Detours: Binary Interception of Win32 Functions
Galen Hunt and Doug Brubacher
Microsoft Research
One Microsoft Way
Redmond, WA 98052
detours@microsoft.com
http://research.microsoft.com/sn/detours
Note: This paper was first published by USENIX. The authors retain the copyright and permit non-commercial use, such as for education and research. It first appeared in Proceedings of the 3rd USENIX Windows NT Symposium, Seattle, WA, July 1999.
Abstract
The key to innovative system-level instrumentation research is making the interception of function calls simple, so that the functionality of existing operating systems and applications can be extended. With access to source code, new features or extensions can easily be inserted by rebuilding the operating system or application. However, in today's commercial development world, where systems are released only as binary code, researchers rarely have any way to obtain a program's source code.
Detours, the library we developed, intercepts arbitrary Win32 function calls on the x86 platform. Detours intercepts a Win32 function by rewriting the in-memory image of the target function. The Detours package also includes facilities for attaching arbitrary DLLs and data segments (called payloads) to any Win32 binary file.
Although earlier developers have rewritten binary code to add debugging and performance-measurement code to applications, Detours is, as far as we know, the first package on any platform (Translator's note: meaning the Windows platform) that preserves the target function as a subroutine that the interception function can call. Our unique trampoline design is the key to extending existing binary software.
We describe our experience using Detours to automatically generate distributed applications, to analyze the DCOM protocol stack, and to generate a thunking layer for a COM-based OS API. Micro-benchmarks demonstrate the efficiency of the Detours library.
1 Introduction
The key to innovative system-level instrumentation research is making function interception simple and practical, so that the functionality of existing operating systems and applications can be extended, regardless of whether that functionality lives in an application, in a library, or in a system dynamic link library. The most direct reasons for intercepting a function are to add functionality to it, to modify its return value, or to add extra code for debugging and performance measurement. With access to source code, new features or extensions can easily be inserted by rebuilding the operating system or application. However, in today's commercial development world, where systems are released only as binary code, researchers seldom have source code.
Detours is a library for intercepting arbitrary Win32 function calls on the x86 platform. Interception code can be loaded dynamically at run time. Detours replaces the first few instructions of the target function with an unconditional jump that transfers control to the interception function supplied by the user. The instructions removed from the target function are preserved in a function called the "trampoline" (Translator's note: the English word means a gymnastics trampoline), which consists of those original instructions followed by an unconditional branch to the remainder of the target function. The interception function can either replace the target function entirely or extend it by calling the target function as a subroutine through the trampoline.
Detours are inserted at execution time. The code of the in-memory function image is modified, not the file on disk, so interception of binary functions can be performed at a very fine granularity. For example, the functions of a DLL loaded by one application can be intercepted while the same DLL continues to execute normally in other applications (Translator's note: because the DLL binary on disk is not modified, interception in one process does not affect other process address spaces). Unlike DLL relinking or static redirection, the interception technique used by the Detours library guarantees that the target function is intercepted regardless of how the application or system code reaches it. Although others have rewritten binary code for debugging and for internal system instrumentation, Detours is, as far as we know, the first package on any platform that preserves the target code as a subroutine that can be invoked through the trampoline. Previous systems logically prepended code to the target function rather than calling the original target code as a normal subroutine. Our unique trampoline design is critical to extending the binary code of existing software.
In addition to the basic function-interception facility, Detours also provides functions for editing any DLL import table, for adding arbitrary data segments to existing binaries, and for injecting a DLL into a new or already running process. Once a DLL has been injected into a process, it can intercept any Win32 function, whether in the application or in a system library.
In the next section we describe how Detours works. Section 3 explains how to use the Detours library. Section 4 describes general techniques for writing interception functions and measures Detours with micro-benchmarks. Section 5 details how Detours was used to generate a distributed application from a local one, to quantify the cost of DCOM, to create a thunking layer for a new COM-based Win32 API, and to implement first-chance exception handling. Section 6 compares Detours with other systems, and Section 7 concludes.
2 Interception
Detours provides three important facilities: the ability to intercept arbitrary Win32 binary functions on x86 machines, the ability to edit binary import tables, and the ability to attach arbitrary data segments to binaries.
We describe each of these in turn.
2.1 Intercepting binary functions
The Detours library makes intercepting function calls easy, and the interception code is loaded dynamically at run time. Detours replaces the first few instructions of the target function with an unconditional jump that transfers control to the interception function supplied by the user. The instructions removed from the target function are preserved in a function called the "trampoline", which consists of those original instructions followed by an unconditional branch to the remainder of the target function.
When the target function is invoked, control passes directly to the user-supplied interception function. The interception function performs whatever preprocessing is appropriate. It can then return to the original caller, or it can call the trampoline function, which invokes the target function exactly as before. When the target function finishes, it returns control to the interception function, which performs the appropriate post-processing and returns control to the source (calling) function. Figure 1 shows the logical control flow of intercepted and un-intercepted function calls.
Figure 1. Intercepted and un-intercepted function calls.
The Detours library intercepts target functions by rewriting the binary image in the process. For each target function, Detours actually rewrites two functions: the target function and the trampoline function that matches it. The trampoline can be created either statically or dynamically. A statically created trampoline always invokes the target function without interception. Before the detour is inserted, the static trampoline holds a single jump to the target function. After the detour is inserted, the trampoline holds the initial instructions of the target function followed by a jump to the remainder of the target function. This is extremely useful to programmers writing interception code; for example, in Coign [7], calling Coign_CoCreateInstance is equivalent to calling the original CoCreateInstance directly, bypassing interception. Coign's internal functions can therefore create component objects at any time without considering whether interception has changed the execution of the original function.
Figure 2. Trampoline and target functions, before and after interception (from left to right).
Figure 2 shows the insertion of a detour, before and after. To intercept a target function, Detours first allocates memory for the dynamic trampoline (if no static trampoline was provided), then makes both the target and the trampoline function writable. Starting with the first instruction, Detours copies at least five bytes of instructions from the target function to the trampoline (five bytes are sufficient to hold an unconditional jump instruction). If the target function is shorter than five bytes, Detours aborts the operation and returns an error code. To copy instructions, Detours uses a simple table-driven disassembler. Detours appends a jump instruction to the end of the trampoline, so that after the trampoline's copied instructions execute, the program jumps to the remaining, un-copied portion of the target function. Detours then writes an unconditional jump to the interception function as the first instruction of the target function. Finally, Detours restores the original page permissions of the target and trampoline functions and flushes the CPU instruction cache with the FlushInstructionCache function.
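The trampoline construction just described, as an added example that is not Detours' own code: it copies whole instructions until at least five bytes are covered, appends the jump back to the remainder of the target, and fails (as Detours does) when the target is too short. It works on byte buffers with assumed 32-bit addresses rather than on live code, and its tiny instruction-length table is an assumption standing in for the paper's table-driven disassembler.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define JMP_LEN 5  /* x86 JMP rel32: E9 + 4-byte displacement */

/* Length of one x86-32 instruction for the few prologue opcodes this example
 * knows (an assumed stand-in for Detours' table: register-form ModR/M only,
 * no relative jumps/calls, which would need relocating when copied).
 * Returns 0 for unknown, unsupported or truncated encodings. */
static size_t insn_len(const uint8_t *p, size_t avail) {
    size_t n;
    if (avail == 0) return 0;
    switch (p[0]) {
    case 0x50: case 0x51: case 0x52: case 0x53:
    case 0x54: case 0x55: case 0x56: case 0x57:                 /* push r32 */
    case 0x90: n = 1; break;                                    /* nop */
    case 0x89: case 0x8B:                                       /* mov r32 <-> r32 */
        if (avail < 2 || (p[1] & 0xC0) != 0xC0) return 0;
        n = 2; break;
    case 0x83:                                                  /* add/sub r32, imm8 */
        if (avail < 2 || (p[1] & 0xC0) != 0xC0) return 0;
        n = 3; break;
    default: return 0;
    }
    return n <= avail ? n : 0;
}

/* Write JMP rel32 at address `from` targeting `to`. The displacement is
 * relative to the end of the 5-byte instruction (little-endian host assumed). */
void encode_jmp(uint8_t *out, uint32_t from, uint32_t to) {
    int32_t rel = (int32_t)(to - (from + JMP_LEN));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);
}

/* Build the trampoline: copy whole instructions from the target until at
 * least JMP_LEN bytes are covered, then append a jump to the first un-copied
 * target instruction. Returns the number of bytes copied, or 0 when the
 * target is too short or contains an instruction the table cannot measure. */
size_t build_trampoline(const uint8_t *target, size_t target_len, uint32_t target_addr,
                        uint8_t *tramp, uint32_t tramp_addr) {
    size_t copied = 0;
    while (copied < JMP_LEN) {
        size_t n = insn_len(target + copied, target_len - copied);
        if (n == 0) return 0;
        copied += n;
    }
    memcpy(tramp, target, copied);
    encode_jmp(tramp + copied, tramp_addr + (uint32_t)copied, target_addr + (uint32_t)copied);
    return copied;   /* caller then writes encode_jmp(target, target_addr, detour_addr) */
}
```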
2.2 Payloads and DLL import table editing
Although there are many ready-made tools for editing binaries [10, 12, 13, 17], most systems research does not require the extensive access to and modification of binaries that these cumbersome tools provide. Instead, what is usually needed is to add an extra DLL or data section to application and system binaries. To support function interception, the Detours library provides a facility called payloads, which can reversibly attach any data segment to a Win32 binary (Translator's note: it can be added and removed again) and edit DLL import tables.
Figure 3 shows the basic structure of a Win32 PE binary. The PE format used by Win32 binaries is an extension of COFF (the Common Object File Format). A Win32 binary contains a DOS-compatible file header, a PE header, a text section containing the program code, a data section holding initialized data, an import table listing the DLLs and functions it imports, an export table listing the functions it exports, and debug symbols. Apart from the two headers, every section of the file is optional and a binary need not contain it.
Figure 3. The structure of the Win32 PE executable.
To modify a Win32 binary, Detours creates a new .detours section between the export table and the debug symbols. Note that the debug symbols must always be at the end of a Win32 binary file. The new section holds a record with a copy of the original PE file header. If the import table is modified, Detours generates a new import table, appends it to the copy of the PE header, and then modifies the original PE header so that it points at the new import table. Finally, Detours writes the remaining information to the end of the .detours section and appends the debug information to the end of the file. Detours can restore a binary to the state it was in before modification, because it can reinstate the original PE header saved in the .detours section and then delete the .detours section. Figure 4 shows the format of a Win32 binary modified by Detours.
There are two reasons for generating a new import table. First, it preserves the original import table, so the programmer has no trouble recovering the binary as it was before modification. Second, the new import table can hold renamed import DLLs and functions, or new DLLs and functions. For example, Coign [7] uses Detours to insert the CoignRTE.dll library as an initialization entry for every program to be intercepted. As the first entry in the application's import table, CoignRTE.dll is always the first dynamic library to run in the application's address space (Translator's note: that is, its DllMain runs when the library is loaded).
Figure 4. The format of a binary file modified by Detours.
Detours provides functions for editing import tables, adding a payload, enumerating payloads, removing a payload, and re-binding a binary. Detours also provides functions for enumerating the binaries mapped into an address space and for enumerating the payloads within those mapped binaries. Each payload is identified by a globally unique identifier (GUID). Coign uses Detours to attach each application's configuration information to the application's own binary.
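As a defender-side illustration of the .detours section described above (an added example, not Detours' own code): a minimal PE section-table walk that reports whether an image carries a .detours section, together with a constructed, non-loadable PE image used only to exercise it offline. The PE field offsets follow the standard PE/COFF layout; the image builder and its section names are assumptions for testing.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return the 0-based index of the section whose 8-byte name matches `name`,
 * or -1 if the image is not a well-formed PE or has no such section.
 * Layout used: e_lfanew at 0x3C of the DOS header; at e_lfanew the "PE\0\0"
 * signature, then the 20-byte COFF header (NumberOfSections at +2,
 * SizeOfOptionalHeader at +16), the optional header, then 40-byte section
 * headers whose first 8 bytes are the name (not NUL-terminated when it is
 * exactly 8 characters long, as ".detours" is). */
int find_section(const uint8_t *img, size_t len, const char *name) {
    uint8_t want[8] = {0};
    size_t nlen = strlen(name);
    memcpy(want, name, nlen < 8 ? nlen : 8);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    size_t sec = (size_t)pe + 24 + optsz;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if (sec > len || len - sec < 40) return -1;   /* truncated section table */
        if (memcmp(img + sec, want, 8) == 0) return i;
    }
    return -1;
}

/* Build a constructed, minimal (non-loadable) PE image with the given section
 * names so the walk above can be exercised offline; returns its size, 0 on
 * error. The optional header is left empty (size 0), which the walk tolerates. */
size_t make_test_pe(uint8_t *out, size_t cap, const char *const *names, int n) {
    size_t size = 0x40 + 24 + 40 * (size_t)n;
    if (size > cap || n < 0 || n > 0xFF) return 0;
    memset(out, 0, size);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                          /* e_lfanew: PE header right after DOS header */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x40 + 6] = (uint8_t)n;                /* NumberOfSections */
    for (int i = 0; i < n; i++) {
        size_t l = strlen(names[i]);
        memcpy(out + 0x40 + 24 + 40 * (size_t)i, names[i], l < 8 ? l : 8);
    }
    return size;
}
```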
When interception code must be inserted into an application without modifying its binary files, Detours provides functions to inject a DLL into a new or already running process. To inject a DLL, Detours uses the VirtualAllocEx and WriteProcessMemory APIs to write code that calls LoadLibrary into the target process, and then uses CreateRemoteThread to make that call (Translator's note: the written code includes the LoadLibrary call, and the DLL's DllMain function executes while the DLL is being loaded).