#1 - 12-24-2006, 07:21 AM - zero_tolerance (Senior Member; Join Date: Dec 2006; Posts: 289)

C++/ASM D3D8 Hooking Tutorial

By RoverTurbo

Author: Sheep / sheeps.reversing.info


A FEW WORDS
===========

Man, this tutorial is going to be a LONG one, I can feel it in my bones!
Up until now there have been 0 tutorials on the subject of DirectX hooking. Now
I'm sure you are all thinking that I'm wrong, but rest assured I've checked
extensively and all there seems to be out there are BAD!!! documents written
by people that seem to have very little clue what they are talking about, OR!!
you get what I like to call a FAKE TUTORIAL: this tutorial will be written by
some complete fuckwit who DOES seem to know what they are doing but has 0
interest in explaining anything fully. These tutorials are everywhere; they
are for 1 purpose and 1 purpose ONLY!! to SHOW OFF.. why people bother with
these is beyond me. Rest assured though, THIS ONE!! will tell u everything
you need to know.

BTW.. This is just 1 secure generic method, there are other ways of doing it.



TOOLS NEEDED: MASM, D3D9 SDK.
OTHER REQUIREMENTS: ASM CODING, C++ CODING.
WORK SUBJECT: SHAREWARE GAME.

locations...

SOFTICE.........................LOOK FOR IT!!! ITS ON THE WEB!!
MASM............................WWW.WIN32ASM.CJB.NET
D3D9 SDK........................WWW.MICROSOFT.COM
SHAREWARE GAME..................WWW.SHAREWARE.COM



TUTORIAL START
**************

Here we go on another exciting adventure of discovery.. weeeeeeee..

To make sure that everyone understands EXACTLY what's going on in this
tutorial I've set it out into 3 sections: LOADER, HOOK, D3D_DRAW. The
first section is an EXE and the following 2 are DLLs. They will all
follow the same format in layout, so make sure u understand the first
section fully before moving on.

The format will look like this..

TITLE OF SECTION. ; Obviously, the title of the section.
DESCRIPTION. ; What the section is all about.
REQUIRED READING. ; Everything u will need to know before starting the section.
; I can't teach u everything or the tutorial would become a
; bible-length document. Don't worry, it's not huge amounts and
; to be honest it's things u should already know if ur attempting
; this tutorial.
INDEX JOB LIST ; List of markers used to guide u through the source code.
SOURCE CODE ; The actual source code listings.

It's rather difficult to know how to explain all this without either
leaving the reader behind or NOT explaining things fully, so what
I've decided to do is create the whole thing as I did originally. I
will first give a short explanation, then explain each step of the
source code. I hope this is the best way...

Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ SECTION 1 : THE LOADER (ASM) @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Description
===========

This is the initial program that you will load.


REQUIRED READING
================

 Api
[---]

GetWindowThreadProcessId

 DirectX
[-------]

Direct3DCreate8
GetAdapterDisplayMode (IDirect3D8) ; The brackets mean this function is a member of the IDirect3D8 interface.
CreateDevice          (IDirect3D8) ; It's just a guide so u look up the correct function, because other interfaces
Release         (IDirect3DDevice8) ; have the same functions, such as IDirectInput8. Don't worry if this sounds
EndScene        (IDirect3DDevice8) ; confusing, all u need to do is look in the SDK for the functions I've listed
                                   ; and make sure they have in BRACKETS the interface name I've specified.



LOADER INDEX JOB LIST
=====================

INDEX NUMBER (1) - CREATE DIALOG BOX
INDEX NUMBER (2) - OBTAIN ALL FUNCTION ADDRESSES FROM EXTERNAL DLL'S
INDEX NUMBER (3) - CREATE D3D_DEVICE POINTER
INDEX NUMBER (4) - CALCULATE THE RAW OFFSETS FOR EACH FUNCTION U WISH TO HOOK
INDEX NUMBER (5) - WAIT FOR GAME WINDOW THEN CALL MAIN HOOK FUNCTION FROM SHEEPYHOOK.DLL

LOADER SOURCE (ASM)
===================

.386                                                  ;
.model flat,stdcall                                   ; Usual Setup
option casemap:none                                   ;
                                                      ;
include d:\masm32\include\windows.inc                 ;
include d:\masm32\include\user32.inc                  ; 
include d:\masm32\include\kernel32.inc                ;
include d:\masm32\include\gdi32.inc                   ;
                                                      ;
includelib d:\masm32\lib\user32.lib                   ;
includelib d:\masm32\lib\kernel32.lib                 ;
includelib d:\masm32\lib\gdi32.lib                    ;


D3DPRESENT_PARAMETERS STRUCT                          ;
BackBufferWidth                 dd ?                  ; This is the D3DPRESENT_PARAMETERS
BackBufferHeight                dd ?                  ; structure used later to create
BackBufferFormat                dd ?                  ; our D3DDEVICE.
BackBufferCount                 dd ?                  ;
MultiSampleType                 dd ?                  ;
SwapEffect                      dd ?                  ; 
hDeviceWindow                   dd ?                  ;
Windowed                        dd ?                  ;
EnableAutoDepthStencil          dd ?                  ; 
AutoDepthStencilFormat          dd ?                  ;
Flags                           dd ?                  ;
FullScreen_RefreshRateInHz      dd ?                  ;
FullScreen_PresentationInterval dd ?                  ;
D3DPRESENT_PARAMETERS ENDS                            ;


DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD             ; PROTOS for the functions.
xDlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD            ;
EnumWindowsProc PROTO :DWORD,:DWORD                   ;
Error_Handling PROTO :DWORD                           ; 



.data

hook_dll_name db "sheepyhook.dll",0                   ; Name of the hookdll (we come to that next)
d3d8_dll_name db "d3d8.dll",0                         ; Name of main DX dll 
direct3dcreate8_function_name db "Direct3DCreate8",0  ; Function name used for GETPROCADDRESS.
hook_function_name db "install_hook",0                ; Function name within sheepyhook.dll (GETPROCADDRESS)
d3d_displaymode db 16 dup (0)                         ; D3DDISPLAYMODE structure (4 DWORDs); it's filled in
                                                      ; by a function call later so there's no need to
                                                      ; write out its members here.

main_hook_addy dd 0                                   ; Place to store the address of INSTALL_HOOK function.
d3d8_base_addy dd 0                                   ; Place to store the base address of the d3d8.dll
hInstance dd 0                                        ; hInstance. 

g_pDirect3D dd 0                                      ; Storage for our Direct3D interface.
g_pDevice   dd 0                                      ; Storage for our Device interface. 
g_hwnd      dd 0                                      ; HWND

presentparameters D3DPRESENT_PARAMETERS <0>           ; Declare a NEW D3DPRESENT_PARAMETERS structure.

EndSceneRVA dd 0                                      ; Storage for our ENDSCENE RVA once its calculated.
ReleaseRVA  dd 0                                      ; ****

game_running db 0                                     ; BOOL to store game running info.
hook_installed db 0                                   ; BOOL to store hook install info.
game_window db "dolphinvs: tweening vertex shader",0  ; Game Window Name
game_hwnd dd 0                                        ; game_hwnd    
processId dd 0                                        ; ProcessId

act1   db "ACTIVE",0                                  ; TEXT to place onto our dialog window
wait1  db "WAITING FOR GAME",0                        ; TEXT to place onto our dialog window


.data?



.const

IDC_EXIT        equ 3002                              ;
IDM_EXIT        equ 32002                             ; 
                                                      ;
;--------------------d3d8.dll                         ;
GetAdapterDisplayMode equ 20h                         ; Equates makes code easier   
CreateDevice          equ 3ch                         ; to read.
EndScene              equ 8ch                         ;
Release               equ 8                           ;
                                                      ;
D3D_SDK_VERSION       equ 220                         ;
D3DADAPTER_DEFAULT    equ 0                           ;
D3DDEVTYPE_HAL        equ 1                           ;
D3DCREATE_SOFTWARE_VERTEXPROCESSING equ 020h          ;
D3DSWAPEFFECT_DISCARD equ 1                           ;
D3DFMT_D16            equ 80                          ;
timerid               equ 2244                        ;

.code

start:


;INDEX NUMBER (1) - CREATE DIALOG BOX START 

invoke GetModuleHandle, NULL                                       ; Usual Dialog Creation shiate..
mov    hInstance,eax                                               ; 
invoke DialogBoxParam, hInstance, 100,NULL,addr DlgProc,NULL       ; 
invoke ExitProcess,eax                                             ;

;INDEX NUMBER (1) - CREATE DIALOG BOX END 


DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM    ; DIALOG MAIN FUNCTION.

	
 .IF uMsg==WM_INITDIALOG                                           ; Everything under WM_INITDIALOG is performed as soon
                                                                   ; as the dialog is created, but u should already know
                                                                   ; this.
                                                                      
  invoke SetDlgItemText, hWnd, 667, offset act1                    ; Set "ACTIVE" Text onto dialog.
  invoke SetDlgItemText, hWnd, 668, offset wait1                   ; Set "WAITING.." Text onto dialog.


;INDEX NUMBER (2) - OBTAIN ALL FUNCTION ADDRESSES FROM EXTERNAL DLL'S START
         
  invoke LoadLibrary, offset hook_dll_name                         ; Load sheepyhook.dll
  invoke GetProcAddress, eax, offset hook_function_name            ; Find the main hook function from within the dll
  mov main_hook_addy, eax                                          ; Save location of hook function..

  invoke LoadLibrary, offset d3d8_dll_name                         ; Load d3d8.dll
  mov d3d8_base_addy,eax                                           ; Save base address for later calculations.

  invoke GetProcAddress, eax, offset direct3dcreate8_function_name ; Find address of D3DCREATE8 function,
                                                                   ; address is returned in EAX.

;INDEX NUMBER (2) - OBTAIN ALL FUNCTION ADDRESSES FROM EXTERNAL DLL'S END


;INDEX NUMBER (3) - CREATE D3D_DEVICE POINTER START 

  push D3D_SDK_VERSION                                         ; First and Only param of D3DCREATE8 function.
  call eax                                                     ; Call D3DCREATE8 function to create Direct3d.
  mov g_pDirect3D,eax                                          ; Save Direct3d interface pointer.       

  push offset d3d_displaymode                                  ; Pointer to Store displaymode information.
  push D3DADAPTER_DEFAULT                                      ; Push Default Adapter.
  mov eax,g_pDirect3D                                          ; Move Direct3d interface pointer into EAX.
  push eax                                                     ; Save Pointer. 
  mov eax,[eax]                                                ; EAX now points to the METHOD table (vtable) of the Direct3D interface.
  call dword ptr [eax+GetAdapterDisplayMode]                   ; Call GetAdapterDisplayMode from METHOD table.

  mov presentparameters.Windowed,TRUE                          ; This just fills in the presentparameters structure
  mov presentparameters.SwapEffect, D3DSWAPEFFECT_DISCARD      ; ready to be pushed as a param when making the actual
  mov eax,dword ptr [d3d_displaymode+12]                       ; device.
  mov presentparameters.BackBufferFormat,eax                   ; If u want more information on the members of this 
  mov presentparameters.EnableAutoDepthStencil,TRUE            ; structure then look in the SDK help.
  mov presentparameters.AutoDepthStencilFormat, D3DFMT_D16     ; 
                  
  push offset g_pDevice                                        ; Create Device 
  push offset presentparameters                                ; 
  push D3DCREATE_SOFTWARE_VERTEXPROCESSING                     ;
  push hWnd                                                    ;
  push D3DDEVTYPE_HAL                                          ;
  push D3DADAPTER_DEFAULT                                      ;
  mov eax,g_pDirect3D                                          ; Move D3D interface pointer into eax
  push eax                                                     ; Save pointer on the stack
  mov eax,[eax]                                                ; EAX now points to the METHOD table of the D3D interface.
  call dword ptr [eax+CreateDevice]                            ; Call CREATEDEVICE from the METHOD table. 

;INDEX NUMBER (3) - CREATE D3D_DEVICE POINTER END

;INDEX NUMBER (4) - CALCULATE THE RAW OFFSETS FOR EACH FUNCTION U WISH TO HOOK START 
 
  mov eax, g_pDevice                             ; Move D3D_DEVICE interface pointer into eax.
  push eax                                       ; Save pointer on stack.
  mov eax,[eax]                                  ; Get base address of D3D_DEVICE method table in eax.

; add all functions that need hooking..

  mov ecx,[eax+EndScene]                         ; Move absolute address of ENDSCENE (from the vtable) into ecx
  sub ecx,d3d8_base_addy                         ; Subtract base address of d3d8.dll -> RVA
  mov EndSceneRVA, ecx                           ; Store the RVA

  mov ecx,[eax+Release]                          ; Move absolute address of RELEASE (from the vtable) into ecx
  sub ecx,d3d8_base_addy                         ; Subtract base address of d3d8.dll -> RVA
  mov ReleaseRVA, ecx                            ; Store the RVA

  call dword ptr [eax+Release]                   ; Release D3D_DEVICE interface.
  mov eax, g_pDirect3D
  push eax
  mov eax,[eax]
  call dword ptr [eax+Release]                   ; Release D3D interface. 
               
;INDEX NUMBER (4) - CALCULATE THE RAW OFFSETS FOR EACH FUNCTION U WISH TO HOOK END
  

  invoke SetTimer, hWnd,timerid,300,0            ; Set timer.          


;INDEX NUMBER (5) - WAIT FOR GAME WINDOW THEN CALL MAIN HOOK FUNCTION FROM SHEEPYHOOK.DLL

.ELSEIF uMsg==WM_TIMER


  cmp hook_installed,1                           ; Is hook installed?
  jz end_dlg                                     ; Jump if hook is already installed.

                                         
  invoke FindWindow, NULL, ADDR game_window      ; Find gamewindow.
  mov game_hwnd, eax                             ; Save game HWND  

  or eax,eax                                     ; Did we find the window?
  jnz game_is_running                            ; If yes, then jump into hooking routine.
  jmp end_dlg                                    ; If no, jump over hook installation.

game_is_running:

  mov hook_installed,1                                          ; Set BOOL to indicate hook installed.
  invoke SetDlgItemText, hWnd, 668, offset act1                 ; Set Dialog TEXT to "ACTIVE"
  invoke GetWindowThreadProcessId, game_hwnd, offset processId  ; Get the game window's thread id (returned in EAX) and process id

  ;pass all function RVAs to hook dll...

  push ReleaseRVA                                ; All these variables are needed by the HOOK DLL
  push processId                                 ; (stdcall: last parameter pushed first)
  push EndSceneRVA                               ;
  push eax                                       ; Thread id from GetWindowThreadProcessId
  call dword ptr [main_hook_addy]                ; Call HOOK FUNCTION!!


end_dlg:


;INDEX NUMBER (5) - WAIT FOR GAME WINDOW THEN CALL MAIN HOOK FUNCTION FROM SHEEPYHOOK.DLL

                 
.ELSEIF uMsg==WM_CLOSE

  invoke SendMessage,hWnd,WM_COMMAND,IDM_EXIT,0
	                   
.ELSEIF uMsg==WM_COMMAND
	           
  mov eax,wParam
     
  .IF ax==102
  
       invoke ExitProcess,0 
    
  .ENDIF

     
.ELSE

  mov eax,FALSE
  ret

.ENDIF
	                              
  mov eax,TRUE
  ret

DlgProc endp


end start

Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ SECTION 2 : THE HOOK (ASM) @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Description
===========

This is the main machinery of the whole process.


REQUIRED READING
================

 Api
[---]

GetWindowThreadProcessId
VirtualProtect
GetCurrentProcessId   
GetModuleHandle  
SetWindowsHookEx

 General
[-------]

DLL Creation.


HOOK INDEX JOB LIST
=====================

INDEX NUMBER (1) - LOAD ALL FUNCTIONS FROM D3D_DRAW DLL 
INDEX NUMBER (2) - WORK OUT ADDRESS FOR EACH FUNCTION U WISH TO HOOK
INDEX NUMBER (3) - INJECT CODE TO HOOK FUNCTIONS
INDEX NUMBER (4) - YOUR FUNCTIONS WITHIN HOOK
INDEX NUMBER (5) - SETWINDOWSHOOKEX KEYBOARD HOOK CODE
INDEX NUMBER (6) - MAIN DLL INSTALLATION FUNCTION

HOOK SOURCE (ASM)
=================


.386                                     ; Usual setup.
.model flat,stdcall                      ; 
option casemap:none                      ;
include d:\masm32\include\windows.inc    ;
include d:\masm32\include\user32.inc     ; 
include d:\masm32\include\kernel32.inc   ; 
include d:\masm32\include\gdi32.inc      ;
                                         ; 
includelib d:\masm32\lib\user32.lib      ;
includelib d:\masm32\lib\kernel32.lib    ; 
includelib d:\masm32\lib\gdi32.lib       ;


.const

TRUE                     equ 1
FALSE                    equ 0

.data 

menutoggle               db 4                ; Toggle state of Menu ON/OFF 
EndScene                 dd 0                ; Endscene raw address. (passed by loader)
Release                  dd 0                ; Release raw address. (passed by loader)

ProcId                   dd 0                ; ProcessId. (passed by loader)
hInst                    dd 0                ; Storage for dll instance.
hHook                    dd 0                ; hHook
oldprotection            dd 0                ; Old PAGE protection stage.
d3d8                     db "d3d8.dll",0     ; d3d8.dll 
dllname                  db "dxdx.dll",0     ; Our own D3D_DRAW DLL for drawing the menu onscreen.
h_dll                    dd 0                ; h_dll 

draw_func                db "DrawDX",0       ; Functions exported by DXDX.DLL
init_func                db "InitDX",0       ;
obdevice_func            db "ObtainDevice",0 ;
EndMe_func               db "EndMe",0        ;  

draw_func_addy           dd 0                ; Address of each exported function. 
init_func_addy           dd 0                ; 
obdevice_func_addy       dd 0                ;
EndMe_func_addy          dd 0                ;

init_done                db 0                ; BOOL to indicate state of progress.

d3d8base                 dd 0                ; Base address of d3d8.dll used to calculate hooked function addresses.
endscene_code_buffer db 30 dup (0)           ; Buffer to store original endscene code.
release_code_buffer  db 30 dup (0)           ; Buffer to store original release code.


.code 

MAIN proc hInstDLL:HINSTANCE, reason:DWORD, reserved1:DWORD 

        push edi                                  ; Save important regs..
        push esi                                  ; 
        
        push hInstDLL                             ; Save dll hInstance 
        pop hInst                                 ;



        cmp reason, DLL_PROCESS_ATTACH            ; Check to see if main is being run because of attachment..
        jnz not_attached                          ; if no, skip hook installation..

        invoke GetCurrentProcessId                ; Get the process id of the current running process
        cmp ProcId,eax                            ; compare it with the games procid (passed by loader)
        jnz not_game_process                      ; if no, skip hook installation..



;INDEX NUMBER (1) - LOAD ALL FUNCTIONS FROM D3D_DRAW DLL START 


        invoke GetModuleHandle,offset d3d8                  ; Get base address of d3d8.dll..
        mov d3d8base,eax                                    ; Save base addy.

        invoke LoadLibraryA,offset dllname                  ; Load the D3D_DRAW dll into the game process.
        mov h_dll,eax                                       ; Save handle.

        invoke GetProcAddress,eax,offset draw_func          ; Work out and Save all exported functions 
        mov draw_func_addy,eax                              ; from the D3D_DRAW dll.
                                                            ;
        invoke GetProcAddress,h_dll,offset init_func        ;
        mov init_func_addy,eax                              ;
                                                            ;
        invoke GetProcAddress,h_dll,offset obdevice_func    ;
        mov obdevice_func_addy,eax                          ;
                                                            ;
        invoke GetProcAddress,h_dll,offset EndMe_func       ;
        mov EndMe_func_addy,eax                             ; 


;INDEX NUMBER (1) - LOAD ALL FUNCTIONS FROM D3D_DRAW DLL END



;INDEX NUMBER (2) - WORK OUT ADDRESS FOR EACH FUNCTION U WISH TO HOOK START 


        mov eax, d3d8base                         ; Base address of d3d8.dll (eax was clobbered by the GetProcAddress calls above)
        mov ecx, EndScene                         ; Move RVA of ENDSCENE() into ecx
        add ecx,eax                               ; add base address of d3d8.dll to RVA of ENDSCENE()
        mov EndScene, ecx                         ; save new REAL ENDSCENE ADDRESS..

        mov ecx, Release                          ; Move RVA of RELEASE() into ecx
        add ecx,eax                               ; add base address of d3d8.dll to RVA of RELEASE()
        mov Release, ecx                          ; save new REAL RELEASE ADDRESS..


;INDEX NUMBER (2) - WORK OUT ADDRESS FOR EACH FUNCTION U WISH TO HOOK END




;INDEX NUMBER (3) - INJECT CODE TO HOOK FUNCTIONS START 
        
      ;-- copy first bytes of hooked functions into buffers..

       ;ENDSCENE.. 
        mov ecx,5                                 ; Move 5 into ecx (amount to copy)
        mov edi, offset endscene_code_buffer      ; Buffer to store copied code into
        mov esi, EndScene                         ; Location to copy from
        mov edx,esi                               ; Save addy
        add edx,5                                 ; Jmp position = endscene+5
        rep movsb                                 ; Do copy ..

        ;(calculates jmp back inside buffer)

        mov byte ptr [edi],0e9h                   ; e9 = opcode of a 5-byte relative (rel32) jmp
        sub edx,edi                               ; Work out the rel32 displacement: target minus address of the jmp
        sub edx,5                                 ; minus length of the jmp instruction itself (5 bytes: e9,xx,xx,xx,xx)
        inc edi                                   ; Move 1 past 0e9h
        mov dword ptr [edi],edx                   ; Complete jmp now reads (e9,xx,xx,xx,xx)
        
        invoke VirtualProtect, EndScene, 5, PAGE_EXECUTE_READWRITE,offset oldprotection  ; Make the code page writable

        ;(writes the jmp from EndScene into the dll's EndSceneHook)

        mov eax,EndScene                          ; Move REAL endscene address into eax  
        mov edi,eax                               ; Destination of hook..
        mov ecx,offset EndSceneHook               ; Move location to jmp to into ecx
        sub ecx,eax                               ; Calculate rel32 displacement
        mov byte ptr [edi],0e9h                   ; Insert the jmp opcode
        sub ecx,5                                 ; Subtract instruction length
        inc edi                                   ; Move 1 past 0e9h
        mov dword ptr [edi],ecx                   ; Complete jmp instruction...
        
        invoke VirtualProtect, EndScene, 5, oldprotection, offset oldprotection           ; Restore old page protection


       ;RELEASE
        mov ecx,6                                 ; Move 6 into ecx (amount to copy; 6 because a 5-byte cut would split an instruction here)
        mov edi, offset release_code_buffer       ; Buffer to store copied code
        mov esi, Release                          ; Location to copy from
        mov edx,esi                               ; Save addy
        add edx,5                                 ; Jmp back position = release+5 (the nop written below)
        rep movsb                                 ; Do copy ..

        ;(calculates jmp back inside buffer)

        mov byte ptr [edi],0e9h                   ; e9 = opcode of a 5-byte relative (rel32) jmp
        sub edx,edi                               ; Work out the rel32 displacement
        sub edx,5                                 ; minus length of the jmp instruction itself (5 bytes: e9,xx,xx,xx,xx)
        inc edi                                   ; Move 1 past 0e9h
        mov dword ptr [edi],edx                   ; Complete jmp now reads (e9,xx,xx,xx,xx)
        

        ;(writes the jmp from Release into the dll's ReleaseHook)  
          
        invoke VirtualProtect, Release, 6, PAGE_EXECUTE_READWRITE,offset oldprotection  ; 6 bytes get written this time
        mov eax,Release                           ; Move REAL release address into eax  
        mov edi,eax                               ; Destination of hook..
        mov ecx,offset ReleaseHook                ; Move location to jmp to into ecx
        sub ecx,eax                               ; Calculate rel32 displacement
        mov byte ptr [edi],0e9h                   ; Insert the jmp opcode
        sub ecx,5                                 ; Subtract instruction length
        inc edi                                   ; Move 1 past 0e9h
        mov dword ptr [edi],ecx                   ; Complete jmp instruction...
        add edi,4
        mov byte ptr [edi],090h                   ; Because Release has 6 bytes to copy not 5,
                                                  ; we nop the 6th byte (the stub jumps back to it).
        ;restore old page protection..

        invoke VirtualProtect, Release, 6, oldprotection, offset oldprotection
               

;INDEX NUMBER (3) -INJECT CODE TO HOOK FUNCTIONS END 
 

not_attached:

not_game_process:

        pop esi                                   ; Restore regs 
        pop edi                                   ;

        mov eax,TRUE                              ; Return TRUE
     
        ret 

MAIN Endp 


;INDEX NUMBER (4) - YOUR FUNCTIONS WITHIN HOOK START 
 


;RELEASE HOOK FUNCTION CODE....


ReleaseHook:

            pushfd                                ; Save Flagstatus. 
            pushad                                ; Save Regstatus.

            ; do ur stuff here.                   ; Any code u wish to execute goes here.             
             
            popad                                 ; Restore Regstatus.
            popfd                                 ; Restore Flagstatus.

            mov eax, offset release_code_buffer   ; Jmp to RELEASE() stub.
            jmp eax                               ; Do jmp.



;ENDSCENE HOOK FUNCTION CODE....


EndSceneHook:

             pushfd                                ; Save Flagstatus. 
             pushad                                ; Save Regstatus.
             
             cmp menutoggle,4                      ; Check if menu is in initial state.
             jz nodraw                             ; If yes then no drawing is done.
             
             cmp init_done,1                       ; Check if all is initialised.
             jz @already_init                      ; If yes then skip init functions.
          
             push DWORD PTR [esp+028h]             ; Push the games Device interface pointer.       
             call [obdevice_func_addy]             ; Call obtain device function to pass the pointer 
                                                   ; to the D3D_DRAW dll.
             add esp,4                             ; balance stack. 
       
             call [init_func_addy]                 ; Initalise everything inside the D3D_DRAW dll.
             mov init_done,1                       ; Set BOOL for initialisation.
             
@already_init:

             cmp menutoggle,0                      ; Check if menu is turned on.
             jz nodraw                             ; If no then no drawing is done.
            
             call [draw_func_addy]                 ; Call draw function from the D3D_DRAW dll.

nodraw:
          
             popad                                 ; Restore Regstatus.
             popfd                                 ; Restore Flagstatus.

             mov eax, offset endscene_code_buffer  ; Jmp to ENDSCENE() stub.
             jmp eax                               ; Do jmp.


;INDEX NUMBER (4) - YOUR FUNCTIONS WITHIN HOOK END 



 
;INDEX NUMBER (5) - SETWINDOWSHOOKEX KEYBOARD HOOK CODE START 


hook_processing PROC nCode:DWORD, wparam:WPARAM, lparam:LPARAM
         
             cmp wparam,VK_F1                      ; Was F1 pressed?
             jnz nkey1                             ; If no then jmp to next check.
             mov menutoggle,1                      ; Toggle menu ON!           
nkey1:
             cmp wparam,VK_F2                      ; Was F2 pressed?
             jnz end_fn                            ; If no then end checks.
             mov menutoggle,0                      ; Toggle menu OFF!              
end_fn:            
             invoke CallNextHookEx, hHook, nCode, wparam, lparam  ; Pass the event down the hook chain,
             ret                                   ; returning its result (in eax) as a hook proc must.

hook_processing endp


;INDEX NUMBER (5) - SETWINDOWSHOOKEX KEYBOARD HOOK CODE END 




;INDEX NUMBER (6) - MAIN DLL INSTALLATION FUNCTION START 


install_hook PROC ThreadId:DWORD, EndSceneRVA:DWORD, ProcID:DWORD, ReleaseRVA:DWORD

             push ReleaseRVA          ; Save releaserva worked out in the Loader section...
             pop  Release             ; 
 
             push EndSceneRVA         ; Save endscenerva worked out in the Loader section...
             pop EndScene             ; 

             push ProcID              ; Save procid
             pop ProcId               ; 

             invoke SetWindowsHookEx, WH_KEYBOARD, offset hook_processing, hInst, ThreadId  ; Install keyboard hook...

             mov hHook, eax           ; Save hook process handle..
             
             ret                      ; return..


install_hook endp


;INDEX NUMBER (6) - MAIN DLL INSTALLATION FUNCTION END


End MAIN
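The loader above locates EndScene and Release through the IDirect3DDevice8 vtable, and the hook DLL overwrites their first five bytes with an E9 rel32 jmp. The same two facts give a defender (an anti-cheat, an EDR, or anyone auditing a process) the check below: walk the vtable, read each slot's prologue, and flag jumps that leave d3d8.dll or slots that no longer point into it. This is an added example, not code from the tutorial; the module range, vtable contents and byte image are constructed for the demo, and the memory-read callback stands in for ReadProcessMemory.

```c
/* Added example: scan an IDirect3DDevice8-style vtable for the detour described
 * above (Release = 8h/4 = slot 2, EndScene = 8Ch/4 = slot 35; the fixture has 4).
 * Memory goes through a callback so it runs on a constructed image; on Windows the
 * callback would wrap ReadProcessMemory and the range would come from SizeOfImage. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN 5u
typedef struct { uintptr_t base; size_t size; } module_range;
typedef int (*read_fn)(void *ctx, uintptr_t addr, uint8_t out[JMP_LEN]);

enum {
    PROLOGUE_CLEAN        = 0,  /* no jmp at the entry point */
    PROLOGUE_JMP_INTERNAL = 1,  /* jmp staying inside the module (a thunk, not a hook) */
    PROLOGUE_JMP_EXTERNAL = 2,  /* jmp into foreign memory: an inline detour */
    SLOT_OUTSIDE_MODULE   = 3,  /* the vtable entry itself has been replaced */
    SLOT_UNREADABLE       = -1
};

static int in_module(uintptr_t a, const module_range *m)
{
    return a >= m->base && a < m->base + m->size;
}

/* Decode "E9 rel32" at addr: target = address after the jmp + signed displacement,
 * the inverse of the calculation the hook DLL performs when writing it. */
int decode_rel32_jmp(const uint8_t code[JMP_LEN], uintptr_t addr, uintptr_t *target)
{
    int32_t rel;
    if (code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, sizeof rel);                  /* x86 is little-endian */
    *target = addr + JMP_LEN + (uintptr_t)(intptr_t)rel; /* wraps correctly when rel < 0 */
    return 1;
}

int classify_prologue(const uint8_t code[JMP_LEN], uintptr_t addr, const module_range *mod)
{
    uintptr_t target;
    if (!decode_rel32_jmp(code, addr, &target)) return PROLOGUE_CLEAN;
    return in_module(target, mod) ? PROLOGUE_JMP_INTERNAL : PROLOGUE_JMP_EXTERNAL;
}

/* Classify every slot into states[]; returns how many look hooked (states 2 and 3). */
size_t scan_vtable(const uintptr_t *vtable, size_t slots, const module_range *mod,
                   read_fn rd, void *ctx, int *states)
{
    size_t flagged = 0;
    for (size_t i = 0; i < slots; i++) {
        uint8_t code[JMP_LEN]; int st;
        if (!in_module(vtable[i], mod))      st = SLOT_OUTSIDE_MODULE;
        else if (!rd(ctx, vtable[i], code))  st = SLOT_UNREADABLE;
        else                                 st = classify_prologue(code, vtable[i], mod);
        states[i] = st;
        if (st == PROLOGUE_JMP_EXTERNAL || st == SLOT_OUTSIDE_MODULE) flagged++;
    }
    return flagged;
}

/* ---- constructed fixture: a 48-byte "module" standing in for d3d8.dll ---- */
#define DEMO_BASE  ((uintptr_t)0x6D400000u)
#define DEMO_SLOTS 4
static const uint8_t g_image[0x30] = {
    /* +0x00 */ 0x8B,0xFF,0x55,0x8B,0xEC,0x90,0x90,0x90, /* clean hot-patch prologue */
    /* +0x08 */ 0x8B,0xFF,0x55,0x8B,0xEC,0x90,0x90,0x90, /* clean */
    /* +0x10 */ 0xE9,0xEB,0xFF,0xFF,0xFF,0x90,0x90,0x90, /* jmp -0x15 -> +0x00 (internal) */
    /* +0x18 */ 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    /* +0x20 */ 0xE9,0xDB,0x0F,0xC0,0xA2,0x90,0x90,0x90, /* jmp -> 0x10001000 (external) */
    /* +0x28 */ 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
};
static const module_range g_mod = { DEMO_BASE, sizeof g_image };
/* slot 3 detoured the way the tutorial detours EndScene */
const uintptr_t g_vtable_detoured[DEMO_SLOTS] =
    { DEMO_BASE + 0x00, DEMO_BASE + 0x08, DEMO_BASE + 0x10, DEMO_BASE + 0x20 };
/* slot 1 replaced outright (vtable hooking, the other common variant) */
const uintptr_t g_vtable_swapped[DEMO_SLOTS] =
    { DEMO_BASE + 0x00, (uintptr_t)0x10002000u, DEMO_BASE + 0x08, DEMO_BASE + 0x08 };
int g_states[DEMO_SLOTS];

static int image_read(void *ctx, uintptr_t addr, uint8_t out[JMP_LEN])
{
    (void)ctx;
    if (addr < DEMO_BASE || addr + JMP_LEN > DEMO_BASE + sizeof g_image) return 0;
    memcpy(out, g_image + (addr - DEMO_BASE), JMP_LEN);
    return 1;
}

size_t run_demo(const uintptr_t *vtable)
{
    return scan_vtable(vtable, DEMO_SLOTS, &g_mod, image_read, NULL, g_states);
}

int main(void)
{
    size_t n = run_demo(g_vtable_detoured);
    for (int i = 0; i < DEMO_SLOTS; i++) printf("slot %d: state %d\n", i, g_states[i]);
    printf("%zu slot(s) flagged\n", n);
    return 0;
}
```

A jmp that stays inside the module is reported separately because compiler-generated thunks legitimately start that way; only the external jump and the replaced slot are counted.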

Code:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ SECTION 3 : THE D3D_DRAW DLL (C++) @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Description
===========

This is a C++ dll created to do all the D3D work. It's passed the game's
D3D Device interface and uses it to DRAW things to the screen.


REQUIRED READING
================


D3D_DRAW INDEX JOB LIST
=====================


D3D_DRAW DLL (C++)
==================

#include "stdafx.h"                        // Standard header files.                       
#include "dxdx.h"                          // 
#include <D3DX8.h>                         // DirectX8 SDK header file.

class CSimpleSprite                        // Sprite class.
{                                          //
public:                                    //
    CSimpleSprite();                       // Constructor
    ~CSimpleSprite();                      // Destructor

                                           // Class METHODS.
    HRESULT Initialize(void);              // Initialize function
    HRESULT Render();                      // Render function
    HRESULT dosprite();                    // Create Sprite

    D3DXVECTOR2 m_RotCenter;               // Class MEMBERS.
    D3DXVECTOR2 m_Translation;             //
    D3DXVECTOR2 m_Scaling;                 //
    float m_Rotation;                      //
    D3DCOLOR m_ModulateColor;              //
    LPD3DXSPRITE m_pSprite;                //
    LPDIRECT3DTEXTURE8 m_pTexture;         //
    BOOL m_bInitialized;                   //
};


CSimpleSprite Sprite;                      // Declare new sprite from CSimpleSprite class.

static unsigned char stars_1[]={ FILL IN DATA HERE PNG FORMAT ARRAY };   // Sprite image data (texture)

IDirect3DDevice8       *g_pDevice;         // Storage for GAME D3D_Device.
                                           // This enables us to write to the screen using the 
                                           // games device.



BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved
					 )
{
    switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
			break;
    }
    return TRUE;
}


void ObtainDevice(IDirect3DDevice8 *g_pDevice2)    // Obtain device Function   
{

        g_pDevice=g_pDevice2;                      // Pass game D3D_Device interface to our DLL. 

}


void EndMe()                                       // General empty Function. 
{



}


void InitDX()                                      // Init DX Function.
{


        Sprite.Initialize();                       // Initialise sprite.


}



void DrawDX(void)                                  // Draw DX routine.
{

        Sprite.dosprite();                         // Create Sprite.
        Sprite.Render();                           // Render Sprite.
        Sprite.m_pSprite->Release();               // Release Sprite.

}


// SPRITE CLASS METHODS.


CSimpleSprite::CSimpleSprite()                         // Sprite constructor.
{
	m_pSprite =  0;                                // Set up all initial Sprite variables.
	m_pTexture = 0;                                //
	m_bInitialized = false;                        //
	m_RotCenter.x = 00.0f;                         //
	m_RotCenter.y = 00.0f;                         //
	m_Translation.x = 50.0f;                       //
	m_Translation.y = 150.0f;                      //
	m_Scaling.x = 1.0f;                            //
	m_Scaling.y = 1.0f;                            //
	m_ModulateColor = D3DCOLOR_XRGB(255,255,255);  //
	m_Rotation = 0.0f;                             //
}


CSimpleSprite::~CSimpleSprite()                        // Sprite deconstructor.
{

	
}


HRESULT CSimpleSprite::Initialize(void)                // Sprite Init function.
{
   HRESULT hr = 0;

   D3DXCreateTextureFromFileInMemoryEx (g_pDevice,     // Load Sprite Texture.
                          &stars_1,                    //   
                          sizeof stars_1 ,             //
                          NULL,                        //
                          NULL,                        //
                          D3DX_DEFAULT,                //
	 	          0,                           // 
		          D3DFMT_A8R8G8B8,             //
		          D3DPOOL_MANAGED,             //
		          D3DX_DEFAULT,                //
			  D3DX_DEFAULT,                //
			  0xffff344f,                  //
			  NULL,                        //
			  NULL,                        //
	                  &m_pTexture);                // 
	
        m_bInitialized = TRUE;                         // Set BOOL 
	return S_OK;
}


HRESULT CSimpleSprite::dosprite()                       // Sprite dosprite function.
{
	D3DXCreateSprite(g_pDevice, &m_pSprite);        // Create Sprite 
	return S_OK;
}


HRESULT CSimpleSprite::Render()                         // Sprite render function.
{
	if(!m_bInitialized)                             // check BOOL 
		return E_FAIL;

	HRESULT hr = 0;

	m_pSprite->Begin();                             // Init Sprite Drawing.

	hr = m_pSprite->Draw(m_pTexture,                // Sprite texture. 
	             		   NULL,                //
				   &m_Scaling,          // Scaling variable.
				   &m_RotCenter,        // RotCenter variable.
				   m_Rotation,          // Rotation variable.
				   &m_Translation,      // translation variable.
				   m_ModulateColor);    // modulatecolor variable.

	m_pSprite->End();                               // End Sprite Drawing.
	
	return S_OK;
}
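How DrawDX() actually ends up running inside the game's frame, as an added example: the following C++ is written for this page and is not part of the tutorial or its author's code. It intercepts EndScene (to draw before the game presents) and Release (to forget the device once the game drops it), which is what the EndSceneRVA/ReleaseRVA hooks in the HOOK dll are for, but it does so by pointing the object's vptr at a private copy of its vtable instead of patching the function at its RVA, so it compiles and runs on any desktop compiler without the DirectX SDK. IDevice, FakeDevice, the slot numbers, HookDevice, UnhookDevice and RunDemo are this example's own assumptions; on the real IDirect3DDevice8, Release is slot 2 and EndScene is slot 35.

```cpp
#include <vector>

// Stand-in for IDirect3DDevice8 (this example's assumption, not the SDK type):
// a COM-style interface whose first three slots are IUnknown's, as in D3D8.
// On the real IDirect3DDevice8, Release is slot 2 and EndScene is slot 35.
struct IDevice {
    virtual long          QueryInterface(const void* iid, void** out) = 0;
    virtual unsigned long AddRef() = 0;
    virtual unsigned long Release() = 0;
    virtual long          BeginScene() = 0;
    virtual long          EndScene() = 0;
};
enum { SLOT_RELEASE = 2, SLOT_ENDSCENE = 4, SLOT_COUNT = 5 };

// Constructed fake of the game's device: counts references and finished scenes.
struct FakeDevice : IDevice {
    unsigned long refs = 1;
    int scenes = 0;
    long QueryInterface(const void*, void**) override { return 0x80004002L; } // E_NOINTERFACE
    unsigned long AddRef() override { return ++refs; }
    unsigned long Release() override { return --refs; } // a real device frees itself at 0
    long BeginScene() override { return 0; }
    long EndScene() override { ++scenes; return 0; }
};

typedef long (*EndSceneFn)(IDevice*);
typedef unsigned long (*ReleaseFn)(IDevice*);

static IDevice*           g_device = nullptr;  // what ObtainDevice() stores
static void**             g_origVt = nullptr;  // the device's real vtable
static std::vector<void*> g_shadowVt;          // our writable copy of it
static EndSceneFn         g_origEndScene = nullptr;
static ReleaseFn          g_origRelease = nullptr;
static int                g_framesDrawn = 0;   // frames our overlay was drawn into

static void DrawDX(IDevice*) { ++g_framesDrawn; } // stands in for the sprite drawing

// A free function dropped into a vtable slot receives `this` as its first
// argument on the Itanium ABI and x64 MSVC; 32-bit MSVC needs __stdcall here.
static long hkEndScene(IDevice* self) {
    if (self == g_device) DrawDX(self);      // draw our overlay before the game presents
    return g_origEndScene(self);             // then let the real EndScene run
}

static unsigned long hkRelease(IDevice* self) {
    unsigned long left = g_origRelease(self);
    if (left == 0 && self == g_device) g_device = nullptr; // device is gone: never touch it again
    return left;
}

// Point the object's vptr at a private copy of its vtable with two slots
// replaced. The module's real vtable is never written, so no page-protection
// change is needed; the cost is that the vptr now points outside d3d8's image,
// which an anti-cheat scanning device objects can notice.
bool HookDevice(IDevice* dev) {
    if (dev == nullptr || g_origVt != nullptr) return false;   // one device at a time
    g_device = dev;
    g_origVt = *reinterpret_cast<void***>(dev);
    g_shadowVt.assign(g_origVt, g_origVt + SLOT_COUNT);
    g_origEndScene = reinterpret_cast<EndSceneFn>(g_origVt[SLOT_ENDSCENE]);
    g_origRelease  = reinterpret_cast<ReleaseFn>(g_origVt[SLOT_RELEASE]);
    g_shadowVt[SLOT_ENDSCENE] = reinterpret_cast<void*>(&hkEndScene);
    g_shadowVt[SLOT_RELEASE]  = reinterpret_cast<void*>(&hkRelease);
    *reinterpret_cast<void***>(dev) = g_shadowVt.data();       // single pointer write: hook is live
    return true;
}

void UnhookDevice(IDevice* dev) {
    if (dev != nullptr && g_origVt != nullptr) *reinterpret_cast<void***>(dev) = g_origVt;
    g_origVt = nullptr;
    g_device = nullptr;
}

// Keeps the compiler from devirtualising calls on an object whose type it knows.
static IDevice* AsGame(IDevice* p) { IDevice* volatile v = p; return v; }

// Drives a fake frame loop. Returns the number of frames the hook drew into
// (3) when every check passes, or -1 on the first inconsistency.
int RunDemo() {
    g_framesDrawn = 0;
    FakeDevice dev;
    IDevice* game = AsGame(&dev);
    if (!HookDevice(game)) return -1;
    for (int i = 0; i < 3; ++i) { game->BeginScene(); game->EndScene(); } // game renders 3 frames
    game->AddRef();
    if (game->Release() != 1 || g_device != game) return -1;    // 2 -> 1: alive, still hooked
    if (game->Release() != 0 || g_device != nullptr) return -1; // 1 -> 0: hook forgets the device
    UnhookDevice(game);
    game->EndScene();                                           // no longer reaches hkEndScene
    if (dev.scenes != 4 || g_framesDrawn != 3) return -1;
    return g_framesDrawn;
}
```

The Release hook is the part people skip: after the call that takes the count to zero the device memory is owned by nobody, so the hook must drop its own pointer there and must not touch `self` afterwards. Swapping the whole vptr rather than writing into d3d8's vtable avoids VirtualProtect and affects only the one device object, but it is also the easiest variant to detect, since a vptr that does not point into d3d8.dll is a one-line integrity check.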