Solved How to hook Endscene? Direct3D


NTvalk

Hello, I'm trying to find the address of EndScene through the IAT. Code:
C++:
#include <windows.h>
#include <stdio.h>

int IATfind(const char* function, HMODULE module){
	if (module == 0)
		module = GetModuleHandle(0);

	/* retrieve headers of module; check the DOS signature before trusting e_lfanew */
	PIMAGE_DOS_HEADER pImgDosHeaders = (PIMAGE_DOS_HEADER)module;
	if (pImgDosHeaders->e_magic != IMAGE_DOS_SIGNATURE){
		printf("e_magic is no valid DOS signature\n");
		return 1;
	}
	PIMAGE_NT_HEADERS pImgNTHeaders = (PIMAGE_NT_HEADERS)((LPBYTE)pImgDosHeaders + pImgDosHeaders->e_lfanew); // the actual PE header
	IMAGE_DATA_DIRECTORY importDir = pImgNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (importDir.VirtualAddress == 0) // module has no import directory
		return 1;
	PIMAGE_IMPORT_DESCRIPTOR pImgImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)pImgDosHeaders + importDir.VirtualAddress);

	for (IMAGE_IMPORT_DESCRIPTOR* iid = pImgImportDesc; iid->Name != 0; iid++){
		printf("\n \t \t %s \n \n", (char*)((LPBYTE)module + iid->Name));
		if (iid->OriginalFirstThunk == 0) // no name table; FirstThunk already holds resolved addresses
			continue;

		/* walk the import name table of this DLL */
		PIMAGE_THUNK_DATA pImgThunkData = (PIMAGE_THUNK_DATA)((LPBYTE)module + iid->OriginalFirstThunk);
		for (; pImgThunkData->u1.AddressOfData != 0; ++pImgThunkData){
			if (IMAGE_SNAP_BY_ORDINAL(pImgThunkData->u1.Ordinal)){ // imported by ordinal, there is no name to read
				printf("ordinal %u\n", (unsigned)IMAGE_ORDINAL(pImgThunkData->u1.Ordinal));
				continue;
			}

			// print each imported name (the comparison against `function` is not implemented yet)
			PIMAGE_IMPORT_BY_NAME pImgImportByName = (PIMAGE_IMPORT_BY_NAME)((LPBYTE)module + pImgThunkData->u1.AddressOfData);
			printf("%s\n", (char*)pImgImportByName->Name); // only finds direct3dcreate9
		}
	}
	return 0;
}
But the IAT only contains Direct3DCreate9. Can I hook this function to retrieve the device pointer? And if it is not in the IAT, how is EndScene imported?
 

kokole

EndScene isn't defined as an export of d3d9.dll; it's a method of the IDirect3DDevice9 interface.
 

c5

GetProcAddress to find d3d9.dll exports.

I use some sigs to find d3d9 present and then get the device pointer, then reverse the game's renderer classes and access the functions I want to hook from there.

Easiest for you would be to hook CreateDevice, get the pointer to the device from there and get EndScene from there.

Regarding your idea of import walking, I think HadesMem supported it. Look at that, it's open source.
 

till0sch

When not just using vtable and directly hooking EndScene through it?
 

NTvalk

> When not just using vtable and directly hooking EndScene through it?

I assume you meant why. The reason why I'm doing this is because I can make it fully external without injection/malicious calls.

> GetProcAddress to find d3d9.dll exports.
>
> I use some sigs to find d3d9 present and then get the device pointer, then reverse the game's renderer classes and access the functions I want to hook from there.
>
> Easiest for you would be to hook CreateDevice, get the pointer to the device from there and get EndScene from there.
>
> Regarding your idea of import walking, I think HadesMem supported it. Look at that, it's open source.

Alright, I will try hooking CreateDevice. About the sigs, will they work on all different platforms (Windows 8, 7, etc.)?
 

c5

> Alright, I will try hooking CreateDevice. About the sigs, will they work on all different platforms (Windows 8, 7, etc.)?

The sig I am currently using for d3d9 EndScene works fine everywhere, since d3d9 comes from the DirectX redist; I just need to make sure it properly works with it.
 

till0sch

> I assume you meant why. The reason why I'm doing this is because I can make it fully external without injection/malicious calls.

Sure, sorry.. But you could do patterns externally..
 

till0sch

> EndScene isn't defined as an export of d3d9.dll; it's a method of the IDirect3DDevice9 interface.

Sure it isn't, that's why you use patterns to find the VTable. Or hook some of those exported functions and retrieve the device.
 

c5

> Sure it isn't, that's why you use patterns to find the VTable. Or hook some of those exported functions and retrieve the device.

He is just saying that because NTvalk thought it would be; he was looking at imports initially.
 

kokole

> Sure it isn't, that's why you use patterns to find the VTable. Or hook some of those exported functions and retrieve the device.

Using patterns is a really bad idea since there is more than just 1 version of d3d9.dll, so getting the function pointer by knowing the index of EndScene in the VTable is much better.

Edit: Sorry you're right, I've read it as "to find EndScene".
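
Seen from the detection side, the vtable route discussed in this thread is checkable: an interface's method table and the functions it points to normally sit inside the DLL that implements the interface. The following is an added example, not code from any poster in the thread; `ModuleRange`, `AuditVtable` and every address in it are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Address range of a loaded module (on Windows: image base and SizeOfImage).
struct ModuleRange {
    std::uintptr_t base;
    std::size_t size;
    bool Contains(std::uintptr_t addr) const {
        return addr >= base && addr - base < size;
    }
};

struct VtableAudit {
    bool tableInsideOwner;                  // false: the object's vtable pointer was swapped
    std::vector<std::size_t> foreignSlots;  // slot indices whose target is outside the owner
    bool Clean() const { return tableInsideOwner && foreignSlots.empty(); }
};

// Checks where the vtable lives and where each of its slots points.
// tableAddr is the value held in the object's first pointer-sized field,
// slots is a copy of that table, owner is the module implementing the interface.
VtableAudit AuditVtable(std::uintptr_t tableAddr,
                        const std::vector<std::uintptr_t>& slots,
                        const ModuleRange& owner) {
    VtableAudit r{owner.Contains(tableAddr), {}};
    for (std::size_t i = 0; i < slots.size(); ++i)
        if (!owner.Contains(slots[i]))
            r.foreignSlots.push_back(i);
    return r;
}

// Constructed sample data (no real addresses): a module mapped at 0x10000000
// with a 0x1000-byte image, and a four-slot vtable stored inside it.
const ModuleRange kOwner{0x10000000u, 0x1000u};
const std::uintptr_t kTableAddr = 0x10000800u;

VtableAudit AuditIntact() {
    return AuditVtable(kTableAddr, {0x10000100u, 0x10000140u, 0x10000180u, 0x100001C0u}, kOwner);
}
VtableAudit AuditSlotRedirected() {  // slot 2 now points into another region
    return AuditVtable(kTableAddr, {0x10000100u, 0x10000140u, 0x20000040u, 0x100001C0u}, kOwner);
}
VtableAudit AuditTableSwapped() {    // object points at a table outside the module
    return AuditVtable(0x00500000u, {0x10000100u, 0x10000140u, 0x10000180u, 0x100001C0u}, kOwner);
}
```

This check only covers pointers, so it is normally paired with a comparison of the functions' code bytes against the on-disk image.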
 