1
Detours: Binary Interception of Win32 Functions
Galen Hunt and Doug Brubacher
Microsoft Research
One Microsoft Way
Redmond, WA 98052
detours@microsoft.com
http://research.microsoft.com/sn/detours
Abstract
Innovative systems research hinges on the
ability to easily instrument and extend existing
operating system and application functionality.
With access to appropriate source code, it is often
trivial to insert new instrumentation or extensions
by rebuilding the OS or application. However, in
today’s world of commercial software,
researchers seldom have access to all relevant
source code.
We present Detours, a library for
instrumenting arbitrary Win32 functions on x86
machines. Detours intercepts Win32 functions by
re-writing target function images. The Detours
package also contains utilities to attach arbitrary
DLLs and data segments (called payloads) to any
Win32 binary.
While prior researchers have used binary
rewriting to insert debugging and profiling
instrumentation, to our knowledge, Detours is the
first package on any platform to logically
preserve the un-instrumented target function
(callable through a trampoline) as a subroutine
for use by the instrumentation. Our unique
trampoline design is crucial for extending existing
binary software.
We describe our experiences using Detours to
create an automatic distributed partitioning
system, to instrument and analyze the DCOM
protocol stack, and to create a thunking layer for
a COM-based OS API. Micro-benchmarks
demonstrate the efficiency of the Detours library.
1. Introduction
Innovative systems research hinges on the
ability to easily instrument and extend existing
operating system and application functionality
whether in an application, a library, or the
operating system DLLs. Typical reasons to
intercept functions are to add functionality,
modify returned results, or insert instrumentation
for debugging or profiling. With access to
appropriate source code, it is often trivial to insert
new instrumentation or extensions by rebuilding
the OS or application. However, in today’s world
of commercial development and binary-only
releases, researchers seldom have access to all
relevant source code.
Detours is a library for intercepting arbitrary
Win32 binary functions on x86 machines.
Interception code is applied dynamically at
runtime. Detours replaces the first few
instructions of the target function with an
unconditional jump to the user-provided detour
function. Instructions from the target function are
preserved in a trampoline function. The
trampoline function consists of the instructions
removed from the target function and an
unconditional branch to the remainder of the
target function. The detour function can either
replace the target function or extend its semantics
by invoking the target function as a subroutine
through the trampoline.
Detours are inserted at execution time. The
code of the target function is modified in memory,
not on disk, thus facilitating interception of binary
functions at a very fine granularity. For example,
the procedures in a DLL can be detoured in one
execution of an application, while the original
procedures are not detoured in another execution
The original publication of this paper was granted to
USENIX. Copyright to this work is retained by the authors.
Permission is granted for the noncommercial reproduction
of the complete work for educational or research purposes.
Published in Proceedings of the
3rd USENIX Windows NT
Symposium
. Seattle, WA, July 1999.
下载后可阅读完整内容,剩余8页未读,立即下载
weixin_38697063
- 粉丝: 5
- 资源: 956
我的内容管理
展开
最新资源
- 十种常见电感线圈电感量计算公式详解
- 军用车辆:CAN总线的集成与优势
- CAN总线在汽车智能换档系统中的作用与实现
- CAN总线数据超载问题及解决策略
- 汽车车身系统CAN总线设计与应用
- SAP企业需求深度剖析:财务会计与供应链的关键流程与改进策略
- CAN总线在发动机电控系统中的通信设计实践
- Spring与iBATIS整合:快速开发与比较分析
- CAN总线驱动的整车管理系统硬件设计详解
- CAN总线通讯智能节点设计与实现
- DSP实现电动汽车CAN总线通讯技术
- CAN协议网关设计:自动位速率检测与互连
- Xcode免证书调试iPad程序开发指南
- 分布式数据库查询优化算法探讨
- Win7安装VC++6.0完全指南:解决兼容性与Office冲突
- MFC实现学生信息管理系统:登录与数据库操作
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
