DetourRestoreAfterWith
Restores the contents of the in-memory import table after a process was started with DetourCreateProcessWithDllEx or DetourCreateProcessWithDlls.
BOOL DetourRestoreAfterWith(VOID);
Returns TRUE if the necessary payload was found and the restore succeeded; otherwise, returns FALSE.
The function sets one of the following error codes if it was unable to find the necessary payload or restore the import table. The error code may be retrieved after the function has returned by calling GetLastError.
ERROR_MOD_NOT_FOUND : Could not find the necessary payload.
The DetourCreateProcessWithDllEx API modifies the in-memory import table of the target PE binary program in the new process it creates. For correct application compatibility, the changes to the import table should be removed before the application runs. To remove these changes, DetourCreateProcessWithDllEx copies relevant reversal data into a payload in the target process using the DetourCopyPayloadToProcess API. When called in the target process, DetourRestoreAfterWith searches for the necessary payload and restores the contents of the import table.
For correct results, DetourRestoreAfterWith should be called in the PROCESS_ATTACH portion of the DllMain function of the DLL loaded into the target process.
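One way to make the call described above and act on its result, as an added example that is not code from the Detours project. The `restore_status` enum, the `restore_import_table` helper and the non-Windows stand-ins (`fake_ok`, `fake_err`) are hypothetical names introduced here; logging a failure and continuing to load is an assumed policy, not something this page prescribes.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#else
/* Constructed stand-ins so the decision logic builds and can be tested off Windows. */
typedef int BOOL;
typedef unsigned long DWORD;
#define TRUE 1
#define FALSE 0
#define ERROR_MOD_NOT_FOUND 126UL
static BOOL fake_ok;    /* what the fake DetourRestoreAfterWith returns */
static DWORD fake_err;  /* what the fake GetLastError returns */
static BOOL DetourRestoreAfterWith(void) { return fake_ok; }
static DWORD GetLastError(void) { return fake_err; }
#endif

typedef enum { RESTORE_OK, RESTORE_NO_PAYLOAD, RESTORE_FAILED } restore_status;

/* Hypothetical helper: restore the import table and classify the outcome. */
static restore_status restore_import_table(DWORD *err_out)
{
    *err_out = 0;
    if (DetourRestoreAfterWith())
        return RESTORE_OK;
    *err_out = GetLastError();  /* read before any other API call can overwrite it */
    return (*err_out == ERROR_MOD_NOT_FOUND) ? RESTORE_NO_PAYLOAD : RESTORE_FAILED;
}

#ifdef _WIN32
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        DWORD err;
        /* Restore first, so the import table is clean before the application runs. */
        restore_status st = restore_import_table(&err);
        if (st != RESTORE_OK) {
            char msg[96];
            snprintf(msg, sizeof msg, "DetourRestoreAfterWith: %s (error %lu)\n",
                     st == RESTORE_NO_PAYLOAD ? "payload not found" : "restore failed",
                     (unsigned long)err);
            OutputDebugStringA(msg);  /* assumed policy: report and keep loading */
        }
    }
    return TRUE;
}
#endif
```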
Related samples: FindFunc, Simple, Slept, Traceapi, Tracebld, Tracelnk, Tracemem, Tracereg, Traceser, Tracetcp, Tryman.