3 How to use detours
The code snippet in Figure 5 describes how to use the DETOURS library. To use DETOURS, you must include DETOURS.H and link the DETOTOURS.LIB to the project.
Figure 5. Example of a intercept function.
The TRAMPOLINE function can be created dynamically or static. To intercept the target function using a static trampoline function, the DETOUR_TRAMPOLINE macro must be used when the application generates trampoline. DETOUR_TRAMPOLINE has two input parameters: TRAMPOLINE prototypes and names of the target function.
Note that for the correct intercept model, including the target function, the trampoline function, and the intercept function must be fully called form, including parameter format and call agreement. When copying the target function by the Trampoline function, the correct parameter is the responsibility of the intercept function. Since the target function is only an adjustable branch of the intercept function, this responsibility is almost a kind of behavior of the next consciousness.
Using the same call agreement ensures that the values in the register are saved correctly, and ensure that the call stack can be established and destroyed correctly when the intercept function calls the target function.
You can use the DetourFunctionWithtrampoline function to intercept the target function. This function has two parameters: TRAMPOLINE function and pointer to the intercept function. Because the target function has been added to the TRAMPOLINE function, all do not need to be specified in parameters.
We can use the DetourFunction function to create a dynamic trampoline function that includes two parameters: a pointer to the target function and a pointer to the intercept function. DetourFunction Assign a new Trampoline function and inserts the appropriate intercept code into the target function.
If the target function itself is a link symbol, the use of static trampoline functions will be very simple. If the target function cannot be visible when the link is linked, the dynamic trampoline function can be used. Other functions can usually be used to get pointers for target functions. At this time, when the target function is not easy to use, the DetourFindFunction function can find that function, regardless of the function exported in the DLL, or can be found through the debug symbol of the binary target function.
DetourFindFunction accepts two parameters: the name of the library and the name of the function. If the DetourFindFunction function finds the specified function, return the function of the function, otherwise a NULL pointer will be returned. DetourFindFunction will first use Win32 function loadLibrary and getProcAddress to locate functions, if the function does not find in the DLL export table, DetourFindFunction will use the ImageHLP library to search for effective debug symbols (translation: The debug symbol here refers to the debug symbol provided by Windows itself. Need to install separately, please refer to Windows user diagnostic support information). The function pointer returned by DETOURFINDFunction can be used to pass to DetourFunction to generate a dynamic trampoline function.
We can call DetourRemoveTrampoline to remove interception of a target function.
Note that because the function in DETOURS modifies the address space of the application, make sure that there is no other thread to execute when the intercept function or remove the intercept function, this is the programmer's responsibility. A simple method guarantees that this time is a single thread execution is to call functions in dllmain when loading a Detours library.
4 evaluation
There are some other techniques to intercept the function calls, including:
Replace the called function in the application by the source code: By modifying the source code of the application, replace the call to the intercept function will be replaced by modifying the source code of the application. The main drawbacks of this method are that it requires source code. Replace the called function in the binary file of the application: replace the call to the intercept function by modifying the application's binarn will replace the call to the intercept function. Although this technique does not require source code, this method needs to identify the call location that can be used, which requires the available symbol information in the binary, and the usual application does not provide this information.
DLL Redirection: If the target function resides in a dynamic library, you can redirect to a DLL to a intercept by modifying the import table of the binary file. The redirection process can be the original DLL in the object to be loaded before the application is loaded, or the function address [2] is replaced in the indirect import jump table after loading. Unfortunately, the method of redirecting to the intercept function in the application is useless for those DLL internal function calls, and those functions loaded with LoadLibrary and GetProcAddress.
Breakpoint traps: Unlike the replacement DLL, the target function can be captured by inserting a debug break point.
The intercept function can be debug interrupt handle call. The main drawbacks of this technology are that the breakpoint traps hang all the threads of the application. In addition, debug interrupt must be captured in another operating system process. Capture by breakpoint traps, has great sacrifices in efficiency during execution.
Table 1 lists the time spent in capturing an empty function and a CocreateInstance API. This small test is performed on a Pentium PRO machine of a main frequency 200MHz. List the time without using the interception cost, use call replacement, use DLL replacement, use the DETOURS library, or the time spent using the breakpoint trap. You can see that using the DETOURS library is just more than some of the other methods (than 400 nanoseconds than the fastest method).
Table 1. Capture technology is spent in time.
5 experience
In the past two years, the DETOURS library is widely used in Win32 applications and Windows NT operating systems research and feature extensions.
