Diablo III Directx 9 ES, DIP, SSS Hook -- By Bit_Hacker

[BitHacker]

// --- Directx Hook --- By: Bit_Hacker

Headers:

Code:

#include <Windows.h>
#include <d3d9.h>
#include <d3dx9.h>
#include <iostream>
#include <fstream>
#include <detours.h>

Libraries:

Code:

// If your source code calls out a function that is within both librarys
// you will need to specify which one to use by calling d3dx9.lib first
// then after loading d3d9.lib. As d3dx9.lib takes a higher priority.
// MSDN - Places a library-search record in the object file. This comment type must be accompanied by a commentstring parameter containing 
//        the name (and possibly the path) of the library that you want the linker to search. The library name follows the default library-search 
//        records in the object file; the linker searches for this library just as if you had named it on the command line provided that the library is 
//        not specified with /nodefaultlib. You can place multiple library-search records in the same source file; each record appears in the object file 
//        in the same order in which it is encountered in the source file.
//        If the order of the default library and an added library is important, compiling with the /Zl switch will prevent the default library name from being 
//        placed in the object module. A second comment pragma then can be used to insert the name of the default library after the added library. The libraries 
//        listed with these pragmas will appear in the object module in the same order they are found in the source code. 
#pragma comment (lib, "d3dx9.lib")
#pragma comment (lib, "d3d9.lib")

using namespace std;

Typedefs:

Code:

// --- Start of Typedef's --- 
typedef HRESULT ( WINAPI* SetStreamSource_t )( LPDIRECT3DDEVICE9 pDevice, UINT StreamNumber, IDirect3DVertexBuffer9* pStreamData, UINT OffsetInBytes, UINT Stride );
SetStreamSource_t oSetStreamSource;

typedef HRESULT ( WINAPI* EndScene_t )( LPDIRECT3DDEVICE9 pDevice );
EndScene_t oEndScene;

typedef HRESULT ( WINAPI* DrawIndexedPrimitive_t )( LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE PrimType, INT BaseVertexIndex, UINT MinVertexIndex, UINT NumVertices, UINT startIndex, UINT primCount );
DrawIndexedPrimitive_t oDrawIndexedPrimitive;
// -- End of Typedef's ---

Defines:

Code:

// --- Start of Defines ---
// the ## is just a concatenation operator
// PBYTE WINAPI DetourFunction(PBYTE pbTargetFunction, PBYTE pbDetourFunction);
#define HOOK( func, addy )	o##func = ( func##_t )DetourFunction( (PBYTE)addy, (PBYTE)hk##func )
#define ES         0
#define DIP        1
#define SSS        2
// --- End of Defines ---

DllMain:

Code:

// --- START OF DLL ---
// An optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL 
// using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.
// 1st arg - A handle to the DLL module. The value is the base address of the DLL. The HINSTANCE of a DLL is the same as the HMODULE of the DLL, so hinstDLL can be used 
//           in calls to functions that require a module handle.
// 2nd arg - The reason code that indicates why the DLL entry-point function is being called.
// 3rd arg - If fdwReason is DLL_PROCESS_ATTACH, lpvReserved is NULL for dynamic loads and non-NULL for static loads. 
// return - When the system calls the DllMain function with the DLL_PROCESS_ATTACH value, the function returns TRUE if it succeeds or FALSE if initialization fails.
//          When the system calls the DllMain function with any value other than DLL_PROCESS_ATTACH, the return value is ignored.
BOOL WINAPI DllMain( HMODULE hModule, DWORD dwReason, LPVOID lpvReserved )
{
	if( dwReason == DLL_PROCESS_ATTACH )
   {
      // Windows api - CreateThread - Creates a thread to execute within the virtual address space of the calling process.
      // 1st arg - A pointer to a SECURITY_ATTRIBUTES structure that determines whether the returned handle can be inherited by child processes. 
      //           If lpThreadAttributes is NULL, the handle cannot be inherited.
      // 2nd arg - The initial size of the stack, in bytes. The system rounds this value to the nearest page. If this parameter is zero, the new thread uses 
      //           the default size for the executable. For more information, see Thread Stack Size.
      // 3rd arg - A pointer to the application-defined function to be executed by the thread. This pointer represents the starting address of the thread. 
      //           For more information on the thread function, see ThreadProc.
      // 4th arg - A pointer to a variable to be passed to the thread.
      // 5th arg - The flags that control the creation of the thread.
      // 6th arg - A pointer to a variable that receives the thread identifier. If this parameter is NULL, the thread identifier is not returned.
      // return - If the function succeeds, the return value is a handle to the new thread.
		CreateThread( 0, 0, MyThread, 0, 0, 0 );
	}

	return TRUE;
}// --- END OF DLL ---

MyThread:

