Hooking DirectX CreateDevice

[nitrogrlie]

This is in response to an older thread that I cannot reply to since it's too old.
Old Thread: LINK

You don't actually need to go to all the work of finding the device pointers etc. You can just hook CreateDevice using a regular API hook if you're injecting when the process is created. Otherwise I believe theres an API you can call that will return the current device pointer.

Either way, there are better ways to hook the D3D APIs that are fully generic (ie will work on any game without modification).

I think I'm going to code something up that does what Cypher describes. The way I see you would need to do the following:

1) Create a process that essentially loads another process
2) Start the second process in suspended state
3) Hook the LoadLibrary call so that you can monitor it for when the d3d9.dll gets loaded (some investigation showed that it gets loaded 3 times when WoW initializes, and the 3rd time is the proper base-address location for what WoW uses when its running)
4) Once you obtain the address where the d3d9.dll is loaded then you should use GetProcAddress(hD3D9DLL, "Direct3DCreate9"); and put in a hook at that place so that when the interface is created you can copy the pointer and then follow it to gain the virtual function table address.
5) Hook the CreateDevice virtual function to instantiate your own copy that passes through all future calls to that device except the ones you care about and want to add extra code for (e.g. EndScene). This will also allow you to draw/write into the game.

That would provide a game-agnostic approach for hooking any game that uses DirectX9 (or any DirectX really just switch the dll and function you are looking for). Additionally, you could use something else instead of DirectX with the same approach if you know a function that is called by the main thread for updating (I know of people that use PhysX API instead of DirectX with their games).

The disadvantage with this approach is that you must load the game every time through your loader.

Cypher, did you ever figure out that API call that will return the current device pointer?

[nitrogrlie]

Cypher, did you ever figure out that API call that will return the current device pointer?

I was search on web and perhaps this is the API call I've been searching for:

Code:

The instance of IDirect3D9 that created the device can be obtained with
the GetDirect3D method. You may need this to re-enumerate display modes
on the adapter if you didn't cache this information.

HRESULT GetDirect3D(IDirect3D9 **value)

[lanman92]

I'm positive it doesn't re-instantiate WoW's device, but since EndScene is a class function you don't have to worry about getting their device. Just use the object to grab the address of EndScene and then drop the DirectX device? I'm not so sure how this would work with the other functions you need for rendering, but I'm pretty sure this would work great for just a hook.

[_Mike]

I was looking through some unread threads and found this one, and I thought I'd share how I'm getting the d3d device.
The benefits of using this method instead of reversing games to find device pointers or hooking CreateDevice is that you never have to worry about updating any offsets, it's game/patch independant (as long as it's a DX8/9 game obviously), and you don't have to inject at process creation.
There are probably lots of other ways of doing the same thing, but it works so it's good enough for me

* Inject your dll
* Create a basic window
RegisterClassEx Function ()
CreateWindowEx Function ()
WindowProc Function ()
* In the WM_CREATE event:
* Get an IDirect3D9 pointer from d3d=Direct3DCreate9()
Direct3DCreate9
* Get a device pointer from d3d->CreateDevice()
IDirect3D9::CreateDevice
* Get the address of EndScene, or any other functions you need, from your device's vmt and hook them.
* Release the device and direct3d resources
* Destroy the window
* ???
* Profit

Note that the device you create is not the same device as the game is using, so you can't use it for rendering. If you want the actual device pointer just look at what the game is feeding to your hooked EndScene and you'll have it.

I was search on web and perhaps this is the API call I've been searching for:

Code:

The instance of IDirect3D9 that created the device can be obtained with
the GetDirect3D method. You may need this to re-enumerate display modes
on the adapter if you didn't cache this information.

HRESULT GetDirect3D(IDirect3D9 **value)

Code:

HRESULT IDirect3DDevice9::GetDirect3D(IDirect3D9** ppD3D9);

You need to already have the device to use that function though

[Cypher]

The problem with the approach above, is that when you create the device, it can interfere with the game.

Whether the device is set to be in Windowed mode or not causes this. As far as I can tell it's impossible to set 1 value that works across all games. Trust me, I've tried.