DETOTOURS was originally developed for CoIgn Automatic Distributed Partition System [7]. CoIGN converts a local desktop application from the COM component to a distributed client / server application. When system detection analysis is performed, CoIGN uses DETOURS to intercept the call to the COM instance function, for example: COCREATEINSTANCE function. The intercepter function calls the original library function through the trampoline function and then encapsulates an output interface pointer in an additional detection output layer (refer to [8]). This detection output layer determines how the application component is executed through the network. Thus, by distributed, a new CoIGN intercept function intercepts the call of the COM instance function and reassigns these calls with distributed mechanisms. In essence, CoIGN extends the COM library and supports flexible remote calls.
Although DCOM supports remote calls for some COM instance functions, CoIGN supports remote calls of approximately 50 COM functions through a roundabout extended (ie, intercept behavior). CoIGN attached a runtime loader to the binary code of the application using the DETOURS DLL redirect function, using a load function (PayLoad) to attach a system statistics section table to the binary code of the application.
Some colleagues also use DETOURS to detect the user mode part of the DCOM protocol stack, including Marshaling Proxies, DCOM runtime, RPC running, Winsock running, and Marshaling Stubs [11]. Analysis of the results is used to reconstruct the structure of the DCOM to generate a fast-faster user mode network. And they can use source code to generate a special version of DCOM to perform system detection analysis, on the computer detection and analysis, this source code-based detection can be used independently and is shared by all DCOM applications. By DETOURS-based binary detection method, system analysis tool can attach to any Windows NT 4 version of DCOM and only affect the detected process. In another functional extension test, DETOTOTOURS is used to generate a Thunking layer for COP (component-based operating system proxy server [14]). COP is a COM-based Win32 API version. Use the COP application through the COM interface, such as IWIN32FileHandle, to access the functionality provided by the operating system. Since the COP interface is published by DCOM, a COP application can use operating system resources over a network, including file systems, mouse, keyboard, displays, registry, and so on. In order to provide support for subroutines, COP uses intercept functions to capture all calls to Win32 API. The API call for the local application is converted to the call to the COP interface. At the bottom, COP uses the trampoline function to detect communication with the following operating system. COP does not need to make any modifications to the application's binary code. At the time of loading, the COP's DLL is injected into the address space of the application in the DETOURS injection function. Simple interception through DETOURS makes this cumbersome extension of Win32 APIs easier.
Finally, in order to support the Software Distributed Memory (SDSM) system, we construct a first opportunity exception (first-chance "filter for the Win32 structured exception handle. An API: SetunHandledExceptionFilter is included in the WiIn32 API, which can specify an exception filter for the application without any other exception filter handle. For applications such as SDSM, programmers always want to insert the first chance abnormal filter, which can be removed from the page error caused by SDSM's operation of the virtual memory (VM) page. Windows NT does not provide a mechanism for, for example, the first opportunity to filter. A simple interception can convert an exception entry point from kernel mode to user mode (KiuseRexceptionDispatcher). Only a few lines of code are used, and the intercept function calls a first chance of the user and handles this exception. If the exception is not processed, the default exception handler will be done through the trampoline function.
6 related work
DETOTOURS can expand ordinary code patch technology. In order to capture the execution process, an unconditional branch or jump is inserted to a certain point of the captured target function. The code of the target function covered by these jump instructions is moved to the code patch. The code patch includes our inserted detection code or a call to the detection code, which is the code that is moving with the target function that is transferred to unconditional branches and one to the target function is not modified. The jump of the instruction. Logically, a code patch can be designed to place the beginning of a function, inserted into any point in the function, or attached to the tail of the function.
Although the code patch will continue to perform the target code through a certain mechanism, our technology will handle the control over the intercept function, the latter can call the original target function when it may pass the TRAMPOLINE function. The TRAMPOLINE function allows the behavior of the system to perform full freedom, because by using the same call convention, the original target function has been called any time to call at any time. Code patch has existed when digital computers have known, and there is already [3-5, 9, 15]. Code patch is used to insert debug information and detection code. In distant past, the code patch is generally considered to be a more practical upgrade method, not the entire application recompiles again. In addition, for debugging and detection, DETOTOURS is also used to extend the functionality of existing systems [7, 14].
Although the most recent system is extended to parallel applications [1] and system kernel [16], the DETOURS is the only patch system that can make the target function as an adjustable subroutine. The intercepter function replaces the target function, but can call the target function through the trampoline function in any suitable place. Our unique trampoline design has become easily expanded to the existing binary code.
Recent studies have produced a class of rewriting tools for binary code, including Atom [13], ETCH [12], EL [10], and Morph [17]. In general, these tools use the binary code of the application and the script for one detection as input. The detection script passes some instructions, basic blocking, or functions that need to be inserted on binary. The output is a new binary code for detecting research. On earlier systems, DynInStapi [6] can dynamically modify the application.
