0) (ldr->InInitializationOrderModuleList.Flink)->Blink = ldr->InInitializationOrderModuleList.Blink; if(ldr->InMemoryOrderModuleList.Flink != 0) (ldr->InMemoryOrderModuleList.Blink)->Flink = ldr->InMemoryOrderModuleList.Flink; if(ldr->InMemoryOrderModuleList.Flink != 0) (ldr->InMemoryOrderModuleList.Flink)->Blink = ldr->InMemoryOrderModuleList.Blink; } ldr = (LDR_MODULE*)ldr->InLoadOrderModuleList.Flink; } } void EraseHeaders (HINSTANCE hModule) { PIMAGE_DOS_HEADER pDoH; PIMAGE_NT_HEADERS pNtH; DWORD i, ersize, protect; if(!hModule) return; pDoH = (PIMAGE_DOS_HEADER)(hModule); pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew); ersize = sizeof(IMAGE_DOS_HEADER); if(VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect)) { for(i=0; i < ersize; i++) *(BYTE*)((BYTE*)pDoH + i) = 0; } ersize = sizeof(IMAGE_NT_HEADERS); if(pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect)) { for(i=0; i < ersize; i++) *(BYTE*)((BYTE*)pNtH + i) = 0; } return; } void ErasePEHeader (HINSTANCE hModule) { MEMORY_BASIC_INFORMATION mbi; VirtualQuery((LPCVOID)hModule, &mbi, sizeof(mbi)); VirtualProtect(mbi.BaseAddress, mbi.RegionSize, PAGE_EXECUTE_READWRITE, &mbi.Protect); ZeroMemory((PVOID)hModule, 4096); VirtualProtect(mbi.BaseAddress, mbi.RegionSize, mbi.Protect, NULL); FlushInstructionCache(GetCurrentProcess(), (LPCVOID)mbi.BaseAddress, mbi.RegionSize); } void MakeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen) { DWORD dwOldProtect, dwBkup, dwRelAddr; VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect); dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5; *pAddress = 0xE9; *((DWORD *)(pAddress + 0x1)) = dwRelAddr; for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90; VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup); return; } bool Ready2Hook () { if(GetModuleHandle(eCShell) != 0 && GetModuleHandle(eClient) != 0) return true; return false; } struct NtCreateThreadExBuffer { ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8; }; HANDLE NtCreateThreadEx( HANDLE InProcess, void* InRemoteThreadStart, void* InRemoteCallback) { typedef DWORD WINAPI NtCreateThreadEx_PROC( PHANDLE ThreadHandle, ACCESS_MASK DesiredAccess, LPVOID ObjectAttributes, HANDLE ProcessHandle, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, BOOL CreateSuspended, DWORD dwStackSize, LPVOID Unknown1, LPVOID Unknown2, LPVOID Unknown3 ); // this will only work for vista and later... NtCreateThreadEx_PROC* VistaCreateThread = (NtCreateThreadEx_PROC*) GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx"); if(VistaCreateThread == NULL) return NULL; HANDLE hRemoteThread = NULL; HRESULT hRes = 0; if(!SUCCEEDED(hRes = VistaCreateThread( &hRemoteThread, 0x1FFFFF, // all access 0, InProcess, (LPTHREAD_START_ROUTINE)InRemoteThreadStart, InRemoteCallback, FALSE, 0, 0, 0, 0 ))) return NULL; return hRemoteThread; } unsigned char Backup[5], *TerminateThreadAddress; /** Backup**/ /** Dummy Function **/ BOOL WINAPI MyTerminateThread( HANDLE hThread, DWORD dwExitCode) { return true; } #ifdef BUILD_DLL #define DLL_EXPORT __declspec(dllexport) #else #define DLL_EXPORT __declspec(dllimport) #endif #ifdef __cplusplus extern "C" { #endif void DLL_EXPORT PCeumel( void ); #ifdef __cplusplus } #endif

Code:

Search yourself :P

for sure it won't take long time to get patched so ....

