# Detours

Detours is a library that lets you hook and instrument arbitrary Win32 functions by proxying them and rewriting the target function's code.

Detours works by using a jmp instruction to redirect code execution.

Detours has a whitepaper which goes into further detail.

![](/files/-MgRzPBduczg6WoPZsER)

This uses a trampoline function, which acts like a proxy and sets everything up properly.

![](/files/-MgRzWG3-K5C0XpLLqWN)

With hooking, we can look at the values the function uses, make it return a certain value, execute something else, etc.

## Example

To demonstrate, let's try hooking a simple message box function.

```cpp
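#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>

int main(void){
    // Pause until a key is entered, so the DLL can be injected first.
    getchar();
    // The L"..." literals assume a Unicode build (MessageBox -> MessageBoxW).
    MessageBox(NULL, L"Hello world!", L"detour", MB_OK);
    return 0;
}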
```

We will inject a DLL into the process that calls the message box. Our DLL will look like this:

```cpp
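#include <windows.h>   // include before detours.h, which relies on Windows types
#include <stdio.h>
#include <detours.h>

// Pointer to the real MessageBox. DetourAttach rewrites it to point at the
// trampoline, so calling through it still reaches the original function.
// The L"..." literal below assumes a Unicode build (MessageBox -> MessageBoxW).
static int (WINAPI* NativeMessageBox)(
    HWND    hWnd,
    LPCTSTR lpText,
    LPCTSTR lpCaption,
    UINT    uType
) = MessageBox;

// Replacement function: same signature, swaps the text, forwards the rest.
int WINAPI MyMessageBox(
    HWND    hWnd,
    LPCTSTR lpText,
    LPCTSTR lpCaption,
    UINT    uType) {

    return NativeMessageBox(hWnd, L"Hooked", lpCaption, uType);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved) {

    switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            // Install the hook inside a Detours transaction.
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourAttach(&(PVOID&)NativeMessageBox, MyMessageBox);
            DetourTransactionCommit();
            break;

        case DLL_THREAD_ATTACH:
            break;

        case DLL_THREAD_DETACH:
            break;

        case DLL_PROCESS_DETACH:
            // Remove the hook and restore the original code.
            DetourTransactionBegin();
            DetourUpdateThread(GetCurrentThread());
            DetourDetach(&(PVOID&)NativeMessageBox, MyMessageBox);
            DetourTransactionCommit();
            break;
    }

    return TRUE;
}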
```

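First, we make a pointer to the original MessageBox. Once the hook is attached, Detours updates this pointer to the trampoline, so calling through it still reaches the original function.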

```cpp
static int (WINAPI* NativeMessageBox)(
    HWND    hWnd,
    LPCTSTR lpText,
    LPCTSTR lpCaption,
    UINT    uType
) = MessageBox; 
```

Then, we create the "hooking function", which is the function that will replace the original message box.

```cpp
int WINAPI MyMessageBox(
	HWND    hWnd,
	LPCTSTR lpText,
	LPCTSTR lpCaption,
	UINT    uType) {
	
	return NativeMessageBox(hWnd, L"Hooked", lpCaption, uType);
} 
```

Then, when our DLL gets attached, we will begin hooking with this code.

```cpp
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)NativeMessageBox, MyMessageBox);
DetourTransactionCommit();
```

And when our DLL gets detached, we will unhook the code.

```cpp
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)NativeMessageBox, MyMessageBox);
DetourTransactionCommit();
```

For our injector, we can use a simple DLL injector or use Process Hacker to inject a DLL. Our next step is to inject our DLL into the target process that calls the MessageBox function, then resume execution by entering a key to get past getchar().

When injected, this DLL will change the message that the message box displays during execution.
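Because the redirect is a jmp written over the target's first bytes, it can be spotted by comparing a function's loaded entry bytes with the on-disk image and decoding any jump found there. The following is an added example, not code from the original page or from the Detours project; `decode_entry`, `entry_redirected` and the sample bytes are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

enum class Jump { None, Rel8, Rel32, RipIndirect };

struct Decoded {
    Jump kind;        // jmp encoding found at the first byte, if any
    uint64_t addr;    // destination; for RipIndirect, the slot that holds it
};

// Little-endian 32-bit read, independent of host byte order.
static int32_t rd32(const uint8_t* p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

// code: bytes copied from the function's entry point; va: address they came from.
Decoded decode_entry(const uint8_t* code, size_t len, uint64_t va) {
    if (len >= 5 && code[0] == 0xE9)                     // jmp rel32
        return { Jump::Rel32, va + 5 + (int64_t)rd32(code + 1) };
    if (len >= 2 && code[0] == 0xEB)                     // jmp rel8
        return { Jump::Rel8, va + 2 + (int64_t)(int8_t)code[1] };
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)  // jmp [rip+disp32], x64
        return { Jump::RipIndirect, va + 6 + (int64_t)rd32(code + 2) };
    return { Jump::None, 0 };
}

// Flags an entry point whose loaded bytes differ from the on-disk image and
// now begin with a jump, which is what an inline hook leaves behind.
bool entry_redirected(const uint8_t* mem, const uint8_t* disk, size_t len,
                      uint64_t va) {
    if (std::memcmp(mem, disk, len) == 0) return false;  // untouched
    return decode_entry(mem, len, va).kind != Jump::None;
}

// Constructed sample bytes, not taken from any real module.
static const uint64_t kEntryVa = 0x180001000ULL;
static const uint8_t kOnDisk[8]  = {0x48, 0x83, 0xEC, 0x38, 0x45, 0x33, 0xDB, 0x90};
static const uint8_t kPatched[8] = {0xE9, 0x00, 0xF0, 0xFF, 0xFF, 0x33, 0xDB, 0x90};
```

A resolved destination outside the module that owns the function is the usual next thing to check, since it shows which module the redirect lands in.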

