Detours | software package for monitoring and instrumenting API calls

by microsoft | C++ | Version: v4.0.1 | License: MIT

kandi X-RAY | Detours Summary


Detours is a C++ library with no bugs or vulnerabilities reported, a permissive license and medium support. You can download it from GitHub.

Detours is a software package for monitoring and instrumenting API calls on Windows. Detours has been used by many ISVs and is also used by product teams at Microsoft. Detours is now available under a standard open source license (MIT). This simplifies licensing for programmers using Detours and allows the community to support Detours using open source tools and processes. Detours is compatible with the Windows NT family of operating systems: Windows NT, Windows XP, Windows Server 2003, Windows 7, Windows 8, and Windows 10. It cannot be used by Windows Store apps because Detours requires APIs not available to those applications. This repo contains the source code for version 4.0.1 of Detours. For technical documentation on Detours, see the Detours Wiki. For directions on how to build and run samples, see the samples README.txt file.

Support

              Detours has a medium active ecosystem.
              It has 4228 star(s) with 892 fork(s). There are 160 watchers for this library.
              It had no major release in the last 12 months.
              There are 48 open issues and 91 have been closed. On average issues are closed in 54 days. There are 15 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
The latest version of Detours is v4.0.1.

Quality

              Detours has 0 bugs and 0 code smells.

Security

              Detours has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              Detours code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

License

              Detours is licensed under the MIT License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

Reuse

              Detours releases are available to install and integrate.


            Community Discussions

            QUESTION

            Very high memory usage in these Digit Analysis (Hash) algorithms in C
            Asked 2021-Dec-07 at 19:22

I have a university exercise, where I have to compare some hashing methods with their number of collisions in the hash table. Then I made these Digit Analysis algorithms, but they are using A LOT of memory (I can't even run the code until the end, because it kills my computer). You can ignore the comments, but feel free if you want and know Portuguese.

Digit Analysis function 1 (Using dynamic matrix)

            ...

            ANSWER

            Answered 2021-Dec-07 at 19:22
            Cause of leak

            I looked at this in valgrind, and it looks like you're missing five calls to free. This is the largest leak:

            Source https://stackoverflow.com/questions/70265066

            QUESTION

            How does System.Net.Sockets.Socket.Disconnect disconnect from the socket?
            Asked 2021-May-29 at 07:58

            My DLL gets injected into a program and then hooks to connect, send, recv and closesocket functions using Detours. The point is to stop the program from connecting to some server and instead communicate with my DLL directly.

            My recv function uses an infinite loop, just waiting for any data to send to the program. When closesocket is called that loop is broken and everything works fine.

            But there's one program written in C# that just hangs when I close it. Its error log says:

            SocketException: A request to send or receive data was disallowed because the socket is not connected and (when sending on a datagram socket using a sendto call) no address was supplied.

            at System.Net.Sockets.Socket.Disconnect (Boolean reuseSocket) [0x00000] in :0

            The exception is expected since the socket never connects to anything. But is there any workaround for this? What does System.Net.Sockets.Socket.Disconnect call under the hood? What other function do I need to hook to detect that?

            I've tried hooking to shutdown, setsockopt, WSACancelBlockingCall, WSACleanup, WSASend, WSASendDisconnect, WSASendMsg, WSASendTo, WSARecv, WSARecvDisconnect and WSARecvFrom. None of them get called.

            ...

            ANSWER

            Answered 2021-May-29 at 07:58

            System.Net.Sockets.Socket.Disconnect calls DisconnectEx. And as the remarks say:

Note: The function pointer for the DisconnectEx function must be obtained at run time by making a call to the WSAIoctl function with the SIO_GET_EXTENSION_FUNCTION_POINTER opcode specified. The input buffer passed to the WSAIoctl function must contain WSAID_DISCONNECTEX, a globally unique identifier (GUID) whose value identifies the DisconnectEx extension function. On success, the output returned by the WSAIoctl function contains a pointer to the DisconnectEx function. The WSAID_DISCONNECTEX GUID is defined in the Mswsock.h header file.

            So if you want to do what I did you have to:

            1. hook to WSAIoctl
            2. check if dwIoControlCode is SIO_GET_EXTENSION_FUNCTION_POINTER
            3. check if lpvInBuffer is WSAID_DISCONNECTEX:

            Source https://stackoverflow.com/questions/67724498

            QUESTION

            How to include Microsoft detours library in visual studio
            Asked 2021-May-10 at 01:55

            I am trying to use the detours library in a visual studio empty windows project. I cloned the repository (https://github.com/microsoft/Detours), I added the include directory into Project Properties / C/C++ / Additional Include Directories, and I added the lib.X86 directory into Project Properties / Linker / Additional Library Directories. I get no errors visible on the file, but when I build I get

            ...

            ANSWER

            Answered 2021-May-10 at 01:55

            You need to add the specific .lib file, which I'm guessing is "detours.lib" (or similar) to the "Additional Dependencies" line.

            Properties->Linker->Input->Additional Dependencies.

            Source https://stackoverflow.com/questions/67463804

            QUESTION

            I don't know why this static_assert() code doesn't work
            Asked 2020-Nov-29 at 03:22

            This is the code:

            ...

            ANSWER

            Answered 2020-Nov-29 at 03:22

            The static_assert declaration allows the message parameter to be omitted since C++17. cppreference

            You need to enable C++17 in your compiler.

            See also

            How to enable C++17 compiling in Visual Studio?

            Source https://stackoverflow.com/questions/65056159

            QUESTION

Trying to write a DLL for wallhack etc.
            Asked 2020-Nov-17 at 19:50

            I'm trying to write a DLL file that I can inject into a game. I'm pretty far but when I try to compile the code I always get the error

            ...

            ANSWER

            Answered 2020-Nov-17 at 19:50

You can't just replace a function definition:

            Source https://stackoverflow.com/questions/64881966

            QUESTION

            How to hook Delphi function using C++
            Asked 2020-Sep-30 at 18:30

            I am trying to hook a user-defined function of a program written in Delphi using C++ and Detours library. (DLL Injection)

            However, I can't hook it because Delphi's and C++'s function calling conventions don't match.

            Delphi uses the fastcall function calling convention, and C++ also provides a fastcall function calling convention.

            However, Delphi's fastcall stores its arguments sequentially on EAX, EDX, ECX, and the stack, whereas C++'s fastcall stores its arguments sequentially on ECX, EDX, and stack. (This is because there is no standard for fastcall.)

            Due to these differences, I have no way to get the arguments stored in EAX.

            How can I solve this problem?

            (This article has been translated by Google Translate.)

            < dllmain.cpp >

            ...

            ANSWER

            Answered 2020-Sep-30 at 15:49

            As per wikipedia:

            Borland register Evaluating arguments from left to right, it passes three arguments via EAX, EDX, ECX. Remaining arguments are pushed onto the stack, also left to right.[12] It is the default calling convention of the 32-bit compiler of Delphi, where it is known as register. This calling convention is also used by Embarcadero's C++Builder, where it is called __fastcall.[13] In this compiler, Microsoft's fastcall can be used as __msfastcall.[14]

            GCC and Clang can be made to use a similar calling convention by using __stdcall with the regparm function attribute or the -mregparm=3 switch. (The stack order is inverted.) It is also possible to produce a caller clean-up variant using cdecl or extend this to also use SSE registers.[15] A cdecl-based version is used by the Linux kernel on i386 since version 2.6.20 (released February 2007).

            https://en.wikipedia.org/wiki/X86_calling_conventions#Borland_register

            Source https://stackoverflow.com/questions/64141034

            QUESTION

            How to get address of user-defined function?
            Asked 2020-Sep-28 at 23:34

            I am trying to hook a user-defined function. (via DLL injection and inline function hooking)
            To do that, I need to get the address of the function to hook in process memory.

            I tried various methods to find the address, and finally came up with the equation below.

            (offset) = (Address of function in EXE file) - (Image base of EXE file)

            (Address of function in process memory) = (GetModuleHandle(NULL)) + (offset)

            However, I am not sure if this equation always holds. (For example, when DLL Relocation occurs, I am worried that this equation may be wrong.)

            In conclusion, I want to know whether this equation always holds. And if not, I'd like to know how to fix this equation.

            (This article has been translated by Google Translate.)

            < testwinapi / main.cpp >

            ...

            ANSWER

            Answered 2020-Sep-28 at 21:21

            Module relocation occurs as a whole. Individual sections are never moved with respect to the image base. The offsets (RVA) of each section are hardcoded in the module header.

            For example:

            Source https://stackoverflow.com/questions/64108134

            QUESTION

            DetourDetach() throws ERROR_INVALID_BLOCK error
            Asked 2020-Sep-28 at 09:53

            I want to hook the Bitblt function with the Detours library.

            https://github.com/microsoft/Detours/blob/master/samples/simple/simple.cpp

            By referring to the example source above, I succeeded in creating a dll that hooks the Bitblt function, but the unhooking does not work properly.

            I want the original function to be restored when the dll is detached from the target process, but the DetourDetach function throws an ERROR_INVALID_BLOCK error, and access violation of the target process occurs.

            How can I fix this error?

            Below is the source code I wrote.

            ...

            ANSWER

            Answered 2020-Sep-28 at 09:53

            I figured out what was the problem!

            Source https://stackoverflow.com/questions/64091010

            QUESTION

            Threads spawned by a detoured pthread_create do not execute instructions
            Asked 2020-Sep-16 at 13:58

            I've got a custom implementation of detours on macOS and a test application using it, which is written in C, compiled for macOS x86_64, running on an Intel i9 processor.

The implementation works fine with a multitude of functions. However, if I detour pthread_create, I encounter strange behaviour: threads that have been spawned via a detoured pthread_create do not execute instructions. I can step through instructions one by one but as soon as I continue it does not progress. There are no mutexes or synchronisation involved and the result of the function is 0 (success). The exact same application with detours turned off works fine so it's unlikely to be the culprit.

This does not happen all the time - sometimes they are fine but at other times the test application stalls in the following state:

            ...

            ANSWER

            Answered 2020-Sep-16 at 13:58

            I found that the reason why the spawned thread was not executing instructions was that the r8 register wasn't being cleared at the right time in the execution of pthread_create due to an issue with my detours implementation.

If we look at the disassembly of the function, it is split up into two parts - the "head" and the "body" that's found in an internal _pthread_create function. The head does two things - zeroes out r8 and jumps to the body:

            Source https://stackoverflow.com/questions/63834138

            QUESTION

            When is a multi-character constant useful?
            Asked 2020-Apr-05 at 21:34

            In Microsoft Detours Library, they do: const ULONG DETOUR_REGION_SIGNATURE = 'Rrtd';

            I'm trying to figure out exactly WHY they do this. When I print it on my system it prints: 1383232612

            which is the same as: (0x52 << 24) | (0x72 << 16) | (0x74 << 8) | 0x64 or ('R' << 24) + ('r' << 16) + ('t' << 8) + 'd'

Why do they do this? I read it's not portable and depends entirely on the endianness of the system and it gives warnings when compiling with GCC and Clang.

            ...

            ANSWER

            Answered 2020-Apr-05 at 21:34

            When is a multi-character constant useful?

            When you want some arbitrary constant integer value that looks like text when interpreted as a sequence of characters. This apparent "textuality" is occasionally useful for the programmer to quickly recognise the constant from binary soup.

            For example, let's consider a binary protocol or file format that contains a message. Let's say there are N possible messages including "configure", "push" and "plop". We can encode the message as an integer. enum is useful here:

            Source https://stackoverflow.com/questions/61049399
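The following is an added example, not code from the original page, the Stack Overflow answer, or the Detours project. It shows the value Detours spells as the multi-character constant 'Rrtd' being produced with explicit shifts (so the result no longer depends on the compiler's implementation-defined multi-char rules and draws no warning), and extends the answer's enum-of-message-tags idea with an explicit big-endian writer/reader so the tags are recognisable as text in a hex dump on any host. The MAKE_TAG macro, the msg_tag enum and the message names are hypothetical; REGION_SIGNATURE is only the page's DETOUR_REGION_SIGNATURE value recomputed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Portable replacement for a multi-character constant such as 'Rrtd'.
   The value is fixed by the arithmetic, not by the compiler's
   implementation-defined multi-char rules, and no warning is emitted.
   Hypothetical helper, not part of Detours. */
#define MAKE_TAG(a, b, c, d)                                            \
    (((uint32_t)(unsigned char)(a) << 24) |                              \
     ((uint32_t)(unsigned char)(b) << 16) |                              \
     ((uint32_t)(unsigned char)(c) << 8)  |                              \
      (uint32_t)(unsigned char)(d))

/* Same value Detours writes as 'Rrtd': 1383232612 (0x52727464). */
#define REGION_SIGNATURE MAKE_TAG('R', 'r', 't', 'd')

/* Message tags for a hypothetical binary protocol, following the answer's
   "configure"/"push"/"plop" example. Each tag reads as text in a dump. */
enum msg_tag {
    MSG_CONFIGURE = MAKE_TAG('C', 'O', 'N', 'F'),
    MSG_PUSH      = MAKE_TAG('P', 'U', 'S', 'H'),
    MSG_PLOP      = MAKE_TAG('P', 'L', 'O', 'P')
};

/* Serialise a tag big-endian so the bytes read "CONF" on any host;
   a raw memcpy of the integer would come out reversed on little-endian. */
void tag_write(uint32_t tag, unsigned char out[4]) {
    out[0] = (unsigned char)(tag >> 24);
    out[1] = (unsigned char)(tag >> 16);
    out[2] = (unsigned char)(tag >> 8);
    out[3] = (unsigned char)tag;
}

/* Parse a tag back with the same explicit byte order. */
uint32_t tag_read(const unsigned char in[4]) {
    return MAKE_TAG(in[0], in[1], in[2], in[3]);
}

/* Render a tag as its four characters plus NUL, for logs and dumps. */
void tag_to_text(uint32_t tag, char out[5]) {
    unsigned char raw[4];
    tag_write(tag, raw);
    memcpy(out, raw, 4);
    out[4] = '\0';
}

/* Classify a message header. Short or unknown input is rejected rather
   than guessed, which is the behaviour a parser of untrusted data needs. */
const char *describe_message(const unsigned char *buf, size_t len) {
    if (buf == NULL || len < 4) return "truncated";
    switch (tag_read(buf)) {
        case MSG_CONFIGURE: return "configure";
        case MSG_PUSH:      return "push";
        case MSG_PLOP:      return "plop";
        default:            return "unknown";
    }
}

/* Round-trip check: write every known tag, read it back, classify it. */
int self_check(void) {
    const uint32_t tags[] = { MSG_CONFIGURE, MSG_PUSH, MSG_PLOP };
    const char *names[]   = { "configure", "push", "plop" };
    unsigned char hdr[4];
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++) {
        tag_write(tags[i], hdr);
        if (tag_read(hdr) != tags[i]) return 0;
        if (strcmp(describe_message(hdr, sizeof hdr), names[i]) != 0) return 0;
    }
    return 1;
}

int main(void) {
    unsigned char hdr[4];
    char text[5];
    tag_to_text(REGION_SIGNATURE, text);
    printf("REGION_SIGNATURE = %u (\"%s\")\n", (unsigned)REGION_SIGNATURE, text);
    tag_write(MSG_PUSH, hdr);
    printf("wire bytes %02x %02x %02x %02x -> %s\n", hdr[0], hdr[1], hdr[2], hdr[3],
           describe_message(hdr, sizeof hdr));
    return self_check() ? 0 : 1;
}
```

Because the enumerators are built from the macro rather than from 'CONF'-style literals, the switch in describe_message still gets the compiler's duplicate-case checking while compiling cleanly under -Wall on GCC and Clang.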

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install Detours

            You can download it from GitHub.

            Support

The Detours repository is where development is done. Here are some ways you can participate in the project.

Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

            CLONE
          • HTTPS

            https://github.com/microsoft/Detours.git

          • CLI

            gh repo clone microsoft/Detours

          • sshUrl

            git@github.com:microsoft/Detours.git
