Source Undetected DIP Int3 BreakPoint Hook

Discussion in 'D3D Tutorials and Source' started by trismund, Jan 31, 2019.

  1. trismund

    #include <windows.h>
    #include <d3d9.h>
    #include <d3dx9.h>
    #pragma comment(lib, "d3dx9.lib")
    #pragma comment(lib, "d3d9.lib")
    
    //==============================================================================
    
    // Signature of IDirect3DDevice9::DrawIndexedPrimitive as a __stdcall function pointer
    // (x86 COM calling convention: the interface pointer is passed as the first argument).
    typedef HRESULT(__stdcall* DrawIndexedPrimitive_t)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT);
    // Address of the original method (vtable slot 82); filled in by DXhook(), NULL until then.
    DrawIndexedPrimitive_t OrigDrawIndexedPrimitive;
    
    // Same signature, but points 2 bytes past OrigDrawIndexedPrimitive, i.e. just after the
    // 2-byte `mov edi, edi` prologue that Set_int3_Breakpoint() overwrites with 0xCC. Calling
    // through it resumes the real implementation without re-executing the breakpoint.
    typedef HRESULT(__stdcall* DrawIndexedPrimitivePlusTwo_t)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT);
    DrawIndexedPrimitivePlusTwo_t OrigDrawIndexedPrimitivePlusTwo;
    
    // Generating Textures.
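    // Creates an 8x8, single-level, D3DFMT_A4R4G4B4 managed texture filled with one solid colour.
    //
    // pD3Ddev  - device used to create the texture.
    // ppD3Dtex - receives the new texture; the caller owns that reference and must Release()
    //            it. Set to NULL if the function fails after creation.
    // colour32 - colour as 0xAARRGGBB; only the high nibble of each channel survives the
    //            conversion to the 16-bit format.
    // Returns S_OK on success, E_FAIL if the texture cannot be created or locked.
    HRESULT GenerateTexture(IDirect3DDevice9 *pD3Ddev, IDirect3DTexture9 **ppD3Dtex, DWORD colour32)
    {
        if (FAILED(pD3Ddev->CreateTexture(8, 8, 1, 0, D3DFMT_A4R4G4B4, D3DPOOL_MANAGED, ppD3Dtex, NULL)))
            return E_FAIL;
    
        // Pack 0xAARRGGBB into ARGB4444 by keeping the top 4 bits of each 8-bit channel.
        WORD colour16 = ((WORD)((colour32 >> 28) & 0xF) << 12)
            | (WORD)(((colour32 >> 20) & 0xF) << 8)
            | (WORD)(((colour32 >> 12) & 0xF) << 4)
            | (WORD)(((colour32 >> 4) & 0xF) << 0);
    
        D3DLOCKED_RECT d3dlr;
        // A failed lock leaves d3dlr.pBits unspecified; writing through it would be undefined
        // behaviour, so release the texture we just created and report failure instead.
        if (FAILED((*ppD3Dtex)->LockRect(0, &d3dlr, 0, 0)))
        {
            (*ppD3Dtex)->Release();
            *ppD3Dtex = NULL;
            return E_FAIL;
        }
    
        // Rows are d3dlr.Pitch bytes apart, which the driver may pad beyond 8 * sizeof(WORD);
        // step by Pitch per row rather than assuming a tightly packed 64-WORD surface.
        for (int y = 0; y < 8; y++)
        {
            WORD *pRow = (WORD*)((BYTE*)d3dlr.pBits + y * d3dlr.Pitch);
            for (int x = 0; x < 8; x++)
                pRow[x] = colour16;
        }
    
        (*ppD3Dtex)->UnlockRect(0);
    
        return S_OK;
    }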
    //==============================================================================
    
    // Replacement for IDirect3DDevice9::DrawIndexedPrimitive. Control arrives here from
    // MyExceptionFilter(), which rewrites Eip to this function when the int3 planted at
    // OrigDrawIndexedPrimitive fires, so the original caller's stack frame and arguments
    // are still in place. Parameters mirror the real method; pDevice is the interface pointer.
    // Returns whatever the original implementation returns.
    HRESULT __stdcall Hooked_DrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE PrimType, INT BaseVertexIndex, UINT MinVertexIndex, UINT NumVertices, UINT startIndex, UINT primCount)
    {
        LPDIRECT3DVERTEXBUFFER9 Stream;
        UINT Stride;
        UINT Offset;
    
        if (pDevice->GetStreamSource(0, &Stream, &Offset, &Stride) == D3D_OK)
        {
            Stream->Release(); // only Stride is used; drop the buffer reference GetStreamSource handed back
        }
    
    
        // NOTE(review): Stride is never initialised, so if GetStreamSource did not return
        // D3D_OK this comparison reads an indeterminate value (undefined behaviour).
        if (Stride == 64 || Stride == 32)
        {
        // Issue the draw once with depth testing disabled, then fall through to the normal
        // draw below. ZENABLE is forced to TRUE afterwards instead of being restored to the
        // value the caller had set, so device render state is clobbered for matching streams.
        pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_FALSE);
       OrigDrawIndexedPrimitivePlusTwo(pDevice, PrimType,BaseVertexIndex,MinVertexIndex, NumVertices, startIndex, primCount);
       pDevice->SetRenderState(D3DRS_ZENABLE, D3DZB_TRUE);
    
        }
     
        // Resume the real implementation 2 bytes in, past the 0xCC now occupying the
        // `mov edi, edi` slot, so the breakpoint is not re-triggered by this call.
        return OrigDrawIndexedPrimitivePlusTwo(pDevice, PrimType, BaseVertexIndex, MinVertexIndex, NumVertices, startIndex, primCount); // continue after the breakpoint.( previously mov edi, edi ).
    }
    
    // Overwrites the single byte at address with 0xCC (int3). Executing it raises
    // EXCEPTION_BREAKPOINT, which MyExceptionFilter() then intercepts. The containing page
    // is made writable for the store and its previous protection is put back afterwards.
    // Because the target lives inside a loaded module's code section, the in-memory byte
    // no longer matches the on-disk image from that point on.
    // NOTE(review): neither VirtualProtect result is checked; if the first call fails the
    // store below faults on a read-only/executable page.
    void Set_int3_Breakpoint(void *address)
    {
        DWORD dwOldProtect;
        BYTE *ptr = (BYTE *)address;
        VirtualProtect(address, 1, PAGE_EXECUTE_READWRITE, &dwOldProtect);
        *ptr = 0xCC; // int3 opcode
        VirtualProtect(address, 1, dwOldProtect, &dwOldProtect);
    }
    
    // Vectored exception handler installed by DXhook() (registered as first handler).
    // When the int3 at OrigDrawIndexedPrimitive executes, the recorded Eip equals that
    // address; the handler points Eip at Hooked_DrawIndexedPrimitive and resumes, so the
    // hook runs with the original caller's registers and stack frame.
    // Every other exception, including breakpoints at any other address, is passed on
    // untouched via EXCEPTION_CONTINUE_SEARCH. Uses ContextRecord->Eip and DWORD casts,
    // so this is x86 (32-bit) only.
    LONG WINAPI MyExceptionFilter(struct _EXCEPTION_POINTERS* ExceptionInfo)
    {
        if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT)
        {
            //Check exception address
            if (ExceptionInfo->ContextRecord->Eip == (DWORD)OrigDrawIndexedPrimitive)
            {
                ExceptionInfo->ContextRecord->Eip = (DWORD)Hooked_DrawIndexedPrimitive; // Change instruction pointer - will jump to our hook
                return EXCEPTION_CONTINUE_EXECUTION; //Copies all registers from pExceptionInfo to the real registers
            }
         
        }
        return EXCEPTION_CONTINUE_SEARCH;
    }
    
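    // Compares the bytes at pData against the pattern bMask, byte by byte, for as many
    // positions as szMask has characters. Positions where szMask holds 'x' must match
    // exactly; any other mask character is a wildcard.
    //
    // pData  - memory to test; must be readable for strlen(szMask) bytes.
    // bMask  - pattern bytes; must be at least strlen(szMask) bytes long.
    // szMask - NUL-terminated mask of 'x' / wildcard characters; its length bounds the scan.
    // Returns true when every 'x' position matches, false at the first mismatch.
    bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
    {
        for (; *szMask; ++szMask, ++pData, ++bMask)
            if (*szMask == 'x' && *pData != *bMask)
                return false;
    
        // The loop only exits here at the terminator; compare against '\0' rather than the
        // null-pointer macro NULL, since *szMask is a char, not a pointer.
        return *szMask == '\0';
    }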
    
    // Linear scan of the dwLen bytes starting at dwAddress for the first position where
    // bCompare() reports a match of bMask/szMask. Returns that address, or 0 if not found.
    // NOTE(review): the range is not shortened by the pattern length, so for the last
    // strlen(szMask) - 1 start positions bCompare() reads past dwAddress + dwLen; if that
    // memory is unmapped the scan faults instead of returning 0.
    DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char * szMask)
    {
        for (DWORD i = 0; i < dwLen; i++)
            if (bCompare((BYTE*)(dwAddress + i), bMask, szMask))
                return (DWORD)(dwAddress + i);
    
        return 0;
    }
    
    // Worker started from DllMain(): waits for d3d9.dll, locates the device vtable by byte
    // pattern, then registers the exception handler and plants the int3. If the pattern is
    // not found nothing is installed and the thread simply returns.
    void DXhook()
    {
        DWORD *vtbl;
    
        // wait for the d3dx dll
        // Polls every 10 ms with no timeout; the thread never exits if the module never loads.
        DWORD hD3D = 0;
        do {
            hD3D = (DWORD)GetModuleHandleA("d3d9.dll");
            Sleep(10);
        } while (!hD3D);
        // Scans 0x128000 bytes from the module base; '?' positions in the mask are wildcards
        // for the embedded immediates. Both the byte sequence and the scan length are tied
        // to a particular d3d9.dll build, so a different build can fail the scan (adr == 0)
        // or, since FindPattern does not bound-check the tail, fault while scanning.
        DWORD adr = FindPattern(hD3D, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
    
        if (adr)
        {
            // The 4 bytes after the first two matched opcode bytes are the vtable pointer.
            memcpy(&vtbl, (void*)(adr + 2), 4);
             
            // Slot 82 of the IDirect3DDevice9 vtable is DrawIndexedPrimitive.
            OrigDrawIndexedPrimitive = (HRESULT(__stdcall *)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT))vtbl[82];
            // Resume address for the hook: the instruction following the 2 patched bytes.
            OrigDrawIndexedPrimitivePlusTwo = (HRESULT(__stdcall *)(LPDIRECT3DDEVICE9, D3DPRIMITIVETYPE, INT, UINT, UINT, UINT, UINT)) (((DWORD)OrigDrawIndexedPrimitive) + 2);
    
            // Order matters: the handler must exist before the 0xCC is written, otherwise
            // the next draw call raises an EXCEPTION_BREAKPOINT nobody handles.
            AddVectoredExceptionHandler(1, MyExceptionFilter);
            Set_int3_Breakpoint(OrigDrawIndexedPrimitive); // write CC on mov edi, edi
     
    
        }
    }
    //==============================================================================
    // DLL entry point. On process attach it spawns DXhook() on its own thread so the
    // module scan and wait loop do not run under the loader lock. Always returns TRUE.
    // NOTE(review): the thread handle returned by CreateThread is discarded (handle leak
    // until process exit), and DXhook() is declared as `void DXhook()` rather than with the
    // LPTHREAD_START_ROUTINE signature, which is why the cast is needed.
    BOOL WINAPI DllMain(HMODULE hModule,DWORD dwReason,LPVOID lpReserved)
    {
        UNREFERENCED_PARAMETER(lpReserved);
        if ( dwReason == DLL_PROCESS_ATTACH )
        {
    
            CreateThread(0,0,(LPTHREAD_START_ROUTINE)DXhook,0,0,0);
        }
            return ( TRUE );
    }


     
    #1 trismund, Jan 31, 2019
    Last edited: Feb 2, 2019
  2. trismund

    Good luck!
     
  3. captcha1

    Thanks for sharing, it's working!
     
