Direct3D10 Snapshot Hooking TechDemo


Sadly I will not be able to take part in the upcoming class. So here are my 2 cents and best wishes for the next semester:
This is untested pseudocode and a concept for a DLL that hooks D3DX10CreateDevice and runs D3DX10CreateDeviceAndSwapChain, so you can get the buffer containing the image data. It's a peek into what's behind FRAPS and how they do it.

In computer programming, the term hooking covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a "hook".
Hooking is used for many purposes, including debugging and extending functionality. Examples might include intercepting keyboard or mouse event messages before they reach an application, or intercepting operating system calls in order to monitor behavior or modify the function of an application or other component.
(Quoted from and further reading at http://en.wikipedia.org/wiki/Hook_function)

I've stumbled upon this very nice product called "Direct3D Ripper" at Deep Shadows [Mirrored; so it won't get lost: 3DRipperDXSetup.exe] and got blinded by the magic:

HelloKitty Gun

Keep in mind that most of the new games can be run on the DirectX 9 runtime. The goal is to create the same thing for a) D3D10+ and b) 64-bit games. That is where this source should be taken one day.
Ideas for projects are dancing soldiers in a Hello Kitty camouflage suit or a sniper rifle bent into a heart.
Besides, I would be very happy to see the audio grabbed and remixed from Duke Nukem (3D/Forever).
Please be careful out in the wilderness when looking for injectors. // virustotal.com

There will not be an update on this for a very long time (Duke Nukem-Forever-Soon).
Good luck and happy testing!

Download


Windows Download: InjMe Dll Static Win32 MSVC2008 Build
3,61 KB (3.705 Bytes)


Sourcecode


injme.cpp
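#include "injme.h"
#include <Qt/qstring.h>
#include <Qt/qtextdocumentwriter.h>
#include <Qt/qtextdocument.h>
#include <easyhook/easyhook.h>
#include <iostream>
using namespace std;
int s_FrameNumber = 0;

// Replacement for D3DX10CreateDevice: creates the device together with a swap
// chain so that the back buffer can be read and written to a .bmp file.
// WINAPI matches the calling convention of the hooked export.
HRESULT WINAPI D3DX10CreateDevice_Hook (
  IDXGIAdapter *pAdapter,
  D3D10_DRIVER_TYPE DriverType,
  HMODULE Software,
  UINT Flags,
  ID3D10Device **ppDevice
){
    DXGI_SWAP_CHAIN_DESC swapChainDesc;
    ZeroMemory(&swapChainDesc, sizeof(swapChainDesc));

    swapChainDesc.BufferCount = 2;
    swapChainDesc.BufferDesc.Width = 800;
    swapChainDesc.BufferDesc.Height = 600;
    swapChainDesc.BufferUsage = DXGI_USAGE_RENDER_TARGET_OUTPUT;
    swapChainDesc.BufferDesc.Format = DXGI_FORMAT_R8G8B8A8_UNORM;
    // refresh rate, sampling, output handle
    swapChainDesc.BufferDesc.RefreshRate.Numerator = 60;
    swapChainDesc.BufferDesc.RefreshRate.Denominator = 1;
    swapChainDesc.SampleDesc.Quality = 0;
    swapChainDesc.SampleDesc.Count = 1;
    swapChainDesc.OutputWindow = NULL;
    swapChainDesc.Windowed = true;

    IDXGISwapChain *swapCh = NULL;
    HRESULT hResult = D3DX10CreateDeviceAndSwapChain( pAdapter, DriverType, Software, Flags, &swapChainDesc, &swapCh, ppDevice );
    // Do not touch the swap chain if the real call failed.
    if (FAILED(hResult) || swapCh == NULL) return hResult;

    // QString::toWCharArray() does not append a terminator, so the target is a
    // zeroed buffer; "<number>.bmp" always fits into MAX_PATH characters.
    QString fileName = QString("%1.bmp").arg(s_FrameNumber++);
    wchar_t fName[MAX_PATH] = {0};
    fileName.toWCharArray(fName);

    // A failed snapshot must not change what the host application sees, so the
    // result of the real call is returned either way (the old "return false"
    // did the same by accident, because false is 0 and 0 is S_OK).
    CComPtr< ID3D10Texture2D > pBackBuffer;
    if (SUCCEEDED(swapCh->GetBuffer(0, __uuidof(ID3D10Texture2D), (LPVOID*)&pBackBuffer))) {
        D3DX10SaveTextureToFileW(pBackBuffer, D3DX10_IFF_BMP, fName);
    }
    return hResult;
}

InjMe::InjMe()
{
   // Note: D3DX10CreateDevice is exported by the versioned D3DX10 runtime DLL
   // (d3dx10_NN.dll), not by d3d10.dll, so the lookup below returns NULL unless
   // it targets the module the application actually loaded.
   HMODULE hD3d = LoadLibraryA("d3d10.dll");
   if (hD3d == NULL) return;
   FARPROC proc =  GetProcAddress(hD3d, "D3DX10CreateDevice");
   if (proc == NULL) return; // nothing to hook

   TRACED_HOOK_HANDLE hHook = new HOOK_TRACE_INFO();
   ULONG ACLEntries[1] = {0};
   // NTSTATUS: negative values are errors.
   if (LhInstallHook((void*)proc, (void*)D3DX10CreateDevice_Hook, (PVOID)0x12345678, hHook) < 0) {
       delete hHook;
       return;
   }
   // Enable the hook for the calling thread (thread ID 0).
   LhSetInclusiveACL(ACLEntries, 1, hHook);
   // Use the debugger of your choice:
   // Removes all hooks; this also invalidates hHook ...
   LhUninstallAllHooks();
   // ... but the traced handle still has to be released.
   LhUninstallHook(hHook);
   delete hHook;
}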
 
injme.h
#ifndef INJME_H
#define INJME_H
#include <d3d/Include/D3D10.h>
#include <d3d/Include/D3DX10tex.h>
#include <Windows.h>
#include <atlstr.h>
#include <atlfile.h>
 
class InjMe {
public:
    InjMe();
};
 
#endif // INJME_H
 
pro
QT       -= gui core
 
TARGET = InjMe
TEMPLATE = lib
CONFIG += staticdll
 
SOURCES += injme.cpp
 
HEADERS += injme.h \
    easyhook/easyhook.h
 
LIBS += easyhook\EasyHook32.lib \
d3d\Lib\x86\d3dx10.lib \
msvc2008\lib\QtCore4.lib \
msvc2008\lib\QtGui4.lib
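
Seen from the defender's side, a hook like the one LhInstallHook sets in injme.cpp shows up as changed bytes at the entry of the hooked export. The following check is an added example, not part of the original post or of EasyHook: it compares a function's entry bytes in memory with the same bytes from the DLL on disk and decodes common jump patches. It assumes the hook is a jump written over the prologue; checkPrologue, Finding and the sample bytes are hypothetical and constructed for illustration.

```cpp
// Added example (not from the original post): flag a patched function entry.
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum class Patch { None, JmpRel32, JmpIndirect, MovRaxJmpRax, PushRet };
struct Finding {
    Patch kind;        // jump pattern found at the entry point
    uint64_t target;   // decoded destination, 0 when not statically known
    size_t firstDiff;  // first offset where memory differs from disk, else len
};

static uint64_t readLE(const uint8_t* p, size_t n) {  // little-endian, n <= 8
    uint64_t v = 0;
    for (size_t i = 0; i < n; ++i) v |= static_cast<uint64_t>(p[i]) << (8 * i);
    return v;
}

// disk: entry bytes from the DLL file; mem: same range read from the process;
// va: address of the function in the process (resolves relative jumps).
Finding checkPrologue(const uint8_t* disk, const uint8_t* mem, size_t len, uint64_t va) {
    Finding f{Patch::None, 0, len};
    for (size_t i = 0; i < len; ++i)
        if (disk[i] != mem[i]) { f.firstDiff = i; break; }
    if (f.firstDiff == len) return f;  // identical to disk: not patched
    if (len >= 5 && mem[0] == 0xE9) {  // jmp rel32
        f.kind = Patch::JmpRel32;
        f.target = va + 5 + static_cast<int64_t>(static_cast<int32_t>(readLE(mem + 1, 4)));
    } else if (len >= 6 && mem[0] == 0xFF && mem[1] == 0x25) {
        f.kind = Patch::JmpIndirect;   // jmp [mem]: destination read at run time
    } else if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
               mem[10] == 0xFF && mem[11] == 0xE0) {
        f.kind = Patch::MovRaxJmpRax;  // mov rax, imm64 ; jmp rax
        f.target = readLE(mem + 2, 8);
    } else if (len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {
        f.kind = Patch::PushRet;       // push imm32 ; ret
        f.target = readLE(mem + 1, 4);
    }
    return f;  // kind None with firstDiff < len: modified, pattern unknown
}

// Constructed sample: a typical x86 prologue and the same entry after a jmp patch.
static const uint8_t kDisk[8] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};
static const uint8_t kMem[8]  = {0xE9, 0xFB, 0xEF, 0xFF, 0x00, 0x83, 0xEC, 0x10};

int main() {
    Finding f = checkPrologue(kDisk, kMem, sizeof kDisk, 0x10001000);
    std::printf("kind=%d target=0x%llx diff@%zu\n", static_cast<int>(f.kind),
                static_cast<unsigned long long>(f.target), f.firstDiff);
}
```

A decoded target that lies outside every module mapped from a file on disk is the strongest signal. Relocation fixups can also make memory differ from disk, so a difference with kind None calls for a closer look rather than an alert.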