#include
#include
#pragma comment(lib, "d3dx8.lib")
BOOL DrawMyText(LPDIRECT3DDEVICE8 pDxdevice);
typedef HRESULT ( WINAPI* oPresent ) ( LPDIRECT3DDEVICE8 pDevice, CONST RECT* pSourceRect,CONST RECT* pDestRect,HWND hDestWindowOverride,CONST RGNDATA* pDirtyRegion);
oPresent pPresent;
void *DetourFunc(BYTE *src, const BYTE *dst, const int len)
{
BYTE *jmp = (BYTE*)malloc(len+5);
DWORD dwback;
VirtualProtect(src, len, PAGE_READWRITE, &dwback);
memcpy(jmp, src, len); jmp += len;
jmp[0] = 0xE9;
*(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
src[0] = 0xE9;
*(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
VirtualProtect(src, len, dwback, &dwback);
return (jmp-len);
}
HRESULT WINAPI myPresent ( LPDIRECT3DDEVICE8 pDevice, CONST RECT* pSourceRect, CONST RECT* pDestRect, HWND hDestWindowOverride, CONST RGNDATA* pDirtyRegion )
{
_asm pushad;
Sleep(100);
_asm popad;
DrawMyText(pDevice);//绘制文本
return pPresent( pDevice, pSourceRect, pDestRect, hDestWindowOverride, pDirtyRegion );
}
bool bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for(;*szMask;++szMask,++pData,++bMask)
if(*szMask=='x' && *pData!=*bMask )
return false;
return (*szMask) == NULL;
}
DWORD FindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
for(DWORD i=0; i < dwLen; i++)
if( bCompare( (BYTE*)( dwAddress+i ),bMask,szMask) )
return (DWORD)(dwAddress+i);
return 0;
}
int hookPresent()
{
DWORD* VTableHook = 0;
DWORD hD3D8 = (DWORD)GetModuleHandleA("d3d8.dll");
DWORD VIRTUALTABLE = FindPattern(hD3D8, 0x128000, (PBYTE)"\xC7\x06\x00\x00\x00\x00\x89\x86\x00\x00\x00\x00\x89\x86", "xx????xx????xx");
memcpy(&VTableHook, (void*)(VIRTUALTABLE+2), 4);
DWORD dwPresent = VTableHook[15];
pPresent = (oPresent)DetourFunc((PBYTE)dwPresent, (PBYTE)myPresent, 7);
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call, LPVOID lpReserved)
{
switch (ul_reason_for_call){
case DLL_PROCESS_ATTACH:
hookPresent();
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
BOOL DrawMyText(LPDIRECT3DDEVICE8 pDxdevice)
{
ID3DXFont* font=NULL;
LOGFONT lf;
ZeroMemory(&lf, sizeof(LOGFONT));
lf.lfHeight = 25;
lf.lfWidth = 12;
lf.lfWeight = 500;
lf.lfItalic = false;
lf.lfUnderline = false;
lf.lfStrikeOut = false;
lf.lfCharSet = DEFAULT_CHARSET;
strcpy((char *)lf.lfFaceName, "宋体");
HFONT hFont;
hFont = CreateFontA(20,0,0,0,0,0,0,0,0,0,0,0,0,"Arial");
D3DXCreateFontIndirect( pDxdevice,&lf,&font);
if(D3D_OK!=D3DXCreateFontIndirect(pDxdevice, &lf, &font)) //创建字体对象
return false;
RECT rect = {10,10,200,200};
char szText[MAX_PATH] = "HookD3D8测试";
font->DrawTextA(szText,-1,&rect,DT_CENTER,D3DCOLOR_ARGB(255, 255, 255, 255));
pDxdevice->EndScene();//结束绘制
font->Release();//释放对象
return true;
}
原理:
查询特征 获取设备指针 得到这个指针想干啥就干啥 你懂的。
测试环境 win7-32位 武林外传、