както сам с этим ебался, - решил поделиться =)
//
// Generated with Reproject v 1.0
// Copyright (c) 2009 by sn0w. All Rights Reserved.
// 2funny@inbox.ru
//
// Overview (reviewer's summary of what this file does):
//   32-bit Windows program that spawns a target process (SpawnCSProcess, from an
//   included header not shown here) and runs RemoteMain inside it.  RemoteMain
//   splices dinput8!DirectInput8Create; the replacement then walks the returned
//   COM vtables (IDirectInput8::CreateDevice -> IDirectInputDevice8::GetDeviceState)
//   and tampers with the keyboard state the application reads, so that one key
//   (byte 0x3B, DIK_F1) always appears held down.
//   The comments below call out the static and runtime artifacts each step leaves
//   behind, which is what a defender looking for this kind of input tampering
//   would check.
#include <windows.h>
#include <tlhelp32.h>
#pragma optimize("gsy", on)
// Linker settings that are themselves strong static indicators:
//   - .rdata and .text are merged into .data, and .data is marked E+R+W, so the
//     image has a single writable+executable section;
//   - the image base is fixed at 0x14150000 (no relocation);
//   - the entry point is WinMain directly, bypassing CRT start-up.
#pragma comment(linker, "/MERGE:.rdata=.data")
#pragma comment(linker,"/MERGE:.text=.data")
#pragma comment(linker,"/SECTION:.data,ERW")
#pragma comment(linker, "/BASE:0x14150000")
#pragma comment(linker, "/ENTRY:WinMain")
#pragma comment(linker, "/VERSION:1.0")
// Duplicates the /BASE value above; not referenced in this file (presumably used
// by one of the included headers).
#define BASEADDR 0x14150000
// Only the first 32 bits (Data1) of GUID_SysKeyboard.  xCreateDevice compares just
// this DWORD, not the full 128-bit GUID.
#define GUID_SysKeyboard 0x6F1D2B61
// Not shown in this listing: these provide Splice_Init, Splice, ThreadControl,
// SpawnCSProcess (and WriteLog, used only in the commented-out block below).
#include "inject.h"
#include "functions.h"
#include "syshook.h"

// Saved original IDirectInputDevice8::GetDeviceData (buffered input method).
// Function pointers are kept in ULONG/DWORD throughout, so this is 32-bit-only code.
ULONG oldGetDeviceData;//buffered method

// Replacement for IDirectInputDevice8::GetDeviceData (buffered input).
// In this version it is a pure pass-through: forwards to the original and returns
// its result unchanged.  The DWORD parameters stand in for the real signature.
HRESULT WINAPI xGetDeviceData(DWORD d1, DWORD d2, DWORD d3, DWORD d4, DWORD d5)
{
    HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD,DWORD))oldGetDeviceData)(d1,d2,d3,d4,d5);
    return hr;
}

// Saved original IDirectInputDevice8::GetDeviceState (immediate input method).
ULONG oldGetDeviceState;//immediate method

// Replacement for IDirectInputDevice8::GetDeviceState (immediate input).
// Lets the original fill the caller's buffer, then ORs the high bit (0x80 = "key
// down" in DirectInput's keyboard state array) into byte 0x3B (DIK_F1), so the
// application sees that key permanently pressed.
//   bufsize - size of the caller's state buffer; never checked here, the write to
//             offset 0x3B is unconditional.
//   lpbuf   - caller's state buffer (treated as a byte array).
// Runtime artifact: the device's vtable slot for GetDeviceState points outside
// dinput8.dll once this is installed (see xCreateDevice).
HRESULT WINAPI xGetDeviceState(DWORD d1, DWORD bufsize, DWORD lpbuf)
{
    HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD))oldGetDeviceState)(d1,bufsize,lpbuf);
    if(!FAILED(hr)){
        char *pkbbuf = (char*)lpbuf;
        pkbbuf[0x3B] = pkbbuf[0x3B] | 0x80;
    }
    return hr;
}

// Saved original IDirectInput8::CreateDevice.
ULONG oldCreateDevice;

// Replacement for IDirectInput8::CreateDevice.
// Calls the original; when the requested device GUID's first DWORD matches
// GUID_SysKeyboard, patches the new device object's vtable in place:
//   slot +0x24 (GetDeviceState) -> xGetDeviceState
//   slot +0x28 (GetDeviceData)  -> xGetDeviceData
// saving the originals in the globals above.  Parameter mapping as used here:
//   d2 - rguid (pointer to the device GUID; only *(DWORD*)d2 is compared)
//   d3 - lplpDirectInputDevice (pointer to the out interface pointer), so
//        *(DWORD*)(*(DWORD*)d3) is the object's vtable pointer.
// hr is not examined before d3 is dereferenced.  VirtualProtect makes the
// 0x2C-byte vtable range executable+writable and oldprot is never restored, which
// leaves a persistent writable page over dinput8's vtable (a runtime artifact).
// The "already hooked?" checks make repeated CreateDevice calls idempotent.
HRESULT WINAPI xCreateDevice(DWORD d1, DWORD d2, DWORD d3, DWORD d4)
{
    HRESULT hr = ((HRESULT(WINAPI*)(DWORD,DWORD,DWORD,DWORD))oldCreateDevice)(d1,d2,d3,d4);
    // hook only if keyboard requested (Data1 of the GUID only)
    if(*(DWORD*)d2 != GUID_SysKeyboard) return hr;
    DWORD dwKeybTable = *(DWORD*)(*(DWORD*)d3);
    DWORD oldprot;
    VirtualProtect((LPVOID)dwKeybTable, 0x2C, PAGE_EXECUTE_READWRITE, &oldprot);
    // already hooked?  (slot +0x24 = GetDeviceState)
    if((DWORD)xGetDeviceState == *((DWORD*)(dwKeybTable+0x24))) goto ex1;
    // hook it!
    oldGetDeviceState = *((DWORD*)(dwKeybTable+0x24));
    *((DWORD*)(dwKeybTable+0x24)) = (DWORD)xGetDeviceState;
ex1:
    // already hooked?  (slot +0x28 = GetDeviceData)
    if((DWORD)xGetDeviceData == *((DWORD*)(dwKeybTable+0x28))) goto ex2;
    // hook it!
    oldGetDeviceData = *((DWORD*)(dwKeybTable+0x28));
    *((DWORD*)(dwKeybTable+0x28)) = (DWORD)xGetDeviceData;
ex2:
    return hr;
}

