-
Notifications
You must be signed in to change notification settings - Fork 981
Samples
Brian Gianforcaro edited this page Mar 6, 2021
·
6 revisions
To build the sample applications, type nmake in the samples directory.
Note that you must build the setdll and syslog samples in order to use
many of the other sample programs.
Each of the sample directories has a test, which can be invoked by
typing nmake test, to demonstrate the usage of the sample. With very
few exceptions, all of the .exe programs also accept a /? command to
display a usage message.
The trace samples log their output through the
syelogd.exe daemon and hook CreateProcessW to load
themselves into any child processes. For example, typing
withdll -d:traceapi.dll cmd.exe will create a command shell under
which all processes log their API calls through traceapi.dll.
| Name | Description |
|---|---|
| Commem | Demonstrates how to detour a member function of a COM interface. |
| Cping | Detours multiple functions in the DCOM/RPC stack to measure the overhead of sending DCOM messages. |
| Disas | Tests the Detours disassembler tables. |
| Dtest | Detours the Win32 Sleep function and a private function. |
| Dumpe | Dumps the list of all functions exported from a binary. |
| Dumpi | Dumps the list of all functions imported by a binary. |
| dynamic_alloc | Detours to a code that is crafted on a dynamically allocated region |
| Einst | Find payloads compiled into binary files. |
| Excep | Uses a first-chance exception filter to toggle VM permissions on a page. |
| FindFunc | Detours a function using DetourFindFunction to find the function using debug symbols. |
| Impmunge | Modifies all of the entries in a binary's imports table. |
| Member | Demonstrates how to detour a class member function. |
| Payload | Demonstrates various ways to use payloads to communicate information at runtime. |
| Region | Demonstrates how to change the region of memory off limits for trampolines. |
| Setdll | Adds a DLL to the import table of any binary (a .DLL or .EXE for example) |
| Simple | Modifies the Sleep API to record the number of ticks spent sleeping. |
| Slept | More elaborate version of the Simple sample. |
| Syelog | System event logging library and service. |
| Traceapi | Win32 API tracing sample. Detours and prints tracing statements for 1401 Win32 API functions. |
| Tracebld | Traces the file access patterns of a process and all of its children. |
| Tracelnk | Traces all calls to the Windows dynamic linking APIs. |
| Tracemem | Traces all calls to the Windows HeapAlloc API. |
| Tracereg | Traces activity through the registry APIs. |
| Traceser | Traces activity through the serial ports (com1 or com2). |
| Tracetcp | Traces activity through WinSock TCP APIs. |
| Tryman | Demonstration of using helper processes to hook both 32-bit and 64-bit target processes. |
| Withdll | Demonstrates how to load a detour DLL into a new process without modifying the target application. |