[CODE] Hooking Direct3D and using AntTweakBar


edgar

I was going to post this originally on the UC forums but the crowd there sucks. Since you all are much cooler you get this code. Please don't paste this on other forums. Link back here and support Fleep!

I've finally got my DLL to the point where it will make a good starting point for any hack. The attached code will hook into a target Direct3D application and display AntTweakBar. AntTweakBar makes a professional-looking menu for your hacks and it is relatively easy to use. If you aren't familiar with it, go to the link above and check it out. Now on to the code!

The most common method of injecting into a process is to use a remote thread; however, if you do so after the application is running you need to use pattern scanners, offsets, or other tricks to find EndScene. If you create a suspended process and use a remote thread then you can make a cleaner hook, but this can cause problems with applications that use launchers. For my hook I decided to install a global hook with SetWindowsHookEx. Here is the code for installing and uninstalling the global hook, which is exported from my DLL.

C++:
extern "C" void InstallHook(HWND hWnd, const char *pName)
{
    hwnd = hWnd;
    targetName[0] = 0;
    if( pName )
    {
        strcpy_s(targetName,pName);
    }

    hHook = SetWindowsHookEx(WH_CBT, (HOOKPROC)HookProc, hins, 0);
    if (NULL == hHook) 
    {
        TCHAR msg[256];
        wsprintf(msg, TEXT("Cannot install hook, code: %d"), GetLastError());
        MessageBox(hwnd, msg, TEXT("error"), MB_ICONERROR);
    }
}

extern "C" void ReleaseHook()
{
    if (hHook != NULL) 
    {
        BOOL bRes = UnhookWindowsHookEx(hHook);
        if (!bRes) MessageBox(hwnd, TEXT("Cannot remove hook."), TEXT("error"), MB_ICONERROR);
    }
}

This code is called from a hack manager application before you launch the target process. See the attached zip file for a C# example manager app.

The hook DLL relies on global shared memory for passing data from the manager application and all instances of the target process. This shared data segment is the same for every process which has our DLL injected into it. The code for initializing the shared data is shown below.

C++:
#pragma data_seg (".shared")
// only INITIALIZED variables in this block will actually end up in the shared section!!!
// https://abdelrahmanogail.wordpress.com/2010/12/28/sharing-variables-between-several-instances-from-the-same-exe-or-dll/
static HHOOK hHook = NULL;
static HINSTANCE hins = NULL;
static HWND hwnd = NULL;
static char targetName[MAX_PATH] = "";
#pragma data_seg ()

Now let's look at the window hook code. This code is called by Windows for a variety of reasons. See the CBTProc documentation for more details. The event we are interested in is HCBT_CREATEWND, which is called when the application calls CreateWindow. Since you need to call CreateWindow before calling Direct3DCreate9, we can safely hook up Direct3D with a clean and portable hook. Here is the CBT callback code.

C++:
extern "C" LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if( HCBT_CREATEWND == nCode )
    {
        if( inTarget == false )
        {
            char szPath[MAX_PATH];

            if( GetModuleFileNameA( NULL, szPath, MAX_PATH ) )
            {
                if( strstr(szPath,targetName) )
                {
                    OutputDebugString(_T("Found target process.  Hooking DirectX...\n"));
                    tDirect3DCreate9 _Direct3DCreate9 = (tDirect3DCreate9)GetProcAddress(GetModuleHandle(TEXT("d3d9.dll")),"Direct3DCreate9");
                    if( _Direct3DCreate9 != NULL )
                    {
                        dDirect3DCreate9 = new DetourXS(_Direct3DCreate9, hDirect3DCreate9);
                        oDirect3DCreate9 = (tDirect3DCreate9) dDirect3DCreate9->GetTrampoline();
                        inTarget = true;
                        SendMessage(hwnd,0xBEEF,GetCurrentProcessId(),0);
                    }
                }
            }
        }
    }

    return CallNextHookEx(hHook, nCode, wParam, lParam);
}

This code looks for a given module name to decide whether to hook Direct3D. Once we find the target process we set a flag so we can quickly exit this callback. This function is called a lot so it is important not to hog resources here.

Now that we have Direct3DCreate9 detoured we can chain hook our way to EndScene in the usual manner. See the attached file for the full code. Next we need to initialize AntTweakBar and hook into the message queue, and IDirect3D9::CreateDevice() is the perfect place to do it. Here is the code from that detour.

C++:
        TwInit(TW_DIRECT3D9, pD3D9Dev);
        pBar = TwNewBar("TESTBAR");
        TwDefine(" GLOBAL help='This example shows how to integrate AntTweakBar in a DirectX9 application.' "); // Message added to the help bar.
        TwDefine(" TESTBAR color='128 224 160' text=dark "); // Change TweakBar color and use dark text
        TwAddVarRW(pBar, "Color", TW_TYPE_COLOR3F, &gColor, " label='Strip color' ");
        drawTwBar = true;

        targetWindow = hFocusWindow != NULL ? hFocusWindow : pPresentationParameters->hDeviceWindow;
        if( targetWindow != NULL )
        {
            RECT rect;
            GetClientRect(targetWindow,&rect);
            TwWindowSize(rect.right-rect.left,rect.bottom-rect.top);
            OldWindowProc = (WNDPROC)SetWindowLongPtr(targetWindow,GWLP_WNDPROC,(LONG_PTR)WindowProc); // GWLP_WNDPROC: GWL_WNDPROC is not defined for 64-bit builds
        }

The code above creates a bar with one color selector. See the AntTweakBar site for more examples on how to set up bars. Next we get the target window handle which was given to us and set up a new window procedure so we can intercept messages. Here is the code for the window procedure.

C++:
extern "C" LRESULT CALLBACK WindowProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    int handled = 0;

    if(WM_CLOSE == message)
    {
        drawTwBar = false;
        TwTerminate();
    }
    else
    {
        handled = TwEventWin(hWnd,message,wParam,lParam);
    }

    return handled ? 0 : CallWindowProc(OldWindowProc, hWnd, message, wParam, lParam);
}

This code uses the WM_CLOSE message as a signal to clean up the bars. The rest of the messages are passed to the AntTweakBar message pump and then on to the target application only if AntTweakBar didn't handle the message.

Virus Scan: https://www.virustotal.com/en/file/2...is/1365030388/

Below are screenshots of it all in action. Enjoy.

CREDITS

DetourXS: Easy to use detour library with x86 and x64 support. https://dreaminpixels.co.uk/detourxs-a-x8664-detours-library/
LDE64: Small length disassembler to feed DetourXS. https://beatrix2004.free.fr/tools.html
DirectXTutorials.com: Great site. Ripped the D3D test app from there. https://www.directxtutorial.com/Lesson.aspx?lessonid=9-4-1
AntTweakBar: Powerful UI for 3D apps. https://anttweakbar.sourceforge.net/doc/

EDIT: I fixed the x64 build problem. Here's the new code and new v-scan. https://www.virustotal.com/en/file/...8a1846961de35db79063d335/analysis/1365032140/
 

Last edited:
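The shared data segment described in the first post shows up in the DLL's section table: a section flagged both IMAGE_SCN_MEM_SHARED and IMAGE_SCN_MEM_WRITE is mapped read-write into every process that loads the module, so any of those processes can change the values. The following is an added example, not part of the original post or its attachment: a bounds-checked section-table scan that reports such sections. The function names and the header-only sample image are constructed for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

constexpr uint32_t SCN_MEM_SHARED = 0x10000000; // IMAGE_SCN_MEM_SHARED
constexpr uint32_t SCN_MEM_WRITE  = 0x80000000; // IMAGE_SCN_MEM_WRITE

// Bounds-checked read; assumes a little-endian host, like the PE format itself.
template <typename T>
static bool rd(const std::vector<uint8_t>& b, size_t off, T& out) {
    if (off > b.size() || b.size() - off < sizeof(T)) return false;
    std::memcpy(&out, b.data() + off, sizeof(T));
    return true;
}

// Names of sections mapped both shared and writable; empty if none or malformed.
std::vector<std::string> sharedWritableSections(const std::vector<uint8_t>& img) {
    std::vector<std::string> hits;
    uint16_t mz = 0, nsec = 0, optSize = 0;
    uint32_t peOff = 0, sig = 0;
    if (!rd(img, 0, mz) || mz != 0x5A4D) return hits;               // "MZ"
    if (!rd(img, 0x3C, peOff) || !rd(img, peOff, sig) || sig != 0x4550) return hits;
    if (!rd(img, size_t(peOff) + 6, nsec) || !rd(img, size_t(peOff) + 20, optSize)) return hits;
    const size_t table = size_t(peOff) + 24 + optSize;              // section table
    for (size_t i = 0; i < nsec; ++i) {
        const size_t hdr = table + i * 40;                          // 40-byte headers
        uint32_t flags = 0;
        if (!rd(img, hdr + 36, flags)) break;                       // Characteristics
        if ((flags & SCN_MEM_SHARED) && (flags & SCN_MEM_WRITE)) {
            char name[9] = {0};                                     // Name may lack a NUL
            std::memcpy(name, img.data() + hdr, 8);
            hits.emplace_back(name);
        }
    }
    return hits;
}

// Constructed sample: headers only, ".text" (RX) and ".shared" (RW + shared).
std::vector<uint8_t> sampleImage() {
    std::vector<uint8_t> b(0x40 + 24 + 2 * 40, 0);
    auto put = [&b](size_t off, uint32_t v, size_t n) { std::memcpy(&b[off], &v, n); };
    put(0x00, 0x5A4D, 2); put(0x3C, 0x40, 4); put(0x40, 0x4550, 4);
    put(0x46, 2, 2);                                                // NumberOfSections
    std::memcpy(&b[0x58], ".text", 5);   put(0x58 + 36, 0x60000020, 4);
    std::memcpy(&b[0x80], ".shared", 7); put(0x80 + 36, 0xD0000040, 4);
    return b;
}
```

The section name is arbitrary, so the check keys on the characteristics flags rather than on the string ".shared".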
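A detour on Direct3DCreate9 like the one in the first post rewrites the first bytes of the export, which an integrity check can see by comparing the loaded entry point with the same bytes in the DLL file on disk. The following is an added example, not code from the post or from DetourXS: it classifies common redirect stubs and resolves where a relative jump lands. All names, addresses and byte arrays are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

enum class Patch { Clean, JmpRel32, JmpIndirect, MovRaxJmpRax, PushRet, Unknown };

struct Finding {
    Patch kind;
    uint64_t target;      // resolved only for JmpRel32
    bool leavesModule;    // target lies outside [modBase, modBase + modSize)
};

// Recognise common redirect stubs at a function entry (not tied to one library).
Patch classify(const uint8_t* p, size_t n) {
    if (n >= 5 && p[0] == 0xE9) return Patch::JmpRel32;                    // jmp rel32
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return Patch::JmpIndirect; // jmp [mem]
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return Patch::MovRaxJmpRax;                                        // mov rax, imm64; jmp rax
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return Patch::PushRet;     // push imm32; ret
    return Patch::Unknown;                                                 // modified, pattern not known
}

// mem:  bytes read at the export's address (va) in the live process.
// disk: the same bytes taken from the DLL file on disk.
Finding checkPrologue(const uint8_t* mem, const uint8_t* disk, size_t n,
                      uint64_t va, uint64_t modBase, uint64_t modSize) {
    Finding f{Patch::Clean, 0, false};
    if (std::memcmp(mem, disk, n) == 0) return f;    // unmodified entry point
    f.kind = classify(mem, n);
    if (f.kind == Patch::JmpRel32) {
        int32_t rel;
        std::memcpy(&rel, mem + 1, sizeof rel);
        // Target = address of the next instruction + signed displacement.
        f.target = va + 5 + static_cast<uint64_t>(static_cast<int64_t>(rel));
        f.leavesModule = f.target < modBase || f.target - modBase >= modSize;
    }
    return f;
}

// Constructed bytes: an x86 prologue as on disk, and the same entry after a 5-byte jmp patch.
static const uint8_t kDisk[8]    = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const uint8_t kPatched[8] = {0xE9, 0xFB, 0xEF, 0xFF, 0x5F, 0x83, 0xEC, 0x10};

Finding demoPatched() { return checkPrologue(kPatched, kDisk, 8, 0x10001000, 0x10000000, 0x200000); }
Finding demoClean()   { return checkPrologue(kDisk, kDisk, 8, 0x10001000, 0x10000000, 0x200000); }
```

A mismatch is a lead rather than a verdict: overlays and capture tools also patch Direct3D entry points, and bytes covered by base relocations differ from the file legitimately.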

GAFO666

looks pretty nice, just if I compile your sln there are 2 errors -> GWL_WNDPROC not defined in main.cpp at line 98 and 132
here as it is in my compiler:
2>main.cpp(98): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner
2>main.cpp(132): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner
 

edgar

> looks pretty nice, just if I compile your sln there are 2 errors -> GWL_WNDPROC not defined in main.cpp at line 98 and 132
> here as it is in my compiler:
> 2>main.cpp(98): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner
> 2>main.cpp(132): error C2065: 'GWL_WNDPROC': nichtdeklarierter Bezeichner

Are you building with VS2012? That definition should be in winuser.h. Check your installed SDK.
 

GAFO666

yep I have VS2012 Ultimate :)
Maybe you can give me a hint where I should check~
(I'm normally trolling around in c++&VC++, just doing VC# since some weeks)
 

Chuck E

Thanks for contributing this to GH, matey :) I'll be sure to take a good look at it tomorrow, and that AntTweakBar. See how it all works. Goodly knowledge for the brainpan :D
 

Fleep

Excellent post Edgar, thanks for the release.
In future when you attach a file post a virus scan to let our members know it's a safe file.

Fleep
 

edgar

> Excellent post Edgar, thanks for the release.
> In future when you attach a file post a virus scan to let our members know it's a safe file.
>
> Fleep

Sorry. It was just code so I didn't think of that... Here you go. https://www.virustotal.com/en/file/...a94a1f4884848d9d477fc29f/analysis/1365030388/

SHA256: 257e307f4d8374a25c446a3ba140440fb4f44367a94a1f4884848d9d477fc29f
File name: hooktest4gh.zip
Detection ratio: 0 / 46
Analysis date: 2013-04-03 23:06:28 UTC ( 0 minutes ago )

> yep I have VS2012 Ultimate :)
> Maybe you can give me a hint where I should check~
> (I'm normally trolling around in c++&VC++, just doing VC# since some weeks)

On my machine it is at c:\Program Files (x86)\Windows Kits\8.0\Include\um\WinUser.h

#define GWL_WNDPROC (-4)
 
Last edited:

GAFO666

ah ok, if I compile it as x86, it works ;)
btw which prog you use for testing it out ? :x just saw the framename "Our First Direct3D Program"
anyways, thanks for that hint :p
 

edgar

> btw which prog you use for testing it out ?

See the dxapp project in the code. Just a simple DX9 app I found on the net. This should work with any DX9 app but I haven't tested it on anything yet.

If you want a quick test just build it and run the C# app. Then select hook32.dll, set the target name to dxapp, and hit the button. Then run dxapp to see the results.
 
Last edited:

GAFO666

Thanks, it's rly impressive to me, well I'm gonna look into that some hrs later, it's 01:58 here in Germany and I have school soon :p
It will be rly fun to find out how to make basic and advanced menus on my own with click-features etc ;)
 
Last edited:

edgar

I did some tests with Planetside 2 and here are some results.

1) The target name string comparison is currently case-sensitive so you need to enter "PlanetSide2" for the hook to activate.
2) AntTweakBar displays on the loading screen but PS2 crashes before getting to the character select screen. Removing AntTweakBar calls from the render and event loops fixes the problem. :(
 

c5

Neat, thanks for sharing. :)
 

Syperus

Thanks for sharing this code with us edgar! I'll try this out today on one of the projects we're currently working on. :)
 

edgar

I fixed the issues with PS2 for the most part. The UI doesn't display correctly on the login screen because the menu is being drawn over my stuff. It is working good in game though. I'll post the updated code later tonight.

ant_ps2.png
 

GAFO666

I think this would be more interesting for all members of GH if we would know how to make tabs, buttons n stuff and bind different funcs on every object like a button/checkbox (idk what's all possible with that)~
-> Written anywhere or in a video tut (didn't have that much time to look over it at all, just parts)

only 2 exams left, so I will have soon time to work on all stuff I wanted to (till study starts I'll have about 4 months free time xD)
 

edgar

> I think this would be more interesting for all members of GH if we would know how to make tabs, buttons n stuff and bind different funcs on every object like a button/checkbox (idk what's all possible with that)~
> -> Written anywhere or in a video tut (didn't have that much time to look over it at all, just parts)
>
> only 2 exams left, so I will have soon time to work on all stuff I wanted to (till study starts I'll have about 4 months free time xD)

You can find all that info here: https://anttweakbar.sourceforge.net/doc/

https://anttweakbar.sourceforge.net/doc/tools:anttweakbar:twaddbutton
 