看了pediy3000大牛发表在看雪的关于hookdx的帖子,同时下载了源程序,受益匪浅。现在想模仿这个程序,再添加对direct input8的hook。通过对变量的跟踪,发觉他
写的 *(DWORD*)((BYTE*)pC+1)=(DWORD)hookedDirect3DCreate9-(DWORD)pC-5;//目标地址-原地址-5 程序能执行到 hookedDirect3DCreate9里面去 我照着仿写的
*(DWORD*)((BYTE*)pDinput+1)=(DWORD)hookDirectInput8Create-(DWORD)pDinput-5; 程序就是执行不到
hookDirectInput8Create 我测试用来hook的程序是普通的dx9游戏同时调用d3d9和dinput8的。附上改写的程序 。请各位大牛百忙中看看,到底问题出在哪里 附上改写的程序
// HookDx.cpp : 定义 DLL 应用程序的入口点。
//
#include "stdafx.h"
#include <d3d9.h>
#include <D3dx9core.h>]
#include <dinput.h>
#include "stdio.h "
#pragma comment(lib, "dinput8.lib")
#ifdef _MANAGED
#pragma managed(push, off)
#endif
void OnHookInit();
void OnUnHook();
HRESULT _stdcall hookDirectInput8Create(HINSTANCE hinst,
DWORD dwVersion,
REFIID riidltf,
LPVOID * ppvOut,
LPUNKNOWN punkOuter
);
HRESULT _stdcall hookDInputCreateDevice(REFGUID rguid,LPDIRECTINPUTDEVICE *lplpDirectInputDevice,LPUNKNOWN pUnkOuter);
IDirect3D9 * _stdcall hookedDirect3DCreate9(UINT SDKVersion);
BOOL _stdcall DrawMyText(LPDIRECT3DDEVICE9 pDxdevice,TCHAR* strText ,int nbuf);
HRESULT _stdcall hookedCreateDevice(
LPDIRECT3D9 pDx9,
UINT Adapter,
D3DDEVTYPE DeviceType,
HWND hFocusWindow,
DWORD BehaviorFlags,
D3DPRESENT_PARAMETERS * pPresentationParameters,
IDirect3DDevice9 ** ppReturnedDeviceInterface
);
HRESULT _stdcall hookedPresent(
LPDIRECT3DDEVICE9 pDxdevice,
CONST RECT * pSourceRect,
CONST RECT * pDestRect,
HWND hDestWindowOverride,
CONST RGNDATA * pDirtyRegion
);
HRESULT _stdcall HookGetDeviceState(LPVOID *ppvOut,DWORD cbData,
LPVOID lpvData);
LPDIRECT3D9 m_pD3D=NULL; //Direct3D对象的接口指针
LPDIRECTINPUT8 g_pDI = NULL; // DirectInput interface
LPDIRECTINPUTDEVICE8 g_pMouse = NULL; // Device interface
void * pC=NULL;//Direct3DCreate9函数地址指针
void * pCdev=NULL;//IDirect3D9::CreateDevice函数地址指针
void * pPre=NULL;//IDirect3DDevice9::Present函数地址指针
void * pDinput=NULL;//Directinput8Create函数地址指针
void * pDinputDev=NULL;//Directinput8 Createdevice函数地址指针
void * pDinputGetDeviceState=NULL; //Directinput GetDeviceState 函数地址指针
BYTE d3dcen5bytes[5];//用于保存Direct3DCreate9入口的5字节
BYTE devcen5bytes[5];//用于保存IDirect3D9::CreateDevice入口的字节
BYTE pren5bytes[5];//用于保存IDirect3DDevice9::Present入口的5字节
BYTE dinput5bytes[5];//用于保存Directinput8Create入口的5字节
BYTE dinputDev5bytes[5];//用于保存Directinput createdevice入口的5字节
BYTE dinputGetDeviceState5bytes[5];//用于保存Directinput GetDeviceState入口的5字节
HMODULE module_self = NULL;