If you're only using it for one game, then that approach is fine, but if you're trying to do it in a game-independent manner, you're going to run into problems.

[nitrogrlie]

I do the same thing as you, and actually posted code for how I do it, but in a different thread, hence I'm reposting my post here, as it is more appropriate.

I used to think that hooking D3D was gonne be somewhat-challenging and put it off too, until today. It turned out to be extremely easy actually with a simple trick. Instead of looking for the D3D9 device pointer, create your own inside of an injected DLL in the WoW process space. When you do that you can hook the virtual functions you are interested in based off of your D3D9 device and because it inherits from the same objects as WoW's D3D9 device the pointer to the VFT of your's and their device points to the same location. So VFT hooks to your device will also affect WoW's device.

Below is the code to do this:

Code:

typedef HRESULT ( WINAPI * tEndScene )( IDirect3DDevice9 * pThis );
tEndScene oEndScene = 0;
typedef HRESULT ( WINAPI * tReset )( IDirect3DDevice9 * pDevice, void * pPresentationParameters );
tReset oReset = 0;

void HookDevice( IDirect3DDevice9 * pDevice, HWND hFocusWindow )
{
	// Hook EndScene
	oEndScene = *(tEndScene*)( *(DWORD*)pDevice + 0xA8 );
	YOUR_DETOUR_LIB( &(PVOID&)oEndScene, (PBYTE)hook_EndScene, "EndScene" );

	// Hook Reset
	oReset = *(tReset*)( *(DWORD*)pDevice +  0x40 );
	YOUR_DETOUR_LIB( &(PVOID&)oReset, (PBYTE)hook_Reset, "Reset" );

	// Hook Anything else you like...
}

void InitDevice( IDirect3D9 * pD3D, HWND hWindow, IDirect3DDevice9 ** ppDevice, D3DPRESENT_PARAMETERS d3dPP )
{
	d3dPP.BackBufferCount = 1;
	d3dPP.MultiSampleType = D3DMULTISAMPLE_NONE;
	d3dPP.SwapEffect = D3DSWAPEFFECT_DISCARD;
	d3dPP.hDeviceWindow = hWindow;
	d3dPP.FullScreen_RefreshRateInHz = D3DPRESENT_RATE_DEFAULT;
	d3dPP.PresentationInterval = D3DPRESENT_INTERVAL_IMMEDIATE;
	d3dPP.BackBufferFormat = D3DFMT_R5G6B5;
	d3dPP.Windowed = TRUE;

	pD3D->CreateDevice( D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hWindow, D3DCREATE_HARDWARE_VERTEXPROCESSING, &d3dPP, ppDevice );

	HookDevice( *ppDevice, hWindow );
}

void HookD3D()
{
	D3DPRESENT_PARAMETERS d3dPP;
	IDirect3DDevice9 * pDevice = 0;
	HWND hWindow = 0;

	IDirect3D9 * pD3D = Direct3DCreate9( D3D_SDK_VERSION );

	hWindow = FindWindow(NULL, TEXT("World of Warcraft") ); 

	if( !hWindow ) {
		MessageBox(0, "Failed to obtain WoW hWindow", "Error", 0);
	}

	memset( &d3dPP, 0, sizeof( D3DPRESENT_PARAMETERS ) );
	InitDevice( pD3D, hWindow, &pDevice, d3dPP );
}

Then after your bot-framework initializes just call HookD3D().

Obviously you will need to write you own hook_* functions.

[Flowerew]

Uhm, what about a simple unconditional jump?!

[kynox]

I do the same thing as you, and actually posted code for how I do it, but in a different thread, hence I'm reposting my post here, as it is more appropriate.

I used to think that hooking D3D was gonne be somewhat-challenging and put it off too, until today. It turned out to be extremely easy actually with a simple trick. Instead of looking for the D3D9 device pointer, create your own inside of an injected DLL in the WoW process space. When you do that you can hook the virtual functions you are interested in based off of your D3D9 device and because it inherits from the same objects as WoW's D3D9 device the pointer to the VFT of your's and their device points to the same location. So VFT hooks to your device will also affect WoW's device.

