detours lib

D3D9Hook/D3D9Hook.vcxproj

@@ -72,13 +72,13 @@
   <PropertyGroup Label="UserMacros" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <LinkIncremental>true</LinkIncremental>
-    <IncludePath>C:\Users\hugo_\Documents\Dev\d9hook\imgui;C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Include;C:\Users\hugo_\Documents\Dev\lib\detours-master\detours;$(IncludePath)</IncludePath>
-    <LibraryPath>C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Lib\x86;C:\Users\hugo_\Documents\Dev\lib\detours-master\Win32\Release;$(LibraryPath)</LibraryPath>
+    <IncludePath>C:\Users\hugo_\Documents\Dev\GitHub\d9hook\imgui;C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Include;C:\Users\hugo_\Documents\Dev\GitHub\d9hook\detours\detours;$(IncludePath)</IncludePath>
+    <LibraryPath>C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Lib\x86;C:\Users\hugo_\Documents\Dev\GitHub\d9hook\detours\x86;$(LibraryPath)</LibraryPath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <LinkIncremental>false</LinkIncremental>
-    <IncludePath>C:\Users\hugo_\Documents\Dev\d9hook\imgui;C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Include;C:\Users\hugo_\Documents\Dev\lib\detours-master\detours;$(IncludePath)</IncludePath>
-    <LibraryPath>C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Lib\x86;C:\Users\hugo_\Documents\Dev\lib\detours-master\Win32\Release;$(LibraryPath)</LibraryPath>
+    <IncludePath>C:\Users\hugo_\Documents\Dev\GitHub\d9hook\imgui;C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Include;C:\Users\hugo_\Documents\Dev\GitHub\d9hook\detours\detours;$(IncludePath)</IncludePath>
+    <LibraryPath>C:\Program Files %28x86%29\Microsoft DirectX SDK %28June 2010%29\Lib\x86;C:\Users\hugo_\Documents\Dev\GitHub\d9hook\detours\x86;$(LibraryPath)</LibraryPath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <LinkIncremental>true</LinkIncremental>

README.md

@@ -1,9 +1,21 @@
-# d9hook Concept 
+# d9hook POC 
 
-Internal hack for any game using DirectX9 and imgui to render a menu. It hook functions and steal the game's d3d device to render things like the menu and other stuff. It still only a concept and can be improved !<br/>
-I didn't spent a lot of time on it<br/>
-
-You will need to use the detour lib: `https://github.com/Nukem9/detours`.<br/>
-Make sure to included it in Visual Studio and build the detour lib 
+Internal hack for any game using DirectX9 and imgui to render a menu. It hook functions and steal the game's d3d device to render things like the menu and other stuff. It still only a concept and can be improved !
 
+## Setup:
+
+Project > Propreties > Configuration Properties > VC++ Directories:
+
+Inlcude Directories: 
+- Include the `imgui/` folder
+- Include the `detours/detours/` folder (detour lib: `https://github.com/Nukem9/detours`)
+- Install and Inlcude Microsoft DirectX SDK 2010 Include folder: `https://www.microsoft.com/en-us/download/details.aspx?id=6812`
+
+Library Directories:
+- Include `detours/x86/` folder (detours.lib is inside or recompile it and place it somewhere else)
+- Include Microsoft DirectX SDK 2010 Lib/x86/ folder
+
+(If you want to compile it using x64 recompile the detours lib and include the x64 lib of the Microsoft DirectX SDK)
 
+**Disclaimer**
+*This hook was written when I was beginning Game Hacking and can be improved, to understand how it works I suggest you to check out Guided Hacking and Null videos*

detours/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Nukem <Nukem@outlook.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

detours/README.md

@@ -0,0 +1,5 @@
+# Detours
+
+
+This project uses:
+- Zydis: https://github.com/zyantific/zydis

