    1. #1
      edgar

      [CODE] Hooking Direct3D and using AntTweakBar

      I was going to post this originally on the UC forums but the crowd there sucks. Since you all are much cooler you get this code. Please don't paste this on other forums. Link back here and support Fleep!

      I've finally got my DLL to the point where it will make a good starting point for any hack. The attached code will hook into a target Direct3D application and display AntTweakBar. AntTweakBar makes a professional-looking menu for your hacks and it is relatively easy to use. If you aren't familiar with it, go to the link above and check it out. Now on to the code!

      The most common method of injecting into a process is to use a remote thread; however, if you do so after the application is running, you need to use pattern scanners, offsets, or other tricks to find EndScene. If you create a suspended process and use a remote thread then you can make a cleaner hook, but this can cause problems with applications that use launchers. For my hook I decided to install a global hook with SetWindowsHookEx. Here is the code for installing and uninstalling the global hook, which is exported from my DLL.

      Code:
      extern "C" void InstallHook(HWND hWnd, const char *pName)
      {
          hwnd = hWnd;
          targetName[0] = 0;
          if( pName )
          {
              strcpy_s(targetName,pName);
          }
      
          hHook = SetWindowsHookEx(WH_CBT, (HOOKPROC)HookProc, hins, 0);
          if (NULL == hHook) 
          {
              TCHAR msg[256];
              wsprintf(msg, TEXT("Cannot install hook, code: %d"), GetLastError());
              MessageBox(hwnd, msg, TEXT("error"), MB_ICONERROR);
          }
      }
      
      extern "C" void ReleaseHook()
      {
          if (hHook != NULL) 
          {
              BOOL bRes = UnhookWindowsHookEx(hHook);
              if (!bRes) MessageBox(hwnd, TEXT("Cannot remove hook."), TEXT("error"), MB_ICONERROR);
          }
      }

      This code is called from a hack manager application before you launch the target process. See the attached zip file for a C# example manager app.

      The hook DLL relies on global shared memory for passing data from the manager application and all instances of the target process. This shared data segment is the same for every process which has our DLL injected into it. The code for initializing the shared data is shown below.

      Code:
      #pragma data_seg (".shared")
      // only INITIALIZED variables in this block will actually end up in the shared section!!!
      // https://abdelrahmanogail.wordpress.com/2010/12/28/sharing-variables-between-several-instances-from-the-same-exe-or-dll/
      static HHOOK hHook = NULL;
      static HINSTANCE hins = NULL;
      static HWND hwnd = NULL;
      static char targetName[MAX_PATH] = "";
      #pragma data_seg ()

      Now let's look at the window hook code. This code is called by Windows for a variety of reasons. See the CBTProc documentation for more details. The event we are interested in is HCBT_CREATEWND which is called when the application calls CreateWindow. Since you need to call CreateWindow before calling Direct3DCreate9 we can safely hook up Direct3D with a clean and portable hook. Here is the CBT callback code.

      Code:
      extern "C" LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
      {
          if( HCBT_CREATEWND == nCode )
          {
              if( inTarget == false )
              {
                  char szPath[MAX_PATH];
      
                  if( GetModuleFileNameA( NULL, szPath, MAX_PATH ) )
                  {
                      if( strstr(szPath,targetName) )
                      {
                          OutputDebugString(_T("Found target process.  Hooking DirectX...\n"));
                          tDirect3DCreate9 _Direct3DCreate9 = (tDirect3DCreate9)GetProcAddress(GetModuleHandle(TEXT("d3d9.dll")),"Direct3DCreate9");
                          if( _Direct3DCreate9 != NULL )
                          {
                              dDirect3DCreate9 = new DetourXS(_Direct3DCreate9, hDirect3DCreate9);
                              oDirect3DCreate9 = (tDirect3DCreate9) dDirect3DCreate9->GetTrampoline();
                              inTarget = true;
                              SendMessage(hwnd,0xBEEF,GetCurrentProcessId(),0);
                          }
                      }
                  }
              }
          }
      
          return CallNextHookEx(hHook, nCode, wParam, lParam);
      }

      This code looks for a given module name to decide whether to hook Direct3D. Once we find the target process we set a flag so we can quickly exit this callback. This function is called a lot so it is important not to hog resources here.

      Now that we have Direct3DCreate9 detoured we can chain hook our way to EndScene in the usual manner. See the attached file for the full code. Next we need to initialize AntTweakBar and hook into the message queue, and IDirect3D9::CreateDevice() is the perfect place to do it. Here is the code from that detour.

      Code:
              TwInit(TW_DIRECT3D9, pD3D9Dev);
              pBar = TwNewBar("TESTBAR");
              TwDefine(" GLOBAL help='This example shows how to integrate AntTweakBar in a DirectX9 application.' "); // Message added to the help bar.
              TwDefine(" TESTBAR color='128 224 160' text=dark "); // Change TweakBar color and use dark text
              TwAddVarRW(pBar, "Color", TW_TYPE_COLOR3F, &gColor, " label='Strip color' ");
              drawTwBar = true;
      
              targetWindow = hFocusWindow != NULL ? hFocusWindow : pPresentationParameters->hDeviceWindow;
              if( targetWindow != NULL )
              {
                  RECT rect;
                  GetClientRect(targetWindow,&rect);
                  TwWindowSize(rect.right-rect.left,rect.bottom-rect.top);
                  // GWLP_WNDPROC is the index defined for both x86 and x64 builds
                  OldWindowProc = (WNDPROC)SetWindowLongPtr(targetWindow,GWLP_WNDPROC,(LONG_PTR)WindowProc);
              }

      The code above creates a bar with one color selector. See the AntTweakBar site for more examples on how to set up bars. Next we get the target window handle which was given to us and set up a new window procedure so we can intercept messages. Here is the code for the window procedure.

      Code:
      extern "C" LRESULT CALLBACK WindowProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
      {
          int handled = 0;
      
          if(WM_CLOSE == message)
          {
              drawTwBar = false;
              TwTerminate();
          }
          else
          {
              handled = TwEventWin(hWnd,message,wParam,lParam);
          }
      
          return handled ? 0 : CallWindowProc(OldWindowProc, hWnd, message, wParam, lParam);
      }

      This code uses the WM_CLOSE message as a signal to clean up the bars. The rest of the messages are passed to the AntTweakBar message pump and then on to the target application only if AntTweakBar didn't handle the message.

      Virus Scan: https://www.virustotal.com/en/file/2...is/1365030388/

      Below are screenshots of it all in action. Enjoy.

      CREDITS

      DetourXS: Easy to use detour library with x86 and x64 support. https://dreaminpixels.co.uk/detourxs...tours-library/
      LDE64: Small length disassembler to feed DetourXS. https://beatrix2004.free.fr/tools.html
      DirectXTutorials.com: Great site. Ripped the D3D test app from there. https://www.directxtutorial.com/Less...lessonid=9-4-1
      AntTweakBar: Powerful UI for 3D apps. https://anttweakbar.sourceforge.net/doc/

      EDIT: I fixed the x64 build problem. Here's the new code and new v-scan. https://www.virustotal.com/en/file/f...is/1365032140/
      Attached Thumbnails: injector.PNG, dxapp.PNG
      Last edited by edgar; 04-03-2013 at 07:03 PM. Reason: Added credits

    2. Thanks Chuck E, Fleep, N/A, Syperus, tinmar0, Greg798 thanked for this post
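
From a defender's side, the shared data segment described in post #1 leaves a static marker: once the linker marks `.shared` as shared (the `#pragma data_seg` shown only names the section), its section header carries IMAGE_SCN_MEM_SHARED together with IMAGE_SCN_MEM_WRITE. The following Python triage script is an added example, not code from edgar's post or the attached project; it lists such sections in a PE file, and the function names and the header-only sample image are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_SHARED = 0x10000000  # section is shared between processes
IMAGE_SCN_MEM_WRITE = 0x80000000   # section is writable


def shared_writable_sections(pe: bytes) -> list:
    """Return names of PE sections flagged both shared and writable."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(pe):
        raise ValueError("missing or truncated PE header")
    # COFF header: Machine, NumberOfSections, 12 bytes skipped,
    # SizeOfOptionalHeader, Characteristics
    _machine, count, opt_size, _chars = struct.unpack_from(
        "<HH12xHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size   # section table follows optional header
    wanted = IMAGE_SCN_MEM_SHARED | IMAGE_SCN_MEM_WRITE
    hits = []
    for i in range(count):
        off = table + 40 * i           # each section header is 40 bytes
        if off + 40 > len(pe):
            raise ValueError("truncated section table")
        # Name is the first 8 bytes, Characteristics the last 4
        name, flags = struct.unpack_from("<8s28xI", pe, off)
        if (flags & wanted) == wanted:
            hits.append(name.rstrip(b"\0").decode("ascii", "replace"))
    return hits


def build_sample(sections) -> bytes:
    """Constructed header-only image for the demo (no code or data)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HH12xHH", 0x14C, len(sections), 0, 0x2102)
    table = b"".join(struct.pack("<8s28xI", n, f) for n, f in sections)
    return dos + b"PE\0\0" + coff + table


# Constructed sample: .shared is read/write/shared initialized data
SAMPLE = build_sample([
    (b".text", 0x60000020),
    (b".data", 0xC0000040),
    (b".shared", 0xD0000040),
])

if __name__ == "__main__":
    print(shared_writable_sections(SAMPLE))
```

A hit is a lead for review rather than a verdict, since legitimate software also uses shared sections; section names are arbitrary, so the check keys on the flags, not on the name `.shared`.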
    3. #2
      GAFO666
      looks pretty nice, just if I compile your sln there are 2 errors -> GWL_WNDPROC not defined in main.cpp at line 98 and 132
      here as it is in my compiler:
      2>main.cpp(98): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner
      2>main.cpp(132): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner

    4. #3
      edgar
      Quote (originally posted by GAFO666):
      looks pretty nice, just if I compile your sln there are 2 errors -> GWL_WNDPROC not defined in main.cpp at line 98 and 132
      here as it is in my compiler:
      2>main.cpp(98): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner
      2>main.cpp(132): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner
      Are you building with VS2012? That definition should be in winuser.h. Check your installed SDK.

    5. #4
      GAFO666
      yep I have VS2012 Ultimate
      Maybe you can give me a hint where I should check~
      (I'm normally trolling around in c++&VC++, just doing VC# since some weeks)

    6. #5
      Chuck E
      Thanks for contributing this to GH, matey. I'll be sure to take a good look at it tomorrow, and that AntTweakBar. See how it all works. Goodly knowledge for the brainpan.

    7. #6
      Fleep
      Excellent post Edgar, thanks for the release.
      In future when you attach a file post a virus scan to let our members know it's a safe file.

      Fleep

    8. #7
      edgar
      Quote (originally posted by Fleep):
      Excellent post Edgar, thanks for the release.
      In future when you attach a file post a virus scan to let our members know it's a safe file.

      Fleep
      Sorry. It was just code so I didn't think of that... Here you go. https://www.virustotal.com/en/file/2...is/1365030388/

      SHA256: 257e307f4d8374a25c446a3ba140440fb4f44367a94a1f4884848d9d477fc29f
      File name: hooktest4gh.zip
      Detection ratio: 0 / 46
      Analysis date: 2013-04-03 23:06:28 UTC ( 0 minutes ago )

      Quote (originally posted by GAFO666):
      yep I have VS2012 Ultimate
      Maybe you can give me a hint where I should check~
      (I'm normally trolling around in c++&VC++, just doing VC# since some weeks)
      On my machine it is at c:\Program Files (x86)\Windows Kits\8.0\Include\um\WinUser.h

      #define GWL_WNDPROC (-4)
      Last edited by edgar; 04-03-2013 at 06:18 PM.

    9. Thanks Fleep thanked for this post
    10. #8
      GAFO666
      yh it's in there, see :O https://pastebin.com/wzc5hi1M line 1810
      hmm bit confusing why it won't work >.<
      Last edited by GAFO666; 04-03-2013 at 06:29 PM.

    11. #9
      edgar
      Quote (originally posted by GAFO666):
      yh it's in there, see :O https://pastebin.com/wzc5hi1M
      line 1810
      You are building for x64 and it is defined as GWLP_WNDPROC for x64. Sorry. I didn't compile for x64 before zipping it. Just test with x86 for now or replace GWL_WNDPROC with GWLP_WNDPROC.

    12. #10
      GAFO666
      ah ok, if I compile it as x86, it works
      btw which prog you use for testing it out ? :x just saw the framename "Our First Direct3D Program"
      anyways, thanks for that hint :P
