Dangerous Detours, Wrap-Up

This concludes the little series about the limitations of Detours:

Granted, the probability of experiencing any of the problems described in these posts is rather low. Whether these problems should be considered bugs of Detours or rather an inherent problem of the concept is not easy to judge — on the one hand, Detours indeed acts a little naively, and especially the unhooking problem could have been easily avoided. Addressing the problems depicted in the previous posts, however, would require a significantly more precise analysis of the binary code, which is expensive and comes with its own risks.

Concluding from these facts, my evaluation is that Detours is a decent technology for hooking explicitly chosen functions — functions whose disassembly you may know and whose “detourability” can be tested. In contrast, I consider Detours an inappropriate technology for hooking functions determined at runtime, i.e. functions you may not know and whose “detourability” cannot be tested. Using Detours to implement tracing functionality, as suggested by one of the samples, is thus not a particularly good idea.


About me

Johannes Passing, M.Sc., living in Berlin, Germany.

Besides his consulting work, Johannes mainly focusses on Win32, COM, and NT kernel mode development, along with Java and .Net. He is also the author of cfix, a C/C++ unit testing framework for Win32 and NT kernel mode; Visual Assert, a Visual Studio unit testing add-in; and NTrace, a dynamic function boundary tracing toolkit for Windows NT/x86 kernel/user mode code.

Contact Johannes: jpassing (at) acm org

Johannes' GPG fingerprint is BBB1 1769 B82D CD07 D90A 57E8 9FE1 D441 F7A0 1BB1.
