Question

我想从一项武断的直接X 9申请中删除<条码>EndScene,以造成小的超支。举例来说,你可以采用在游戏中显示的“非洲工程和工程”框架反超支。

我知道以下方法这样做:

Creating a new d3d9.dll, which is then copied to the games path. Since the current folder is searched first, before going to system32 etc., my modified DLL gets loaded, executing my additional code.
Downside: You have to put it there before you start the game.
Same as the first method, but replacing the DLL in system32 directly.
Downside: You cannot add game specific code. You cannot exclude applications where you don t want your DLL to be loaded.
Getting the EndScene offset directly from the DLL using tools like IDA Pro 4.9 Free. Since the DLL gets loaded as is, you can just add this offset to the DLL starting address, when it is mapped to the game, to get the actual offset, and then hook it.
Downside: The offset is not the same on every system.
Hooking Direct3DCreate9 to get the D3D9, then hooking D3D9->CreateDevice to get the device pointer, and then hooking Device->EndScene through the virtual table.
Downside: The DLL cannot be injected, when the process is already running. You have to start the process with the CREATE_SUSPENDED flag to hook the initial Direct3DCreate9.
Creating a new Device in a new window, as soon as the DLL gets injected. Then, getting the EndScene offset from this device and hooking it, resulting in a hook for the device which is used by the game.
Downside: as of some information I have read, creating a second device may interfere with the existing device, and it may bug with windowed vs. fullscreen mode etc.
Same as the third method. However, you ll do a pattern scan to get EndScene.
Downside: doesn t look that reliable.

How can I hook EndScene from an injected DLL, which may be loaded when the game is already running, without having to deal with different d3d9.dll s on other systems, and with a method which is reliable? How does FRAPS for example perform it s DirectX hooks? The DLL should not apply to all games, just to specific processes where I inject it via CreateRemoteThread.

Answer 1

你安装了一个系统广.。随着这项工作的进行,你将装上每一个过程。

现在,当有人叫 h时,你看着装满3d9.dll。

如果有人装满,你就会制造一个临时的D3D9物体,并步行,以获得最终用户法的地址。

然后,你可以用你自己的方法发出“终端”电话。 (用你的手法取代首项代谢指示。)

当你做工作时,你必须重新发出呼吁,把原有的最终用户方法称作。接着又回头.。

这就是森林资源评估的方法。 (Link )

你可以从接口的表找到功能地址。

因此,你可以做以下工作(Pseudo-Code):

IDirect3DDevice9* pTempDev = ...;
const int EndSceneIndex = 26 (?);

typedef HRESULT (IDirect3DDevice9::* EndSceneFunc)( void );

BYTE* pVtable = reinterpret_cast<void*>( pTempDev );
EndSceneFunc = pVtable + sizeof(void*) * EndSceneIndex;

EnSceneFunc目前确实载有该职能本身的一个要点。我们现在可以派遣所有电话站,也可以派遣这一功能。

认识到这一切都取决于对视窗内通信接口实施情况的了解。但是,这涉及所有窗口版本(即32或64,而不是同时进行)。

Answer 2

我知道这个问题是老的,但是,如果使用直接X9来实施任何方案,你就根本地树立了自己的榜样,然后把点推到可点上,那么你就只看着。你们将需要3名游客。 X btw:

//Just some typedefs:
typedef HRESULT (WINAPI* oEndScene) (LPDIRECT3DDEVICE9 D3DDevice);
static oEndScene EndScene;

//Do this in a function or whatever
HMODULE hDLL=GetModuleHandleA("d3d9");
LPDIRECT3D9(__stdcall*pDirect3DCreate9)(UINT) = (LPDIRECT3D9(__stdcall*)(UINT))GetProcAddress( hDLL, "Direct3DCreate9");

LPDIRECT3D9 pD3D = pDirect3DCreate9(D3D_SDK_VERSION);

D3DDISPLAYMODE d3ddm;
HRESULT hRes = pD3D->GetAdapterDisplayMode(D3DADAPTER_DEFAULT, &d3ddm );
D3DPRESENT_PARAMETERS d3dpp; 
ZeroMemory( &d3dpp, sizeof(d3dpp));
d3dpp.Windowed = true;
d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
d3dpp.BackBufferFormat = d3ddm.Format;

WNDCLASSEX wc = { sizeof(WNDCLASSEX),CS_CLASSDC,TempWndProc,0L,0L,GetModuleHandle(NULL),NULL,NULL,NULL,NULL,("1"),NULL};
RegisterClassEx(&wc);
HWND hWnd = CreateWindow(("1"),NULL,WS_OVERLAPPEDWINDOW,100,100,300,300,GetDesktopWindow(),NULL,wc.hInstance,NULL);

hRes = pD3D->CreateDevice( 
    D3DADAPTER_DEFAULT,
    D3DDEVTYPE_HAL,
    hWnd,
    D3DCREATE_SOFTWARE_VERTEXPROCESSING | D3DCREATE_DISABLE_DRIVER_MANAGEMENT,
    &d3dpp, &ppReturnedDeviceInterface);

pD3D->Release();
DestroyWindow(hWnd);

if(pD3D == NULL){
    //printf ("WARNING: D3D FAILED");
    return false;
}
pInterface = (unsigned long*)*((unsigned long*)ppReturnedDeviceInterface);


EndScene = (oEndScene) (DWORD) pInterface[42];
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)EndScene, newEndScene);
DetourTransactionCommit();

接着,你的职责是:

HRESULT WINAPI D3D9Hook::newEndScene(LPDIRECT3DDEVICE9 pDevice)
{   
    //Do your stuff here

    //Call the original (if you want)
    return EndScene(pDevice);
}

Answer 3

我知道一个略为老的问题——但是,如果有人有兴趣与C#一道这样做的话,这里是我在

我采用克里斯托弗通过小型C++助手提到的类似可变办法,积极确定IDirect3DDevice9功能的地址。这样做的办法是建立一个临时窗口,并在注入的大会内设立一个离去的IDirect3Device9,然后才能发挥预期的职能。这使你的申请能够忽略一个已经运行的目标(最新情况:注意到这完全有可能在C#中——也见关于相关页的评论)。

rel=“nofollow noreferer” Direct3D 9, 10 and 11 still usingvantHook and with SharpDX und SlimDX

友情链接