// Saved original dinput8!DirectInput8Create (target of the inline splice).
ULONG oldDirectInput8Create;

// Replacement spliced onto dinput8!DirectInput8Create.
// After the original returns the IDirectInput8 interface in *ppvOut, the first
// 0x10 bytes of its vtable are made executable+writable and slot +0x0C
// (CreateDevice, the first method after the three IUnknown slots) is redirected to
// xCreateDevice.  *ppvOut is dereferenced without checking ret, and oldprot is
// never restored.  The vtable presumably lives in dinput8.dll's own image, so every
// IDirectInput8 instance in the process is affected, and comparing the in-memory
// vtable with the on-disk module would reveal the change.
HRESULT WINAPI xDirectInput8Create(HINSTANCE hinst, DWORD dwVersion, REFIID riidltf, VOID **ppvOut, LPUNKNOWN punkOuter)
{
    HRESULT ret = ((HRESULT(WINAPI*)(HINSTANCE,DWORD,REFIID,VOID**,LPUNKNOWN))oldDirectInput8Create)(hinst,dwVersion,riidltf,ppvOut,punkOuter);
    DWORD dwFuncTable = (DWORD)*((DWORD*)*ppvOut);
    DWORD oldprot;
    VirtualProtect((LPVOID)dwFuncTable, 0x10, PAGE_EXECUTE_READWRITE, &oldprot);
    //already hooked?  (slot +0x0c = CreateDevice)
    if((DWORD)xCreateDevice == *((DWORD*)(dwFuncTable+0x0c))) goto ex;
    //hook it
    oldCreateDevice = *((DWORD*)(dwFuncTable+0x0c));
    *((DWORD*)(dwFuncTable+0x0c)) = (DWORD)xCreateDevice;
ex:
    return ret;
}

// Earlier, disabled variant: hooked LoadLibraryA to splice DirectInput8Create
// lazily when "dinput.dll" was loaded, with WriteLog output.  Superseded by the
// eager splice in RemoteMain below.  Left as-is for reference.
/*
ULONG oldLoadLibraryA;
HMODULE WINAPI xLoadLibraryA(LPCSTR lpFileName)
{
HMODULE ret = ((HMODULE(WINAPI*)(LPCSTR))oldLoadLibraryA)(lpFileName);
WriteLog("loaded: %s\n", lpFileName);
if (lstrcmpiA(lpFileName,"dinput.dll") == 0){
if(oldDirectInput8Create==0){
ThreadControl(TRUE);
WriteLog("splicing DirectInput8Create...\n");
Splice((ULONG)GetProcAddress(ret,"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
WriteLog("done\n");
ThreadControl(FALSE);
}
}
return ret;
}
*/

// Code that runs inside the target process (entry handed to SpawnCSProcess).
//   - pre-loads kernel32/user32/advapi32 (return values ignored);
//   - Splice_Init / Splice (from the included headers, not shown) install the
//     hook on dinput8!DirectInput8Create, loading dinput8.dll if needed;
//   - ThreadControl(FALSE), per the original comment, resumes execution, i.e. the
//     target's threads are expected to be suspended at this point.
// lpParam is unused.  If Splice is an inline patch, as its name suggests (the
// header is not shown), the prologue of the DirectInput8Create export differs
// from the on-disk image afterwards, which an integrity check would catch.
DWORD WINAPI RemoteMain(LPVOID lpParam)
{
    LoadLibrary("kernel32.dll");
    LoadLibrary("user32.dll");
    LoadLibrary("advapi32.dll");
    Splice_Init();
    Splice((ULONG)GetProcAddress(LoadLibrary("dinput8.dll"),"DirectInput8Create"), xDirectInput8Create, &oldDirectInput8Create);
    ThreadControl(FALSE); // resume execution
    return 0;
}

// Program entry (set via /ENTRY:WinMain above, so no CRT initialisation runs).
// Hands RemoteMain to SpawnCSProcess (defined in an included header, not shown)
// and exits at once; all remaining work happens in the spawned process.
// All four parameters are unused.
int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    SpawnCSProcess(RemoteMain);
    return 0;
}
сорцы- http://www.sendspace.com/file/3l3e6x