DETOTOURS is the biggest benefit of these binary rewriting tools is its size. DETOTOURS does not exceed 18KB to the code added by the test package, and those overwriting tools are minimal. The size of DETOTOTOURS is very small, and the price is that it cannot join the code between the instructions and basic blockages. The overwriting tool can be inserted into the detection instruction between free register discovery, such as free register discovery. DETOTOURS depends on the value of the call to save the register. The rewriting tool supports the code before and after the basic instruction unit, and they do not support calling the target function that will not be rewritten as a subroutine.
7 conclusions
The DETOURS library provides a strong set of instruments for the system of researchers. The Detour function is fast, flexible, friendly. A interception of CoCreateInstance, the impact on the speed will not exceed 3%. Compared with the breakpoint trap, it is the advantage of speed. The library of DETOTOURS is small. The compiled running library does not exceed 40kB, although the additional code will not exceed 18KB for the user's detection program.
Unlike the DLL redirection, the DETOUR library supports the function call to capture static and dynamic binding. Finally, the DETOUR library is a DLL redirection, and there is a lot more flexibility compared to the direct modification of the application code. At the time of execution of each process, the interception of any function is optional.
Our unique trampoline design retains the original language and provides an undrewed part of the target function as a subroutine to the intercept function call. Using intercept functions and trampoline functions, you can easily produce a note-specific system extension without having to support source code and do not need to recompile binary files. DETOTOURS makes a new generation system study on the Windows NT platform.
References
[1] Aral, Ziya, Illya Gertner, and Greg Schaffer. Efficient Debugging Primitives for Multiprocessors. Proceedings of the Third International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 87-95. Boston, MA, April 1989. [ 2] Balzer, Robert and Neil Goldman. Mediating Connectors. Proceedings of the 19th IEEE International Conference On Distributed Computing Systems Workshop, PP. 73-77. Austin, TX, June 1999.
[3] DIGITAL Equipment Corporation. Ddt Reference Manual, 1972.
[4] Evans, Thomas G. And D. Lucille Darley. Debug - An Extension To Current Online Debugging Techniques. Communications of The ACM, 8 (5), PP. 321-326, May 1965.
[5] Gill, S. The Diagnosis of Mistakes in Program on The Edsac. Proceedings of the Royal Society, Series A, 206, PP. 538-554, May 1951.
[6] Hollingsworth, Jeffrey K. and Bryan Buck. Dyninstapi Programmer's Guide, Release 1.2. Computer Science Department, University of Maryland, College Park, MD, September 1998.
[7] Hunt, Galen C. and Michael L. Scott. The Coign Automatic Distributed Partitioning System. Proceedings of the Third Symposium on Operating System Design and Implementation (OSDI '99), pp. 187-200. New Orleans, LA, February 1999. Usenix.
[8] Hunt, Galen C. and Michael L. Scott. Intercepting and Instrumenting COM Applications. Proceedings of the Fifth Conference on Object-Oriented Technologies and Systems (COOTS'99), pp. 45-56. San Diego, CA, May 1999. Usenix.
[9] Kessler, Peter. Fast Breakpoints: Design and Implementation. Proceedings of the ACM Sigplan '90 Conference ON Programming Language Design and Implementation, PP. 78-84. White Plains, NY, June 1990.
[10] Larus, James R. and Eric Schnarr EEL:.... Machine-Independent Executable Editing Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pp 291-300 La Jolla, CA, June 1995. [11] LI, LI, ALESSANDRO Forin, Galen hunt, and yi-min wang. High-Performance Distributed Objects over A System Area Network. Proceedings of the Third Usenix Nt Symposium. Seattle, Wa, July 1999.
[12] Romer, Ted, Geoff Voelker, Dennis Lee, Alec Wolman, Wayne Wong, Hank Levy, Brian Bershad, and J. Bradley Chen. Instrumentation and Optimization of Win32 / Intel Executables Using Etch. Proceedings of the USENIX Windows NT Workshop 1997 , PP. 1-7. Seattle, Wa, August 1997. Usenix.
[13] Srivastava, Amitabh and Alan Eustace ATOM:.... A System for Building Customized Program Analysis Tools Proceedings of the SIGPLAN '94 Conference on Programming Language Design and Implementation, pp 196-205 Orlando, FL, June 1994.
[14] STETS, ROBERT J., GALEN C. Hunt, And Michael L. Scott. Component-based Operating System Apis: a Versioning and Distribute Resource Solution. IEEE Computer, 32 (7), July 1999.
[15] StockHAM, T. G. and J.B. Dennis. Flit - Flexowriter Interrogation Tape: a Symbolic Utility Program for the TX-0. Department of Electical Engineering, MIT, Cambridge, MA, MEMO 5001-23, JULY 1960.
[16] Tamches, Ariel and Barton P. Miller. Fine-Grained Dynamic Instrumentation of Commodity Operating System Kernels. Proceedings of the Third Symposium on Operating Systems Design and Implementation (OSDI '99), pp. 117-130. New Orleans, LA , February 1999. Usenix.