detours/detours.sln

@@ -0,0 +1,91 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.28922.388
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "detours", "detours\detours.vcxproj", "{06E30C65-D79A-4FEC-8A60-B36D907E6601}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug Kernel|Win32 = Debug Kernel|Win32
+		Debug Kernel|x64 = Debug Kernel|x64
+		Debug MD DLL|Win32 = Debug MD DLL|Win32
+		Debug MD DLL|x64 = Debug MD DLL|x64
+		Debug MD|Win32 = Debug MD|Win32
+		Debug MD|x64 = Debug MD|x64
+		Debug MT DLL|Win32 = Debug MT DLL|Win32
+		Debug MT DLL|x64 = Debug MT DLL|x64
+		Debug MT|Win32 = Debug MT|Win32
+		Debug MT|x64 = Debug MT|x64
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release Kernel|Win32 = Release Kernel|Win32
+		Release Kernel|x64 = Release Kernel|x64
+		Release MD DLL|Win32 = Release MD DLL|Win32
+		Release MD DLL|x64 = Release MD DLL|x64
+		Release MD|Win32 = Release MD|Win32
+		Release MD|x64 = Release MD|x64
+		Release MT DLL|Win32 = Release MT DLL|Win32
+		Release MT DLL|x64 = Release MT DLL|x64
+		Release MT|Win32 = Release MT|Win32
+		Release MT|x64 = Release MT|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug Kernel|Win32.ActiveCfg = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug Kernel|Win32.Build.0 = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug Kernel|x64.ActiveCfg = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug Kernel|x64.Build.0 = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD DLL|Win32.ActiveCfg = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD DLL|Win32.Build.0 = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD DLL|x64.ActiveCfg = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD DLL|x64.Build.0 = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD|Win32.ActiveCfg = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD|Win32.Build.0 = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD|x64.ActiveCfg = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MD|x64.Build.0 = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT DLL|Win32.ActiveCfg = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT DLL|Win32.Build.0 = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT DLL|x64.ActiveCfg = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT DLL|x64.Build.0 = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT|Win32.ActiveCfg = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT|Win32.Build.0 = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT|x64.ActiveCfg = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug MT|x64.Build.0 = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug|Win32.ActiveCfg = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug|Win32.Build.0 = Debug|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug|x64.ActiveCfg = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Debug|x64.Build.0 = Debug|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release Kernel|Win32.ActiveCfg = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release Kernel|Win32.Build.0 = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release Kernel|x64.ActiveCfg = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release Kernel|x64.Build.0 = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD DLL|Win32.ActiveCfg = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD DLL|Win32.Build.0 = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD DLL|x64.ActiveCfg = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD DLL|x64.Build.0 = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD|Win32.ActiveCfg = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD|Win32.Build.0 = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD|x64.ActiveCfg = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MD|x64.Build.0 = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT DLL|Win32.ActiveCfg = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT DLL|Win32.Build.0 = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT DLL|x64.ActiveCfg = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT DLL|x64.Build.0 = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT|Win32.ActiveCfg = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT|Win32.Build.0 = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT|x64.ActiveCfg = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release MT|x64.Build.0 = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release|Win32.ActiveCfg = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release|Win32.Build.0 = Release|Win32
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release|x64.ActiveCfg = Release|x64
+		{06E30C65-D79A-4FEC-8A60-B36D907E6601}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {2402E94B-CD88-4BB5-9788-486639B544FB}
+	EndGlobalSection
+EndGlobal