Below is the code to do this:

Code:

typedef HRESULT ( WINAPI * tEndScene )( IDirect3DDevice9 * pThis );
tEndScene oEndScene = 0;
typedef HRESULT ( WINAPI * tReset )( IDirect3DDevice9 * pDevice, void * pPresentationParameters );
tReset oReset = 0;

void HookDevice( IDirect3DDevice9 * pDevice, HWND hFocusWindow )
{
    // Hook EndScene
    oEndScene = *(tEndScene*)( *(DWORD*)pDevice + 0xA8 );
    YOUR_DETOUR_LIB( &(PVOID&)oEndScene, (PBYTE)hook_EndScene, "EndScene" );

    // Hook Reset
    oReset = *(tReset*)( *(DWORD*)pDevice +  0x40 );
    YOUR_DETOUR_LIB( &(PVOID&)oReset, (PBYTE)hook_Reset, "Reset" );

    // Hook Anything else you like...
}

void InitDevice( IDirect3D9 * pD3D, HWND hWindow, IDirect3DDevice9 ** ppDevice, D3DPRESENT_PARAMETERS d3dPP )
{
    d3dPP.BackBufferCount = 1;
    d3dPP.MultiSampleType = D3DMULTISAMPLE_NONE;
    d3dPP.SwapEffect = D3DSWAPEFFECT_DISCARD;
    d3dPP.hDeviceWindow = hWindow;
    d3dPP.FullScreen_RefreshRateInHz = D3DPRESENT_RATE_DEFAULT;
    d3dPP.PresentationInterval = D3DPRESENT_INTERVAL_IMMEDIATE;
    d3dPP.BackBufferFormat = D3DFMT_R5G6B5;
    d3dPP.Windowed = TRUE;

    pD3D->CreateDevice( D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hWindow, D3DCREATE_HARDWARE_VERTEXPROCESSING, &d3dPP, ppDevice );

    HookDevice( *ppDevice, hWindow );
}

void HookD3D()
{
    D3DPRESENT_PARAMETERS d3dPP;
    IDirect3DDevice9 * pDevice = 0;
    HWND hWindow = 0;

    IDirect3D9 * pD3D = Direct3DCreate9( D3D_SDK_VERSION );

    hWindow = FindWindow(NULL, TEXT("World of Warcraft") ); 

    if( !hWindow ) {
        MessageBox(0, "Failed to obtain WoW hWindow", "Error", 0);
    }

    memset( &d3dPP, 0, sizeof( D3DPRESENT_PARAMETERS ) );
    InitDevice( pD3D, hWindow, &pDevice, d3dPP );
}

Then after your bot-framework initializes just call HookD3D().

Obviously you will need to write you own hook_* functions.

DirectX doesn't complain when you try and create a second device on its window?

Why not go for the more generic approach and make your own window?:

Code:

    void D3D9Mgr::Startup()
    {
        ATOM classAtom                = 0;
        HWND hWnd                    = 0;

        IDirect3D9* pDirect3D9        = nullptr;
        IDirect3DDevice9* pDevice    = nullptr;

        try
        {
            WNDCLASSEX wndClass;
            std::fill_n( reinterpret_cast<PBYTE>(&wndClass), sizeof(wndClass),
                0 );

            wndClass.cbSize            = sizeof(wndClass);
            wndClass.style            = CS_CLASSDC;
            wndClass.lpfnWndProc    = DefWindowProc;
            wndClass.lpszClassName    = _T("AresWndClass");

            classAtom = RegisterClassEx( &wndClass );

            if ( !classAtom )
                throw std::runtime_error("RegisterClassEx failed");

            hWnd = CreateWindow(_T("AresWndClass"),_T("AresWindow"), 0, 0, 0,
                1, 1, HWND_DESKTOP, 0, 0, 0);

            if ( !hWnd )
                throw std::runtime_error("CreateWindow failed");

            pDirect3D9 = Direct3DCreate9(D3D_SDK_VERSION);

            if ( pDirect3D9 == nullptr )
                throw std::runtime_error("Failed to create Direct3D9");

            D3DPRESENT_PARAMETERS PresentParams;
            std::fill_n( reinterpret_cast<PBYTE>(&PresentParams),
                sizeof(D3DPRESENT_PARAMETERS), 0 );

