Sample Code - Another way of getting the EndScene address menu

  1. #1 _Mike

    Sample Code - Another way of getting the EndScene address

    No binaries provided because:
    1) It would be pointless; this is just some proof-of-concept code.
    2) I don't want to deal with all the retards yelling "keylogger!" because it makes HTTP connections to the MS symbol server.

    Uses dbghelp.dll and symsrv.dll from the Debugging Tools for Windows (32-bit version, from the Hardware Developer Center).
    You probably want to change the symbol search path to your own preference.

    Credits:
    Cypher - Stole his exception handling code from HadesMem
    MSDN

    SymbolHandler.h
    Code:
    #pragma once
    
    #include <Windows.h>
    // Set DbgHelp to use unicode strings (maps SymInitialize etc. to their W variants)
    #define DBGHELP_TRANSLATE_TCHAR
    #include <DbgHelp.h>
    #include <exception>
    #include <string>
    #include <boost/exception/all.hpp>
    
    namespace MSoft
    {
    	// Exception handling code stolen from HadesMem
    	typedef boost::error_info<struct TagErrorString, std::string> ErrorString;
    	typedef boost::error_info<struct TagErrorCode, DWORD> ErrorCode;
    
    	class SHError : public virtual std::exception, public virtual boost::exception
    	{
    	};
    
    	// Thin RAII wrapper around SymInitialize/SymCleanup for one process handle
    	class SymbolHandler
    	{
    	public:
    		SymbolHandler();
    		SymbolHandler(HANDLE process);
    		SymbolHandler(HANDLE process, const std::wstring& searchPath);
    		~SymbolHandler();
    
    		// Registers an already-loaded module with DbgHelp so its symbols can be resolved
    		void LoadSymbolsForModule(const std::wstring& moduleName);
    		// Resolves a name such as L"CD3DBase::EndScene" to its address in the target process
    		LPVOID GetAddressFromSymbol(const std::wstring& name, bool throwOnFailure = true);
    
    	private:
    		void Init(HANDLE process, const std::wstring& searchPath);
    		void Cleanup();
    
    		HANDLE _process;
    	};
    }
    SymbolHandler.cpp
    Code:
    #include "SymbolHandler.h"
    #include <vector>
    
    #pragma comment(lib, "dbghelp")
    
    namespace MSoft
    {
    	SymbolHandler::SymbolHandler()
    	{
    		_process = NULL;
    		// NB: NULL binds a null pointer to a std::wstring& here; see the corrected Init() posted later in this thread
    		Init(GetCurrentProcess(), NULL);
    	}
    
    	SymbolHandler::SymbolHandler(HANDLE process)
    	{
    		_process = NULL;
    		Init(process, NULL);
    	}
    
    	SymbolHandler::SymbolHandler(HANDLE process, const std::wstring& searchPath)
    	{
    		_process = NULL;
    		Init(process, searchPath);
    	}
    
    	SymbolHandler::~SymbolHandler()
    	{
    		// Never let SymCleanup's exception escape a destructor
    		try { Cleanup(); } catch(...) {}
    	}
    
    	void SymbolHandler::Init(HANDLE process, const std::wstring& searchPath)
    	{
    		if(_process)
    			Cleanup();
    
    		// SYMOPT_DEBUG is not really needed, but debug output is always good
    		// if something goes wrong
    		SymSetOptions(SYMOPT_DEBUG | SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME);
    		// fInvadeProcess = FALSE: modules are registered explicitly via LoadSymbolsForModule()
    		if(!SymInitialize(process, searchPath.c_str(), FALSE))
    			BOOST_THROW_EXCEPTION(SHError() << ErrorString("SymInitialize() failed") << ErrorCode(GetLastError()));
    		_process = process;
    	}
    
    	void SymbolHandler::Cleanup()
    	{
    		if(_process)
    		{
    			if(!SymCleanup(_process))
    				BOOST_THROW_EXCEPTION(SHError() << ErrorString("SymCleanup() failed") << ErrorCode(GetLastError()));
    			_process = NULL;
    		}
    	}
    
    	void SymbolHandler::LoadSymbolsForModule(const std::wstring& moduleName)
    	{
    		HMODULE h = GetModuleHandleW(moduleName.c_str());
    		if(!h)
    			BOOST_THROW_EXCEPTION(SHError() << ErrorString("GetModuleHandle() failed") << ErrorCode(GetLastError()));
    		// SymLoadModuleEx returns 0 with GetLastError() == ERROR_SUCCESS when the module is already loaded
    		if(!SymLoadModuleEx(_process, NULL, moduleName.c_str(), NULL, (DWORD64)h, 0, NULL, 0) && GetLastError() != ERROR_SUCCESS)
    			BOOST_THROW_EXCEPTION(SHError() << ErrorString("SymLoadModuleEx() failed") << ErrorCode(GetLastError()));
    	}
    
    	LPVOID SymbolHandler::GetAddressFromSymbol(const std::wstring& name, bool throwOnFailure)
    	{
    		// SYMBOL_INFO is followed by its variable-length Name buffer. MaxNameLen is in characters,
    		// and MAX_SYM_NAME is the size DbgHelp documents as sufficient for any symbol name.
    		std::vector<char> buffer(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(wchar_t));
    		PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer.data();
    		pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
    		pSymbol->MaxNameLen = MAX_SYM_NAME;
    		if(!SymFromName(_process, name.c_str(), pSymbol))
    		{
    			// If you know your symbol name is valid then this most likely happens
    			// because symsrv.dll isn't loaded.
    			if(throwOnFailure)
    				BOOST_THROW_EXCEPTION(SHError() << ErrorString("SymFromName() failed") << ErrorCode(GetLastError()));
    			else
    				return NULL;
    		}
    		return (LPVOID)pSymbol->Address;
    	}
    }
    DllMain.cpp
    Code:
    #include "SymbolHandler.h"
    #include <sstream>
    #include <string>
    
    using MSoft::SymbolHandler;
    
    BOOL WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID)
    {
    	return TRUE;
    }
    
    __declspec(dllexport) void Load(const char* str)
    {
    	// SRV*<local cache>*<symbol server>: symbols are downloaded once and then served from the cache
    	std::wstring searchPath = L"SRV*C:\\ProgramData\\Symbols*http://msdl.microsoft.com/download/symbols";
    	try
    	{
    		SymbolHandler sh(GetCurrentProcess(), searchPath);
    		sh.LoadSymbolsForModule(L"d3d9");
    		LPVOID address = sh.GetAddressFromSymbol(L"CD3DBase::EndScene");
    		std::wostringstream msg;
    		msg << L"EndScene address: 0x" << std::hex << address;
    		MessageBoxW(NULL, msg.str().c_str(), L"Info", MB_ICONINFORMATION);
    	}
    	catch(std::exception const& e)
    	{
    		MessageBoxA(NULL, boost::diagnostic_information(e).c_str(), "Error!", MB_ICONERROR);
    	}
    }
    Last edited by _Mike; 11-13-2010 at 04:58 PM.

  2. #2 Cypher
    Nice job! (Totally gonna steal your idea for HadesMem )

  3. #3 Shenlok
    Seems like quite a nice solution, thanks for sharing _Mike.

  4. #4 Cypher
    Oh btw, for reading the symbol path, you should try checking the '_NT_SYMBOL_PATH' environmental var.

  5. #5 _Mike
    Yes I know, that's why I have the SymbolHandler::SymbolHandler(HANDLE process) constructor.
    SymInitialize Function (Windows)
    UserSearchPath [in, optional]
    The path, or series of paths separated by a semicolon (;), that is used to search for symbol files. If this parameter is NULL, the library attempts to form a symbol path from the following sources:

    The current working directory of the application
    The _NT_SYMBOL_PATH environment variable
    The _NT_ALTERNATE_SYMBOL_PATH environment variable
    The explicit path in the OP was just there to demonstrate usage.

    Also, if anyone is having problems with the dbghelp library functions failing: you need to have matching versions of dbghelp.dll and symsrv.dll in the same directory. symsrv.dll will NOT be loaded from the standard search path.
    Calling the DbgHelp Library (Windows)
    Last edited by _Mike; 11-13-2010 at 10:18 PM.
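The search-path handling the thread relies on (the explicit SRV*cache*server string in the OP's DllMain.cpp and the NULL fallback order quoted from MSDN above), as an added, portable C++17 example that is not _Mike's code and needs no DbgHelp: it splits a symbol path into its elements and picks a path the way SymInitialize is documented to when none is given. The environment lookup is injected through an assumed EnvLookup interface so the fallback order can be checked offline.

```cpp
#include <cctype>
#include <functional>
#include <optional>
#include <string>
#include <vector>
// One ';'-separated element of a DbgHelp symbol search path.
struct SymPathElement {
    std::string kind;    // "srv" (symbol server) or "dir" (plain directory)
    std::string cache;   // downstream store for srv* elements; empty means DbgHelp's default
    std::string server;  // upstream store for srv* elements
    std::string dir;     // directory for plain elements
};
// Assumed interface: environment lookup is injected so the fallback order runs without a real environment.
using EnvLookup = std::function<std::optional<std::string>(const std::string&)>;

// Precedence SymInitialize documents when UserSearchPath is NULL: an explicit path wins,
// then _NT_SYMBOL_PATH, then _NT_ALTERNATE_SYMBOL_PATH (after that, only the working directory).
std::optional<std::string> ResolveSymbolPath(const std::optional<std::string>& explicitPath,
                                             const EnvLookup& getEnv)
{
    if (explicitPath) return explicitPath;
    for (const char* var : {"_NT_SYMBOL_PATH", "_NT_ALTERNATE_SYMBOL_PATH"})
        if (auto v = getEnv(var); v && !v->empty()) return v;
    return std::nullopt;
}

// Splits a symbol path into elements and classifies each one.
std::vector<SymPathElement> ParseSymbolPath(const std::string& path)
{
    std::vector<SymPathElement> out;
    for (size_t start = 0; start <= path.size();) {
        size_t end = path.find(';', start);
        if (end == std::string::npos) end = path.size();
        std::string elem = path.substr(start, end - start);
        start = end + 1;
        if (elem.empty()) continue;
        size_t star = elem.find('*');
        std::string head = elem.substr(0, star);  // the whole element when there is no '*'
        for (auto& c : head) c = (char)std::tolower((unsigned char)c);
        if (star == std::string::npos || head != "srv") {
            out.push_back({"dir", "", "", elem});  // plain directory (unknown prefixes kept literally)
            continue;
        }
        // srv*cache*server, or srv*server when the local cache is left to DbgHelp's default
        std::string rest = elem.substr(star + 1);
        SymPathElement e{"srv", "", "", ""};
        if (size_t s2 = rest.find('*'); s2 == std::string::npos) e.server = rest;
        else { e.cache = rest.substr(0, s2); e.server = rest.substr(s2 + 1); }
        out.push_back(e);
    }
    return out;
}
```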

  6. #6 Cypher
    Ah right, didn't read closely enough. Cool.

  7. #7 _Mike
    Update:
    Serious bug in the original code.. (Note to self: test before posting.) NULL references are baad.
    Replacement methods
    Code:
    // The header declaration changes to match: void Init(HANDLE process, const std::wstring* searchPath);
    // The other two constructors keep calling Init(process, NULL), which is now a null pointer rather than a null reference.
    SymbolHandler::SymbolHandler(HANDLE process, const std::wstring& searchPath)
    {
    	_process = NULL;
    	Init(process, &searchPath);
    }
    
    void SymbolHandler::Init(HANDLE process, const std::wstring* searchPath)
    {
    	if(_process)
    		Cleanup();
    
    	// A NULL path makes DbgHelp fall back to the working directory and the _NT_SYMBOL_PATH variables
    	const wchar_t* path = searchPath ? searchPath->c_str() : NULL;
    
    	SymSetOptions(SYMOPT_DEBUG | SYMOPT_DEFERRED_LOADS | SYMOPT_UNDNAME);
    	if(!SymInitialize(process, path, FALSE))
    		BOOST_THROW_EXCEPTION(SHError() << ErrorString("SymInitialize() failed") << ErrorCode(GetLastError()));
    	_process = process;
    }

  8. #8 MaiN
    Cool. This way looks much better than creating a new device and getting it like that, much less invasive. Still, the 2 offsets required for this particular address (in WoW) seem much easier. I guess this would be useful for a generic EndScene hook though.

  9. #9 _Mike
    Originally Posted by MaiN
    Cool. This way looks much better than creating a new device and getting it like that, much less invasive. Still, the 2 offsets required for this particular address (in WoW) seem much easier. I guess this would be useful for a generic EndScene hook though.
    Yeah, you won't have the same issues as when you happen to create a device that has parameters incompatible with the original d3d device, so it works on any d3d* game. (There might be issues if the game uses a custom wrapper with the same module name as the d3d dlls; I haven't tested.)
    It's also not limited to EndScene hooking, obviously. Microsoft has symbol libraries for almost all of the public Windows APIs, and lots of the undocumented internals as well. For example, ntdll!ShowSnaps is a variable I found very useful when debugging my dll injector.
    But then there's the drawback of needing an internet connection, or having the relevant symbols pre-downloaded. And then there's all the "experts" who will claim that your dll is a keylogger because their firewall tells them it tries to connect to microsoft.com.

    As to using static offsets being easier or not; I guess that depends on how you define easier.
    It would make the code a lot less complicated and leave fewer sources of error. But for someone like me, who isn't that good at reverse engineering, this method would be a lot easier. I could probably find the device pointers myself, but it would take a lot longer than it took me to write this class.
    I guess I could always just come here and look through the info dump threads after a patch, but that would be cheating. And I'd be too dependent on others to do the work for me.

  10. #10 Cypher
    I always prefer generic solutions over game-specific ones because whilst it's more work up-front it's less work overall if you're working on a lot of targets.

    The fact that an internet connection is required for this is definitely a downside, but it's not like it needs to download it every time, after the first download it'll usually just be able to pull it from your symbol cache (unless of course the DLL is updated). Besides, who doesn't have an always-on internet connection nowadays?

  11. #11 Greyman
    Originally Posted by Cypher
    Besides, who doesn't have an always-on internet connection nowadays?
    People who let the Blizzard Downloader bork their internet download limits leap to mind :P

  12. #12 Cypher
    Originally Posted by Greyman
    People who let the Blizzard Downloader bork their internet download limits leap to mind :P
    As if that's my fault. I was asleep! >.<

    That's one of the downsides of having a fast internet connection. When something like that happens you're pretty much ****ed in regards to your monthly usage quota.

  13. #13 adaephon
    Originally Posted by Cypher
    That's one of the downsides of having a fast internet connection. When something like that happens you're pretty much ****ed in regards to your monthly usage quota.
    Fast internet connection and low download quota... that sounds like Telstra...

  14. #14 jjaa
    Ewwww Telstra, I'll stick with iiNet: reasonably fast connection, large quota. However, I wonder, do Americans know what a download quota is? I hear they have it pretty good over there.

  15. #15 dook123
    iconnection

    30Meg Connection and no Quota
    Aka- America