Credits Me , -[I]fLuX , pceumel , creator of "MakeJMP,XOR,FindPattern and the one who make the first DIP"

**dreek1** · 06-29-2015

Good Job

Xor.h

Code:

#ifndef _XOR_H
#define _XOR_H
template <int XORSTART, int BUFLEN, int XREFKILLER>

class XorStr
{
private:
	XorStr();
public:
	char s[BUFLEN];

	XorStr(const char * xs);

	~XorStr()
	{
		for (int i = 0; i<BUFLEN; i++) s[i] = 0;
	}
};

template <int XORSTART, int BUFLEN, int XREFKILLER>
XorStr<XORSTART, BUFLEN, XREFKILLER>::XorStr(const char * xs)
{
	int xvalue = XORSTART;
	int i = 0;

	for (; i < (BUFLEN - 1); i++)
	{
		s[i] = xs[i - XREFKILLER] ^ xvalue;
		xvalue += 1;
		xvalue %= 256;
	}

	s[BUFLEN - 1] = 0;
}


#define eCShell		XorStr<0xBB,11,0xEC676C84>("\xF8\xEF\xD5\xDB\xD3\xAC\xEF\xA6\xAF\xA8"+0xEC676C84).s
#define eClient		XorStr<0x19,13,0x4464E51F>("\x5A\x76\x72\x79\x73\x6A\x59\x78\x0F\x44\x5B\x40"+0x4464E51F).s
#define ed3d9		/*d3d9.dll*/XorStr<0xB9,9,0x64C42EE0>("\xDD\x89\xDF\x85\x93\xDA\xD3\xAC"+0x64C42EE0).s
#define eCF			/*crossfire.exe*/XorStr<0x52,14,0x2F5C6EF5>("\x31\x21\x3B\x26\x25\x31\x31\x2B\x3F\x75\x39\x25\x3B"+0x2F5C6EF5).s

#endif

**vinizn7** · 07-27-2015

o que eu faço com esse codico ? ajuda

**pandaseller12** · 06-29-2015

thanks for posting

**tommytho** · 06-29-2015

thank you !

**sobasoba13** · 06-30-2015

all credits ?

**badicecube** · 06-30-2015

Great work......keep it up

**ponzis_bitch** · 07-01-2015

Originally Posted by badicecube

Great work......keep it up

plz sir explains code to meeeee sirs? plzzzzz tell me what this codexxxing does?

**~FALLEN~** · 07-05-2015

A few things you should know.
The declaration for NtCreateThreadEx is :

NTSTATUS NTAPI ZwCreateThreadEx( PHANDLE,
ACCESS_MASK,
POBJECT_ATTRIBUTES,
HANDLE,
PVOID,
PVOID,
ULONG,
ULONG_PTR,
SIZE_T,
SIZE_T,
PVOID );

the first is a pointer to the handle you get from the thread's creation ( e.g. the returned threads handle )
the second is the access rights for the thread. THREAD_ALL_ACCESS for example
object attributes can be a nullptr ( or fill out the structure accordingly, up to you )
third is process which you can just use GetCurrentProcess for.. you don't even need to open a real handle.. lmfao
fourth is thread address
fifth is an optional argument you can pass to the thread
six is flags
seven is the number of bits that are zero on the stack address - just set it to 0
eighth is stack commit ( default 4k ) this is how much memory is initially committed for the threads stack
ninth is stack reserve ( default 64k up to 1mb depending on settings ) and is how much memory is reserved the the threads stack ( max is 1mb )
tenth/last is an optional return buffer that you can just set to 0 because you won't use it.

btw you should really learn what the fuck you're doing because you clearly copy pasted most of this.
p.s. iirc that function you're hooking is CD3DHal::DrawIndexedPrimitive which is just the internal function called from DrawIndexedPrimitive ( & a bit of other stuff ) that's used before the rendering command gets sent off to the user mode display driver to do processing and handed off to the kernel display driver.

