Page 2 of 3 FirstFirst 123 LastLast
Results 16 to 30 of 42


  1. #1
    Shion1425
    I try this thing.

  2. #2
    mildredcoston
    I wouldn't trust you, kid.

  3. #3
    CFHackerExtreme
    Quote Originally Posted by pceumel:
    Originally Posted by CFHackerExtreme: PCe, why do you post this?
    Bec. it's funny to see all the people asking what it is ^^
    Nice PCe, nice

  4. #4
    Royku
    This uses your graphics card, right?
    I heard if you do something wrong you can fuck up your card.. lol
    Why don't you just make a mid-function hook or w/e xD

  5. #5
    XarutoUsoCrack
    This has been detected since 2011, and I can prove that cuz I tested it and it gave me an XTrap Abnormal Error.

  6. #6
    pceumel
    Quote Originally Posted by XarutoUsoCrack:
    This has been detected since 2011, and I can prove that cuz I tested it and it gave me an XTrap Abnormal Error.
    XTrap doesn't detect it ..
    I use this hook! - Win 7 64 Home Prem.
    The only part which is "detected" is TerminateThread .. Just sign it :P

    ---------- Post added at 06:35 AM ---------- Previous post was at 06:33 AM ----------

    Quote Originally Posted by Royku:
    This uses your graphics card, right?
    I heard if you do something wrong you can fuck up your card.. lol
    Why don't you just make a mid-function hook or w/e xD
    Yes, graphics card driver - ring03 .. I hate mid and a WDDM hook works for all D3D versions :P
    My card is still ok..
    NEW - D3D BASE - WDDM HOOK
    https://www.mpgh.net/forum/242-crossf...ml#post7906339
    My base and injector source (HOTKEY):
    https://www.mpgh.net/forum/580-crossf...ml#post5927406

    Happy leeching
    WDDM Hook
    https://www.mpgh.net/forum/242-crossf...d-hooking.html


    Killed a GM with hack : DONE and no bann ^^
    Killed a GM and all other Players : DONE
    Get 3min Banned : Done

  7. #7
    Ende!
    Quote Originally Posted by pceumel:
    XTrap doesn't detect it ..
    I use this hook! - Win 7 64 Home Prem.
    The only part which is "detected" is TerminateThread .. Just sign it :P
    Code:
    .text:4041D8D0 ; =============== S U B R O U T I N E =======================================
    .text:4041D8D0
    .text:4041D8D0
    .text:4041D8D0 sub_4041D8D0    proc near               ; CODE XREF: sub_4041C9F0+2Dp
    .text:4041D8D0                 push    esi
    .text:4041D8D1                 mov     esi, ecx
    .text:4041D8D3                 push    offset aAticfx32_dll ; "Aticfx32.dll"
    .text:4041D8D8                 call    LoadLibrary
    .text:4041D8DE                 test    eax, eax
    .text:4041D8E0                 jz      short loc_4041D909
    .text:4041D8E2                 push    offset aOpenadapter ; "OpenAdapter"
    .text:4041D8E7                 push    eax             ; hLibrary
    .text:4041D8E8                 call    GetProcAddress_1
    .text:4041D8EE                 test    eax, eax
    .text:4041D8F0                 mov     pOpenAdapter, eax
    .text:4041D8F5                 jz      short loc_4041D909
    .text:4041D8F7                 push    5
    .text:4041D8F9                 add     esi, 210h
    .text:4041D8FF                 push    eax
    .text:4041D900                 push    esi
    .text:4041D901                 call    sub_4042F9D0
    .text:4041D906                 add     esp, 0Ch
    .text:4041D909
    .text:4041D909 loc_4041D909:                           ; CODE XREF: sub_4041D8D0+10j
    .text:4041D909                                         ; sub_4041D8D0+25j
    .text:4041D909                 pop     esi
    .text:4041D90A                 retn
    .text:4041D90A sub_4041D8D0    endp
    .text:4041D90A
    .text:4041D90A ; ---------------------------------------------------------------------------
    .text:4041D90B                 align 10h
    .text:4041D910
    .text:4041D910 ; =============== S U B R O U T I N E =======================================
    .text:4041D910
    .text:4041D910
    .text:4041D910 sub_4041D910    proc near               ; CODE XREF: sub_4041C9F0+26p
    .text:4041D910                 push    esi
    .text:4041D911                 mov     esi, ecx
    .text:4041D913                 push    offset aNvd3dum_dll ; "Nvd3dum.DLL"
    .text:4041D918                 call    LoadLibrary
    .text:4041D91E                 test    eax, eax
    .text:4041D920                 jz      short loc_4041D949
    .text:4041D922                 push    offset aOpenadapter ; "OpenAdapter"
    .text:4041D927                 push    eax             ; hLibrary
    .text:4041D928                 call    GetProcAddress_1
    .text:4041D92E                 test    eax, eax
    .text:4041D930                 mov     dword_40540720, eax
    .text:4041D935                 jz      short loc_4041D949
    .text:4041D937                 push    5
    .text:4041D939                 add     esi, 1FCh
    .text:4041D93F                 push    eax
    .text:4041D940                 push    esi
    .text:4041D941                 call    sub_4042F9D0
    .text:4041D946                 add     esp, 0Ch
    .text:4041D949
    .text:4041D949 loc_4041D949:                           ; CODE XREF: sub_4041D910+10j
    .text:4041D949                                         ; sub_4041D910+25j
    .text:4041D949                 pop     esi
    .text:4041D94A                 retn
    .text:4041D94A sub_4041D910    endp
    .text:4041D94A
    .text:4041D94A ; ---------------------------------------------------------------------------
    .text:4041D94B                 align 10h
    Just a small quote from an IDB file of XTrapVA.dll I created ~Nov.12 (with cleaned Themida IAT calls and a reconstructed custom XT import table). I didn't perform further analysis; however, they obviously do 'something' with it. The sub_XX call is the function they use to obfuscate their pointers, which are put into a special structure that holds them all. I'm significantly too lazy to find the references to see what they are doing with it right now.

    Oh, by the way, that image came to mind when I reopened the IDB again. Probably nobody except ~FALLEN~ will understand it, but whatever, I'll post it anyway.

  8. The Following User Says Thank You to Ende! For This Useful Post:

    ~FALLEN~ (03-13-2013)

  9. #8
    derh.acker
    Quote Originally Posted by Ende!:

    Interesting..
    Code:
    404193A2  |. 8B1D 08605040  MOV EBX,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    
    404193B0  |. 68 10DD5140    PUSH XTrapVa.4051DD10                    ; /ProcNameOrOrdinal = "GetProcAddress"
    404193B5  |. 56             PUSH ESI                                 ; |hModule
    
    404193BB  |. FFD3           CALL EBX                                 ; \GetProcAddress
    
    404193C3  |. A3 C4A45440    MOV DWORD PTR DS:[4054A4C4],EAX

    They were totally bored.

    Code:
    4041D151  |. 8B3D 08605040  MOV EDI,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    4041D157  |. 68 FCF15140    PUSH XTrapVa.4051F1FC                    ; /ProcNameOrOrdinal = "NetUserGetInfo"
    4041D15C  |. 56             PUSH ESI                                 ; |hModule
    4041D15D  |. FFD7           CALL EDI                                 ; \GetProcAddress
    Code:
    40419293  |. 68 E4DC5140    PUSH XTrapVa.4051DCE4                    ; /ProcNameOrOrdinal = "Process32First"
    40419298  |. 56             PUSH ESI                                 ; |hModule
    40419299  |. A3 8CA45440    MOV DWORD PTR DS:[4054A48C],EAX          ; |
    4041929E  |. FF15 C4A45440  CALL DWORD PTR DS:[4054A4C4]             ; \GetProcAddress
    Last edited by derh.acker; 03-08-2013 at 11:16 AM.

  10. #9
    XarutoUsoCrack
    Quote Originally Posted by derh.acker:

    Interesting..
    Code:
    404193A2  |. 8B1D 08605040  MOV EBX,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    
    404193B0  |. 68 10DD5140    PUSH XTrapVa.4051DD10                    ; /ProcNameOrOrdinal = "GetProcAddress"
    404193B5  |. 56             PUSH ESI                                 ; |hModule
    
    404193BB  |. FFD3           CALL EBX                                 ; \GetProcAddress
    
    404193C3  |. A3 C4A45440    MOV DWORD PTR DS:[4054A4C4],EAX

    They were totally bored.

    Code:
    4041D151  |. 8B3D 08605040  MOV EDI,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    4041D157  |. 68 FCF15140    PUSH XTrapVa.4051F1FC                    ; /ProcNameOrOrdinal = "NetUserGetInfo"
    4041D15C  |. 56             PUSH ESI                                 ; |hModule
    4041D15D  |. FFD7           CALL EDI                                 ; \GetProcAddress
    Code:
    40419293  |. 68 E4DC5140    PUSH XTrapVa.4051DCE4                    ; /ProcNameOrOrdinal = "Process32First"
    40419298  |. 56             PUSH ESI                                 ; |hModule
    40419299  |. A3 8CA45440    MOV DWORD PTR DS:[4054A48C],EAX          ; |
    4041929E  |. FF15 C4A45440  CALL DWORD PTR DS:[4054A4C4]             ; \GetProcAddress
    They're actually checking your adapter to check if it has any mem modify.

    They use a totally unprofessional way to check their things; XTrap is crappy, I already said that.

  11. #10
    Ende!
    Quote Originally Posted by derh.acker:

    Interesting..
    Code:
    404193A2  |. 8B1D 08605040  MOV EBX,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    
    404193B0  |. 68 10DD5140    PUSH XTrapVa.4051DD10                    ; /ProcNameOrOrdinal = "GetProcAddress"
    404193B5  |. 56             PUSH ESI                                 ; |hModule
    
    404193BB  |. FFD3           CALL EBX                                 ; \GetProcAddress
    
    404193C3  |. A3 C4A45440    MOV DWORD PTR DS:[4054A4C4],EAX

    They were totally bored.

    Code:
    4041D151  |. 8B3D 08605040  MOV EDI,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    4041D157  |. 68 FCF15140    PUSH XTrapVa.4051F1FC                    ; /ProcNameOrOrdinal = "NetUserGetInfo"
    4041D15C  |. 56             PUSH ESI                                 ; |hModule
    4041D15D  |. FFD7           CALL EDI                                 ; \GetProcAddress
    Code:
    40419293  |. 68 E4DC5140    PUSH XTrapVa.4051DCE4                    ; /ProcNameOrOrdinal = "Process32First"
    40419298  |. 56             PUSH ESI                                 ; |hModule
    40419299  |. A3 8CA45440    MOV DWORD PTR DS:[4054A48C],EAX          ; |
    4041929E  |. FF15 C4A45440  CALL DWORD PTR DS:[4054A4C4]             ; \GetProcAddress
    I guess you didn't really get the point. Dynamic linkage makes sense when trying to hide imports. However, dynamically linking GetProcAddress using GetProcAddress definitely doesn't, as it has to be imported via the IAT either way.

  12. #11
    derh.acker
    Quote Originally Posted by Ende!:
    I guess you didn't really get the point. Dynamic linkage makes sense when trying to hide imports. However, dynamically linking GetProcAddress using GetProcAddress definitely doesn't, as it has to be imported via the IAT either way.
    Quote Originally Posted by derh.acker:
    They were totally bored.
    Code:
    4041D151  |. 8B3D 08605040  MOV EDI,DWORD PTR DS:[40506008]          ;  kernel32.GetProcAddress
    4041D157  |. 68 FCF15140    PUSH XTrapVa.4051F1FC                    ; /ProcNameOrOrdinal = "NetUserGetInfo"
    4041D15C  |. 56             PUSH ESI                                 ; |hModule
    4041D15D  |. FFD7           CALL EDI                                 ; \GetProcAddress
    Code:
    40419293  |. 68 E4DC5140    PUSH XTrapVa.4051DCE4                    ; /ProcNameOrOrdinal = "Process32First"
    40419298  |. 56             PUSH ESI                                 ; |hModule
    40419299  |. A3 8CA45440    MOV DWORD PTR DS:[4054A48C],EAX          ; |
    4041929E  |. FF15 C4A45440  CALL DWORD PTR DS:[4054A4C4]             ; \GetProcAddress
    I meant that they use both the imported and non-imported GetProcAddress.

  13. #12
    ~FALLEN~
    Quote Originally Posted by Ende!:
    Code:
    .text:4041D8D0 ; =============== S U B R O U T I N E =======================================
    .text:4041D8D0
    .text:4041D8D0
    .text:4041D8D0 sub_4041D8D0    proc near               ; CODE XREF: sub_4041C9F0+2Dp
    .text:4041D8D0                 push    esi
    .text:4041D8D1                 mov     esi, ecx
    .text:4041D8D3                 push    offset aAticfx32_dll ; "Aticfx32.dll"
    .text:4041D8D8                 call    LoadLibrary
    .text:4041D8DE                 test    eax, eax
    .text:4041D8E0                 jz      short loc_4041D909
    .text:4041D8E2                 push    offset aOpenadapter ; "OpenAdapter"
    .text:4041D8E7                 push    eax             ; hLibrary
    .text:4041D8E8                 call    GetProcAddress_1
    .text:4041D8EE                 test    eax, eax
    .text:4041D8F0                 mov     pOpenAdapter, eax
    .text:4041D8F5                 jz      short loc_4041D909
    .text:4041D8F7                 push    5
    .text:4041D8F9                 add     esi, 210h
    .text:4041D8FF                 push    eax
    .text:4041D900                 push    esi
    .text:4041D901                 call    sub_4042F9D0
    .text:4041D906                 add     esp, 0Ch
    .text:4041D909
    .text:4041D909 loc_4041D909:                           ; CODE XREF: sub_4041D8D0+10j
    .text:4041D909                                         ; sub_4041D8D0+25j
    .text:4041D909                 pop     esi
    .text:4041D90A                 retn
    .text:4041D90A sub_4041D8D0    endp
    .text:4041D90A
    .text:4041D90A ; ---------------------------------------------------------------------------
    .text:4041D90B                 align 10h
    .text:4041D910
    .text:4041D910 ; =============== S U B R O U T I N E =======================================
    .text:4041D910
    .text:4041D910
    .text:4041D910 sub_4041D910    proc near               ; CODE XREF: sub_4041C9F0+26p
    .text:4041D910                 push    esi
    .text:4041D911                 mov     esi, ecx
    .text:4041D913                 push    offset aNvd3dum_dll ; "Nvd3dum.DLL"
    .text:4041D918                 call    LoadLibrary
    .text:4041D91E                 test    eax, eax
    .text:4041D920                 jz      short loc_4041D949
    .text:4041D922                 push    offset aOpenadapter ; "OpenAdapter"
    .text:4041D927                 push    eax             ; hLibrary
    .text:4041D928                 call    GetProcAddress_1
    .text:4041D92E                 test    eax, eax
    .text:4041D930                 mov     dword_40540720, eax
    .text:4041D935                 jz      short loc_4041D949
    .text:4041D937                 push    5
    .text:4041D939                 add     esi, 1FCh
    .text:4041D93F                 push    eax
    .text:4041D940                 push    esi
    .text:4041D941                 call    sub_4042F9D0
    .text:4041D946                 add     esp, 0Ch
    .text:4041D949
    .text:4041D949 loc_4041D949:                           ; CODE XREF: sub_4041D910+10j
    .text:4041D949                                         ; sub_4041D910+25j
    .text:4041D949                 pop     esi
    .text:4041D94A                 retn
    .text:4041D94A sub_4041D910    endp
    .text:4041D94A
    .text:4041D94A ; ---------------------------------------------------------------------------
    .text:4041D94B                 align 10h
    Just a small quote from an IDB file of XTrapVA.dll I created ~Nov.12 (with cleaned Themida IAT calls and a reconstructed custom XT import table). I didn't perform further analysis; however, they obviously do 'something' with it. The sub_XX call is the function they use to obfuscate their pointers, which are put into a special structure that holds them all. I'm significantly too lazy to find the references to see what they are doing with it right now.

    Oh, by the way, that image came to mind when I reopened the IDB again. Probably nobody except ~FALLEN~ will understand it, but whatever, I'll post it anyway.
    Made me rofl so hard.... Why not just get the address by walking the PEB to enumerate modules and then walk the import table to get the ordinal and from there get the actual address.... I guess that's too much logic for XCrap to use... smh
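
The "walk the module's tables yourself" approach ~FALLEN~ describes is an export-directory walk, and it is also the only way to resolve a name once Ende!'s point is taken (GetProcAddress itself can only arrive through the IAT). As an added example, not XTrap's code and not code from anyone in this thread, here is a portable C resolver that takes a mapped PE32 image and returns the RVA of a named export: it reads DataDirectory[0], scans AddressOfNames, takes the matching index from AddressOfNameOrdinals and uses it to pick the AddressOfFunctions entry. The image it runs on is a constructed fixture (the names, the RVAs 0x1000 and 0x2000 and every offset are made up), and the point it adds over the prose is the bounds checking an analysis tool needs so a malformed table cannot push reads past the buffer, plus a refusal to follow forwarded exports. Locating the module base via the PEB is Windows-specific and is left out; the resolver takes the base as a pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors over a PE image held in a plain byte buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Resolve an export by name from a mapped PE32 image (RVA == buffer offset).
 * Returns the function RVA, or 0 when the name is absent, the export is a
 * forwarder, or any table would take a read outside the buffer. */
uint32_t resolve_export(const uint8_t *img, size_t len, const char *name) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3c);                                   /* e_lfanew */
    if (pe > len || len - pe < 24 + 104 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + pe + 24;                               /* IMAGE_OPTIONAL_HEADER32 */
    if (rd16(opt) != 0x10b) return 0;                                 /* PE32 only; PE32+ keeps the directory at +112 */
    uint32_t exp_rva = rd32(opt + 96), exp_size = rd32(opt + 100);    /* DataDirectory[0] */
    if (exp_rva == 0 || exp_rva > len || len - exp_rva < 40) return 0;
    const uint8_t *ed = img + exp_rva;                                /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfunc = rd32(ed + 20), nname = rd32(ed + 24);
    uint32_t afunc = rd32(ed + 28), aname = rd32(ed + 32), aord = rd32(ed + 36);
    /* every table must fit; 64-bit arithmetic so a huge count cannot wrap the check */
    if ((uint64_t)afunc + 4ull * nfunc > len || (uint64_t)aname + 4ull * nname > len ||
        (uint64_t)aord + 2ull * nname > len) return 0;
    for (uint32_t i = 0; i < nname; i++) {
        uint32_t name_rva = rd32(img + aname + 4 * i);
        if (name_rva >= len) return 0;
        const char *s = (const char *)img + name_rva;
        if (memchr(s, 0, len - name_rva) == NULL) return 0;           /* unterminated name string */
        if (strcmp(s, name) != 0) continue;
        uint16_t idx = rd16(img + aord + 2 * i);                      /* unbiased ordinal = index into AddressOfFunctions */
        if (idx >= nfunc) return 0;
        uint32_t fn = rd32(img + afunc + 4 * idx);
        if (fn >= exp_rva && fn < exp_rva + exp_size) return 0;       /* points into the directory: forwarder, not code */
        return fn;
    }
    return 0;
}

/* Constructed fixture: a minimal mapped PE32 image (headers plus an export
 * directory, no code) naming two functions. Nothing here comes from a real DLL. */
size_t build_test_image(uint8_t *buf, size_t cap) {
    enum { PE_OFF = 0x40, OPT_OFF = PE_OFF + 24, EXP_OFF = 0x200,
           FUNCS = 0x240, NAMES = 0x250, ORDS = 0x260, STRS = 0x270, IMG_LEN = 0x300 };
    static const char *names[2] = { "GetProcAddress", "OpenAdapter" };  /* name table must be sorted */
    static const uint32_t fn_rva[2] = { 0x1000, 0x2000 };               /* made-up code RVAs */
    if (cap < IMG_LEN) return 0;
    memset(buf, 0, IMG_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, PE_OFF);                    /* e_lfanew */
    memcpy(buf + PE_OFF, "PE\0\0", 4);
    wr16(buf + PE_OFF + 4, 0x14c);               /* Machine = i386 */
    wr16(buf + PE_OFF + 20, 224);                /* SizeOfOptionalHeader for PE32 */
    wr16(buf + OPT_OFF, 0x10b);                  /* PE32 magic */
    wr32(buf + OPT_OFF + 96, EXP_OFF);           /* export directory RVA */
    wr32(buf + OPT_OFF + 100, 0x100);            /* export directory size */
    wr32(buf + EXP_OFF + 16, 1);                 /* Base */
    wr32(buf + EXP_OFF + 20, 2);                 /* NumberOfFunctions */
    wr32(buf + EXP_OFF + 24, 2);                 /* NumberOfNames */
    wr32(buf + EXP_OFF + 28, FUNCS);             /* AddressOfFunctions */
    wr32(buf + EXP_OFF + 32, NAMES);             /* AddressOfNames */
    wr32(buf + EXP_OFF + 36, ORDS);              /* AddressOfNameOrdinals */
    uint32_t str = STRS;
    for (int i = 0; i < 2; i++) {
        wr32(buf + FUNCS + 4 * i, fn_rva[i]);
        wr32(buf + NAMES + 4 * i, str);
        wr16(buf + ORDS + 2 * i, (uint16_t)i);
        strcpy((char *)buf + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
    return IMG_LEN;
}

/* Build the fixture and resolve one name from it. */
uint32_t demo_resolve(const char *name) {
    uint8_t img[0x300];
    size_t n = build_test_image(img, sizeof img);
    return n ? resolve_export(img, n, name) : 0;
}

/* Same fixture with only the first 0x250 bytes treated as mapped: the name
 * table now lies past the end, so every lookup must fail cleanly. */
uint32_t demo_resolve_truncated(const char *name) {
    uint8_t img[0x300];
    size_t n = build_test_image(img, sizeof img);
    return n ? resolve_export(img, 0x250, name) : 0;
}

int main(void) {
    printf("OpenAdapter    -> RVA 0x%X\n", demo_resolve("OpenAdapter"));
    printf("GetProcAddress -> RVA 0x%X\n", demo_resolve("GetProcAddress"));
    printf("NoSuchExport   -> RVA 0x%X\n", demo_resolve("NoSuchExport"));
    printf("truncated      -> RVA 0x%X\n", demo_resolve_truncated("OpenAdapter"));
    return 0;
}
```

On a real mapped module the same function is called with the module base and the image size from the optional header; section-table translation is unnecessary because the loader has already laid the image out by RVA.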

  14. #13
    Ende!
    Quote Originally Posted by ~FALLEN~:
    Made me rofl so hard.... Why not just get the address by walking the PEB to enumerate modules and then walk the import table to get the ordinal and from there get the actual address.... I guess that's too much logic for XCrap to use... smh
    Do you really expect someone who implements a "detour detection" like that

    and string "encryption" using this technique

    to know about ANY Windows internals, even if they are trivial? :P

    Edit: Oh and in case of crypto-algorithms: better initialize the key multiple times, safety first.


    We should consider starting a thread to honor the glorious coding-skills of the XTrap developers - finding content to feed it definitely won't be a big deal.
    Last edited by Ende!; 03-14-2013 at 02:32 PM.

  15. The Following 2 Users Say Thank You to Ende! For This Useful Post:

    giniyat101 (03-18-2013),~FALLEN~ (03-15-2013)
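
The check the thread reads into XTrap's OpenAdapter lookup is a detour detection: does the driver's entry point still hold the bytes the driver shipped with? As an added example, not XTrap's code and not code posted in this thread, here is the defender's version of that check in portable C over byte buffers. It compares the live prologue against a trusted reference copy, classifies the inline-detour encodings a checker most often meets (E9 rel32, FF 25 indirect jmp, push/ret), decodes the E9 target, and flags the case that matters: a target outside the module that owns the function. The prologue bytes, the function address 0x6A3D1000, the module range and the target 0x10001000 are all constructed test values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 16

typedef enum {
    HOOK_NONE = 0,        /* live bytes match the trusted reference */
    HOOK_JMP_REL32,       /* E9 rel32: the usual 5-byte inline detour */
    HOOK_JMP_ABS_IND,     /* FF 25: jmp [abs32] on x86, jmp [rip+disp32] on x64 */
    HOOK_PUSH_RET,        /* 68 imm32 C3: push target; ret */
    HOOK_BYTES_DIFFER     /* modified, but not an encoding this check recognises */
} hook_kind;

/* Compare the live prologue of a function against a trusted reference copy,
 * e.g. the same bytes taken from the module file on disk and relocated. */
hook_kind classify_prologue(const uint8_t *live, const uint8_t *ref) {
    if (memcmp(live, ref, PROLOGUE_LEN) == 0) return HOOK_NONE;
    if (live[0] == 0xE9) return HOOK_JMP_REL32;
    if (live[0] == 0xFF && live[1] == 0x25) return HOOK_JMP_ABS_IND;
    if (live[0] == 0x68 && live[5] == 0xC3) return HOOK_PUSH_RET;
    return HOOK_BYTES_DIFFER;
}

/* Decode where an E9 rel32 at func_va lands: target = address of next insn + rel32.
 * Unsigned wraparound gives the same result as adding the signed displacement. */
uint32_t jmp_rel32_target(uint32_t func_va, const uint8_t *live) {
    uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                   ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
    return func_va + 5u + rel;
}

/* The suspicious case: control leaves the module that owns the function. */
int target_outside_module(uint32_t target, uint32_t mod_base, uint32_t mod_size) {
    return target < mod_base || target - mod_base >= mod_size;
}

/* Constructed fixture (not taken from any real driver): a typical x86 prologue
 * as the trusted reference, and the same function after a 5-byte detour has
 * overwritten its first instructions with jmp rel32. Bytes 5..15 are untouched,
 * which is what a 5-byte detour leaves behind. */
static const uint8_t ref_prologue[PROLOGUE_LEN] = {
    0x8B,0xFF, 0x55, 0x8B,0xEC, 0x83,0xEC,0x10, 0x53, 0x56, 0x57, 0x8B,0x7D,0x08, 0x33,0xC0 };
static const uint8_t hooked_prologue[PROLOGUE_LEN] = {
    0xE9, 0xFB,0xFF,0xC2,0xA5,  0x83,0xEC,0x10, 0x53, 0x56, 0x57, 0x8B,0x7D,0x08, 0x33,0xC0 };

#define FUNC_VA  0x6A3D1000u   /* constructed address of the checked function */
#define MOD_BASE 0x6A3C0000u   /* constructed base and size of the module that owns it */
#define MOD_SIZE 0x00100000u

hook_kind demo_clean(void)         { return classify_prologue(ref_prologue, ref_prologue); }
hook_kind demo_hooked(void)        { return classify_prologue(hooked_prologue, ref_prologue); }
uint32_t  demo_hooked_target(void) { return jmp_rel32_target(FUNC_VA, hooked_prologue); }
int       demo_hooked_outside(void) {
    return target_outside_module(demo_hooked_target(), MOD_BASE, MOD_SIZE);
}

int main(void) {
    printf("clean : kind=%d\n", demo_clean());
    printf("hooked: kind=%d target=0x%08X outside_module=%d\n",
           demo_hooked(), demo_hooked_target(), demo_hooked_outside());
    return 0;
}
```

The reference copy is the part that does the real work: a checker that only pattern-matches E9 is easy to sidestep with a less common encoding, whereas a byte-for-byte comparison against the on-disk image catches any change and the encoding classifier then merely explains what was found. A jump that stays inside the module's own range is worth reporting at a lower severity, since hot-patch stubs and compiler thunks legitimately look like that.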

  16. #14
    CrazyFrost
    DIPEngine works (just change some hook code), why make brainfuck with WDDM?

  17. #15
    logobalogo
    nice man )
