Analysis of game process injection and DX background principles

Source: Internet
Author: User

These two topics should be discussed together, because a real DX background (as opposed to DX-to-GDI) requires code to be injected into the game process.
There are many ways to inject into a game process, such as input method injection, network injection, and registry injection.
The first is hooking, which uses the API SetWindowsHookEx; you can search Baidu or MSDN, but it is best to check MSDN for the details.
Once injected through a message hook, you can do anything in the game process. One of the parameters is a callback function: when a message is received, the work in our callback runs first. The callback prototype is as follows:

LRESULT CALLBACK HookProc(
    int nCode,
    WPARAM wParam,
    LPARAM lParam
);

 

HookProc is the name of the callback function.
The nCode parameter is the hook code, which the hook procedure uses to decide what to do. Its value depends on the hook type; each hook type has its own set of hook codes.
The values of wParam and lParam depend on the hook code, but typically they contain information about the message that was sent or posted.
Another common method is the remote thread, which uses the API CreateRemoteThread.
The function prototype is as follows:

HANDLE CreateRemoteThread(
    HANDLE hProcess,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    SIZE_T dwStackSize,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    DWORD dwCreationFlags,
    LPDWORD lpThreadId
);
Parameter description:
hProcess: handle of the target process.
lpThreadAttributes: pointer to the thread's security attributes structure. Usually NULL, meaning the default security descriptor is used.
dwStackSize: the thread stack size. Usually 0, meaning the default size is used, which is normally 1 MB.
lpStartAddress: address of the thread function.
lpParameter: the parameter passed to the thread function.
dwCreationFlags: how the thread is created.
If CREATE_SUSPENDED is specified, the thread is created in a suspended state.
lpThreadId: output parameter that receives the ID of the created remote thread.
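The two injection routes above both end with a foreign DLL living inside the target process. As an added defensive check, not code from the original post, the following PowerShell script enumerates the modules loaded in a running process and flags any that sit outside the expected install directories or lack a valid Authenticode signature; the process name and trusted roots are assumed placeholders.

```powershell
# Added example (not from the original post): list a process's loaded modules and
# flag the ones a DLL injected via CreateRemoteThread + LoadLibrary would resemble:
# loaded from outside the trusted install roots, or without a valid signature.
# $ProcessName and $TrustedRoots are assumed values; adjust them for the real game.
param(
    [string]$ProcessName = 'game',                                      # assumed name
    [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles)     # assumed roots
)

function Get-SuspiciousModules {
    param([string]$Name, [string[]]$Roots)
    $results = @()
    # A 64-bit PowerShell cannot read the module list of a 32-bit process (and vice
    # versa); such errors are suppressed here rather than aborting the whole scan.
    foreach ($proc in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        foreach ($mod in @($proc.Modules)) {
            $path = $mod.FileName
            if (-not $path) { continue }
            $inTrustedRoot = $false
            foreach ($root in $Roots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                }
            }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $sigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            if (-not $inTrustedRoot -or $sigStatus -ne 'Valid') {
                $results += [pscustomobject]@{
                    Pid           = $proc.Id
                    Process       = $proc.ProcessName
                    Module        = $path
                    InTrustedRoot = $inTrustedRoot
                    Signature     = $sigStatus
                }
            }
        }
    }
    return $results
}

Get-SuspiciousModules -Name $ProcessName -Roots $TrustedRoots | Format-Table -AutoSize
```

Add the game's own install directory to the trusted roots and record a clean baseline first, since unsigned but legitimate game DLLs will otherwise be listed too; a remote thread that runs code without loading a DLL will not appear in the module list at all.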

 

Okay, that covers these two injection methods. Now that we are inside the game process, we can look at the DX background technique that really interests us.
In fact, the principle is very simple. Hooking the DX interface functions means having our code run before or after the DX function executes. For example, if you want to read or write the screen, you must hook before execution; if you want to send keyboard and mouse messages, you replace the data after the DInput data acquisition interface executes, so that it delivers the data to the background DX keyboard or mouse.
There are only a few documents about DX. I will list several key interfaces below. As long as the following interfaces are hooked, a background mouse and keyboard, background screenshots, screen writing, CPU downgrading, and so on are no problem.
First, let's look at DDraw. You need to know that D3D inherits from DDraw, so we start with DDraw. For 2D games, where can we hook to get images? Blt and BltFast, of course. BltFast usually copies a part of the screen image, such as a single character or the background, so from Blt you can get the memory image surface, and the background image can be captured in full. By the way, the primary surface is the display surface. Some people once said that DX writes directly to the screen, so background operation is impossible: if you hook the primary surface, what blocks the game, and what image gets captured? That is why you need to hook the memory surface and read it before it is displayed. I use Delphi, and few people use Delphi, so I will not write the specific code. If you are interested, you are welcome to join the group and build projects together.
Then let's look at D3D, where the screen can be read by hooking Present. Of course, it can also reduce CPU usage, write to the screen, and so on, just like DDraw.
The last step is hooking DInput to get data for the mouse, keyboard, and gamepad. The hook targets are GetDeviceData and GetDeviceState (buffered and immediate mode); the keyboard, mouse, and gamepad values are all defined as constants in the DX SDK header files. For details, refer to the instructions in the DX background keyboard plug-in package I released.
 
All of this must be performed inside the target process; otherwise, the correct data cannot be intercepted.

This method has some drawbacks. First, modifying the game's memory counts as an infringement, as I also heard Leo say. You may think, who cares? Well, let's say something more practical: some NP-protected games cannot be hooked, and many methods such as API restoration and brute-force cracking exist to get past NP. I don't really like studying such things; at first my software was often cracked, but I really wanted to work with people who liked this kind of thing, and later the encryption was guided by a hacker from a cracking group!
I have read the Programming Guru story and recall the impression that DLL injection into memory is prone to problems, especially when multiple games are running.
Some people may not understand this, but experts will know how to do it at a glance. I hope you will discuss it further.