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call){
case DLL_PROCESS_ATTACH:
module_self = hModule;
OnHookInit();
break;
case DLL_PROCESS_DETACH:
OnUnHook();
break;
}
return TRUE;
}
HRESULT _stdcall HookGetDeviceState(LPVOID *ppvOut,DWORD cbData, LPVOID lpvData)
{
_ HRESULT retdata=g_pMouse->GetDeviceState( cbData, lpvData);
return retdata;
}
//当程序运行到IDirect3DDevice9::Present入口处将跳转到这里
HRESULT _stdcall hookedPresent(
LPDIRECT3DDEVICE9 pDxdevice,//类的this指针
CONST RECT * pSourceRect,//此参数请参考dx sdk
CONST RECT * pDestRect,//同上
HWND hDestWindowOverride,//同上
CONST RGNDATA * pDirtyRegion//同上
)
{
__asm pushad
if(pCdev && pC && pPre){
char strdraw[]="The drawing in directx game\nAuthor:RunJin\nEmail:pediy3000@hotmail.com";
DrawMyText(pDxdevice,strdraw,sizeof strdraw-1);//绘制文本
//在这里写入您的其它绘图代码
}
if(pC && pCdev && pPre)
memcpy(pPre,pren5bytes,5);//先还原IDirect3DDevice9::Present入口的5字节
HRESULT retdata= pDxdevice->Present(pSourceRect,pDestRect,hDestWindowOverride,pDirtyRegion);
if(pC && pCdev && pPre){
//DWORD oldpro=0;
//VirtualProtect(pPre,5,PAGE_EXECUTE_READWRITE,&oldpro);
//调用完IDirect3DDevice9::Present后再hook一次
*(BYTE*)pPre=0xe9;
*(DWORD*)((BYTE*)pPre+1)=(DWORD)hookedPresent-(DWORD)pPre-5;
}
__asm popad
return retdata;
}
//我自己的绘制文本的过程
BOOL _stdcall DrawMyText(LPDIRECT3DDEVICE9 pDxdevice,TCHAR* strText ,int nbuf)
{
if(m_pD3D && pDxdevice){
RECT myrect;
myrect.top=150; //文本块的y坐标
myrect.left=0; //文本块的左坐标
myrect.right=500+myrect.left;
myrect.bottom=100+myrect.top;
pDxdevice->BeginScene();//开始绘制
D3DXFONT_DESCA lf;
ZeroMemory(&lf, sizeof(D3DXFONT_DESCA));
lf.Height = 24; //字体高度
lf.Width = 12; // 字体宽度
lf.Weight = 100;
lf.Italic = false;
lf.CharSet = DEFAULT_CHARSET;
strcpy(lf.FaceName, "Times New Roman"); // 字型
ID3DXFont* font=NULL;
if(D3D_OK!=D3DXCreateFontIndirect(pDxdevice, &lf, &font)) //创建字体对象
return false;
font->DrawText(
NULL,
strText, // 要绘制的文本
nbuf,
&myrect,
DT_TOP | DT_LEFT, // 字符居中显示
D3DCOLOR_ARGB(255,255,255,0));
pDxdevice->EndScene();//结束绘制
font->Release();//释放对象
}
return true;
}
//下面的开始重写
HRESULT _stdcall hookDirectInput8Create(HINSTANCE hinst,
DWORD dwVersion,
REFIID riidltf,
LPVOID * ppvOut,
LPUNKNOWN punkOuter
)
{
{//错误就在这里 程序死活不执行到这里 另外几个hook根本就无效了__asm pushad
memcpy(pDinput,dinput5bytes,5);//首先还原入口的5个字节
HRESULT hr;
// Register with the DirectInput subsystem and get a pointer
// to a IDirectInput interface we can use.
