Software packaged for detouring Win32 and application APIs.
What's New?
Detours 2.1 is now available. Detours 2.1 includes the following new features:
- Complete documentation of the Detours API.
- Transactional model for attaching and detaching detours.
- Support for updating peer threads when attaching or detaching detours.
- Unification of dynamic and static detours into a single API.
- Support for detection of detoured processes.
- Significant robustness improvements in APIs that start a process with a DLL containing detour functions.
- New APIs to copy payloads into target processes.
- Support for 64-bit code on x64 and IA64 processors (available in Professional edition only).
- Supports building detours with Visual Studio 2005, Visual Studio .NET 2003, Visual Studio .NET (VC8), and Visual Studio (VC7).
Detours 2.1 comes in two editions:
- Detours Express 2.1 is available for immediate download under a no-fee, click-through license for research, non-commercial, and non-production use on 32-bit code.
- Detours Professional 2.1 includes a license for use in production environments and the right to distribute detour functions in products. In addition to support for 32-bit x86 code, Detours Professional 2.1 includes support for 64-bit code on x64 and IA64 processors. For information on licensing Detours Professional 2.1 visit Microsoft's IP Licensing Group at www.microsoft.com/iplicensing and search under Detours.
Overview
Innovative systems research hinges on the ability to easily instrument and extend existing operating system and application functionality. With access to appropriate source code, it is often trivial to insert new instrumentation or extensions by rebuilding the OS or application. However, in today's world systems researchers seldom have access to all relevant source code.
Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.
Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.
We have used Detours to create an automatic distributed partitioning system, to instrument and analyze the DCOM protocol stack, and to create a thunking layer for a COM-based OS API. Detours is used widely within Microsoft and within the industry.
- Galen Hunt and Doug Brubacher, Detours: Binary Interception of Win32 Functions, in Third USENIX Windows NT Symposium, USENIX, July 1999