Code:

// --- Start of MyThread ---
DWORD WINAPI MyThread( LPVOID )
{
	DWORD VTable[ 3 ] = { 0 };

	while( GetModuleHandle( "d3d9.dll" ) == NULL )
	{
		Sleep( 250 ); // Sleep for ( 250 milliseconds ) = .250 seconds
	}

   // Take our VTable array of 3 elements and throw it into DX_Init for later use.
	DX_Init( VTable );

   // Detour our functions
   // These 3 lines of code use a macro defined above that will add a o onto each 1st argument after DetourFunction returns. This will hold a unsigned char result.
   // The macro assigns the detour return type to oEndScene, oDrawIndexedPrimitive, and oSetStreamSource.
   // The macro above will define how DetourFunction will call these functions above starting with orginal address from (VTable ES, then call hkEndScene), (Vtable DIP, then call hkDrawIndexedPrimitive),
   // and (Vtable SSS, then call hkSetStreamSource.)
   // If you understand this part, you should be able to follow the rest of the program. Good Luck.
   // maybe make a wall hack or chams with it. Draw a radar. 
	HOOK( EndScene, VTable[ ES ] ); // oEndScene, hkEndScene
	HOOK( DrawIndexedPrimitive, VTable[ DIP ] );
	HOOK( SetStreamSource, VTable[ SSS ] );

	return 0;
}// --- End of MyThread ---

DX_Init:

Code:

// --- Start of DX_Init ---
HRESULT DX_Init( DWORD* table )
{
   // --- Setup Windows Class Information.
   // WNDCLASSEX - Contains window class information. It is used with the RegisterClassEx and GetClassInfoEx  functions. 
   // 1st member  - Size in bytes of structure
   // 2nd member  - style
   // 3rd member  - pointer to Window Procedure.
   // 4th member  - The number of extra bytes to allocate following the window-class structure. The system initializes the bytes to zero.
   //               0L An unsigned long value. (This 'long' is _exactly_ 32 bits, which may differ from  what a local C compiler calls 'long'. If you want native-length longs, use the '!' suffix.)
   // 5th member  - The number of extra bytes to allocate following the window instance. The system initializes the bytes to zero.
   // 6th member  - A handle to the instance that contains the window procedure for the class. GetModuleHandle() has 1 arg - The name of the loaded module (either a .dll or .exe)
   //               If this parameter is NULL, GetModuleHandle returns a handle to the file used to create the calling process (.exe file).
   //               If the function succeeds, the return value is a handle to the specified module.
   // 7th member  - A handle to the class icon. This member must be a handle to an icon resource. If this member is NULL, the system provides a default icon.
   // 8th member  - A handle to the class cursor. This member must be a handle to a cursor resource. If this member is NULL, an application must 
   //               explicitly set the cursor shape whenever the mouse moves into the application's window. 
   // 9th member  - A handle to the class background brush. When this member is NULL, an application must paint its own background whenever it is requested 
   //               to paint in its client area. To determine whether the background must be painted, an application can either process the WM_ERASEBKGND message 
   //               or test the fErase member of the PAINTSTRUCT structure filled by the BeginPaint function.
   // 10th member - Pointer to a null-terminated character string that specifies the resource name of the class menu, as the name appears in the resource file. 
   //               If this member is NULL, windows belonging to this class have no default menu.
   // 11th member - A pointer to a null-terminated string or is an atom. If lpszClassName is a string, it specifies the window class name. The class name 
   //               can be any name registered with RegisterClass or RegisterClassEx, or any of the predefined control-class names. The maximum length for lpszClassName is 256.
   // 12th member - A handle to a small icon that is associated with the window class. If this member is NULL, the system searches the icon resource specified by the hIcon 
   //               member for an icon of the appropriate size to use as the small icon.
	WNDCLASSEX wc = { sizeof(WNDCLASSEX), CS_CLASSDC, MsgProc, 0L, 0L, GetModuleHandle(NULL), NULL, NULL, NULL, NULL, "DX", NULL };

   // api - RegisterClassEx - Registers a window class for subsequent use in calls to the CreateWindow or CreateWindowEx function. 
   // 1st arg - A pointer to a WNDCLASSEX structure. You must fill the structure with the appropriate class attributes before passing it to the function.
   // return type - If the function succeeds, the return value is a class atom that uniquely identifies the class being registered. This atom can 
   //               only be used by the CreateWindow, CreateWindowEx, GetClassInfo, GetClassInfoEx, FindWindow, FindWindowEx, and 
   //               UnregisterClass functions and the IActiveIMMap::FilterClientWindows method. 
	RegisterClassEx(&wc);

