遊戲修改器製作教程八:D3D函式hook
教程面向有C/C++基礎的人,最好還要懂一些Windows程式設計知識
程式碼一律用Visual Studio 2013編譯,如果你還在用VC6請趁早丟掉它...
寫這個教程只是為了讓玩家更好地體驗所愛的單機遊戲,順便學到些逆向知識,我不會用網路遊戲做示範,請自重
(_(:з」∠)_因為沉迷於學習和遊戲已經大半年沒有更新教程了,國慶有點時間就過來填下坑...)
目前講的內容已經足夠製作大部分遊戲的修改器了,主要看你對API的熟悉程度和逆向除錯的經驗
再深入講的話就是系統核心層了,比如SSDT hook什麼的,而一般單機遊戲不會用到核心層的保護(但是大部分網遊會),而且除錯和修改核心層的東西比較麻煩,很容易藍屏,所以不打算講核心的東西
本章介紹怎麼hook D3D函式,實現在遊戲畫面中顯示自己的文字,閱讀之前最好補習下D3D程式設計的知識,本章以D3D9、32位程式為例,編譯程式需要安裝DirectX 9 SDK
虛擬函式表hook
要在D3D程式裡繪製自己的東西一般要hook IDirect3DDevice9的EndScene函式,呼叫這個函式時原程式的繪製已經完成,可以輪到我們繪製了
可以用inline hook來hook這個函式,但是流行的做法是虛擬函式表hook
先來看看EndScene是怎麼被呼叫的:
虛擬函式表hook的原理就是修改虛擬函式表中的函式地址,使它指向我們的函式(是不是很像IAT hook)
這裡說明一下一般成員函式的呼叫約定預設是__thiscall,也就是從ecx暫存器傳入this指標
但是也可以手動宣告成其他呼叫約定,比如__stdcall,這時就從堆疊傳入this指標,相當於this指標是函式的第一個引數
D3D所有成員函式的呼叫約定都是__stdcall,這就方便了我們獲取this指標,直接宣告成第一個引數就行了(否則要用內聯彙編取ecx的值)
虛擬函式表hook實現
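// Replace entry `index` of the virtual function table that `pInterface`'s
// object points to with `hookFunction`. The displaced entry is stored in
// `*oldAddress` when that pointer is non-NULL, so the caller can restore it
// later with unhookVTable. Returns FALSE, with nothing modified, when the
// interface pointer or its vtable pointer is NULL, the index is negative, or
// the page protection cannot be changed (the original checked `address`
// after already dereferencing pInterface, so a NULL interface faulted).
BOOL hookVTable(void* pInterface, int index, void* hookFunction, void** oldAddress)
{
    if (pInterface == NULL || index < 0)
        return FALSE;
    void** vtable = *(void***)pInterface;
    if (vtable == NULL)
        return FALSE;
    void** slot = &vtable[index];

    // vtables normally live in a read-only section: make just this slot
    // writable for the store, then put the previous protection back.
    // sizeof(*slot) is the pointer size, so this also holds for 64-bit builds
    // (the original used sizeof(DWORD), which is 4 bytes everywhere).
    DWORD oldProtect = 0;
    if (!VirtualProtect(slot, sizeof(*slot), PAGE_READWRITE, &oldProtect))
        return FALSE;
    if (oldAddress != NULL)
        *oldAddress = *slot;
    *slot = hookFunction;
    DWORD restored = 0;
    VirtualProtect(slot, sizeof(*slot), oldProtect, &restored);
    return TRUE;
}

// Write `oldAddress` back into vtable entry `index`: the inverse of hookVTable.
BOOL unhookVTable(void* pInterface, int index, void* oldAddress)
{
    return hookVTable(pInterface, index, oldAddress, NULL);
}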
(其實就是拿IATHook改的)
hook EndScene
方法1
為了在程式初始化前完成hook,我們要在主執行緒執行前進行遠端執行緒注入,先hook Direct3DCreate9,再依次hook CreateDevice和EndScene
// Function-pointer types for the three D3D9 entry points replaced in method 1.
// The COM methods are STDMETHODCALLTYPE (__stdcall), so the interface pointer
// arrives as the explicit first parameter `thiz` instead of in ecx.
typedef IDirect3D9* (WINAPI* Direct3DCreate9Type)(UINT SDKVersion);
typedef HRESULT(STDMETHODCALLTYPE* CreateDeviceType)(IDirect3D9* thiz, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice9** ppReturnedDeviceInterface);
typedef HRESULT(STDMETHODCALLTYPE* EndSceneType)(IDirect3DDevice9* thiz);
// Original entry points, filled in by hookIAT / hookVTable when each hook is
// installed and used by the replacement functions to forward the call.
Direct3DCreate9Type RealDirect3DCreate9 = NULL;
CreateDeviceType RealCreateDevice = NULL;
EndSceneType RealEndScene = NULL;
// The IDirect3D9 and IDirect3DDevice9 created by the hooked program; kept so
// the vtable entries can be restored (see MyCreateDevice and DllMain).
IDirect3D9* g_d3d9 = NULL;
IDirect3DDevice9* g_device = NULL;
// Replacement for IDirect3DDevice9::EndScene. Our own drawing is done here,
// after the program's drawing for the frame, and the call is then forwarded
// to the original implementation saved by hookVTable.
HRESULT STDMETHODCALLTYPE MyEndScene(IDirect3DDevice9* thiz)
{
    // Drawing code goes here, before the real EndScene runs.
    HRESULT hr = RealEndScene(thiz);
    return hr;
}
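// Replacement for IDirect3D9::CreateDevice (vtable entry 16). Only the first
// call is intercepted: the entry is restored before forwarding, and on success
// the returned device is remembered in g_device and its EndScene (entry 42)
// is hooked. Returns whatever the real CreateDevice returned.
HRESULT STDMETHODCALLTYPE MyCreateDevice(IDirect3D9* thiz, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice9** ppReturnedDeviceInterface)
{
    // Restore CreateDevice first so any later call goes straight to D3D.
    unhookVTable(g_d3d9, 16, RealCreateDevice);
    HRESULT res = RealCreateDevice(thiz, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface);
    // When CreateDevice fails there is no device to hook, and reading the
    // output parameter would fault; hand the error back untouched. (The
    // CreateDevice hook is already gone at this point, so a later retry by
    // the program is not intercepted.)
    if (FAILED(res) || ppReturnedDeviceInterface == NULL || *ppReturnedDeviceInterface == NULL)
        return res;
    g_device = *ppReturnedDeviceInterface;
    hookVTable(g_device, 42, MyEndScene, &RealEndScene); // EndScene is the 43rd entry of IDirect3DDevice9
    return res;
}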
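// Replacement for Direct3DCreate9, reached through the IAT hook installed in
// DllMain. Restores the import, creates the real IDirect3D9 and, when that
// succeeds, hooks its CreateDevice (vtable entry 16) so the device created
// next can be caught. Returns the real IDirect3D9 (NULL if creation failed).
IDirect3D9* WINAPI MyDirect3DCreate9(UINT SDKVersion)
{
    unhookIAT(GetModuleHandle(NULL), "d3d9.dll", "Direct3DCreate9");
    g_d3d9 = RealDirect3DCreate9(SDKVersion);
    // Direct3DCreate9 returns NULL on failure; hookVTable would dereference
    // it, so skip the hook and let the program see the failure as usual.
    if (g_d3d9 != NULL)
        hookVTable(g_d3d9, 16, MyCreateDevice, &RealCreateDevice); // CreateDevice is the 17th entry of IDirect3D9
    return g_d3d9;
}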
// DLL entry point for method 1. On process attach the host's Direct3DCreate9
// import is redirected to MyDirect3DCreate9; on process detach the EndScene
// vtable entry is restored if it was ever hooked. Always returns TRUE.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        hookIAT(GetModuleHandle(NULL), "d3d9.dll", "Direct3DCreate9", MyDirect3DCreate9, &RealDirect3DCreate9);
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        // Only undo what MyCreateDevice actually installed.
        const bool endSceneHooked = (g_device != NULL && RealEndScene != NULL);
        if (endSceneHooked)
            unhookVTable(g_device, 42, RealEndScene);
    }
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH need no work.
    return TRUE;
}
方法2
這個方法不需要在主執行緒執行前注入,CE和直播軟體OBS也是用了這個方法,所以推薦使用
理論上同一個類的虛擬函式地址是一樣的,所以我們可以自己建立一個IDirect3DDevice9,然後就能獲取虛擬函式地址了
經測試不同IDirect3DDevice9的虛擬函式表指標不一樣,所以只能用inline hook,不能用虛擬函式表hook
// Address of IDirect3DDevice9::EndScene, read from a dummy device's vtable in
// initHookThread; stays NULL until the inline hook has been installed.
void* endSceneAddr = NULL;
// The bytes of EndScene that hook() overwrites, kept so unhook() can restore
// them (JmpCode is the jump stub type from the earlier inline-hook chapter).
BYTE endSceneOldCode[sizeof(JmpCode)];
// Inline-hook replacement for IDirect3DDevice9::EndScene (method 2). The
// overwritten bytes are restored so the real EndScene can be called through
// the interface, then the jump is written back. NOTE(review): between the
// unhook and the re-hook another thread calling EndScene goes straight to
// D3D and is not intercepted, and the code bytes are patched without any
// synchronisation; this is the tutorial's simplification, not a guarantee.
HRESULT STDMETHODCALLTYPE MyEndScene(IDirect3DDevice9* thiz)
{
    // Our drawing code goes here.
    unhook(endSceneAddr, endSceneOldCode);           // restore the original bytes
    HRESULT hr = thiz->EndScene();                   // now reaches the real EndScene
    hook(endSceneAddr, MyEndScene, endSceneOldCode); // re-install the jump
    return hr;
}
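// Worker thread started from DllMain (method 2). Waits for the loader thread
// to finish, creates a dummy window and a throw-away IDirect3DDevice9 purely
// to read EndScene's address out of its vtable, installs the inline hook and
// then tears the dummy objects down again. `dllMainThread` is the SYNCHRONIZE
// handle duplicated in DllMain and is closed here. Always returns 0; failures
// are reported with a MessageBox and leave the hook uninstalled.
DWORD WINAPI initHookThread(LPVOID dllMainThread)
{
    // DllMain (the LoadLibrary thread) must have returned before COM/D3D is used.
    WaitForSingleObject(dllMainThread, INFINITE);
    CloseHandle(dllMainThread);

    // Everything acquired below is released at `cleanup`, so it is declared
    // (and zeroed) up front; C++ does not allow a goto to jump over an
    // initialised declaration. The original never unregistered the window
    // class and left `device` uninitialised.
    HWND hwnd = NULL;
    IDirect3D9* d3d9 = NULL;
    IDirect3DDevice9* device = NULL;
    ATOM classAtom = 0;
    WNDCLASSEX wc = {};
    D3DPRESENT_PARAMETERS pp = {};

    // A window is needed only because CreateDevice wants a focus HWND.
    wc.cbSize = sizeof(wc);
    wc.style = CS_OWNDC;
    wc.hInstance = GetModuleHandle(NULL);
    wc.lpfnWndProc = DefWindowProc;
    wc.lpszClassName = _T("DummyWindow");
    classAtom = RegisterClassEx(&wc);
    if (classAtom == 0)
    {
        MessageBox(NULL, _T("註冊視窗類失敗"), _T(""), MB_OK);
        goto cleanup;
    }
    hwnd = CreateWindowEx(0, wc.lpszClassName, _T(""), WS_OVERLAPPEDWINDOW, 0, 0, 640, 480, NULL, NULL, wc.hInstance, NULL);
    if (hwnd == NULL)
    {
        MessageBox(NULL, _T("建立視窗失敗"), _T(""), MB_OK);
        goto cleanup;
    }

    // Create a minimal windowed device.
    d3d9 = Direct3DCreate9(D3D_SDK_VERSION);
    if (d3d9 == NULL)
    {
        MessageBox(NULL, _T("建立D3D失敗"), _T(""), MB_OK);
        goto cleanup;
    }
    pp.Windowed = TRUE;
    pp.SwapEffect = D3DSWAPEFFECT_COPY;
    if (FAILED(d3d9->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hwnd,
        D3DCREATE_SOFTWARE_VERTEXPROCESSING, &pp, &device)))
    {
        MessageBox(NULL, _T("建立裝置失敗"), _T(""), MB_OK);
        device = NULL; // do not trust the output parameter after a failure
        goto cleanup;
    }

    // EndScene is the 43rd entry of IDirect3DDevice9's vtable. As the text
    // above notes, every device of the class shares the same implementation,
    // so the address read from this dummy device is the one the program's
    // own device will call.
    endSceneAddr = (*(void***)device)[42];
    hook(endSceneAddr, MyEndScene, endSceneOldCode);

cleanup:
    // Release in reverse order of acquisition; each step is skipped for
    // anything that was never created.
    if (device != NULL)
        device->Release();
    if (d3d9 != NULL)
        d3d9->Release();
    if (hwnd != NULL)
        DestroyWindow(hwnd);
    if (classAtom != 0)
        UnregisterClass(wc.lpszClassName, wc.hInstance);
    return 0;
}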
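// DLL entry point for method 2. COM/D3D cannot be used from DllMain, so on
// process attach the work is handed to initHookThread, which first waits for
// this thread to finish (hence the duplicated SYNCHRONIZE handle it receives
// and owns). On process detach the inline hook is removed if it was
// installed. Returns FALSE only when the worker could not be set up.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // GetCurrentThread() is only a pseudo-handle; duplicate it so another
        // thread can wait on it.
        HANDLE curThread = NULL;
        if (!DuplicateHandle(GetCurrentProcess(), GetCurrentThread(), GetCurrentProcess(), &curThread, SYNCHRONIZE, FALSE, 0))
            return FALSE;
        HANDLE worker = CreateThread(NULL, 0, initHookThread, curThread, 0, NULL);
        if (worker == NULL)
        {
            // The worker would have closed curThread; without it nobody does.
            // (The original passed NULL to CloseHandle here and leaked curThread.)
            CloseHandle(curThread);
            return FALSE;
        }
        CloseHandle(worker); // the worker is never joined
        break;
    }
    case DLL_PROCESS_DETACH:
        if (endSceneAddr != NULL)
            unhook(endSceneAddr, endSceneOldCode);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}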
繪製文字
這部分就直接用D3D的API了,不懂的去看看D3D教程...
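// Replacement for IDirect3DDevice9::EndScene that draws "Hello World" in red
// at the top-left of the frame with the ID3DXFont in g_font, then forwards
// to the original EndScene.
HRESULT STDMETHODCALLTYPE MyEndScene(IDirect3DDevice9* thiz)
{
    // g_font is created in MyCreateDevice; if that failed it may still be
    // NULL, in which case drawing is skipped instead of dereferencing it.
    if (g_font != NULL)
    {
        static RECT rect = { 0, 0, 200, 200 };
        g_font->DrawText(NULL, _T("Hello World"), -1, &rect, DT_TOP | DT_LEFT, D3DCOLOR_XRGB(255, 0, 0));
    }
    return RealEndScene(thiz);
}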
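// Replacement for IDirect3D9::CreateDevice (vtable entry 16) for the drawing
// example. Restores the entry, forwards the call, and on success creates the
// ID3DXFont used by MyEndScene on the new device and hooks its EndScene
// (entry 42). Returns the real CreateDevice's result; when the font cannot
// be created the device is left unhooked so nothing is drawn with a NULL font.
HRESULT STDMETHODCALLTYPE MyCreateDevice(IDirect3D9* thiz, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice9** ppReturnedDeviceInterface)
{
    unhookVTable(g_d3d9, 16, RealCreateDevice);
    HRESULT res = RealCreateDevice(thiz, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface);
    // No device on failure: return the error without touching the output pointer.
    if (FAILED(res) || ppReturnedDeviceInterface == NULL || *ppReturnedDeviceInterface == NULL)
        return res;
    g_device = *ppReturnedDeviceInterface;

    D3DXFONT_DESC d3dFont = {};
    d3dFont.Height = 25;
    d3dFont.Width = 12;
    d3dFont.Weight = 500;
    d3dFont.Italic = FALSE;
    d3dFont.CharSet = DEFAULT_CHARSET;
    wcscpy_s(d3dFont.FaceName, L"Times New Roman");
    if (FAILED(D3DXCreateFontIndirect(g_device, &d3dFont, &g_font)))
    {
        g_font = NULL; // make the failure visible rather than leaving a stale pointer
        return res;    // the program's device is fine; we just cannot draw
    }
    // Observed in testing: after the first DrawText the device's vtable is
    // restored (cause unknown), so call it once before installing the hook.
    static RECT rect = { 0, 0, 200, 200 };
    g_font->DrawText(NULL, _T("Hello World"), -1, &rect, DT_TOP | DT_LEFT, D3DCOLOR_XRGB(255, 0, 0));
    hookVTable(g_device, 42, MyEndScene, &RealEndScene); // EndScene is the 43rd entry of IDirect3DDevice9
    return res;
}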
效果
注意左上角出現了我們繪製的"Hello World"
hook D3D函式可以實現在遊戲中顯示自己的UI(播放Bad Apple),或者在繪製某些東西的時候禁用Z軸緩衝實現透視