**I2espect** · 07-07-2015

Originally Posted by ~FALLEN~

A few things you should know.
The declaration for NtCreateThreadEx is :

NTSTATUS NTAPI ZwCreateThreadEx( PHANDLE,
ACCESS_MASK,
POBJECT_ATTRIBUTES,
HANDLE,
PVOID,
PVOID,
ULONG,
ULONG_PTR,
SIZE_T,
SIZE_T,
PVOID );

the first is a pointer to the handle you get from the thread's creation ( e.g. the returned threads handle )
the second is the access rights for the thread. THREAD_ALL_ACCESS for example
object attributes can be a nullptr ( or fill out the structure accordingly, up to you )
third is process which you can just use GetCurrentProcess for.. you don't even need to open a real handle.. lmfao
fourth is thread address
fifth is an optional argument you can pass to the thread
six is flags
seven is the number of bits that are zero on the stack address - just set it to 0
eighth is stack commit ( default 4k ) this is how much memory is initially committed for the threads stack
ninth is stack reserve ( default 64k up to 1mb depending on settings ) and is how much memory is reserved the the threads stack ( max is 1mb )
tenth/last is an optional return buffer that you can just set to 0 because you won't use it.

btw you should really learn what the fuck you're doing because you clearly copy pasted most of this.
p.s. iirc that function you're hooking is CD3DHal:

rawIndexedPrimitive which is just the internal function called from DrawIndexedPrimitive ( & a bit of other stuff ) that's used before the rendering command gets sent off to the user mode display driver to do processing and handed off to the kernel display driver.

how can he hook normal dip without detection?
isnt that the normal and old dip hook ?

**~FALLEN~** · 07-07-2015

Originally Posted by I2espect

how can he hook normal dip without detection?
isnt that the normal and old dip hook ?

CD3DHal::DrawIndexedPrimitive and CD3DBase::DrawIndexedPrimitive are seperate functions. The former being one of the internal functions for the latter that's called before it's sent off to the UMDD for processing. You can easily detect both though.

**mamo007** · 07-07-2015

Originally Posted by ~FALLEN~

CD3DHal:rawIndexedPrimitive and CD3DBase:rawIndexedPrimitive are seperate functions. The former being one of the internal functions for the latter that's called before it's sent off to the UMDD for processing. You can easily detect both though.

Who said that's my hook? Here

**~FALLEN~** · 07-08-2015

Originally Posted by mamo007

Who said that's my hook? Here

I never said it was yours.
In fact in one of my replies to this thread I stated "btw you should really learn what the fuck you're doing because you clearly copy pasted most of this."
Thanks for proving my point.

**I2espect** · 07-09-2015

Originally Posted by ~FALLEN~

CD3DHal:

rawIndexedPrimitive and CD3DBase:

rawIndexedPrimitive are seperate functions. The former being one of the internal functions for the latter that's called before it's sent off to the UMDD for processing. You can easily detect both though.

so how can that be undetected???
and btw am i right that every byte modifications in the process can be detected .. how can that be bypassed ??
can't xtrap scan all the process bytes and detect any hook ?

**DevleopingForNoobs** · 07-09-2015

Originally Posted by I2espect

so how can that be undetected???
and btw am i right that every byte modifications in the process can be detected .. how can that be bypassed ??
can't xtrap scan all the process bytes and detect any hook ?

Up until a few updates ago pointer redirection was undetected in the engine renders with a little modification, Start3D, End3D - all parts of the LtClient class. Also using the LTDrawPrim class, which you can access from the LTClient class LtClient->GetDrawPrim, you can draw to the players using the engine (Aslong as you already have a DIP Hook).

Thread: DIP Hook | NtCreateThreadEx

Thread Tools

Display

Hybrid View

DIP Hook | NtCreateThreadEx

The Following 9 Users Say Thank You to mamo007 For This Useful Post:

The Following User Says Thank You to dreek1 For This Useful Post:

The Following User Says Thank You to ~FALLEN~ For This Useful Post:

The Following User Says Thank You to ~FALLEN~ For This Useful Post:

Similar Threads

DIP Hook Chams

[Release] DIP Hook. Go RQ

[Release] Dreafully slow 100% undetected DIP hook

DIP Hook.