   // api - CreateWindow - Creates an overlapped, pop-up, or child window. It specifies the window class, window title, window style, and (optionally) the 
   //                      initial position and size of the window. The function also specifies the window's parent or owner, if any, and the window's menu.
   // 1st arg  - A null-terminated string or a class atom created by a previous call to the RegisterClass or RegisterClassEx function.
   // 2nd arg  - The window name. If the window style specifies a title bar, the window title pointed to by lpWindowName is displayed in the title bar. 
   //           When using CreateWindow to create controls, such as buttons, check boxes, and static controls, use lpWindowName to specify the text of the control.
   // 3rd arg  - The style of the window being created. This parameter can be a combination of the window style values -> Window Styles (Windows)
   // 4th arg  - X coord - The initial horizontal position of the window. For an overlapped or pop-up window, the x parameter is the initial x-coordinate of the window's 
   //            upper-left corner, in screen coordinates. 
   // 5th arg  - Y coord - The initial vertical position of the window. For an overlapped or pop-up window, the y parameter is the initial y-coordinate of 
   //            the window's upper-left corner, in screen coordinates.
   // 6th arg  - The width, in device units, of the window. For overlapped windows, nWidth is either the window's width, in screen coordinates
   // 7th arg  - The height, in device units, of the window. For overlapped windows, nHeight is the window's height, in screen coordinates.
   // 8th arg  - A handle to the parent or owner window of the window being created. GetDesktopWindow() - Retrieves a handle to the desktop window. 
   //            The desktop window covers the entire screen. The desktop window is the area on top of which other windows are painted. Returns - The return value is a handle to the desktop window. 
   // 9th arg  - A handle to a menu, or specifies a child-window identifier depending on the window style. For an overlapped or pop-up window, hMenu 
   //            identifies the menu to be used with the window; it can be NULL if the class menu is to be used. 
   // 10th arg - A handle to the instance of the module to be associated with the window. Number 6 from above wc structure.
   // 11th arg - A pointer to a value to be passed to the window through the CREATESTRUCT structure (lpCreateParams member) pointed to by the lParam param of the WM_CREATE message.
   //             lpParam may be NULL if no additional data is needed.
   // return type - If the function succeeds, the return value is a handle to the new window.
	HWND hWnd = CreateWindow( "DX", NULL, WS_OVERLAPPEDWINDOW, 100, 100, 300, 300, GetDesktopWindow(), NULL, wc.hInstance, NULL );

   // Create a Direct3D object. This is a COM interface of type IDirect3D9.
   // Directx api - Direct3DCreate9 - Create an IDirect3D9 object and return an interface to it.
   // 1st arg - The value of this parameter should be D3D_SDK_VERSION.
   // return type - If successful, this function returns a pointer to an IDirect3D9 interface; otherwise, a NULL pointer is returned.
	LPDIRECT3D9 pD3D = NULL;
	if( NULL == ( pD3D = Direct3DCreate9( D3D_SDK_VERSION )))
      return E_FAIL;

   // --- Presentation Parameters ---
   // Create an object of the structure and then zero the memory. 
   // ZeroMemory Macro - Fills a block of memory with zeros.
   // 3rd member - The back buffer format. For more information about formats, see D3DFORMAT. This value must be one of the render-target formats as validated 
   //              by CheckDeviceType. You can use GetDisplayMode to obtain the current format. In fact, D3DFMT_UNKNOWN can be specified for the BackBufferFormat 
   //              while in windowed mode. This tells the runtime to use the current display-mode format and eliminates the need to call GetDisplayMode.
   // 7th member - Member of the D3DSWAPEFFECT enumerated type structure. The runtime will guarantee the implied semantics concerning buffer swap behavior; 
   //              therefore, if Windowed is TRUE and SwapEffect is set to D3DSWAPEFFECT_FLIP, the runtime will create one extra back buffer and 
   //              copy whichever becomes the front buffer at presentation time. D3DSWAPEFFECT_DISCARD will be enforced in the debug runtime by filling any buffer with noise after it is presented.
   //        D3DSWAPEFFECT Structure - Defines swap effects.
   //              When a swap chain is created with a swap effect of D3DSWAPEFFECT_FLIP 
   //              or D3DSWAPEFFECT_COPY, the runtime will guarantee that an IDirect3DDevice9::Present operation will not affect the content of any of 
   //              the back buffers. Unfortunately, meeting this guarantee can involve substantial video memory or processing overheads, especially when 
   //              implementing flip semantics for a windowed swap chain or copy semantics for a full-screen swap chain. An application may use the 
   //              D3DSWAPEFFECT_DISCARD swap effect to avoid these overheads and to enable the display driver to select the most efficient presentation 
   //              technique for the swap chain. This is also the only swap effect that may be used when specifying a value other than D3DMULTISAMPLE_NONE 
   //              for the MultiSampleType member of D3DPRESENT_PARAMETERS. 
   // 9th member - Windowed - TRUE if the application runs windowed; FALSE if the application runs full-screen. 
	D3DPRESENT_PARAMETERS d3dpp; 
	ZeroMemory( &d3dpp, sizeof(d3dpp) );
	d3dpp.BackBufferFormat = D3DFMT_UNKNOWN; // just sets it to zero
	d3dpp.SwapEffect       = D3DSWAPEFFECT_DISCARD;
	d3dpp.Windowed         = TRUE;
	
