其實很簡單.主要針對D3D遊戲.主要思路:Hook IDirect3DDevice9:
resent,在其中加入sleep函數.讓系統獲得更多的CPU時間片.
試驗遊戲:劍網三(以D3D9為例)
具體實作步驟:
1.HOOK Direct3DCreate9來獲得類型為LPDIRECT3D9的Direct3D對象的接口指針,它有一個成員函數為 IDirect3D9::CreateDevice,是以,隻要根據Direct3D對象接口指針找到Direct3D對象的虛函數表,再根據虛函數表确定IDirect3D9::CreateDevice的記憶體位址,就可以hook這個函數,進而獲得類型為LPDIRECT3DDEVICE9的裝置對象指針,然後根據裝置對象指針找到裝置對象的虛函數表,根據虛函數表找到IDirect3DDevice9:
resent在記憶體中的位址,對其進行 HOOK,在其中加入sleep函數.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
//代碼參考runjin
#include
#include
#pragma comment(lib, "D3D9.lib")
#pragma comment(lib, "D3Dx9.lib")
void GameD3D_HOOK();
IDirect3D9 * _stdcall New_Direct3DCreate9(UINT SDKVersion);
HRESULT _stdcall New_CreateDevice(
LPDIRECT3D9 pDx9,
UINT Adapter,
D3DDEVTYPE DeviceType,
HWND hFocusWindow,
DWORD BehaviorFlags,
D3DPRESENT_PARAMETERS * pPresentsentationParameters,
IDirect3DDevice9 ** pPresentturnedDeviceInterface
);
HRESULT _stdcall New_Present(
LPDIRECT3DDEVICE9 pDxdevice,
CONST RECT * pSourceRect,
CONST RECT * pDestRect,
HWND hDestWindowOverride,
CONST RGNDATA * pDirtyRegion
);
LPDIRECT3D9 m_pD3D=NULL; //Direct3D對象的接口指針
void * pDirect3DCreate9=NULL;//Direct3DCreate9函數位址指針
void * pCreateDevice=NULL;//IDirect3D9::CreateDevice函數位址指針
void * pPresent=NULL;//IDirect3DDevice9:
resent函數位址指針
int Sleeptime=50;//延時時間
BYTE Direct3DCreate_Begin[5];//用于儲存Direct3DCreate9入口的5位元組
BYTE CreateDevice_Begin[5];//用于儲存IDirect3D9::CreateDevice入口的位元組
BYTE Present_Begin[5];//用于儲存IDirect3DDevice9:
resent入口的5位元組
void GameD3D_HOOK()
{
//hook Direct3DCreate9
pDirect3DCreate9=GetProcAddress(GetModuleHandle("d3d9.dll"),"Direct3DCreate9");
DWORD oldproc=0;
memcpy(Direct3DCreate_Begin,pDirect3DCreate9,5);
VirtualProtect(pDirect3DCreate9,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDirect3DCreate9=0xe9;
*(DWORD*)((BYTE*)pDirect3DCreate9+1)=(DWORD)New_Direct3DCreate9-(DWORD)pDirect3DCreate9-5;
}
//當運作到Direct3DCreate9時跳轉到這裡
IDirect3D9 * _stdcall New_Direct3DCreate9(
UINT SDKVersion
)
{
__asm pushad
memcpy(pDirect3DCreate9,Direct3DCreate_Begin,5);//首先還原入口的5個位元組
m_pD3D=Direct3DCreate9(SDKVersion);
if(m_pD3D){//如果成功
pCreateDevice=(void*)*(DWORD*)(*(DWORD*)m_pD3D+0x40);//獲得IDirect3D9::CreateDevice的位址指針
DWORD oldpro=0;
memcpy(CreateDevice_Begin,pCreateDevice,5);//儲存IDirect3D9::CreateDevice入口5個位元組
VirtualProtect(pCreateDevice,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pCreateDevice=0xe9;
*(DWORD*)((BYTE*)pCreateDevice+1)=(DWORD)New_CreateDevice-(DWORD)pCreateDevice-5;
}else{//如果失敗就再hook一次
DWORD oldpro=0;
VirtualProtect(pDirect3DCreate9,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDirect3DCreate9=0xe9;
*(DWORD*)((BYTE*)pDirect3DCreate9+1)=(DWORD)New_Direct3DCreate9-(DWORD)pDirect3DCreate9-5;
}
__asm popad
return m_pD3D;
}
//hook CreateDevice
HRESULT _stdcall New_CreateDevice(
LPDIRECT3D9 pDx9,
UINT Adapter,
D3DDEVTYPE DeviceType,
HWND hFocusWindow,
DWORD BehaviorFlags,
D3DPRESENT_PARAMETERS * pPresentsentationParameters,
IDirect3DDevice9 ** pPresentturnedDeviceInterface
)
{
__asm pushad
memcpy(pCreateDevice,CreateDevice_Begin,5);//先還原入口的5個位元組
HRESULT ret=pDx9->CreateDevice( //建立裝置
Adapter,
DeviceType,
hFocusWindow,
BehaviorFlags,
pPresentsentationParameters,
pPresentturnedDeviceInterface);
if (ret==D3D_OK){//如果建立裝置成功
LPDIRECT3DDEVICE9 m_pDevice=*pPresentturnedDeviceInterface;
pPresent=(void*)*(DWORD*)(*(DWORD*)m_pDevice+0x44);//獲得IDirect3DDevice9:
resent的位址指針
memcpy(Present_Begin,pPresent,5);//儲存IDirect3DDevice9:
resent入口的5個位元組
DWORD oldpro=0;
VirtualProtect(pPresent,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pPresent=0xe9;
*(DWORD*)((BYTE*)pPresent+1)=(DWORD)New_Present-(DWORD)pPresent-5;
}else{//如果失敗再hookIDirect3D9::CreateDevice一次
DWORD oldpro=0;
VirtualProtect(pCreateDevice,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pCreateDevice=0xe9;
*(DWORD*)((BYTE*)pCreateDevice+1)=(DWORD)New_CreateDevice-(DWORD)pCreateDevice-5;
}
__asm popad
return ret;
}
//當程式運作到IDirect3DDevice9:
resent入口處将跳轉到這裡
HRESULT _stdcall New_Present(
LPDIRECT3DDEVICE9 pDxdevice,//類的this指針
CONST RECT * pSourceRect,//此參數請參考dx sdk
CONST RECT * pDestRect,//同上
HWND hDestWindowOverride,//同上
CONST RGNDATA * pDirtyRegion//同上
)
{
Sleep(Sleeptime);
__asm pushad
if(pDirect3DCreate9 && pCreateDevice && pPresent)
memcpy(pPresent,Present_Begin,5);//先還原IDirect3DDevice9:
resent入口的5位元組
HRESULT retdata= pDxdevice->
resent(pSourceRect,pDestRect,hDestWindowOverride,pDirtyRegion);
if(pDirect3DCreate9 && pCreateDevice && pPresent){
//DWORD oldpro=0;
//VirtualProtect(pPresent,5,PAGE_EXECUTE_READWRITE,&oldpro);
//調用完IDirect3DDevice9:
resent後再hook一次
*(BYTE*)pPresent=0xe9;
*(DWORD*)((BYTE*)pPresent+1)=(DWORD)New_Present-(DWORD)pPresent-5;
}
__asm popad
return retdata;
}