Solved Help Hooking VirtualQuery


FloppyWhale

Jr.Coder
Full Member
Nobleman
Jan 12, 2015
Hi guys! After getting help on how to hook, thanks to Rake, I decided to try and make a hack for Warface. I have no clue if this will work because ATM, I'm reinstalling my game. Any help would be greatly appreciated!

The hook :
C++:
typedef SIZE_T(__stdcall * tVirtualQuery) (_In_ HDC hDc);
tVirtualQuery oVirtualQuery;

SIZE_T __stdcall hVirtualQuery(_In_ HDC hDc)
{
	return false;
}

void hookVQ()
{
	HMODULE hMod = GetModuleHandle(L"kernel32.dll");
	if (hMod)
	{
		oVirtualQuery = (tVirtualQuery)(DWORD)GetProcAddress(hMod, "wVirtualQuery");
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach(&(PVOID&)oVirtualQuery, hVirtualQuery);
		DetourTransactionCommit();
	}
}
I also have another question. Is kernel32.dll the right module? I put that because I was reading about it here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366902(v=vs.85).aspx

Anyhow, thanks for any help!
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
FloppyWhale said:
I'm still a noob at this stuff. :s Anyhow, once I made the function prototype and I want to return it, what would I put in the ()'s in
C++:
return oVirtualQuery()
?
C++:
#include <windows.h>
#include <detours.h>

typedef SIZE_T(__stdcall * tVirtualQuery)(const void *, MEMORY_BASIC_INFORMATION *, SIZE_T);
tVirtualQuery oVirtualQuery = nullptr;
 
SIZE_T __stdcall hVirtualQuery(const void * pAddress, MEMORY_BASIC_INFORMATION * pMemInfo, SIZE_T BufferSize)
{
    //checks here
    return oVirtualQuery(pAddress, pMemInfo, BufferSize);
}
 
void hookVQ()
{
    HMODULE hMod = GetModuleHandleW(L"kernel32.dll");
    if (hMod)
    {
        // Cast straight to the function pointer type. Going through (DWORD) first
        // truncates the address on x64; it only happened to work on 32-bit.
        oVirtualQuery = (tVirtualQuery)GetProcAddress(hMod, "VirtualQuery");
        if (!oVirtualQuery)
            return;
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)oVirtualQuery, hVirtualQuery);
        DetourTransactionCommit();
    }
}
This should do for the actual detouring. I don't know about the anti cheat specific checks though. Of course you can try to just return 0 instead, though.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
I fixed 2 problems I saw:

C++:
typedef SIZE_T(__stdcall * tVirtualQuery) (_In_ HDC hDc);
tVirtualQuery oVirtualQuery;

SIZE_T __stdcall hVirtualQuery(_In_ HDC hDc)
{
	return oVirtualQuery(hDc);
}

void hookVQ()
{
	HMODULE hMod = GetModuleHandle(L"kernel32.dll");
	if (hMod)
	{
		oVirtualQuery = (tVirtualQuery)(DWORD)GetProcAddress(hMod, "VirtualQuery");
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach(&(PVOID&)oVirtualQuery, hVirtualQuery);
		DetourTransactionCommit();
	}
}
 

FloppyWhale

Jr.Coder
Full Member
Nobleman
Jan 12, 2015
Rake;41304 said:
I fixed 2 problems I saw:

C++:
typedef SIZE_T(__stdcall * tVirtualQuery) (_In_ HDC hDc);
tVirtualQuery oVirtualQuery;

SIZE_T __stdcall hVirtualQuery(_In_ HDC hDc)
{
	return oVirtualQuery(hDc);
}

void hookVQ()
{
	HMODULE hMod = GetModuleHandle(L"kernel32.dll");
	if (hMod)
	{
		oVirtualQuery = (tVirtualQuery)(DWORD)GetProcAddress(hMod, "VirtualQuery");
		DetourTransactionBegin();
		DetourUpdateThread(GetCurrentThread());
		DetourAttach(&(PVOID&)oVirtualQuery, hVirtualQuery);
		DetourTransactionCommit();
	}
}
The first one, where you put
C++:
return oVirtualQuery(hDc)
I don't think was needed, because here, https://www.unkn0wncheats.me/forum/anti-cheat-bypass/172444-bypass-warface.html#post1428345, it says that you need to make it return false & have it not call it anymore. Or is there another way to do that?
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
FloppyWhale said:
The first one, where you put
C++:
return oVirtualQuery(hDc)
I don't think was needed, because here, https://www.unkn0wncheats.me/forum/anti-cheat-bypass/172444-bypass-warface.html#post1428345, it says that you need to make it return false & have it not call it anymore. Or is there another way to do that?
No. I don't know the context of what you are doing, but guessing from that post, it depends on where VirtualQuery has been called from. You can't just let it return false all the time, since there are probably normal APIs using it.
Furthermore I'm not sure what your function prototype is supposed to be: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366902(v=vs.85).aspx
It should be
C++:
typedef SIZE_T(__stdcall * tVirtualQuery)(const void *, MEMORY_BASIC_INFORMATION *, SIZE_T);
You either need to check from where VQ has been called or you need to hook the calls of the anti cheat to VQ.
 

FloppyWhale

Jr.Coder
Full Member
Nobleman
Jan 12, 2015
Broihon;41306 said:
No. I don't know the context of what you are doing, but guessing from that post, it depends on where VirtualQuery has been called from. You can't just let it return false all the time, since there are probably normal APIs using it.
Furthermore I'm not sure what your function prototype is supposed to be: https://msdn.microsoft.com/en-us/library/windows/desktop/aa366902(v=vs.85).aspx
It should be
C++:
typedef SIZE_T(__stdcall * tVirtualQuery)(const void *, MEMORY_BASIC_INFORMATION *, SIZE_T);
You either need to check from where VQ has been called or you need to hook the calls of the anti cheat to VQ.
I'm still a noob at this stuff. :s Anyhow, once I made the function prototype and I want to return it, what would I put in the ()'s in
C++:
return oVirtualQuery()
?
 

FloppyWhale

Jr.Coder
Full Member
Nobleman
Jan 12, 2015
Broihon;41309 said:
C++:
typedef SIZE_T(__stdcall * tVirtualQuery)(const void *, MEMORY_BASIC_INFORMATION *, SIZE_T);
tVirtualQuery oVirtualQuery;
 
SIZE_T __stdcall hVirtualQuery(const void * pAddress, MEMORY_BASIC_INFORMATION * pMemInfo, SIZE_T BufferSize)
{
    //checks here
    return oVirtualQuery(pAddress, pMemInfo, BufferSize);
}
 
void hookVQ()
{
    HMODULE hMod = GetModuleHandle(L"kernel32.dll");
    if (hMod)
    {
        oVirtualQuery = (tVirtualQuery)(DWORD)GetProcAddress(hMod, "VirtualQuery");
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)oVirtualQuery, hVirtualQuery);
        DetourTransactionCommit();
    }
}
This should do for the actual detouring. I don't know about the anti cheat specific checks though. Of course you can try to just return 0 instead, though.
Alrighty thanks!
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
FloppyWhale just to explain some things:

I did not realize you did not prototype that function, I didn't check MSDN I just fixed the 2 things I saw wrong, luckily good ol' Broihon hooked you up!

MS Detours is Microsoft's hooking library. You can write your own, but this is the correct way to use MS Detours 3.0.

We use GetProcAddress to grab the address of the exported symbol from the given module (this can easily be done because it's an exported function; most functions you have to manually find the address of). You typecast that address to a function pointer that you have prototyped with calling convention and arguments; this ensures that the compiler handles the arguments and the stack frame in the same way that the original function does.

SIZE_T is the return value type, __stdcall is the calling convention, what you do inside the hook is up to you!

For the record you can just pass execution to the original function without "return" like this:

C++:
oVirtualQuery(pAddress, pMemInfo, BufferSize);
But I think we all agree the other way is more 1337

Great Reading:
https://jbremer.org/x86-api-hooking-demystified/

Also you should find the function you're hooking in a debugger, and watch it while your hook attaches, then step through the code to watch your hook do its magic, so you can visualize it.
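As an added example (not code from any post in this thread), here is what Broihon's "check from where VQ has been called" and Rake's explanation of the GetProcAddress / function-pointer / Detours sequence look like when put together in one hook. The policy it implements is an assumption for illustration: callers outside the injected DLL's own image that query an address inside that image are told the memory is free, and everyone else gets the real answer. The names `Range`, `ShouldHide`, `FakeFreeRegion`, `HookVQ` and `g_hidden` are mine. The decision and buffer-filling logic is plain C++ so it can be compiled and tested off Windows; only the part under `_WIN32` needs the Windows SDK and Detours.

```cpp
// Added example: a VirtualQuery detour whose hook body decides per call whether
// to pass through to the real function or to report the hooked DLL's own image
// as free memory. Policy and names are illustrative assumptions, not the thread's code.
#include <cstddef>
#include <cstdint>
#include <cstring>

#ifdef _WIN32
#include <windows.h>
#include <intrin.h>   // _ReturnAddress()
#include <detours.h>
#else
// Stand-ins so the policy code builds and can be unit-tested off Windows.
typedef std::size_t SIZE_T;
typedef unsigned long DWORD;
typedef void *PVOID;
#define MEM_FREE      0x10000
#define PAGE_NOACCESS 0x01
struct MEMORY_BASIC_INFORMATION {
    PVOID  BaseAddress;
    PVOID  AllocationBase;
    DWORD  AllocationProtect;
    SIZE_T RegionSize;
    DWORD  State;
    DWORD  Protect;
    DWORD  Type;
};
#endif

// Half-open address range [begin, end) of the region we want to hide.
struct Range {
    std::uintptr_t begin, end;
    bool contains(std::uintptr_t a) const { return a >= begin && a < end; }
};

// Hide only when the caller is outside the hidden range (our own code still
// needs honest answers) and the queried address falls inside it.
bool ShouldHide(std::uintptr_t caller, std::uintptr_t queried, const Range &hidden)
{
    return !hidden.contains(caller) && hidden.contains(queried);
}

// Fill the caller's buffer the way kernel32 describes unmapped address space:
// MEM_FREE, PAGE_NOACCESS, no allocation base, region running to the end of the
// hidden range. Returns bytes written, or 0 when the buffer is too small
// (the real VirtualQuery also returns 0 on failure).
SIZE_T FakeFreeRegion(std::uintptr_t queried, const Range &hidden,
                      MEMORY_BASIC_INFORMATION *out, SIZE_T len)
{
    if (out == nullptr || len < sizeof(MEMORY_BASIC_INFORMATION))
        return 0;
    std::uintptr_t base = queried & ~static_cast<std::uintptr_t>(0xFFF); // 4 KiB page
    std::memset(out, 0, sizeof(*out));
    out->BaseAddress = reinterpret_cast<PVOID>(base);
    out->RegionSize  = hidden.end - base;
    out->State       = MEM_FREE;
    out->Protect     = PAGE_NOACCESS;
    return sizeof(MEMORY_BASIC_INFORMATION);
}

#ifdef _WIN32
typedef SIZE_T(WINAPI *tVirtualQuery)(LPCVOID, PMEMORY_BASIC_INFORMATION, SIZE_T);
static tVirtualQuery oVirtualQuery = nullptr;
static Range g_hidden = {0, 0};

SIZE_T WINAPI hVirtualQuery(LPCVOID addr, PMEMORY_BASIC_INFORMATION mbi, SIZE_T len)
{
    // Detours enters the hook with a jmp from the target, so the return address
    // on the stack is still that of whoever called VirtualQuery.
    std::uintptr_t caller = reinterpret_cast<std::uintptr_t>(_ReturnAddress());
    std::uintptr_t query  = reinterpret_cast<std::uintptr_t>(addr);
    if (ShouldHide(caller, query, g_hidden))
        return FakeFreeRegion(query, g_hidden, mbi, len);
    return oVirtualQuery(addr, mbi, len);
}

// hSelf is the injected DLL's own HMODULE (DllMain's hinstDLL); the image size
// comes from its PE optional header.
bool HookVQ(HMODULE hSelf)
{
    auto dos = reinterpret_cast<PIMAGE_DOS_HEADER>(hSelf);
    auto nt  = reinterpret_cast<PIMAGE_NT_HEADERS>(reinterpret_cast<BYTE *>(hSelf) + dos->e_lfanew);
    g_hidden.begin = reinterpret_cast<std::uintptr_t>(hSelf);
    g_hidden.end   = g_hidden.begin + nt->OptionalHeader.SizeOfImage;

    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    if (!k32) return false;
    // Cast the export address straight to the prototyped pointer; no (DWORD) detour.
    oVirtualQuery = reinterpret_cast<tVirtualQuery>(GetProcAddress(k32, "VirtualQuery"));
    if (!oVirtualQuery) return false;
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&reinterpret_cast<PVOID &>(oVirtualQuery), hVirtualQuery);
    return DetourTransactionCommit() == NO_ERROR;
}
#endif
```

Two caveats a practitioner should keep in mind. Detouring kernel32!VirtualQuery only covers callers that go through that export; VirtualQueryEx, the kernelbase export, and a direct NtQueryVirtualMemory call or syscall never reach this hook. And lying is itself observable: a scanner that walks the address space will now see a "free" region whose size ends exactly at the image end, and anything that compares the first bytes of VirtualQuery against the on-disk copy will see the detour's jmp.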
 