   // Create the most important object: the Direct3D device. This is a COM interface of type IDirect3DDevice9 and it’s essential if you expect
   // to actually draw anything on the screen. It represents a computer’s graphics card or some other graphical hardware.
	LPDIRECT3DDEVICE9 pd3dDevice;

   // Directx api - CreateDevice - Creates a device to represent the display adapter.
   // 1st arg - Ordinal number that denotes the display adapter. D3DADAPTER_DEFAULT is always the primary display adapter. 
   // 2nd arg - Member of the D3DDEVTYPE enumerated type that denotes the desired device type. If the desired device type is not available, the method will fail. 
   // 3rd arg - The focus window alerts Direct3D when an application switches from foreground mode to background mode. 
   // 4th arg - Combination of one or more options that control device creation. For more information, see D3DCREATE.
   // 5th arg - Pointer to a D3DPRESENT_PARAMETERS structure, describing the presentation parameters for the device to be created.
   // 6th arg - Address of a pointer to the returned IDirect3DDevice9 interface, which represents the created device.
   // return - If the method succeeds, the return value is D3D_OK. If the method fails, the return value can be one of the following: D3DERR_DEVICELOST, D3DERR_INVALIDCALL, D3DERR_NOTAVAILABLE, D3DERR_OUTOFVIDEOMEMORY
	if( FAILED( pD3D->CreateDevice( D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hWnd, D3DCREATE_SOFTWARE_VERTEXPROCESSING, &d3dpp, &pd3dDevice )))
   {
      return D3DERR_INVALIDCALL;
   }

   // Put the d3dDevice's poitner as a dword address into pVTable
	DWORD* pVTable = (DWORD*)pd3dDevice;

   // Put the dword address into pVTable for referencing these 118 direct3d devices functions. 
	pVTable = (DWORD*)pVTable[0];

   // These values are on the stack as a copy of what is inside the d3d9.h as a virtual function table.
   // I'm only putting reference to what and where I'm referencing this virtual table. Mostly where I'm getting 0, 42, 82, and 100 from.
   // This is our DWORD VTable[ 3 ] = { 0 }; from the Mythread function we saved for later and passed to DX_Init. Now we will fill it.
	table[ES]	= pVTable[42]; // Address into ES from Vtable. Later used in DetourFunction. Ref: End Scene inside d3d9.h line 752 
	table[DIP]	= pVTable[82]; // Address into DIP from Vtable. Later used in DetourFunction. Ref: DrawIndexedPrimitive inside d3d9.h line 792
	table[SSS]	= pVTable[100]; // Address into SSS from Vtable. Later used in DetourFunction. Ref: SetStreamSource inside d3d9.h line 810

   // Windows api - DestroyWindow - Destroys the specified window. The function sends WM_DESTROY and WM_NCDESTROY messages to the window to deactivate 
   //                               it and remove the keyboard focus from it. The function also destroys the window's menu, flushes the thread message queue, 
   //                               destroys timers, removes clipboard ownership, and breaks the clipboard viewer chain (if the window is at the top of the viewer chain).
   // 1st arg - A handle to the window to be destroyed. 
   // return type - If the function succeeds, the return value is nonzero.
	DestroyWindow(hWnd);
}// --- End of DX_Init ---

MsgProc:

Code:

// --- Start of MsgProc ---
// Api - WindowProc
// Return type - The return value is the result of the message processing and depends on the message sent.
// Callback - _stdcall
// 1st arg - A handle to the window. 
// 2nd arg - The message -> http://msdn.microsoft.com/en-us/library/ms644927(v=VS.85).aspx#system_defined
// 3rd arg - Additional message-specific information. The contents depend on the value of uMsg.
// 4th arg - Additional message-specific information. The contencts depend on the value of uMsg.
LRESULT CALLBACK MsgProc( HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
   // DefWindowProc is called with the same parameters received by WindowProc.
   // Return type - The return value is the result of the message processing and depends on the message. 
   return DefWindowProc( hwnd, uMsg, wParam, lParam );
}// --- End of MsgProc ---

