How to get rid of Microsoft Detours’ detoured.dll

If you don’t know what DLL injection, API hooking, instrumentation, or the Detours library is, then you might wanna skip this post.

The story

Microsoft has a nifty library called Detours which helps you intercept function calls using something called inline-function-hooking or detouring. Basically, it finds the target function, and overwrites its memory with a JMP instruction pointing to a different function. Anyway, Detours provides a nice little API to do this for you.

Sucky thing is, it comes with a detoured.dll library which needs to be present for detours to work. This, in essence, flags whatever process you use Detours to detour. When detoured.dll shows up in your process’ loaded module list you know you’ve been detoured.

This may or may not be an issue for you depending what you’re trying to accomplish. Well, it was an issue for me. After a bunch of googling, I found only a few people mentioned the same issue. Some of them sounded smart, some not so smart, but all of them sounded like they believed this dll was necessary and were sad because processes would be marked.

Well it’s not necessary, and it’s really easy to get rid of. The dll contains nothing, it’s purely for process marking purposes. Take a look at detoured.cpp. It contains one exported function: Detoured() which does nothing but return the handle to the dll. Now go open up detours.cpp and look where it’s called from. Two places: 1) from another function which is called from nowhere (useless), and 2) In the middle of some method which doesn’t make use of its return value. Aka, the calling of the function has no effect on the program other than loading the dll into memory.

Straight from the README.TXT:

4.5. SUPPORT FOR DETECTION OF DETOURED PROCESSES:
=================================================
Detours loads the detoured.dll shared library stub into any process which has
been modified by the insertion of a detour. This allows the Microsoft Customer
Support Services (CSS) and the Microsoft Online Crash Analysis (OCA) teams to
quickly and accurately determine that the behavior of a process has been
altered by a detour. CSS does not provide customer assistance on detoured
products.

The sole purpose of this dll is to help Microsoft NOT support products which have been detoured. So if you really want to screw with someone who relies on Microsoft Customer Support Services, you could rename any dll to detoured.dll and add it to their HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs registry key so that it gets loaded into every process in Windows.

Anyway,

How to remove it

Open up detours.cpp,

Remove the line:
#include "detoured.h"

Remove the line:
Detoured();

Remove the whole function:
HMODULE WINAPI DetourGetDetouredMarker() { ... }

That’s it! Recompile! Now you no longer need detoured.dll to be laying around for your code to work.

Beware! Also in the README.TXT:

If you distribute programs which use Detours, you must also distribute a
copy of DETOURED.DLL, which is required for your program to execute.
DETOURED.DLL is built when you build the libraries.

So if you are distributing stuff and you do this, Microsoft will probably hunt you down and legally rape you.

---

Possibly related posts: (automatically generated)

• API Hooking
• What is svchost.exe ?