A little function that searches your application's memory for the VirtualTable of the DevicePointer.
This function finds the device pointer's vtable by scanning for the following logic:
Code:
    Vtable.DWORD1 > Vtable.DWORD2 & Vtable.DWORD3
    Vtable.DWORD2 > Vtable.DWORD3
    Vtable.DWORD1 < Vtable.DWORD4
    Vtable.DWORD5 > Vtable.DWORD4
    etc... etc...
    && Vtable[0x3] == Vtable[0x7] == Vtable[0x..] == ... etc... etc
This method is not 100% successful all the time. However, I've tested it on 7 games and only in 1 game did it return a wrong pointer (Dragon Age 2).
You should check the pointer that is returned though. You could do this by checking if the vtable function pointers point to functions (see if they begin with the standard Windows prologue code: mov ebp, esp).
This function is also slow; it may take up to 5 seconds for it to return (depending on how high a memory location the Vtable is located at).
Code:
    #include <windows.h>
    #include <cstdio>
    #include <string>

    #pragma comment(lib, "VtableScan.lib")

    // Scanner exported from VtableScan.lib; returns the vtable address (or something that looks like it)
    extern "C" {
        DWORD __stdcall ScanTable();
    }

    DWORD WINAPI MainThread(LPVOID);

    BOOL APIENTRY DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH) {
            HANDLE hThread = CreateThread(NULL, 0, MainThread, NULL, 0, NULL);
            if (hThread) CloseHandle(hThread); // the thread keeps running; we only drop our handle to it
        }
        return TRUE;
    }

    DWORD WINAPI MainThread(LPVOID)
    {
        // wait until the game has loaded Direct3D 9
        while (!GetModuleHandleA("d3d9.dll")) {
            Sleep(1000);
        }

        DWORD Vtable = ScanTable(); // returns the vtable (or something that looks like it)

        char buffer[16] = "";
        std::string OutString = "Vtable Location: 0x";
        snprintf(buffer, sizeof buffer, "%x", (unsigned)Vtable);
        OutString += buffer;
        MessageBoxA(NULL, OutString.c_str(), "SCHiM", MB_OK); // output
        return 0;
    }
Virs:
Jotti
Virscan
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
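The sanity check the post recommends for the returned pointer, written out as an added example (not SCHiM's code): every vtable slot must point inside the module's code and begin with the standard 32-bit MSVC prologue (push ebp; mov ebp, esp = 55 8B EC). The code region here is a constructed stand-in; in a live process you would take the bounds from VirtualQuery or the PE section headers (assumption, not from the post).

```cpp
#include <cstdint>
#include <cstddef>
#include <cstring>

// Load address and bytes of the target module's code (constructed stand-in
// for what VirtualQuery / the PE section table would give you).
struct CodeRegion {
    uint32_t       base;
    const uint8_t* bytes;
    size_t         size;
};

// Standard 32-bit MSVC prologue: push ebp (55) ; mov ebp, esp (8B EC).
static bool LooksLikeFunction(const CodeRegion& r, uint32_t addr) {
    if (addr < r.base || addr - r.base + 3 > r.size) return false;  // outside the code region
    const uint8_t* p = r.bytes + (addr - r.base);
    return p[0] == 0x55 && p[1] == 0x8B && p[2] == 0xEC;
}

// Number of leading vtable slots whose targets look like real functions.
// A genuine device vtable should pass for every slot you check.
size_t ValidVtableSlots(const CodeRegion& r, const uint32_t* vtable, size_t n) {
    size_t ok = 0;
    for (; ok < n; ++ok)
        if (!LooksLikeFunction(r, vtable[ok])) break;
    return ok;
}

bool IsPlausibleVtable(const CodeRegion& r, const uint32_t* vtable, size_t n) {
    return n > 0 && ValidVtableSlots(r, vtable, n) == n;
}

// ---- constructed sample data (not a real game or d3d9.dll) ----
static const uint32_t kBase = 0x10001000u;
static uint8_t g_code[64];

static CodeRegion SampleRegion() {
    std::memset(g_code, 0xCC, sizeof g_code);               // int3 padding between functions
    static const uint8_t prologue[3] = {0x55, 0x8B, 0xEC};
    for (size_t off = 0; off < sizeof g_code; off += 16)    // fake functions at +0, +16, +32, +48
        std::memcpy(g_code + off, prologue, sizeof prologue);
    return CodeRegion{kBase, g_code, sizeof g_code};
}

// good=true: all slots hit the fake functions. good=false: slot 2 lands mid-function and
// slot 3 is outside the region, the kind of false positive the scanner can return.
size_t ValidSlotsInSample(bool good) {
    CodeRegion r = SampleRegion();
    uint32_t goodTable[4] = {kBase, kBase + 16, kBase + 32, kBase + 48};
    uint32_t badTable[4]  = {kBase, kBase + 8,  0x00000000u, kBase + 48};
    return ValidVtableSlots(r, good ? goodTable : badTable, 4);
}
```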
This is pretty neat, I'll give it a look
Good job
Epic shit dude! Thanks a lot!
Are u a mathematical genius or something?
Well done!!!
Thanks for all the responses, post back if it works. If it doesn't I'll see what I can do
Makes everything I've made, look ridiculously easy :P
any reason for using this over a sigscan? <:
Ah we-a blaze the fyah, make it bun dem!
Not in particular, but signature scans have to be updated every once in a while. This won't need an update, and even if it will need one in the future, it can be done in 5/10 minutes.
EDIT: Now that I think about it, you could make an automatic updater, so this won't need to be updated manually.
Last edited by .::SCHiM::.; 05-20-2011 at 05:46 AM.
Fuck off Cookie. Stop ruining good threads.
@schim, looks fantastic mate.
Originally Posted by Jeremy S. Anderson:
You can win the rat race,
But you're still nothing but a fucking RAT.
++Latest Projects++
[Open Source] Injection Library
Simple PE Cipher
FilthyHooker - Simple Hooking Class
CLR Injector - Inject .NET dlls with ease
Simple Injection - An in-depth look
MPGH's .NET SDK
eJect - Simple Injector
Basic PE Explorer (BETA)
.::SCHiM::. (05-20-2011)
Amazing Job.