EndScene:

Code:

// --- Start End Scene ---
HRESULT WINAPI hkEndScene( LPDIRECT3DDEVICE9 pDevice )
{
 
        // Make your code do whatever here

	return oEndScene( pDevice );
} // --- End of End Scene ---

DrawIndexedPrimitive:

Code:

// --- Start of DrawIndexedPrimitive ---
HRESULT WINAPI hkDrawIndexedPrimitive( LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE PrimType, INT BaseVertexIndex, UINT MinVertexIndex, UINT NumVertices, UINT startIndex, UINT primCount )
{
	__asm nop
        HRESULT hRet = oDrawIndexedPrimitive( pDevice, PrimType, BaseVertexIndex, MinVertexIndex, NumVertices, startIndex, primCount );

       // Make your code do whatever here

	return hRet;
}// --- End of DrawIndexedPrimitive ---

SetSreamSource:

Code:

// --- Start of SetStreamSource ---
HRESULT WINAPI hkSetStreamSource( LPDIRECT3DDEVICE9 pDevice, UINT StreamNumber, IDirect3DVertexBuffer9* pStreamData, UINT OffsetInBytes, UINT Stride )
{
	__asm nop

       // Make your code do whatever here

	return oSetStreamSource( pDevice, StreamNumber, pStreamData, OffsetInBytes, Stride );
}// --- End of SetStreamSource

Now you can make a menu after injecting this into the game or whatever... Good Luck...

Added: HRESULT hRet = oDrawIndexedPrimitive( pDevice, PrimType, BaseVertexIndex, MinVertexIndex, NumVertices, startIndex, primCount );

So, you kiddies will stop saying it doesn't work..


-Bit_Hacker

[zewt]

Thanks BitHacker.

Compiles fine.

Note: Requires Detours 1.5

[Arakkoa]

Are you sure you want to be doing this with Detours? That's a very easy method of hooking to detect..

[BitHacker]

Arakkoa,

its undetected Arakkoa, it doesn't use the game at all. Unless your injector is detected? This code overlays your desktop window..


-Bit_Hacker

[broomop]

this is hooking directx.... its HIGHLY detectable.

[Sychotix]

Now you can make a menu after injecting this into the game or whatever... Good Luck...
-Bit_Hacker

Arakkoa,
its undetected Arakkoa, it doesn't use the game at all. Unless your injector is detected? This code overlays your desktop window..
-Bit_Hacker

These two sentences contradict each other. This can easily be detected.

[broomop]

whats even more funny is how can someone code this and not know it hooks directx and thinks its undetectable... and just to be a bitch.. how is the injector going to get detected if you inject and before the process even loads up correctly... it should have already unloaded? lol

[BitHacker]

I think its funny how everyone says they have a better way and don't post 1 line of code. lmao...

[zewt]

I think its funny how everyone says they have a better way and don't post 1 line of code. lmao...

Amen!!!!!!!!!!!!!!!!!!!!!!!

[Sychotix]

I think its funny how everyone says they have a better way and don't post 1 line of code. lmao...

I think its funny how nobody said they had a better way.

Hooking endscene is a good way to do things, its just far from undetectable.

[BitHacker]

Sychotix,

Well your implying you know of other ways of not being detected. Some references would be nice. As for the people who would like to learn other ways?

-Bit_Hacker

[Sychotix]

Sychotix,

Well your implying you know of other ways of not being detected. Some references would be nice. As for the people who would like to learn other ways?

-Bit_Hacker

No I'm not. Saying that something is detectable says nothing about there being ways of not being detected. There are ways however. Try using the search function on bypassing Warden. There isn't that much information afaik, but there is a little here and there. Its kinda one of those things you need to learn on your own.

[BitHacker]

EXAMPLE of my code,





I just played with my code for an hour... I WASN'T BANNED... UNDETECTABLE...


Damn, WTF do people have to post to get plus REP around here... Jesus... I just hand feed all you guys...

-Bit_Hacker

[andy012345]

You won't get banned for hooking endscene, there are plenty of legit programs which hook it.

One thing I have to mention is CreateThread in DLLMain, you have so many comments in your code, yet you must have missed the documents Microsoft have roaming around for what not to do in DLLMain, and calling CreateThread, even without synchronisation between threads, is one of the things Microsoft call "risky".

[zewt]

Not sure detectability of this.. just know its working fine. Thank you for being generous enough to share it BitHacker