coderrr

August 27, 2008

How to get rid of Microsoft Detours’ detoured.dll

Filed under: c, windows — coderrr @ 3:18 am

If you don’t know what DLL injection, API hooking, instrumentation, or the Detours library is, then you might wanna skip this post.

The story

Microsoft has a nifty library called Detours which helps you intercept function calls using something called inline function hooking, or detouring. Basically, it finds the target function and overwrites the first bytes of it in memory with a JMP instruction that points to a different function. Detours provides a nice little API to do this for you.

Sucky thing is, it comes with a detoured.dll library which needs to be present for Detours to work. This, in essence, flags whatever process you use Detours on. When detoured.dll shows up in your process's loaded module list, you know you've been detoured.

This may or may not be an issue for you, depending on what you're trying to accomplish. Well, it was an issue for me. After a bunch of googling, I found only a few people who mentioned the same issue. Some of them sounded smart, some not so smart, but all of them sounded like they believed this dll was necessary and were sad because their processes would be marked.

Well, it's not necessary, and it's really easy to get rid of. The dll contains nothing; it's purely for process-marking purposes. Take a look at detoured.cpp. It contains one exported function, Detoured(), which does nothing but return the handle to the dll. Now go open up detours.cpp and look where it's called from. Two places: 1) from another function which is itself called from nowhere (useless), and 2) in the middle of some method which doesn't make use of its return value. In other words, calling the function has no effect on the program other than loading the dll into memory.

Straight from the README.TXT:

4.5. SUPPORT FOR DETECTION OF DETOURED PROCESSES:
=================================================
Detours loads the detoured.dll shared library stub into any process which has
been modified by the insertion of a detour. This allows the Microsoft Customer
Support Services (CSS) and the Microsoft Online Crash Analysis (OCA) teams to
quickly and accurately determine that the behavior of a process has been
altered by a detour. CSS does not provide customer assistance on detoured
products.

The sole purpose of this dll is to help Microsoft NOT support products which have been detoured. So if you really want to screw with someone who relies on Microsoft Customer Support Services, you could rename any dll to detoured.dll and add it to their HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs registry key so that it gets loaded into every process in Windows.

Anyway,

How to remove it

Open up detours.cpp,

Remove the line:
#include "detoured.h"

Remove the line:
Detoured();

Remove the whole function:
HMODULE WINAPI DetourGetDetouredMarker() { ... }

That's it! Recompile! Now you no longer need detoured.dll to be lying around for your code to work.

Beware! Also in the README.TXT:

If you distribute programs which use Detours, you must also distribute a
copy of DETOURED.DLL, which is required for your program to execute.
DETOURED.DLL is built when you build the libraries.

So if you are distributing stuff and you do this, Microsoft will probably hunt you down and sue you into the ground.

11 Comments »

  1. Well, that's exactly what I was looking for. Thanks coderrr, you are the man tonight! :D

    Comment by kingrain — October 17, 2008 @ 1:56 am

  2. Great tip!

    Comment by justice — January 27, 2009 @ 1:21 am

  3. Just make it a static library and be done with it. But most of the people that use Detours are script kiddies and don't have a clue about programming.

    Comment by ulliklliwi — February 9, 2009 @ 1:05 am

  4. Very nice! Wish I had read this 2 months ago.

    Thanks

    Comment by ioluas — February 19, 2009 @ 11:47 am

  5. Dude, I was forced to use Detours v1.5 until I came across this post. Nice one!

    Comment by Cpp — June 29, 2009 @ 5:14 am

  6. /* Detour Hook Manager [InDll]: dllMain.cpp */

    // Opaque handle type, declared the way the Windows headers do it
    // (a pointer to a tag struct), so it can be initialized with 0.
    typedef struct HINSTANCE__ { int unused; } *HINSTANCE;
    static HINSTANCE s_Dll = 0;

    HINSTANCE __stdcall Detoured() // The linker will use this instead of the one in 'detoured.lib'
    {
        return s_Dll;
    }

    __declspec(dllexport) __declspec(noreturn) __declspec(naked) void Ordinal_1(){}
    // you need a function for the ordinal 1 right? (:

    int __stdcall DllMain(HINSTANCE me, unsigned long res, void*) // BOOL DllMain(HINSTANCE,DWORD,PVOID)
    {
        if (res == 1) // DLL_PROCESS_ATTACH
        {
            s_Dll = me; // store dll instance
            DTMan::getInstance()->getHookingTree()->HookTree(); // hook registered functions
        }
        else if (res == 0) // DLL_PROCESS_DETACH
        {
            DTMan::getInstance()->getHookingTree()->Undo(); // undo the last hook steps
        }
        return 1; // return TRUE;
    }

    Comment by Ryouku — July 14, 2009 @ 7:32 pm

  7. How do I get to detours.cpp on Vista???

    Stupid Vista…

    Comment by Julian Moretti — May 25, 2010 @ 2:23 am

    • Don’t blame Vista for your lack of understanding. Stupid you is more like it.

      Comment by Anonymous — August 9, 2010 @ 3:51 am

  8. Alternatively, if you don't want to make changes to the Detours sources, you can simply add the following code to your own code:

    HMODULE WINAPI Detoured()
    {
        return 0;
    }

    This way you'll provide the symbol that the linker expects when linking with detours.lib.

    Comment by Andrey — August 17, 2010 @ 12:51 pm

  9. I’ve been fighting to get Detours 2.1 to work at all for the past day – this tip cleared my problems up completely. Thanks!

    Comment by Ryan — January 23, 2011 @ 7:24 pm

  10. Wow, thanks man... this is nice for a beginner like me.

    Comment by Anonymous — July 24, 2012 @ 9:15 am
