Posted by Strife.
DirectX VTable Hook that I made for FEAR using the device pointer that the game stores in memory. Went ahead and hooked a few as an example.
A benefit to this would be that you can hook at any time. In other words, no time critical hooks.
Currently undetected by PB
Code:
#include <Windows.h>
#include <d3d9.h>
#include <detours.h>
#pragma comment (lib, "d3d9.lib")
IDirect3DDevice9 * pGameDevice;
/*
FEARMP.exe
00501838 8B3D F06F5700 MOV EDI,DWORD PTR DS:[576FF0] //Device Pointer
0050183E 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
00501842 53 PUSH EBX
00501843 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
00501847 55 PUSH EBP
00501848 8B2F MOV EBP,DWORD PTR DS:[EDI]
0050184A 8BC3 MOV EAX,EBX
0050184C E8 CFFBFFFF CALL FEARMP.00501420
00501851 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
00501855 8B4C24 28 MOV ECX,DWORD PTR SS:[ESP+28]
00501859 50 PUSH EAX
0050185A 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28]
0050185E 52 PUSH EDX
0050185F 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]
00501863 2BC8 SUB ECX,EAX
00501865 51 PUSH ECX
00501866 50 PUSH EAX
00501867 52 PUSH EDX
00501868 8BC3 MOV EAX,EBX
0050186A E8 91F3FFFF CALL FEARMP.00500C00
0050186F 50 PUSH EAX
00501870 57 PUSH EDI
00501871 FF95 48010000 CALL DWORD PTR SS:[EBP+148] //call to DrawIndexedPrimitive
*/
/**************************************************************************************************/
////////////////
///BeginScene///
////////////////
typedef HRESULT(WINAPI* BeginScene_)(LPDIRECT3DDEVICE9 pDevice);
BeginScene_ pBeginScene;
HRESULT WINAPI nBeginScene(LPDIRECT3DDEVICE9 pDevice)
{
_asm NOP;
HRESULT hRet = pBeginScene(pDevice);
return hRet;
}
/**************************************************************************************************/
//////////////
///EndScene///
//////////////
typedef HRESULT(WINAPI* EndScene_)(LPDIRECT3DDEVICE9 pDevice);
EndScene_ pEndScene;
HRESULT WINAPI nEndScene(LPDIRECT3DDEVICE9 pDevice)
{
_asm NOP;
HRESULT hRet = pEndScene(pDevice);
return hRet;
}
/**************************************************************************************************/
//////////////////////////
///DrawIndexedPrimitive///
//////////////////////////
typedef HRESULT(WINAPI* DrawIndexedPrimitive_)(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex,
UINT NumVertices, UINT StartIndex, UINT PrimitiveCount);
DrawIndexedPrimitive_ pDrawIndexedPrimitive;
HRESULT WINAPI nDrawIndexedPrimitive(LPDIRECT3DDEVICE9 pDevice, D3DPRIMITIVETYPE Type, INT BaseVertexIndex, UINT MinIndex,
UINT NumVertices, UINT StartIndex, UINT PrimitiveCount)
{
_asm NOP;
HRESULT hRet = pDrawIndexedPrimitive(pDevice, Type, BaseVertexIndex, MinIndex, NumVertices, StartIndex, PrimitiveCount);
return hRet;
}
/**************************************************************************************************/
/////////////////////
///SetStreamSource///
/////////////////////
typedef HRESULT(WINAPI* SetStreamSource_)(LPDIRECT3DDEVICE9 pDevice, UINT StreamNumber, IDirect3DVertexBuffer9 * pStreamData, UINT OffsetInBytes, UINT Stride);
SetStreamSource_ pSetStreamSource;
HRESULT WINAPI nSetStreamSource(LPDIRECT3DDEVICE9 pDevice, UINT StreamNumber, IDirect3DVertexBuffer9 * pStreamData, UINT OffsetInBytes, UINT Stride)
{
_asm NOP;
HRESULT hRet = pSetStreamSource(pDevice, StreamNumber, pStreamData, OffsetInBytes, Stride);
return hRet;
}
/**************************************************************************************************/
///////////
///Reset///
///////////
typedef HRESULT(WINAPI* Reset_)(LPDIRECT3DDEVICE9 pDevice, D3DPRESENT_PARAMETERS* pPresentationParameters);
Reset_ pReset;
HRESULT WINAPI nReset(LPDIRECT3DDEVICE9 pDevice, D3DPRESENT_PARAMETERS* pPresentationParameters)
{
_asm NOP;
HRESULT hRet = pReset(pDevice, pPresentationParameters);
return hRet;
}
/**************************************************************************************************/
DWORD dwWait(LPVOID lpArgs)
{
DWORD FearBase = NULL;
for (;FearBase == NULL;Sleep(100))
FearBase = (DWORD)GetModuleHandle("FEARMP.exe"); //get base address for FEARMP.exe
for(;pGameDevice == NULL; Sleep(500)) //do this to allow the game to get spun up, if we don't, pGameDevice will always equal 0x00000000(Necessary for injection on game launch)
{
DWORD dwProtect;
VirtualProtect((void*)(FearBase + 0x176FF0), 4, PAGE_EXECUTE_READWRITE, &dwProtect);
memcpy(&pGameDevice, (void*)(FearBase + 0x176FF0), 4);
VirtualProtect((void*)(FearBase + 0x176FF0), 4, dwProtect, NULL);
}
DWORD* pdwNewDevice = (DWORD*)pGameDevice;
pdwNewDevice = (DWORD*)pdwNewDevice[0]; //turn our pointer into an array for the vtable
//Hook accordingly
//Note: Requires MS Detours v1.5
//For further indexes, consult the d3d9.h
pReset = (Reset_)DetourFunction((PBYTE)pdwNewDevice[16],(PBYTE)nReset);
pBeginScene = (BeginScene_)DetourFunction((PBYTE)pdwNewDevice[41],(PBYTE)nBeginScene);
pEndScene = (EndScene_)DetourFunction((PBYTE)pdwNewDevice[42],(PBYTE)nEndScene);
pDrawIndexedPrimitive = (DrawIndexedPrimitive_)DetourFunction((PBYTE)pdwNewDevice[82],(PBYTE)nDrawIndexedPrimitive);
pSetStreamSource = (SetStreamSource_)DetourFunction((PBYTE)pdwNewDevice[100],(PBYTE)nSetStreamSource);
return 0;
}
bool WINAPI DllMain(HMODULE hMod, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
{
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)dwWait, NULL, NULL, NULL);
return true;
}
return false;
}
Credits to DrUnKeN ChEeTaH for giving me the idea.
DirectX VTable hook using the games device pointer 
Linear Mode
