DETOURS: Binary Interception of Win32 Functions
Galen Hunt, Doug Brubacher
Proceedings of the USENIX Windows NT Symposium, 1999.
Detours intercepts Win32 functions by overwriting the first 5 bytes of the target with an unconditional branch to a detour function. The trampoline technique preserves the displaced instructions so the original function can still be called, which lets developers extend or modify functionality without needing the source code.
- Definition: Detours is a library for intercepting arbitrary Win32 functions by rewriting target function images in memory.
- Mechanism: It replaces the first few instructions of a target function with a 5-byte unconditional jump to a user-provided detour function.
- Trampoline: To preserve original functionality, it moves the overwritten instructions into a trampoline function, allowing the detour to call the original code if needed.
- Key Strength: It excels at interposition, enabling developers to extend system or application logic without access to the original source code.
- Versatility: It supports both dynamic (runtime) interception and static modification of import tables to force-load specific libraries.
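The jump-and-trampoline mechanism in the bullets above, worked through on plain byte buffers as an added example (this is not code from the Detours paper or library, and it patches no live memory). The sample x86 prologue, its hand-decoded instruction lengths, and the addresses 0x00401000 (target), 0x10001000 (detour) and 0x00500000 (trampoline) are all constructed for the illustration. It shows the three pieces a practitioner needs to understand: how the 5-byte `jmp rel32` displacement is computed, why whole instructions (here 6 bytes, not exactly 5) must be displaced into the trampoline, and the simple first-byte check a defender or forensic tool can use to notice that a function entry has been rewritten.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a typical 32-bit x86 function prologue, hand-decoded.
 *   55          push ebp
 *   8B EC       mov  ebp, esp
 *   83 EC 10    sub  esp, 0x10
 *   8B 45 08    mov  eax, [ebp+8]
 *   5D          pop  ebp
 *   C3          ret
 */
static const uint8_t k_target_code[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08, 0x5D, 0xC3 };
/* Instruction lengths of the bytes above, in order (assumed decoding). */
static const size_t k_insn_len[] = { 1, 2, 3, 3, 1, 1 };

#define JMP_REL32_LEN 5u   /* opcode E9 followed by a 4-byte displacement */

/* Hypothetical addresses for the simulation (not real module layout). */
#define TARGET_ADDR 0x00401000u
#define DETOUR_ADDR 0x10001000u
#define TRAMP_ADDR  0x00500000u

/* Encode "jmp rel32" placed at `from` and landing on `to`.  The displacement
 * is measured from the end of the 5-byte instruction, so from + 5. */
void encode_jmp_rel32(uint8_t out[JMP_REL32_LEN], uint32_t from, uint32_t to) {
    uint32_t rel = to - (from + JMP_REL32_LEN);   /* wraps correctly for backward jumps */
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Decode the destination of a "jmp rel32" located at `at`; 0 if not E9. */
uint32_t decode_jmp_rel32(const uint8_t *code, uint32_t at) {
    if (code[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at + JMP_REL32_LEN + rel;
}

/* The 5-byte jump may not split an instruction, so displace whole
 * instructions until at least 5 bytes are covered. */
size_t bytes_to_displace(const size_t *lens, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n && total < JMP_REL32_LEN; i++) total += lens[i];
    return total;
}

/* Trampoline = displaced instructions + jmp back into the target just past
 * them.  Assumes the displaced instructions are not PC-relative (true for
 * the prologue above); relative calls/jumps would need fix-ups. */
size_t build_trampoline(uint8_t *tramp, uint32_t tramp_addr,
                        const uint8_t *target, uint32_t target_addr,
                        size_t displaced) {
    memcpy(tramp, target, displaced);
    encode_jmp_rel32(tramp + displaced, tramp_addr + (uint32_t)displaced,
                     target_addr + (uint32_t)displaced);
    return displaced + JMP_REL32_LEN;
}

/* Defender check: does the function entry start with an inline jmp, and
 * where does it go?  Returns 1 and fills *dest if so. */
int detect_inline_jmp(const uint8_t *code, uint32_t addr, uint32_t *dest) {
    if (code[0] != 0xE9) return 0;
    *dest = decode_jmp_rel32(code, addr);
    return 1;
}

typedef struct {
    uint8_t patched[sizeof k_target_code];  /* target after the 5-byte jmp is written */
    uint8_t tramp[16];
    size_t  tramp_len;
} detour_demo_t;

/* Run the whole simulation on copies of the constructed target bytes. */
void run_demo(detour_demo_t *d) {
    size_t displaced = bytes_to_displace(k_insn_len,
                                         sizeof k_insn_len / sizeof k_insn_len[0]);
    d->tramp_len = build_trampoline(d->tramp, TRAMP_ADDR,
                                    k_target_code, TARGET_ADDR, displaced);
    memcpy(d->patched, k_target_code, sizeof k_target_code);
    encode_jmp_rel32(d->patched, TARGET_ADDR, DETOUR_ADDR);  /* overwrite entry */
}

int main(void) {
    detour_demo_t d;
    uint32_t dest = 0;
    run_demo(&d);
    if (detect_inline_jmp(d.patched, TARGET_ADDR, &dest))
        printf("entry rewritten: jmp to 0x%08X\n", dest);
    printf("trampoline: %zu bytes, resumes at 0x%08X\n", d.tramp_len,
           decode_jmp_rel32(d.tramp + 6, TRAMP_ADDR + 6));
    return 0;
}
```

The trampoline is 11 bytes rather than 5 because `sub esp, 0x10` straddles the 5-byte boundary and has to be moved whole; the jump back therefore resumes at target+6. The same first-byte decoding that builds the hook is what an integrity check runs in reverse: compare the in-memory entry against the on-disk image and report where an unexpected `jmp` leads.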