Microsoft Detours


Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by rewriting the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary dynamic-link libraries (DLLs) and data segments (called payloads) to any Win32 binary.

I came across a new technique that is quite useful for C and C++ developers. It is called Detours, by Microsoft. As the description above says, Detours "redirects" WinAPI (also known as Win32 API) functions. The keyword "redirect" may be vague, but it is basically what it does. I have only tried a few commands on it and find it useful but not powerful. It may be useful in the sense that you can do packet filtering, or provide an automated step in the middle of a function, after its input and before its output. However, it is not powerful because the same redirection is already possible through the Import Address Table (IAT), and we can always choose to work at the kernel level instead.

What I have done so far was to try to capture the packets that are sent and received by a simple client-server application I made (you might want to try capturing packets from MSN if you know your way around; look at reference 2).

How it works

Suppose the program calls send() or recv(). Detours rewrites the first instructions of the target function so that the call lands in a replacement function of ours with the same signature. Our function receives the original arguments (the socket, the buffer and its length), so it can log, scan or modify the buffer before passing the call on to the real function through the trampoline that Detours keeps for it, or it can decide not to forward the call at all.
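The following is an added example of such a hook DLL, written for this page rather than taken from the original post or from the Detours package. The buffer inspection (inspect_buffer, the blocklist words "secret" and "password", and the log format) is portable C++ and is an assumption of this example; the Winsock hooking and DllMain use the real Detours API (DetourTransactionBegin, DetourUpdateThread, DetourAttach, DetourDetach, DetourTransactionCommit, DetourRestoreAfterWith) and are guarded by _WIN32 so that the portable part can be compiled and tested anywhere.

```cpp
// Added example: Detours hook DLL for send()/recv() with a portable
// buffer scanner. Not code from the original post or from Detours itself.
#include <cstdio>
#include <string>

// Constructed blocklist (an assumption of this example): a buffer containing
// any of these words is not allowed through.
static const char* const kBlockedWords[] = { "secret", "password" };

struct InspectResult {
    bool block;       // true: the hook should stop this buffer
    std::string log;  // one human-readable line describing the buffer
};

// Render bytes for the log: printable ASCII as-is, everything else as \xNN.
static std::string render(const char* buf, int len) {
    std::string out;
    char tmp[8];
    for (int i = 0; i < len; ++i) {
        unsigned char c = static_cast<unsigned char>(buf[i]);
        if (c >= 0x20 && c < 0x7f) {
            out.push_back(static_cast<char>(c));
        } else {
            std::snprintf(tmp, sizeof tmp, "\\x%02x", c);
            out += tmp;
        }
    }
    return out;
}

// Scan one intercepted buffer; direction is "send" or "recv".
InspectResult inspect_buffer(const char* direction, const char* buf, int len) {
    InspectResult r;
    r.block = false;
    if (buf == nullptr || len <= 0) {
        r.log = std::string(direction) + ": empty buffer";
        return r;
    }
    std::string data(buf, static_cast<size_t>(len));  // may contain NULs
    for (const char* word : kBlockedWords) {
        if (data.find(word) != std::string::npos) { r.block = true; break; }
    }
    r.log = std::string(direction) + " " + std::to_string(len) + " bytes"
          + (r.block ? " [BLOCKED] " : " ") + render(buf, len);
    return r;
}

#ifdef _WIN32
#include <winsock2.h>   // must precede windows.h
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "detours.lib")

// Pointers to the originals; after DetourAttach they point at the
// trampolines, so calling them reaches the real Winsock code.
static int (WINAPI* Real_send)(SOCKET, const char*, int, int) = send;
static int (WINAPI* Real_recv)(SOCKET, char*, int, int) = recv;

// Outbound: inspect before the data leaves. A blocked buffer is silently
// dropped while the caller is told that all bytes were sent.
int WINAPI Mine_send(SOCKET s, const char* buf, int len, int flags) {
    InspectResult r = inspect_buffer("send", buf, len);
    OutputDebugStringA(r.log.c_str());
    if (r.block) return len;
    return Real_send(s, buf, len, flags);
}

// Inbound: the data only exists after the real recv() returns, so inspect
// afterwards. A blocked buffer is wiped and reported as a connection reset.
int WINAPI Mine_recv(SOCKET s, char* buf, int len, int flags) {
    int n = Real_recv(s, buf, len, flags);
    if (n > 0) {
        InspectResult r = inspect_buffer("recv", buf, n);
        OutputDebugStringA(r.log.c_str());
        if (r.block) {
            SecureZeroMemory(buf, static_cast<size_t>(n));
            WSASetLastError(WSAECONNRESET);
            return SOCKET_ERROR;
        }
    }
    return n;
}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)Real_send, Mine_send);
        DetourAttach(&(PVOID&)Real_recv, Mine_recv);
        return DetourTransactionCommit() == NO_ERROR;  // refuse to load if hooking failed
    }
    if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)Real_send, Mine_send);
        DetourDetach(&(PVOID&)Real_recv, Mine_recv);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Build it as a DLL against the Detours library and load it into the target with CreateRemoteThread plus LoadLibrary (the approach in reference 2) or with the withdll tool shipped with Detours (in that case the DLL must also export a function at ordinal 1). Two points worth keeping in mind: DetourUpdateThread is what lets Detours fix up threads that are suspended inside a function being patched, so call it for every thread you know about; and because the patch lives in the target's own address space, a process that compares its function prologues against the on-disk image can detect or undo it, which is the usual argument for moving such interception into the kernel.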

References

Generally I have picked up this information from LeetCoders and did some research myself. You will find a lot of information in reference 2, as I got most of the knowledge there: it shows how to inject a DLL into a remote process using CreateRemoteThread as well as using Detours' own way, and, primarily, how to intercept MSN chat conversations and write them to a log of your own (you may even choose to block the conversation from coming in or going out). For those who are curious about what the IAT is, check reference 1; it is more complicated, as it works at a different level. To play around with Detours, download it from reference 3.

1. http://jpassing.com/2008/01/06/using-import-address-table-hooking-for-testing/ (understanding the IAT)
2. http://www.codeproject.com/KB/DLL/funapihook.aspx (what Detours is, with a sample project)
3. http://www.microsoft.com/about/legal/en/us/IntellectualProperty/IPLicensing/Programs/Detours.aspx (Detours download)