            PresentParams.Windowed            = true;
            PresentParams.SwapEffect        = D3DSWAPEFFECT_DISCARD;
            PresentParams.BackBufferFormat    = D3DFMT_UNKNOWN;

            if ( FAILED(pDirect3D9->CreateDevice(D3DADAPTER_DEFAULT,
                D3DDEVTYPE_HAL, hWnd, D3DCREATE_SOFTWARE_VERTEXPROCESSING,
                &PresentParams, &pDevice)) )
                throw std::runtime_error("Failed to create device");

            PDWORD_PTR Vtable = *reinterpret_cast<PDWORD_PTR*>( pDevice );

            m_OrigEndScene = Vtable[42];
            m_OrigReset = Vtable[16];

            m_TrampEndScene = reinterpret_cast<tOrigEndScene>(
                Detours::DetourFunc( reinterpret_cast<PBYTE>(m_OrigEndScene),
                reinterpret_cast<PBYTE>(HkEndScene), 5 ) );

            m_TrampReset = reinterpret_cast<tOrigReset>(
                Detours::DetourFunc( reinterpret_cast<PBYTE>(m_OrigReset),
                reinterpret_cast<PBYTE>(HkReset), 5 ) );
        } catch( const std::exception& e )
        {
            std::cout << "D3D9Hook: Exception: " << e.what() << std::endl;
        }

        // TODO: Implement RAII on these variables

        if ( pDevice != nullptr )
            pDevice->Release();

        if ( pDirect3D9 != nullptr )
            pDirect3D9->Release();

        if ( hWnd != 0 )
            DestroyWindow(hWnd);

        if ( classAtom != 0 )
            UnregisterClass( _T("AresWndClass"), 0 );
    }

[Cypher]

DirectX doesn't complain when you try and create a second device on its window?

Why not go for the more generic approach and make your own window?:

Code:

    void D3D9Mgr::Startup()
    {
        ATOM classAtom                = 0;
        HWND hWnd                    = 0;

        IDirect3D9* pDirect3D9        = nullptr;
        IDirect3DDevice9* pDevice    = nullptr;

        try
        {
            WNDCLASSEX wndClass;
            std::fill_n( reinterpret_cast<PBYTE>(&wndClass), sizeof(wndClass),
                0 );

            wndClass.cbSize            = sizeof(wndClass);
            wndClass.style            = CS_CLASSDC;
            wndClass.lpfnWndProc    = DefWindowProc;
            wndClass.lpszClassName    = _T("AresWndClass");

            classAtom = RegisterClassEx( &wndClass );

            if ( !classAtom )
                throw std::runtime_error("RegisterClassEx failed");

            hWnd = CreateWindow(_T("AresWndClass"),_T("AresWindow"), 0, 0, 0,
                1, 1, HWND_DESKTOP, 0, 0, 0);

            if ( !hWnd )
                throw std::runtime_error("CreateWindow failed");

            pDirect3D9 = Direct3DCreate9(D3D_SDK_VERSION);

            if ( pDirect3D9 == nullptr )
                throw std::runtime_error("Failed to create Direct3D9");

            D3DPRESENT_PARAMETERS PresentParams;
            std::fill_n( reinterpret_cast<PBYTE>(&PresentParams),
                sizeof(D3DPRESENT_PARAMETERS), 0 );

            PresentParams.Windowed            = true;
            PresentParams.SwapEffect        = D3DSWAPEFFECT_DISCARD;
            PresentParams.BackBufferFormat    = D3DFMT_UNKNOWN;

            if ( FAILED(pDirect3D9->CreateDevice(D3DADAPTER_DEFAULT,
                D3DDEVTYPE_HAL, hWnd, D3DCREATE_SOFTWARE_VERTEXPROCESSING,
                &PresentParams, &pDevice)) )
                throw std::runtime_error("Failed to create device");

