Detours: Binary Interception of Win32 Functions
Galen Hunt and Doug Brubacher
Microsoft Research
One Microsoft Way
Redmond, WA 98052
detours@microsoft.com
http://research.microsoft.com/sn/detours
Abstract
Innovative systems research hinges on the
ability to easily instrument and extend existing
operating system and application functionality.
With access to appropriate source code, it is often
trivial to insert new instrumentation or extensions
by rebuilding the OS or application. However, in
today’s world of commercial software,
researchers seldom have access to all relevant
source code.
We present Detours, a library for
instrumenting arbitrary Win32 functions on x86
machines. Detours intercepts Win32 functions by
re-writing target function images. The Detours
package also contains utilities to attach arbitrary
DLLs and data segments (called payloads) to any
Win32 binary.
While prior researchers have used binary
rewriting to insert debugging and profiling
instrumentation, to our knowledge, Detours is the
first package on any platform to logically
preserve the un-instrumented target function
(callable through a trampoline) as a subroutine
for use by the instrumentation. Our unique
trampoline design is crucial for extending existing
binary software.
We describe our experiences using Detours to
create an automatic distributed partitioning
system, to instrument and analyze the DCOM
protocol stack, and to create a thunking layer for
a COM-based OS API. Micro-benchmarks
demonstrate the efficiency of the Detours library.
1. Introduction
Innovative systems research hinges on the
ability to easily instrument and extend existing
operating system and application functionality,
whether that functionality lives in an application, a
library, or the operating system DLLs. Typical reasons to
intercept functions are to add functionality,
modify returned results, or insert instrumentation
for debugging or profiling. With access to
appropriate source code, it is often trivial to insert
new instrumentation or extensions by rebuilding
the OS or application. However, in today’s world
of commercial development and binary-only
releases, researchers seldom have access to all
relevant source code.
Detours is a library for intercepting arbitrary
Win32 binary functions on x86 machines.
Interception code is applied dynamically at
runtime. Detours replaces the first few
instructions of the target function with an
unconditional jump to the user-provided detour
function. Instructions from the target function are
preserved in a trampoline function. The
trampoline function consists of the instructions
removed from the target function and an
unconditional branch to the remainder of the
target function. The detour function can either
replace the target function or extend its semantics
by invoking the target function as a subroutine
through the trampoline.
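The two byte images that the paragraph above describes (the jump written over the target's prologue, and the trampoline holding the displaced instructions plus a jump back to the remainder) can be built on plain byte buffers without touching live code. The following is an added example written for this page, not code from the Detours library; it assumes 32-bit x86 addressing as in the paper, uses hypothetical target, detour and trampoline addresses, and decodes only a tiny hand-picked subset of prologue opcodes. It also shows the edge case a practitioner runs into first: a relative jump or call inside the displaced bytes cannot be moved verbatim, so the installer refuses rather than producing a trampoline that branches to the wrong place.

```c
/*
 * Added example (not Detours library code): build an x86-32 detour's two byte
 * images on ordinary buffers.
 *   - target prologue  <-  E9 rel32   (jmp to the detour function)
 *   - trampoline       <-  displaced prologue instructions + E9 rel32 back to
 *                          target + n, where n is the number of displaced bytes
 * Addresses are hypothetical 32-bit values; nothing here executes as code.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_SIZE 5     /* E9 + 4-byte relative displacement */
#define MAX_COPY 32    /* upper bound on displaced prologue bytes */

/* Length of one instruction from a deliberately small x86-32 subset (assumption:
 * typical compiler prologues only). Returns 0 for unknown bytes and -1 for
 * IP-relative instructions, which cannot be copied verbatim into a trampoline. */
static int insn_len(const uint8_t *p, int avail)
{
    uint8_t op = p[0];
    uint8_t m  = avail > 1 ? p[1] : 0;               /* modrm byte, if present */
    if (op >= 0x50 && op <= 0x5F) return 1;          /* push/pop r32 */
    if (op == 0x90 || op == 0xC3) return 1;          /* nop, ret */
    if (op == 0x8B && m == 0xEC) return 2;           /* mov ebp,esp */
    if (op == 0x89 && m == 0xE5) return 2;           /* mov ebp,esp (alt encoding) */
    if (op == 0x83 && m == 0xEC) return 3;           /* sub esp,imm8 */
    if (op == 0x81 && m == 0xEC) return 6;           /* sub esp,imm32 */
    if (op == 0xE8 || op == 0xE9) return -1;         /* call/jmp rel32: position-dependent */
    if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) return -1; /* short jumps: likewise */
    return 0;
}

/* Whole instructions covering at least JMP_SIZE bytes, or -1 if the prologue
 * holds something we cannot decode or cannot relocate. */
static int bytes_to_displace(const uint8_t *target, int avail)
{
    int n = 0;
    while (n < JMP_SIZE) {
        if (n >= avail) return -1;
        int l = insn_len(target + n, avail - n);
        if (l <= 0 || n + l > avail) return -1;
        n += l;
    }
    return n;
}

/* Write "jmp dest" at 'at', whose runtime address is at_addr. */
static void put_jmp(uint8_t *at, uint32_t at_addr, uint32_t dest_addr)
{
    uint32_t rel = dest_addr - (at_addr + JMP_SIZE);  /* wraps mod 2^32 like the CPU */
    at[0] = 0xE9;
    at[1] = (uint8_t)rel;         at[2] = (uint8_t)(rel >> 8);
    at[3] = (uint8_t)(rel >> 16); at[4] = (uint8_t)(rel >> 24);
}

uint32_t read_rel32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Build the trampoline, then patch the target image. Returns the number of
 * displaced bytes, or -1 with the target left untouched. */
int install_detour(uint8_t *target, uint32_t target_addr, int target_len,
                   uint32_t detour_addr, uint8_t *tramp, uint32_t tramp_addr)
{
    int n = bytes_to_displace(target, target_len);
    if (n < 0 || n > MAX_COPY) return -1;
    memcpy(tramp, target, (size_t)n);                        /* displaced instructions */
    put_jmp(tramp + n, tramp_addr + n, target_addr + n);     /* jmp to the remainder */
    put_jmp(target, target_addr, detour_addr);               /* target now jumps to detour */
    /* target bytes [JMP_SIZE, n) are now unreachable; they are left in place here */
    return n;
}

int main(void)
{
    /* constructed prologue: push ebp; mov ebp,esp; sub esp,0x10; push esi; push edi */
    uint8_t target[8] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x57};
    uint8_t tramp[MAX_COPY + JMP_SIZE];
    int n = install_detour(target, 0x00401000u, (int)sizeof target,
                           0x10001000u, tramp, 0x00410000u);
    printf("displaced %d bytes\n", n);   /* 6: the 5th byte lands inside "sub esp,0x10" */
    printf("target:  "); for (int i = 0; i < 8; i++) printf("%02X ", target[i]);
    printf("\ntramp:   "); for (int i = 0; i < n + JMP_SIZE; i++) printf("%02X ", tramp[i]);
    printf("\n");
    return 0;
}
```

With the constructed prologue the installer displaces six bytes, not five, because a five-byte cut would split `sub esp,0x10`; the trampoline therefore ends with a jump to `target + 6`. In a live installation the same computation is followed by making the pages writable, writing the bytes, and flushing the instruction cache, none of which this buffer-only example performs.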
Detours are inserted at execution time. The
code of the target function is modified in memory,
not on disk, thus facilitating interception of binary
functions at a very fine granularity. For example,
the procedures in a DLL can be detoured in one
execution of an application, while the original
procedures are not detoured in another execution
The original publication of this paper was granted to USENIX. Copyright to this work is retained by the authors. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes.
Published in Proceedings of the 3rd USENIX Windows NT Symposium. Seattle, WA, July 1999.