Whilst partaking in my normal stroll through the Interweb I came across a truly interesting little development from Microsoft Research: Detours.
How nice! This little library basically lets you proxy the calls an application makes into the DLLs it loads, by intercepting them.
Here’s the official blurb:
“Detours is a library for intercepting arbitrary Win32 binary functions on x86 machines. Interception code is applied dynamically at runtime. Detours replaces the first few instructions of the target function with an unconditional jump to the user-provided detour function. Instructions from the target function are placed in a trampoline. The address of the trampoline is placed in a target pointer. The detour function can either replace the target function or extend its semantics by invoking the target function as a subroutine through the target pointer to the trampoline.”
This is a little blast from the past for me – I used to write/collaborate on Win32 defensive measures (obfuscation, anti-tampering).
This is a classic approach and one which is interesting to play with. The other classic routes are window subclassing (via the window procedure and SendMessage) and DLL injection (a similar but slightly different concept).
...and just when you thought it couldn’t be any more interesting, Detours also throws in:
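The quoted description gives the defender a concrete thing to look for: Detours writes an unconditional jump over the first instructions of the target, so an anti-tampering check of a function's entry bytes can tell a detoured API from an untouched one. The following C program is an added example and is not code from the original post or from the Detours package. It decodes the standard x86 jump encodings (E9 rel32, EB rel8, FF 25 indirect) at a function entry and reports the jump target; the addresses and byte strings (the Microsoft hot-patchable prologue `8B FF 55 8B EC` and the detoured variants) are constructed for the example, not taken from a real module.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting the first bytes at a function's entry point. */
typedef struct {
    bool hooked;        /* entry starts with an unconditional jump */
    const char *kind;   /* which jump encoding was recognised */
    uint64_t target;    /* where the jump lands (0 if not resolvable here) */
} entry_check_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect `len` bytes that would execute at virtual address `va`.
 * A detour of the kind described in the post replaces the first
 * instructions with a jump, so an unconditional jump as the very first
 * instruction of an exported API is a strong tamper indicator. */
entry_check_t check_entry(const uint8_t *code, size_t len, uint64_t va) {
    entry_check_t r = { false, "none", 0 };

    /* E9 rel32: 5-byte near jump, the classic detour patch. The
     * displacement is relative to the end of the instruction. */
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel = (int32_t)read_le32(code + 1);
        r.hooked = true;
        r.kind   = "jmp rel32";
        r.target = va + 5 + (uint64_t)(int64_t)rel;
        return r;
    }
    /* EB rel8: 2-byte short jump (e.g. back into the hot-patch padding
     * that precedes functions built with a hot-patchable prologue). */
    if (len >= 2 && code[0] == 0xEB) {
        r.hooked = true;
        r.kind   = "jmp rel8";
        r.target = va + 2 + (uint64_t)(int64_t)(int8_t)code[1];
        return r;
    }
    /* FF 25: jump through a pointer in memory (absolute on x86, RIP-relative
     * on x64). Resolving it needs the pointer slot, so only flag it here. */
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        r.hooked = true;
        r.kind   = "jmp [mem]";
        return r;
    }
    return r;
}

/* Convenience wrappers for callers that just want a verdict. */
bool entry_is_hooked(const uint8_t *code, size_t len, uint64_t va) {
    return check_entry(code, len, va).hooked;
}
uint64_t entry_jump_target(const uint8_t *code, size_t len, uint64_t va) {
    return check_entry(code, len, va).target;
}

/* Constructed samples (pretend addresses, not bytes from a real module). */
const uint64_t SAMPLE_VA = 0x77E10000ULL;   /* pretend API entry address */
const uint64_t DETOUR_VA = 0x10001000ULL;   /* pretend detour function */

/* Untouched entry: hot-patchable prologue mov edi,edi / push ebp /
 * mov ebp,esp, followed by sub esp,0x10. */
const uint8_t CLEAN_ENTRY[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

/* Same entry after a 5-byte detour: E9 + rel32, where
 * rel32 = DETOUR_VA - (SAMPLE_VA + 5) = 0x981F0FFB, stored little-endian. */
const uint8_t HOOKED_ENTRY[] = { 0xE9, 0xFB, 0x0F, 0x1F, 0x98, 0x83, 0xEC, 0x10 };

/* Hot-patch style: the 2-byte mov edi,edi replaced by jmp -7, which lands
 * in the 5 bytes of padding just before the function (SAMPLE_VA - 5). */
const uint8_t SHORT_HOOK_ENTRY[] = { 0xEB, 0xF9, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };

int main(void) {
    const struct { const char *name; const uint8_t *b; size_t n; } samples[] = {
        { "clean",  CLEAN_ENTRY,      sizeof CLEAN_ENTRY      },
        { "hooked", HOOKED_ENTRY,     sizeof HOOKED_ENTRY     },
        { "short",  SHORT_HOOK_ENTRY, sizeof SHORT_HOOK_ENTRY },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        entry_check_t r = check_entry(samples[i].b, samples[i].n, SAMPLE_VA);
        printf("%-6s: %s", samples[i].name, r.hooked ? "HOOKED" : "clean");
        if (r.hooked)
            printf(" (%s -> 0x%llx)", r.kind, (unsigned long long)r.target);
        printf("\n");
    }
    return 0;
}
```

In a real integrity check the bytes would be read from the live image of an exported function and compared against the copy on disk as well; the decoder above is the piece that turns "the first instruction is a jump" into an address you can look up against the module list to see where the call is being redirected.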
“Payloads and DLL Import Editing
In addition to APIs for attaching and detaching detours functions, the Detours package also includes APIs for attaching arbitrary data segments, called payloads, to Windows binary files and for editing DLL import tables. The binary editing APIs in Detours are fully reversible; Detours stores recovery information within the binary to enable removal of the edits at any time in the future.”
Watch out, though: it won’t work on Windows 95, 98 or ME (because those OSes have “primitive virtual memory systems”, and also – who cares!).
Check back once I’ve had a bit of a play with this excellent utility!