Dangerous Detours, Wrap-Up
This concludes the little series about the limitations of Detours:
- Part 1: Introduction
- Part 2: Unexpected Behaviour
- Part 3: Messing execution flow
- Part 4: Undetouring
Granted, the probability of experiencing any of the problems described in these posts is rather low. Whether these problems should be considered bugs of Detours or rather an inherent problem of the concept is not quite easy to judge – on the one hand, Detours indeed acts a little naively, and especially the unhooking problem could have been easily avoided. Addressing the problems depicted in the previous posts, however, would require a significantly more precise analysis of the binary code, which is expensive and comes with its own risks.
Concluding from these facts, my evaluation is that Detours is a decent technology for hooking explicitly chosen functions – functions you may know the disassembly of and whose “detourability” can be tested. In contrast to this, I consider Detours an inappropriate technology for hooking functions determined at runtime, i.e. functions you may not know and whose “detourability” cannot be tested. Using Detours for implementing tracing functionality, as suggested by one of the samples, should thus be considered not a particularly good idea.