So, I’ve been studying DLL Injection lately. There are a lot of online examples with source code. However, many of them stop after successful injection. I’d like to know: after injecting code into an application's memory, how does one take control of (or acquire) existing objects in the target application's memory?

Take DirectX for example. Let’s say I wanted to give myself unlimited ammo in a game, or I wanted to draw some other graphics over the window. To do the latter, I’d have to get a reference to the IDXGISwapChain object.

Would something like this work, where we use GetProcAddress() to get the object reference from d3d11.dll? (Note: I haven't tested this code; I'm not sure it will even work.)

#include <windows.h>
#include <tchar.h>

// The original used two different typedef names (FNC3DC11 / FND3DC9) that were
// never defined; one consistent, assumed signature is used here so the code compiles.
typedef void* (WINAPI *FND3DC11)(void);

BOOL GetSwapChainFromD3D11(void)
{
    FND3DC11 IDXGISwapChain_out = NULL;
    TCHAR szDllPath[MAX_PATH] = { 0 };

    // Build the full path to the system directory (System32) so the loader does not
    // apply its DLL search order, which could otherwise pick up a planted d3d11.dll.
    if (GetSystemDirectory(szDllPath, MAX_PATH) == 0)
    {
        return FALSE;
    }
    // TEXT() keeps the literal in the same character width as TCHAR (ANSI or Unicode build).
    lstrcat(szDllPath, TEXT("\\d3d11.dll"));

    HMODULE hDll = LoadLibrary(szDllPath);
    if (hDll == NULL)
    {
        return FALSE;
    }

    // GetProcAddress looks a name up in the DLL's export table. d3d11.dll exports
    // functions such as D3D11CreateDevice; IDXGISwapChain is a COM interface, not an
    // exported symbol, so this lookup returns NULL.
    IDXGISwapChain_out = (FND3DC11)GetProcAddress(hDll, "IDXGISwapChain");
    if (IDXGISwapChain_out == NULL)
    {
        FreeLibrary(hDll);
        return FALSE;
    }

    // Do things with IDXGISwapChain_out...

    FreeLibrary(hDll);
    return TRUE;
}

– junfanbl
    You have to study and understand the code that you are injecting into. Probably have to spend many hours to weeks with your debugger. – drescherjm Jun 17 '20 at 13:53
  • hmm, I didn't notice this thread before posting my question: https://stackoverflow.com/questions/18033536/draw-directx-opengl-graphics-on-an-existing-graphics-application?rq=1 Is hooking the answer I am looking for by any chance? My understanding of hooking is that it just listens to a function; it doesn't actually obtain an object. Could be wrong though. – junfanbl Jun 17 '20 at 14:09
  • `GetProcAddress` of an interface is suspicious. I never saw that. – Phil1970 Jun 17 '20 at 23:49
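
The question and Phil1970's comment both turn on what GetProcAddress can and cannot find. The following is an added C example, not code from the question or from Microsoft's DirectX, that models how a COM interface such as IDXGISwapChain is laid out in memory: an instance pointer whose first field points at a vtable shared by the class, with Present at slot 8 (the real IDXGISwapChain layout: three IUnknown slots, four IDXGIObject slots, one IDXGIDeviceSubObject slot, then Present). It shows that an export-table lookup by the interface name returns NULL while the same method is reachable from any live instance, and it includes the check a defender would add: snapshot the vtable when the object is created and count slots that later differ, which is how a redirected Present slot gets noticed. Every name in it (ToySwapChain, toy_vtable, toy_get_proc_address, the two-entry export list) is constructed for the example; no DirectX or Win32 header is needed, so it compiles on any platform.

```c
/* Toy model of a COM object and of a module export table. Constructed for
 * illustration; not the question's code and not Microsoft's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* In the real IDXGISwapChain vtable, Present is slot 8:
 * IUnknown 3 slots, IDXGIObject 4, IDXGIDeviceSubObject 1, then Present. */
#define SLOT_PRESENT 8
#define VTABLE_SLOTS 18

typedef long (*Method)(void *self);

/* A COM object is a pointer to a struct whose first member points at the
 * vtable (lpVtbl in the C bindings). Everything after it is private state. */
typedef struct ToySwapChain {
    const Method *vtbl;
    unsigned long frames_presented;   /* constructed private state */
} ToySwapChain;

static long toy_present(void *self)
{
    ToySwapChain *sc = (ToySwapChain *)self;
    sc->frames_presented++;
    return 0;                          /* S_OK in COM terms */
}

static long toy_stub(void *self) { (void)self; return -1; }   /* E_NOTIMPL-like */

/* One vtable per class, shared by every instance, exactly as in real COM. */
static Method toy_vtable[VTABLE_SLOTS];

static void init_vtable(void)
{
    for (int i = 0; i < VTABLE_SLOTS; i++) toy_vtable[i] = toy_stub;
    toy_vtable[SLOT_PRESENT] = toy_present;
}

static ToySwapChain *create_toy_swap_chain(void)
{
    static ToySwapChain instance;
    init_vtable();
    instance.vtbl = toy_vtable;
    instance.frames_presented = 0;
    return &instance;
}

/* Constructed stand-in for a module's export table. A real d3d11.dll exports
 * functions by name (D3D11CreateDevice among them); interface types are not
 * exports and never appear in such a table. */
static const char *const toy_exports[] = {
    "D3D11CreateDevice", "D3D11CreateDeviceAndSwapChain"
};

/* The equivalent of GetProcAddress against the toy export table. */
static const char *toy_get_proc_address(const char *name)
{
    for (size_t i = 0; i < sizeof toy_exports / sizeof toy_exports[0]; i++)
        if (strcmp(toy_exports[i], name) == 0) return toy_exports[i];
    return NULL;
}

/* The way a COM method is actually reached: through the vtable of an instance
 * that already exists (or one you created yourself), never via a symbol name. */
static Method method_from_instance(const ToySwapChain *obj, int slot)
{
    return obj->vtbl[slot];
}

/* Defender-side check: record the vtable right after creation and later count
 * slots that no longer match. A redirected Present shows up as one mismatch. */
static void snapshot_vtable(const ToySwapChain *obj, Method *out, int slots)
{
    memcpy(out, obj->vtbl, (size_t)slots * sizeof(Method));
}

static int changed_slots(const ToySwapChain *obj, const Method *snapshot, int slots)
{
    int changed = 0;
    for (int i = 0; i < slots; i++)
        if (obj->vtbl[i] != snapshot[i]) changed++;
    return changed;
}

int main(void)
{
    ToySwapChain *sc = create_toy_swap_chain();
    Method snap[VTABLE_SLOTS];
    snapshot_vtable(sc, snap, VTABLE_SLOTS);

    printf("GetProcAddress(\"IDXGISwapChain\") -> %s\n",
           toy_get_proc_address("IDXGISwapChain") ? "found" : "NULL");
    method_from_instance(sc, SLOT_PRESENT)(sc);
    printf("frames presented: %lu\n", sc->frames_presented);
    printf("modified vtable slots: %d\n", changed_slots(sc, snap, VTABLE_SLOTS));
    return 0;
}
```

The point for the question: the object you want is reached from an instance pointer (the swap chain the game already created, or one you create against the same DLL so its vtable is the same), by reading the slot you need; an export-table lookup by interface name has nothing to return. The snapshot-and-compare function is the same idea turned around for detection.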

0 Answers