Detours is a library for intercepting arbitrary Win32 binary functions on x86 machines. Interception code is applied dynamically at runtime. Detours replaces the first few instructions of the target function with an unconditional jump to the user-provided detour function. Instructions from the target function are placed in a trampoline. The address of the trampoline is placed in a target pointer. The detour function can either replace the target function or extend its semantics by invoking the target function as a subroutine through the target pointer to the trampoline. Detours are inserted at execution time. The code of the target function is modified in memory, not on disk, thus enabling interception of binary functions at a fine granularity. For example, the procedures in a DLL can be detoured in one execution of an application, while the original procedures are not detoured in another execution running at the same time. Unlike DLL re-linking or static redirection, the interception techniques used in the Detours library are guaranteed to work regardless of the method used by application or system code to locate the target function. In addition to basic detour functionality, Detours also includes functions to edit the DLL import table of any binary, to attach arbitrary data segments to existing binaries, and to inject a DLL into a new or existing process. Once injected into a process, the instrumentation DLL can detour any function in the process, whether in the application or the system libraries, such as Windows APIs. The package includes the complete source code to the Detours Package, more than 20 samples using detours, and documentation. A commercial license for Detours is available upon request. To inquire about acquiring a commercial license to the Detours Package, e-mail Microsoft's Intellectual Property and Licensing Group, at
iplg@microsoft.com. Please include the text “DETOURS LICENSE REQUEST” in the subject line.
