Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.
Detours is a small, easy-to-use library for instrumenting arbitrary Win32 functions on IA64, x64, x86 computers. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.
Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.
We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.
Interception code is applied dynamically at runtime. Detours replaces the first few instructions of the target function with an unconditional jump to the user-provided detour function. Instructions from the target function are placed in a trampoline. The address of the trampoline is placed in a target pointer. The detour function can either replace the target function or extend its semantics by invoking the target function as a subroutine through the target pointer to the trampoline.
Detours are inserted at execution time. The code of the target function is modified in memory, not on disk, thus enabling interception of binary functions at a very fine granularity. For example, the procedures in a DLL can be detoured in one execution of an application, while the original procedures are not detoured in another execution running at the same time. Unlike DLL re-linking or static redirection, the interception techniques used in the Detours library are guaranteed to work regardless of the method used by application or system code to locate the target function.
In addition to basic detour functionality, Detours also includes functions to edit the DLL import table of any binary, to attach arbitrary data segments to existing binaries, and to load a DLL into a new process. Once loaded into a process, the instrumentation DLL can detour any function in the process, whether in the application or the system libraries, such as the Windows APIs.
Note: Detours is free for research, non-commercial, and non-production use on 32-bit code
What's New in This Release: [ read full changelog ]
· Complete documentation of the Detours API.
· Transactional model for attaching and detaching detours.
· Support for updating peer threads when attaching or detaching detours.
· Unification of dynamic and static detours into a single API.
· Support for detection of detoured processes.
· Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
· New APIs to copy payloads into target processes.
· Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
· Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).