detours/detours/Detours.cpp

@@ -0,0 +1,177 @@
+#include "stdafx.h"
+
+namespace Detours
+{
+	uint32_t GlobalOptions;
+
+	void SetGlobalOptions(uint32_t Options)
+	{
+		InterlockedExchange(&GlobalOptions, Options & OPT_MASK);
+	}
+
+	uint32_t GetGlobalOptions()
+	{
+		return GlobalOptions;
+	}
+
+	uint64_t DetourAlignAddress(uint64_t Address, uint8_t Align)
+	{
+		if (Address % Align != 0)
+			Address += Align - Address % 8;
+
+		return Address;
+	}
+
+	bool DetourCopyMemory(uintptr_t Target, uintptr_t Memory, size_t Length)
+	{
+		auto pvTarget = reinterpret_cast<void *>(Target);
+		auto pvMemory = reinterpret_cast<void *>(Memory);
+
+		DWORD dwOld = 0;
+		if (!VirtualProtect(pvTarget, Length, PAGE_EXECUTE_READWRITE, &dwOld))
+			return false;
+
+		memcpy(pvTarget, pvMemory, Length);
+
+		// Ignore if this fails, the memory was copied either way
+		VirtualProtect(pvTarget, Length, dwOld, &dwOld);
+		return true;
+	}
+
+	bool DetourFlushCache(uintptr_t Target, size_t Length)
+	{
+		return FlushInstructionCache(GetCurrentProcess(), reinterpret_cast<void *>(Target), Length) != FALSE;
+	}
+
+	uintptr_t IATThunkHook(uintptr_t Module, PIMAGE_THUNK_DATA NameTable, PIMAGE_THUNK_DATA ImportTable, const char *API, uintptr_t Detour)
+	{
+		for (; NameTable->u1.Ordinal != 0; ++NameTable, ++ImportTable)
+		{
+			if (!IMAGE_SNAP_BY_ORDINAL(NameTable->u1.Ordinal))
+			{
+				auto importName = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(Module + NameTable->u1.ForwarderString);
+				auto funcName = &importName->Name[0];
+
+				// If this is the function name we want, hook it
+				if (!strcmp(funcName, API))
+				{
+					// Copy the pointer variable itself, not the function bytes
+					uintptr_t originalFunc = ImportTable->u1.AddressOfData;
+					uintptr_t newPointer = Detour;
+
+					if (!DetourCopyMemory(reinterpret_cast<uintptr_t>(&ImportTable->u1.AddressOfData), reinterpret_cast<uintptr_t>(&newPointer), sizeof(ImportTable->u1.AddressOfData)))
+						return 0;
+
+					// Done
+					return originalFunc;
+				}
+			}
+		}
+
+		return 0;
+	}
+
+	uintptr_t IATHook(uintptr_t Module, const char *ImportModule, const char *API, uintptr_t Detour)
+	{
+		auto dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(Module);
+		auto ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(Module + dosHeader->e_lfanew);
+
+		// Validate PE Header and (64-bit|32-bit) module type
+		if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+			return 0;
+
+		if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
+			return 0;
+
+		if (ntHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
+			return 0;
+
+		// Get the load configuration section which holds the imports
+		auto dataDirectory = ntHeaders->OptionalHeader.DataDirectory;
+		auto sectionRVA = dataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+		auto sectionSize = dataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
+
+		if (sectionRVA == 0 || sectionSize == 0)
+			return 0;
+
+		// https://jpassing.com/2008/01/06/using-import-address-table-hooking-for-testing/
+		// https://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/interception/interception_win.cc
+		//
+		// Iterate over each import descriptor
+		auto importDescriptor = reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(Module + sectionRVA);
+
+		for (size_t i = 0; importDescriptor[i].Name != 0; i++)
+		{
+			auto dllName = reinterpret_cast<PSTR>(Module + importDescriptor[i].Name);
+
+			// Is this the specific module the user wants?
+			if (!_stricmp(dllName, ImportModule))
+			{
+				if (!importDescriptor[i].FirstThunk)
+					return 0;
+
+				auto nameTable = reinterpret_cast<PIMAGE_THUNK_DATA>(Module + importDescriptor[i].OriginalFirstThunk);
+				auto importTable = reinterpret_cast<PIMAGE_THUNK_DATA>(Module + importDescriptor[i].FirstThunk);
+
+				auto originalFunc = IATThunkHook(Module, nameTable, importTable, API, Detour);
+
+				if (!originalFunc)
+					continue;
+
+				return originalFunc;
+			}
+		}
+
+		// API or module name wasn't found
+		return 0;
+	}
+
+	uintptr_t IATDelayedHook(uintptr_t Module, const char *ImportModule, const char *API, uintptr_t Detour)
+	{
+		auto dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(Module);
+		auto ntHeaders = reinterpret_cast<PIMAGE_NT_HEADERS>(Module + dosHeader->e_lfanew);
+
+		// Validate PE Header and (64-bit|32-bit) module type
+		if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
+			return 0;
+
+		if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
+			return 0;
+
+		if (ntHeaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
+			return 0;
+
+		// Get the load configuration section which holds the imports
+		auto dataDirectory = ntHeaders->OptionalHeader.DataDirectory;
+		auto sectionRVA = dataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress;
+		auto sectionSize = dataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].Size;
+
+		if (sectionRVA == 0 || sectionSize == 0)
+			return 0;
+
+		// Iterate over each delayed import descriptor
+		auto importDescriptor = reinterpret_cast<PIMAGE_DELAYLOAD_DESCRIPTOR>(Module + sectionRVA);
+
+		for (size_t i = 0; importDescriptor[i].DllNameRVA != 0; i++)
+		{
+			auto dllName = reinterpret_cast<PSTR>(Module + importDescriptor[i].DllNameRVA);
+
+			// Is this the specific module the user wants?
+			if (!_stricmp(dllName, ImportModule))
+			{
+				auto nameTable = reinterpret_cast<PIMAGE_THUNK_DATA>(Module + importDescriptor[i].ImportNameTableRVA);
+				auto importTable = reinterpret_cast<PIMAGE_THUNK_DATA>(Module + importDescriptor[i].ImportAddressTableRVA);
+
+				auto originalFunc = IATThunkHook(Module, nameTable, importTable, API, Detour);
+
+				if (!originalFunc)
+					continue;
+
+				return originalFunc;
+			}
+		}
+
+		// API or module name wasn't found
+		return 0;
+	}
+}