DirectCompositionHook
Synchronized Kernel Drawing for 24H2
Direct Composition Hook Writeup
What Is DirectComposition?
DirectComposition is typically used by native Windows applications to render bitmap graphics and is seldom used by games. It is less a graphics pipeline and more a composition engine that moves around and animates scenes already rendered by a graphics pipeline such as DirectX or Direct2D. Microsoft refers to it as a bitmap composition engine.
We Can't Use DirectX Hooks
Using a DirectX hook would be more conventional: code running in that type of hook could also read memory from the application without an additional context switch, and would synchronize perfectly with the frame rate of the target application. However, DirectX function calls in modern Windows versions are no longer routed through data pointers in win32k (a direct jump is preferred instead), meaning DirectX hooks are not feasible.
We Can Use DirectComposition Hooks
DirectComposition functions are still routed through data pointers in win32k, meaning we can place hooks on functions involved in this bitmap composition engine. Even though DirectComposition isn’t directly involved in scene rendering, it still manipulates already rendered scenes, and this is why certain functions (like Present) are synchronized with the refresh rate of the calling application.
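A defensive counterpart to the paragraph above, added here as an example and not part of the project's code: because these calls go through writable function pointers, an integrity check can flag any pointer whose target lies outside the image expected to own it. The image names, address ranges and slot values are constructed, and `image_range`, `ptr_slot` and `audit_slots` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint64_t base, size; } image_range;
typedef struct { const char *label; uint64_t target; const char *expected; } ptr_slot;
typedef enum { SLOT_OK, SLOT_FOREIGN_IMAGE, SLOT_UNBACKED } slot_verdict;

/* Constructed sample data: image names, ranges and slot values are made up. */
static const image_range SAMPLE_IMAGES[] = {
    { "win32k_image", 0xFFFFF80010400000ULL, 0x3C0000 },
    { "other_driver", 0xFFFFF80020000000ULL, 0x020000 },
};
static const ptr_slot SAMPLE_SLOTS[] = {
    { "slot_a", 0xFFFFF80010412340ULL, "win32k_image" }, /* in expected image */
    { "slot_b", 0xFFFFF80020001000ULL, "win32k_image" }, /* in another image  */
    { "slot_c", 0xFFFFA00012345000ULL, "win32k_image" }, /* in no image       */
};

/* Return the image whose range contains addr, or NULL. Comparing the offset
   against size avoids overflow in base + size. */
static const image_range *find_owner(const image_range *imgs, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= imgs[i].base && addr - imgs[i].base < imgs[i].size)
            return &imgs[i];
    return NULL;
}

/* Classify every slot by the image backing its target address, store the
   result in verdicts[], and return how many slots need review. */
size_t audit_slots(const image_range *imgs, size_t n_imgs,
                   const ptr_slot *slots, size_t n_slots, slot_verdict *verdicts)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n_slots; i++) {
        const image_range *owner = find_owner(imgs, n_imgs, slots[i].target);
        verdicts[i] = !owner ? SLOT_UNBACKED
                    : strcmp(owner->name, slots[i].expected) ? SLOT_FOREIGN_IMAGE : SLOT_OK;
        flagged += (verdicts[i] != SLOT_OK);
    }
    return flagged;
}

int main(void)
{
    slot_verdict v[3];
    size_t flagged = audit_slots(SAMPLE_IMAGES, 2, SAMPLE_SLOTS, 3, v);
    printf("%zu of 3 slots need review\n", flagged);
    return 0;
}
```

A slot that resolves into another image or into memory no image backs is a lead for investigation rather than proof of tampering, since the owning image for each slot is itself an input to the check.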
Normal Graphical Applications Do Not Use DirectComposition
An application may choose to render a window, but it's very unlikely to be using DirectComposition in this process. Few applications use DirectComposition in Windows, but DWM (Desktop Window Manager) is always running and, conveniently, its Present function calls are synchronized with the refresh rate of the display/monitor. Therefore, if we hook DirectComposition's Present function and check that the calling process is DWM, then every time our function is called, a new frame has already started.
Resolving DirectComposition Hook Issues
DirectComposition hooks do not sync perfectly with the refresh rate of the target application. Applications may render frames faster or slower than the refresh rate of the monitor, depending on GPU load and application settings. The main goal here is the synchronization of kernel drawing, which does occur when hooking DirectComposition's Present function. We can prevent the code in the hook from running slower or faster than the application by turning on VSYNC (in the app), or by limiting the frame rate of the application to match the monitor's refresh rate (75 fps, 75 Hz). This will ensure that the hook is synchronized with both the monitor's refresh rate and the refresh rate of the target application.
Motivation
The intention was to create something similar to VMCALL's DirectX Hook, where you hook a function in a graphics pipeline to synchronize with the refresh rate of the application, but universal. VMCALL's method worked great on games which use DirectX but not for applications which can use a variety of rendering methods. After searching through NT functions in win32k, you can see there is a whole set of DirectComposition functions that can be used. Present looked like the best candidate here, and after some testing it was determined that multiple programs call it (mostly native Windows applications). DWM (Desktop Window Manager) is a process that calls DirectComposition's Present. After hooking and recording each call (only for this process) for 1 second, it was determined that it is called roughly 75 times a second on a monitor rendering at 75 Hz, which is synchronized with the refresh rate of the monitor. This process is an ideal candidate because it's always running, never closed, and chooses to render at the refresh rate of the monitor.
POC
This POC uses DirectComposition to synchronize with the refresh rate of the monitor, and GDI functions to draw to the screen every frame. Another hook is placed on a random function in win32k for communication, to change the color of the drawing; optionally, memory reading could easily be added to extend the functionality.