            PDWORD_PTR Vtable = *reinterpret_cast<PDWORD_PTR*>( pDevice );

            m_OrigEndScene = Vtable[42];
            m_OrigReset = Vtable[16];

            m_TrampEndScene = reinterpret_cast<tOrigEndScene>(
                Detours::DetourFunc( reinterpret_cast<PBYTE>(m_OrigEndScene),
                reinterpret_cast<PBYTE>(HkEndScene), 5 ) );

            m_TrampReset = reinterpret_cast<tOrigReset>(
                Detours::DetourFunc( reinterpret_cast<PBYTE>(m_OrigReset),
                reinterpret_cast<PBYTE>(HkReset), 5 ) );
        } catch( const std::exception& e )
        {
            std::cout << "D3D9Hook: Exception: " << e.what() << std::endl;
        }

        // TODO: Implement RAII on these variables

        if ( pDevice != nullptr )
            pDevice->Release();

        if ( pDirect3D9 != nullptr )
            pDirect3D9->Release();

        if ( hWnd != 0 )
            DestroyWindow(hWnd);

        if ( classAtom != 0 )
            UnregisterClass( _T("AresWndClass"), 0 );
    }

That still suffers from the Windowed vs Fullscreen problem.

[_Mike]

The problem with the approach above, is that when you create the device, it can interfere with the game.

Whether the device is set to be in Windowed mode or not causes this. As far as I can tell it's impossible to set 1 value that works across all games. Trust me, I've tried.

If you're only using it for one game, then that approach is fine, but if you're trying to do it in a game-independent manner, you're going to run into problems.

What type of interference are you refereing to?
I haven't noticed any problems yet, although that might be because of my limited selection of games to test.

[Cypher]

What type of interference are you refereing to?
I haven't noticed any problems yet, although that might be because of my limited selection of games to test.

Try Call of Duty 4. I seem to remember that creating my own device under that game caused problems if the Windowed parameter wasn't set correctly.

There are a bunch of other games too which also do it, but I've got so many I forget which ones caused it and which didn't...

[galpha]

Probably a less cleaner way to do it is to make your injector monitor every 10ms or so for when your process is created and inject your dll as soon as is it. Makes things a lot easier and I haven't encountered any problems so far.

[boredevil]

Or you could just forget about the device and grab it later in your endscenehook

I found this nice tutorial by accident, it is written in German, but that shouldn´t be a big problem. The magic happens on the last page and the code is pretty much self explaining:

D3D9 Hooking Tutorial by purple.d1amond - google for it, it´s a pdf

It comes all down to this:

Code:

HMODULE hModule = NULL;
while(!hModule)
{
	hModule = GetModuleHandleA("d3d9.dll");
	Sleep(100);
}
DWORD* VTableStart = 0;
DWORD FoundByGordon = dwFindPattern((DWORD)hModule, 0x128000,
			(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

memcpy(&VTableStart, (void*)(FoundByGordon+2), 4);

dwDrawIndexedPrimitive = (DWORD)VTableStart[82];	
dwEndScene = (DWORD)VTableStart[42];

It´s not my work, credits go to others:

purple.d1amond
GameDeception.net – Azorbix
MP-hacks.net – Gordon

[Cypher]

Or you could just forget about the device and grab it later in your endscenehook

I found this nice tutorial by accident, it is written in German, but that shouldn´t be a big problem. The magic happens on the last page and the code is pretty much self explaining:

D3D9 Hooking Tutorial by purple.d1amond - google for it, it´s a pdf

It comes all down to this:

Code:

HMODULE hModule = NULL;
while(!hModule)
{
	hModule = GetModuleHandleA("d3d9.dll");
	Sleep(100);
}
DWORD* VTableStart = 0;
DWORD FoundByGordon = dwFindPattern((DWORD)hModule, 0x128000,
			(PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");

memcpy(&VTableStart, (void*)(FoundByGordon+2), 4);

dwDrawIndexedPrimitive = (DWORD)VTableStart[82];	
dwEndScene = (DWORD)VTableStart[42];

It´s not my work, credits go to others:

purple.d1amond
GameDeception.net – Azorbix
MP-hacks.net – Gordon

Not generic or portable. Could be broken by a DX update.

Imo a better method would be to download symbols on the fly from the Microsoft symbol servers using the debugging APIs, however that would require you to have an internet connection available whenever you loaded the application for the first time, or after a DX update.