Comments on: Drawing on another Direct3D program’s viewport

By: Sylar

Sylar — Tue, 23 Feb 2010 06:23:21 +0000

Hi Greg,
Thanks for your great work! It looks pretty cool.
You said this dll could work on nearly all d3d9 games which use present or swapchainpresent to present screen. But how can I get it working? I’m just working on Direct3D and have no idea about dll injection. I wanna use the dll to do this: when any d3d9 game starts, inject this dll into the game and hook the d3d9 api. Any suggestion for me? otherwise, it would be very nice if you could send me a example with source code showing how to using this dll to hook d3d9 games. My email is: chenliangnjbj@tom.com .

By: Greg

Greg — Fri, 06 Feb 2009 11:49:36 +0000

Filip, this is likely due to a service pack or hotfix upgrade. Any new build of the target binary will in all likelihood cause this check to fail.

Indeed, this is the whole purpose of VerifyAddresses – to minimise the fallout in the case of a version mismatch. However, it is probably safe enough to ignore this check altogether if the program is for personal consumption only.

If you need something more scalable, I’d recommend using Microsoft Detours to install equivalent hooks.

By: Filip

Filip — Fri, 30 Jan 2009 01:09:55 +0000

When I try to inject into an application I get that the VerifyAddresses function returns false. Any idea why this might be happening?

By: Ring3 Circus » Blog Archive » Direct3D 9 Hook v1.1

Ring3 Circus » Blog Archive » Direct3D 9 Hook v1.1 — Fri, 07 Mar 2008 08:46:50 +0000

[...] By popular demand, I’ve updated the Direct3D 9 Hooking Sample to accommodate Windows Vista. The same binary should work on both Vista and XP. I’ve only tested it on Vista 64-bit, so it’d be nice to know if it works with Vista 32 or not. Other than this, most of the same caveats apply as last time. [...]

By: matt

matt — Fri, 07 Mar 2008 00:18:53 +0000

hook Direct3DCreate9->CreateDevice->ppReturnedDeviceInterface

interface are in order in the d3d9.h

By: Greg

Greg — Tue, 26 Feb 2008 08:47:41 +0000

Austin. Take a look here. There’s currently a little doubt surrounding the effectiveness of this method as I’ve received (but not yet investigated) reports of it producing entirely erroneous results. It worked for me though, so it’s certainly worth a try.

If that doesn’t work out for you, it should be simple enough to code up a program with a call to the virtual function in question immediately after something easily identifiable (say, two successive calls to IsDebuggerPresent). Now by throwing the resulting executable at your debugger and setting an appropriate breakpoint you can trace into the call (which will almost certainly be of the form CALL ) and see where you end up. Once you have the absolute address of the function, subtract the base address of the DLL (where the PE header begins in memory) for the relative offset which can be used under all circumstances.

For the record, it’s not generally too easy to find these function locations in a debugger using somebody else’s binary as the compiler trashes all easily processable mappings of function names to addresses. If for some reason you are entirely unable to debug your own Direct3D program then you’ll have to be a little creative and reverse-engineer the target to find the pertinent call, paying attention to stack parameters and comparing the arguments with those specified by the Direct3D docs.

By: Austin

Austin — Mon, 25 Feb 2008 19:48:49 +0000

I am also interested how you got the offsets for the three functions you hooked, in order to hook the other functions using this method.

By: Greg

Greg — Sat, 09 Feb 2008 17:45:30 +0000

That's a little worrying. Perhaps there is more than one version of d3d9.dll in the wild for 32-bit Vista. If that's the case, I'll have to resort to using the method in this post (which you evidently found and I hope answers your questions). That would involve a compromise somewhere along the line, though, as it requires an initialised IDirect3DDevice9 object in order to function. So indeed, can anybody confirm that the new offsets are causing problems?

By: Alexandre

Alexandre — Fri, 08 Feb 2008 20:47:12 +0000

I forgot to specify that it does work under XP with the same code. Can anyone else confirm?

Thanks,
Alexandre

By: Alexandre

Alexandre — Fri, 08 Feb 2008 20:39:27 +0000

Greg,

The offsets you provided for Vista do not work under Vista x86. I can get a HMODULE of d3d9.dll just fine within the remote process so I add up the offset to it and the memcmp between the opcodes you provided and what is actually there is different. I even tried using your code directly instead of mine and the result is exactly the same. Does this have to do with what matt was saying regarding dynamic offsets? I didn’t quite get it.

Additionally, was it hard for you to get those offsets? I’m not expecting you to show me how but I’m just wondering if it’s within the scope of a guy like me or if it requires quite a bit of reverse engineering experience. The reason I’m asking is because I will most likely need to intercept other methods. I think you mentionned OllyBdg, would that do that?

Thanks,
Alexandre