How To Make A D3D Hook (a little complement to Dead Hells hooking tut)

[Swag]

Hey guys,

I saw Dead Hell posted a hook tutorial and i thought: let i make a little complement
Here we go:


Step 1: Make ofc. a new project (empty dll project)
Step 2: Make Includes.h
Step 3: Make Main.cpp
Step 4: Include SDK to your project

Okay, Put this in Includes.h:

Code:

#include <Windows.h>
#include <stdio.h>
#include <d3d9.h>
#include <d3dx9.h>

Lets start with the main part
Add this in Main.cpp:

Code:

#include "Includes.h"
#include "Funtions.h"

BYTE CheckWindowsVersion();

#define WINDOWS_XP  5
#define WINDOWS_7   6

DWORD* DIP_hook = NULL;
DWORD DIP_return = NULL;

bool WallHack = true;

And now we are going to make the wallhack function:

Code:

void myDIP(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type,INT BaseVertexIndex,UINT MinVertexIndex,UINT NumVertices,UINT startIndex,UINT primCount)
{
    IDirect3DVertexBuffer9* pStreamData = NULL;
    UINT iOffsetInBytes,iStride;
    pDevice->GetStreamSource(0,&pStreamData,&iOffsetInBytes,&iStride);

    if(WallHack)
    if ((iStride==40)||(iStride==44))
    {
        pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE );
        pDevice->SetRenderState(D3DRS_ZFUNC,   D3DCMP_NEVER);
    }
}

Okay, we have make the wallhack function and now we are going to make the hook.
We are going to make a Windows XP hook and a Windows Vista+7 hook

Windows 7 part:

Code:

_declspec(naked) void myDIP_hook7()
{
	__asm
	{
		//Call myDIP
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+40];
		PUSH EAX;
		CALL myDIP;
		ADD ESP, 28;

		MOV EAX,DWORD PTR FS:[0];

		PUSH EAX;
		SUB ESP,0x20;

		JMP DIP_return;
	}
}

Windows XP Part:

Code:

_declspec(naked) void myDIP_hookxp()
{
	__asm
	{
		//Call myDIP
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		MOV EAX, DWORD PTR [ESP+44];
		PUSH EAX;
		CALL myDIP;
		ADD ESP, 28;

		MOV EAX,DWORD PTR FS:[0];

		MOV DWORD PTR FS:[0],ESP;
		SUB ESP, 0x12;

		JMP DIP_return;
	}
}

We are going to add some functions now..
Make a new .H file and give it the name: Functions.h

Put this codes in Functions.h:
Include:

Code:

#include "Includes.h"

Function bCompare

Code:

bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
	for(;*szMask;++szMask,++pData,++bMask)
		if(*szMask=='x' && *pData!=*bMask)   return 0;
	return (*szMask) == NULL;
}

Function FindPattern

Code:

DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
	for(DWORD i=0; i<dwLen; i++)
		if (bCompare((BYTE*)(dwAddress+i),bMask,szMask))  return (DWORD)(dwAddress+i);
	return 0;
}

MakeJMP Function

Code:

void MakeJMP( BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen )
{
    DWORD dwOldProtect, dwBkup, dwRelAddr;
    
    VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
    *pAddress = 0xE9;
    
    *((DWORD *)(pAddress + 0x1)) = dwRelAddr;
    for(DWORD x = 0x5; x < dwLen; x++) *(pAddress + x) = 0x90;
    VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
    
    return;
}

CheckWindowsVersion Function:

Code:

BYTE CheckWindowsVersion()
{
	HKEY key = NULL;
	DWORD size = 100;
	char buffer[200] = {NULL};
	RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", NULL, KEY_ALL_ACCESS, &key);
	RegQueryValueExA(key, "CurrentVersion", NULL, NULL, (LPBYTE)&buffer, &size);
	RegCloseKey(key);
	if ((!strcmp(buffer, "5.1")) || (!strcmp(buffer, "5.2")))
		return WINDOWS_XP;

	if ((!strcmp(buffer, "6.0")) || (!strcmp(buffer, "6.1")))
		return WINDOWS_7;
	return NULL;
}

Okay, that was Function.h
Go back to Main.cpp and add this:

Code:

void D3Dhook()
{
    LoadLibraryA("d3d9.dll");
    DWORD D3D9, adr, *VTable;
    do
    {
        D3D9 = (DWORD)LoadLibraryA("d3d9.dll");
        Sleep(100);
    } while (D3D9 == NULL);

    adr = FindPattern(D3D9, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x8", "xx????xx????xx");
    if (adr) {
        memcpy(&VTable,(void *)(adr+2),4);

        if (CheckWindowsVersion() == WINDOWS_7) {
        MakeJMP((BYTE *)0x4FF51658, (DWORD)myDIP_hook7, 0x6);
        DWORD dwJMPback = 0x4FF51659;
	}
	else if (CheckWindowsVersion() == WINDOWS_XP)
	{
        MakeJMP((BYTE *)0x4FF51658, (DWORD)myDIP_hookxp, 0x6);
        DWORD dwJMPback = 0x4FF51659;
 		}
	}
}

And a DLLMain:

Code:

extern "C" __declspec(dllexport) BOOL APIENTRY DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpvReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH)

	{
		DisableThreadLibraryCalls(hDll);
		
		D3Dhook();

	}else if(dwReason == DLL_PROCESS_DETACH) {
	}
	return TRUE;
}

DeadHell showed you guys how to make a hook and i showed in this tutorial how to make a Windows XP and Windows 7 hook..

Did i make a foult in this Tut.? Please PM me!

Credits:
I don't use this hook but i toke the codes from @Dead(H)ell Tutorial so the first credits go to him.
Ow, and DeadHell, in you tutorial you jump back at the same rule as you're hooking on.. I should jump back on the next rule
And Ofc. @giniyat101
And my great friend xD @Royku

I hope you guys like it...
Please press thanks and/or Rep

@Scata
@Royku
@Hero
@Jigsaw

Request Sticky

Thanks!