OverviewHelpers
The most common usage scenario for Detours is to detour functions in an
existing application without modifying the original application binaries.
In these scenarios, the user-supplied detour functions are packaged in a
DLL that is loaded into the application at startup time using the
DetourCreateProcessWithDll API.

The DetourCreateProcessWithDll API is called from the parent process; it
alters the in-memory copy of the application by inserting an import table
entry for the detour DLL. This new import table entry causes the OS loader
to load the DLL after the application process has started, but before any
of the application code can run. The detour DLL then has a chance to hook
target functions in the target process.

On computers with 64-bit processors, Windows supports both 32-bit and
64-bit applications. To support both 32-bit and 64-bit applications, you
must create both 32-bit and 64-bit versions of your detour DLL. You must
also replace all uses of the DetourCreateProcessWithDll API with either
the DetourCreateProcessWithDllEx API or the DetourCreateProcessWithDlls
API. The DetourCreateProcessWithDllEx and DetourCreateProcessWithDlls APIs
choose between the 32-bit and 64-bit versions of your DLL as appropriate
for the target application.

To support both 32-bit and 64-bit applications on a single system, you
must create two DLLs. One DLL must contain 32-bit code, the other DLL
must contain 64-bit code. The DLLs must reside in the same directory and
must have identical names except that the name of the 32-bit DLL should
end with "32" and the name of the 64-bit DLL should end with "64". For
example, matching DLLs would be named foo32.dll and foo64.dll.

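A launcher-side pre-flight check for the naming rule above, added here as an example and not taken from Detours: it reads the Machine field of a target's PE header and derives which of the paired DLL names matches it. The function names pe_bits, detour_dll_for and sample_pe are hypothetical, the header bytes are constructed, and only the x86 and x64 machine values are recognised.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32 or 64 for an x86/x64 PE header in buf; 0 if truncated or unrecognised. */
int pe_bits(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t off = (uint32_t)buf[0x3c] | (uint32_t)buf[0x3d] << 8 |
                   (uint32_t)buf[0x3e] << 16 | (uint32_t)buf[0x3f] << 24; /* e_lfanew */
    if (off > len || len - off < 6 || memcmp(buf + off, "PE\0\0", 4) != 0) return 0;
    uint16_t machine = (uint16_t)(buf[off + 4] | buf[off + 5] << 8);
    if (machine == 0x014c) return 32;   /* IMAGE_FILE_MACHINE_I386 */
    if (machine == 0x8664) return 64;   /* IMAGE_FILE_MACHINE_AMD64 */
    return 0;
}

/* Copy dll to out with the "32"/"64" before its extension set to match bits.
   Returns -1 if the name does not follow the convention or out is too small. */
int detour_dll_for(const char *dll, int bits, char *out, size_t outlen)
{
    const char *dot = strrchr(dll, '.');
    size_t stem = dot ? (size_t)(dot - dll) : strlen(dll);
    if ((bits != 32 && bits != 64) || stem < 2 || strlen(dll) + 1 > outlen) return -1;
    const char *suf = dll + stem - 2;
    if (strncmp(suf, "32", 2) != 0 && strncmp(suf, "64", 2) != 0) return -1;
    memcpy(out, dll, strlen(dll) + 1);
    memcpy(out + stem - 2, bits == 32 ? "32" : "64", 2);
    return 0;
}

/* Constructed sample: minimal MZ/PE header carrying the given Machine value. */
size_t sample_pe(uint8_t *buf, uint16_t machine)
{
    memset(buf, 0, 0x48);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = 0x40;   /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = (uint8_t)machine; buf[0x45] = (uint8_t)(machine >> 8);
    return 0x48;
}

int main(void)
{
    uint8_t hdr[0x48]; char name[64];
    int bits = pe_bits(hdr, sample_pe(hdr, 0x8664));   /* 64-bit target */
    if (detour_dll_for("foo32.dll", bits, name, sizeof name) == 0)
        printf("target is %d-bit, matching detour DLL: %s\n", bits, name);
    return 0;
}
```

A name that lacks the "32"/"64" suffix is rejected rather than passed on, which catches a mis-named DLL pair before a process is started with it.
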
You should use the DetourCreateProcessWithDllEx or
DetourCreateProcessWithDlls API to start a process with your DLL.
Furthermore, your DLLs must:

- Export the DetourFinishHelperProcess API as export ordinal 1.
- Call the DetourIsHelperProcess API in your DllMain function. Immediately
  return TRUE if DetourIsHelperProcess returns TRUE.
- Call the DetourCreateProcessWithDllEx or DetourCreateProcessWithDlls API
  instead of DetourCreateProcessWithDll to create new target processes.

When the parent process and the target process have the same bitness,
such as both 32-bit or both 64-bit, the DetourCreateProcessWithDllEx API
works the same as the DetourCreateProcessWithDll API.

When the parent process is 32-bit and the target is 64-bit, or the parent
is 64-bit and the target is 32-bit, DetourCreateProcessWithDllEx creates a
helper process by loading your DLL into a rundll32.exe process and calling
DetourFinishHelperProcess through export ordinal 1. This API patches up
the application's import table using the correct 32-bit or 64-bit code.

To give helper processes a try, first build the Detours samples for
32-bit using a 32-bit build environment. Then build the samples for
64-bit using a 64-bit build environment. Then in the samples\tryman
directory, in the 64-bit environment type "nmake size64" to run a
recursive set of processes that alternate between 32-bit and 64-bit
processes.

For more information on rundll32.exe, see
http://support.microsoft.com/kb/164787.

DetourCreateProcessWithDllEx, DetourCreateProcessWithDlls, DetourFinishHelperProcess, DetourIsHelperProcess, DetourRestoreAfterWith.

FindFunc, Simple, Slept, Traceapi, Tracebld, Tracelnk, Tracemem, Tracereg, Traceser, Tracetcp, Tryman.