if(SUCCEEDED( hr = DirectInput8Create( hinst, dwVersion,riidltf,
( VOID** )&g_pDI, NULL ) ))
{//如果成功
pDinputDev=(void*)*(DWORD*)(*(DWORD*)g_pDI+0x0c);//获得dinput::CreateDevice的地址指针
DWORD oldpro=0;
memcpy(dinputDev5bytes,pDinputDev,5);//保存 入口5个字节
VirtualProtect(pDinputDev,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDinputDev=0xe9;
*(DWORD*)((BYTE*)pDinputDev+1)=(DWORD)hookDInputCreateDevice-(DWORD)pDinputDev-5;
}else{//如果失败就再hook一次
DWORD oldpro=0;
VirtualProtect(pDinput,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDinput=0xe9;//0xe9在汇编中是跳转指令操作码
*(DWORD*)((BYTE*)pDinput+1)=(DWORD)hookDirectInput8Create-(DWORD)pDinput-5;//目标地址-原地址-5
}
__asm popad
return hr;}
HRESULT _stdcall hookDInputCreateDevice(REFGUID rguid,LPDIRECTINPUTDEVICE *lplpDirectInputDevice,LPUNKNOWN pUnkOuter)
{
//同样照抄 因为都没执行到这里
。。。。。
return ret;
}
//当运行到Direct3DCreate9时跳转到这里
IDirect3D9 * _stdcall hookedDirect3DCreate9(
UINT SDKVersion
)
{
__asm pushad
memcpy(pC,d3dcen5bytes,5);//首先还原入口的5个字节
m_pD3D=Direct3DCreate9(SDKVersion);
if(m_pD3D){//如果成功
pCdev=(void*)*(DWORD*)(*(DWORD*)m_pD3D+0x40);//获得IDirect3D9::CreateDevice的地址指针
DWORD oldpro=0;
memcpy(devcen5bytes,pCdev,5);//保存IDirect3D9::CreateDevice入口5个字节
VirtualProtect(pCdev,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pCdev=0xe9;
*(DWORD*)((BYTE*)pCdev+1)=(DWORD)hookedCreateDevice-(DWORD)pCdev-5;
}else{//如果失败就再hook一次
DWORD oldpro=0;
VirtualProtect(pC,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pC=0xe9;
*(DWORD*)((BYTE*)pC+1)=(DWORD)hookedDirect3DCreate9-(DWORD)pC-5;
}
__asm popad
return m_pD3D;
}
//当运行到IDirect3D9::CreateDevice的时候跳转到这里
HRESULT _stdcall hookedCreateDevice(
LPDIRECT3D9 pDx9,
UINT Adapter,
D3DDEVTYPE DeviceType,
HWND hFocusWindow,
DWORD BehaviorFlags,
D3DPRESENT_PARAMETERS * pPresentationParameters,
IDirect3DDevice9 ** ppReturnedDeviceInterface
)
{
__asm pushad
memcpy(pCdev,devcen5bytes,5);//先还原入口的5个字节
HRESULT ret=pDx9->CreateDevice( //创建设备
Adapter,
DeviceType,
hFocusWindow,
BehaviorFlags,
pPresentationParameters,
ppReturnedDeviceInterface);
if (ret==D3D_OK){//如果创建设备成功
LPDIRECT3DDEVICE9 m_pDevice=*ppReturnedDeviceInterface;
pPre=(void*)*(DWORD*)(*(DWORD*)m_pDevice+0x44);//获得IDirect3DDevice9::Present的地址指针
memcpy(pren5bytes,pPre,5);//保存IDirect3DDevice9::Present入口的5个字节
DWORD oldpro=0;
VirtualProtect(pPre,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pPre=0xe9;
*(DWORD*)((BYTE*)pPre+1)=(DWORD)hookedPresent-(DWORD)pPre-5;
}else{//如果失败再hookIDirect3D9::CreateDevice一次
DWORD oldpro=0;
VirtualProtect(pCdev,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pCdev=0xe9;
*(DWORD*)((BYTE*)pCdev+1)=(DWORD)hookedCreateDevice-(DWORD)pCdev-5;
}
__asm popad
return ret;
}
void OnHookInit()
{
//这里只是hookDirect3DCreate9
pC=GetProcAddress(GetModuleHandle("d3d9.dll"),"Direct3DCreate9");//获得内存地址
DWORD oldpro=0;
memcpy(d3dcen5bytes,pC,5);
VirtualProtect(pC,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pC=0xe9;//0xe9在汇编中是跳转指令操作码
*(DWORD*)((BYTE*)pC+1)=(DWORD)hookedDirect3DCreate9-(DWORD)pC-5;//目标地址-原地址-5
oldpro=0;
//这里只是hookDirectInputCreate
pDinput=GetProcAddress(GetModuleHandle("dinput8.dll"),"DirectInput8Create");//获得内存地址
memcpy(dinput5bytes,pDinput,5);
VirtualProtect(pDinput,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDinput=0xe9;//0xe9在汇编中是跳转指令操作码
*(DWORD*)((BYTE*)pDinput+1)=(DWORD)hookDirectInput8Create-(DWORD)pDinput-5;//目标地址-原地址-5
}
void OnUnHook()
{
}
#ifdef _MANAGED
#pragma managed(pop)
#endif
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
