Microsoft Research Detours Package

 

Detours have been utilized by several ISVs and are also used by product groups at Microsoft. Detours are now available under a typical open source license (MIT). This simplifies licensing for programmers using Detours and enables the community to support Detours using open source tools and processes.

Detour is a library for intercepting binary functions on the ARM, x86, x64, and IA64 machines. Detours are most frequently used to intercept Win32 APIs calls within an application, like to include debugging instrumentation. Interception code is applied dynamically at runtime. Detours replace the first few instructions of this target function with an unconditional jump into the user-provided detour function. Directions from the target function are placed on a trampoline. The address of the trampoline is set in a target pointer. The detour function can either replace the target function or extend its semantics by invoking the target function as a subroutine throughout the target pointer to the trampoline.

Detours are added at execution time. The code of the goal function is altered in memory, not on disk, thus enabling interception of binary purposes at a very fine granularity. By way of instance, the procedures in a DLL could be detoured in 1 implementation of a program, whereas the original procedures are not detoured in another implementation running in the exact same time. Unlike DLL re-linking or static redirection, the interception techniques used from the Detours library are guaranteed to operate regardless of the method used by application or system code to locate the target function.

In addition to basic detour functionality, Detours also includes functions to edit the DLL import table of almost any binary, to attach arbitrary data sections to existing binaries, and to load a DLL to a new process. Once loaded into a process, the instrumentation DLL can detour any role from the procedure, whether in the program or the system libraries, like the Windows APIs.

Detours can be used with all the Windows NT family of operating systems: Windows NT, Windows XP, Windows Server 2003, Windows 7, Windows, Windows 8, and Windows 10. It cannot be used by Window Store programs because Detours needs APIs not available to those applications.

You May Also Like

About the Author: Steve West