// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <thread>
#include <Windows.h>
#include <d3d11.h>
#include <MinHook.h>
#include "imgui.h"
#include "imgui_impl_win32.h"
#include "imgui_impl_dx11.h"
#include "./cs2dumper/offsets.hpp"
#include "./cs2dumper/client_dll.hpp"
#include "gui.h"
#include "esp.h"
#include "triggerbot.h"
#include "cusercmd.h"
#include "bhop.h"
#include "recoil.h"
// Process-wide rendering state shared between hook() and custom_present().
// hook() fills g_pd3dDevice/g_pd3dDeviceContext/g_pSwapChain for a throw-away
// device, releases them and resets them to nullptr again; custom_present() then
// re-populates g_pd3dDevice, g_pd3dDeviceContext, g_hwnd and
// g_mainRenderTargetView from the game's real swap chain on its first call.
// g_pSwapChain stays nullptr after hook() returns.
static ID3D11Device* g_pd3dDevice = nullptr;
static ID3D11DeviceContext* g_pd3dDeviceContext = nullptr;
static IDXGISwapChain* g_pSwapChain = nullptr;
static ID3D11RenderTargetView* g_mainRenderTargetView = nullptr;
static HWND g_hwnd = nullptr;   // window the hooked swap chain presents into (read from its DXGI_SWAP_CHAIN_DESC)
bool isInitialized = false;     // set to true once custom_present() has created the ImGui context and backends
// The hidden first parameter of a member function is the object's address (`this`),
// so the COM method IDXGISwapChain::Present is modelled as a free __stdcall function
// that receives the interface pointer first.
using Present = HRESULT(__stdcall*)(IDXGISwapChain*, UINT, UINT);
void* origin_present = nullptr;// trampoline to the original Present; written by MH_CreateHook in hook()
// Trampoline to the original CreateMove; written by MH_CreateHook in hook().
static bool(__fastcall* fnOriginalCreateMove)(void*, int, CUserCMD*) = nullptr;// third parameter is the user-command pointer (the author's note called it uint8_t*, the declared type is CUserCMD*)
// Forward declare message handler from imgui_impl_win32.cpp
extern IMGUI_IMPL_API LRESULT ImGui_ImplWin32_WndProcHandler(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam);
// Window procedure that was installed before WndProc() subclassed the game window.
// Static storage, so it is null until custom_present() stores the SetWindowLongPtr result.
WNDPROC origin_wndProc;
// 自定义窗口过程
// Window procedure installed on the game window by custom_present().
// Dear ImGui's Win32 backend gets first refusal on every message; a message it
// consumes returns 1, everything else is forwarded to the original procedure
// saved in origin_wndProc.
LRESULT __stdcall WndProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam) {
    const bool consumedByImGui = ImGui_ImplWin32_WndProcHandler(hwnd, uMsg, wParam, lParam) != 0;
    if (!consumedByImGui) {
        // Chain to the window procedure that was active before we subclassed the window.
        return CallWindowProc(origin_wndProc, hwnd, uMsg, wParam, lParam);
    }
    return 1;   // same value the original `return true;` produced for an LRESULT
}
// 自定义Present函数Hook替换IDXGISwapChain的成员函数Present
// Detour for IDXGISwapChain::Present, installed with MinHook in hook().
// First call: bootstraps the overlay from the game's real swap chain — device,
// immediate context, back-buffer render target view, window subclassing, Dear ImGui
// context plus the Win32/DX11 backends. Every call: renders one ImGui frame onto the
// current back buffer and then forwards to the original Present so the game frame is
// still presented.
// _this: the swap chain being presented; SyncInterval/Flags are passed through untouched.
// Returns whatever the original Present returns.
long __stdcall custom_present(IDXGISwapChain* _this, UINT SyncInterval, UINT Flags) {
    if (!isInitialized) {
        // Setup Platform/Renderer backends
        // NOTE(review): none of the HRESULTs below are checked. If GetDevice or GetBuffer
        // failed, g_pd3dDevice / pBackBuffer (which is not initialised) would be dereferenced
        // on the following line.
        _this->GetDevice(__uuidof(ID3D11Device), (void**)&g_pd3dDevice);
        g_pd3dDevice->GetImmediateContext(&g_pd3dDeviceContext);
        DXGI_SWAP_CHAIN_DESC sd;
        _this->GetDesc(&sd);
        g_hwnd = sd.OutputWindow;   // the window this swap chain presents into
        ID3D11Texture2D* pBackBuffer;
        _this->GetBuffer(0, __uuidof(ID3D11Texture2D), (LPVOID*)&pBackBuffer);
        g_pd3dDevice->CreateRenderTargetView(pBackBuffer, NULL, &g_mainRenderTargetView);
        pBackBuffer->Release();   // drop the local reference; the render target view created above is what is kept
        // Replace the window's native procedure with WndProc so ImGui receives input;
        // the previous procedure is stored so WndProc can chain to it.
        origin_wndProc = (WNDPROC)SetWindowLongPtr(g_hwnd, GWLP_WNDPROC, (LONG_PTR)WndProc);
        ImGui::CreateContext();
        ImGuiIO& io = ImGui::GetIO();
        // Assigns (rather than ORs) the config flags, so any flags CreateContext set are replaced.
        io.ConfigFlags = ImGuiConfigFlags_NoMouseCursorChange;
        ImGui_ImplWin32_Init(g_hwnd);
        ImGui_ImplDX11_Init(g_pd3dDevice, g_pd3dDeviceContext);
        isInitialized = true;
        // NOTE(review): g_mainRenderTargetView is created exactly once; nothing on this page
        // recreates it if the swap chain buffers are resized (no ResizeBuffers handling visible).
    }
    // Start the Dear ImGui frame
    ImGui_ImplDX11_NewFrame();
    ImGui_ImplWin32_NewFrame();
    ImGui::NewFrame();
    // Custom overlay/cheat logic (make_menu/make_esp — presumably from gui.h / esp.h)
    make_menu();
    make_esp();
    // Rendering
    ImGui::Render();
    g_pd3dDeviceContext->OMSetRenderTargets(1, &g_mainRenderTargetView, nullptr);
    ImGui_ImplDX11_RenderDrawData(ImGui::GetDrawData());
    // MinHook requires the detour to call the original function
    return ((Present)origin_present)(_this, SyncInterval, Flags);
}
// 自定义createmove函数hook
// Detour for CCSGOInput::CreateMove, installed with MinHook in hook().
// The bhop module is given the user command first (presumably to adjust it — its
// body is in bhop.h, not here), then the original CreateMove runs with the same
// arguments and its result is returned unchanged.
static bool __fastcall custom_createmove(void* pCSGOInput, int nSlot, CUserCMD* pcmd) {
    bHop(pcmd);
    // MinHook requires the detour to call the original function
    const bool result = fnOriginalCreateMove(pCSGOInput, nSlot, pcmd);
    return result;
}
// Installs both detours. Runs on its own thread (created in DllMain).
// 1. Creates a throw-away window and D3D11 device/swap chain purely to read the
//    IDXGISwapChain vtable, detours slot 8 (Present) to custom_present, then
//    destroys the temporary objects and resets the globals to nullptr.
// 2. Detours CreateMove (vtable slot 21 of the object at dwCSGOInput) to custom_createmove.
// No parameters, no return value. None of the Win32 / D3D / MinHook status codes are checked.
void hook() {
    WNDCLASSEX windowClass;
    windowClass.cbSize = sizeof(WNDCLASSEX);
    windowClass.style = CS_HREDRAW | CS_VREDRAW;
    windowClass.lpfnWndProc = DefWindowProc;
    windowClass.cbClsExtra = 0;
    windowClass.cbWndExtra = 0;
    windowClass.hInstance = GetModuleHandle(NULL);
    windowClass.hIcon = NULL;
    windowClass.hCursor = NULL;
    windowClass.hbrBackground = NULL;
    windowClass.lpszMenuName = NULL;
    windowClass.lpszClassName = "YinZhiXia";
    windowClass.hIconSm = NULL;
    ::RegisterClassEx(&windowClass);
    // Hidden 100x100 helper window; only needed as the output window of the temporary swap chain.
    HWND window = ::CreateWindow(windowClass.lpszClassName, "YinZhiXia Window", WS_OVERLAPPEDWINDOW, 0, 0, 100, 100, NULL, NULL, windowClass.hInstance, NULL);
    // Setup swap chain
    DXGI_SWAP_CHAIN_DESC sd;
    ZeroMemory(&sd, sizeof(sd));
    sd.BufferCount = 2;
    sd.BufferDesc.Width = 0;
    sd.BufferDesc.Height = 0;
    sd.BufferDesc.Format = DXGI_FORMAT_R8G8B8A8_UNORM;
    sd.BufferDesc.RefreshRate.Numerator = 60;
    sd.BufferDesc.RefreshRate.Denominator = 1;
    sd.Flags = DXGI_SWAP_CHAIN_FLAG_ALLOW_MODE_SWITCH;
    sd.BufferUsage = DXGI_USAGE_RENDER_TARGET_OUTPUT;
    sd.OutputWindow = window;
    sd.SampleDesc.Count = 1;
    sd.SampleDesc.Quality = 0;
    sd.Windowed = TRUE;
    sd.SwapEffect = DXGI_SWAP_EFFECT_DISCARD;
    UINT createDeviceFlags = 0;
    //createDeviceFlags |= D3D11_CREATE_DEVICE_DEBUG;
    D3D_FEATURE_LEVEL featureLevel;
    const D3D_FEATURE_LEVEL featureLevelArray[2] = { D3D_FEATURE_LEVEL_11_0, D3D_FEATURE_LEVEL_10_0, };
    HRESULT res = D3D11CreateDeviceAndSwapChain(nullptr, D3D_DRIVER_TYPE_HARDWARE, nullptr, createDeviceFlags, featureLevelArray, 2, D3D11_SDK_VERSION, &sd, &g_pSwapChain, &g_pd3dDevice, &featureLevel, &g_pd3dDeviceContext);
    if (res == DXGI_ERROR_UNSUPPORTED) // Try high-performance WARP software driver if hardware is not available.
        res = D3D11CreateDeviceAndSwapChain(nullptr, D3D_DRIVER_TYPE_WARP, nullptr, createDeviceFlags, featureLevelArray, 2, D3D11_SDK_VERSION, &sd, &g_pSwapChain, &g_pd3dDevice, &featureLevel, &g_pd3dDeviceContext);
    // Any other failure is not handled: g_pSwapChain simply stays nullptr and the block below is skipped.
    if (g_pSwapChain) {
        // Read the vtable pointer out of the IDXGISwapChain object. The vtable is an array of
        // function pointers, hence one extra level of indirection.
        auto vtable_ptr = (void***)(g_pSwapChain);
        auto vtable = *vtable_ptr;
        // Locate Present in the vtable: it sits at index 8 (per the author's research).
        auto present = vtable[8];
        // Hook IDXGISwapChain::Present with MinHook (return codes not checked).
        MH_Initialize();
        MH_CreateHook(present, custom_present, &origin_present);
        MH_EnableHook(present);
        // The temporary device/swap chain are no longer needed: release them and clear the
        // globals. custom_present() re-acquires the real device on its first call.
        g_pd3dDevice->Release();
        g_pd3dDevice = nullptr;
        g_pSwapChain->Release();
        g_pSwapChain = nullptr;
        g_pd3dDeviceContext->Release();
        g_pd3dDeviceContext = nullptr;
        ::DestroyWindow(window);
        ::UnregisterClass(windowClass.lpszClassName, windowClass.hInstance);
    }
    // vtable-hook CreateMove (the bhop / aim features live in the included modules)
    // NOTE(review): MH_Initialize() is only reached inside the `if (g_pSwapChain)` block above,
    // but the CreateMove hook below is attempted regardless. GetModuleHandle("client.dll") is
    // also not checked for nullptr before the offset is added and dereferenced.
    const auto client = reinterpret_cast<uintptr_t>(GetModuleHandle("client.dll"));
    void* pCCSGOInput = reinterpret_cast<void*>(client + cs2_dumper::offsets::client_dll::dwCSGOInput);// dwCSGOInput (author's note: the vtable)
    void* pfnCreateMove = (*reinterpret_cast<void***>(pCCSGOInput))[21]; // or slot 5 — they take different parameters (this CreateMove has 2)
    MH_CreateHook(pfnCreateMove, custom_createmove, reinterpret_cast<void**>(&fnOriginalCreateMove));
    MH_EnableHook(pfnCreateMove);
}
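// Debug console (currently not started; its CreateThread call in DllMain is commented out).
// Attaches a console to the host process, redirects stdout/stdin to it and blocks
// until the user types "exit", then detaches the console again.
// No parameters, no return value. The freopen_s results are not checked.
void console() {
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);
    freopen_s(&f, "CONIN$", "r", stdin);
    // Stop on "exit" — but also when stdin fails or hits EOF. The previous loop
    // ignored the stream state, so a closed/unreadable console left it spinning
    // forever with an empty `input` that could never equal "exit".
    std::string input;
    while (std::cin >> input) {
        if (input == "exit") {
            break;
        }
    }
    FreeConsole();
}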
// DLL entry point. On DLL_PROCESS_ATTACH it spawns the worker threads (hook, triggerBot,
// recoil; the debug console thread is commented out) and returns at once; the thread
// handles are not kept.
// hModule: this DLL's module handle. ul_reason_for_call: loader notification code.
// lpReserved: unused here. Always returns TRUE.
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // hook() is declared `void hook()` above, not DWORD WINAPI (LPVOID); the cast hides
        // the signature mismatch. triggerBot/recoil come from the included headers — their
        // signatures are not visible here, presumably the same shape.
        CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)hook, nullptr, 0, nullptr);
        CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)triggerBot, nullptr, 0, nullptr);
        CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)recoil, nullptr, 0, nullptr);
        //CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)console, nullptr, 0, nullptr);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        // NOTE(review): the thread-attach/detach cases fall through to here, so
        // FreeLibraryAndExitThread runs on every thread notification the loader delivers to
        // this DLL, not only at process detach — and it is invoked from inside DllMain itself.
        // Confirm this is intended; it reads as if only DLL_PROCESS_DETACH was meant.
        FreeLibraryAndExitThread(hModule, 0);
        break;
    }
    return TRUE;
}