
Download and Install Detours Professional 3.0 [FullVersion].rar: A Step-by-Step Tutorial



Detours Professional 3.0 [FullVersion].rar: What Is It and How to Use It?




Have you ever wanted to modify or extend the functionality of an existing Windows application or system without having access to its source code? Have you ever wondered how you can intercept or redirect any Win32 function call in any process on any Windows-compatible processor? If so, then you might be interested in learning more about Detours Professional 3.0, a powerful software package for re-routing Win32 APIs underneath applications.







Introduction




In this article, we will explain what Detours Professional 3.0 is, what its features and benefits are, and what some use cases and examples of using it look like. We will also show you how to download and install Detours Professional 3.0 from the .rar file, and how to use it to intercept Win32 functions, enumerate PE binary imports, and support 64-bit code and other Windows processors. We will also provide some tips and best practices for using Detours Professional 3.0, and answer some frequently asked questions about it. By the end of this article, you will have a better understanding of how Detours Professional 3.0 works and how you can use it to enhance your Windows applications and systems.


How to Download and Install Detours Professional 3.0 [FullVersion].rar?




Detours Professional 3.0 is a commercial software package that requires a license to use. You can purchase a license from the official website of Microsoft Research, where you can also find more information about the pricing and terms of use. Once you have purchased a license, you will receive an email with a download link for Detours Professional 3.0 [FullVersion].rar, which is a compressed archive file that contains the Detours Professional 3.0 software and documentation.


To download and install Detours Professional 3.0 from the .rar file, you will need a program that can extract .rar files, such as WinRAR or 7-Zip. You can download and install one of these programs from their respective websites, if you don't have one already. After you have installed a .rar extractor program, you can follow these steps to download and install Detours Professional 3.0:


  • Click on the download link in the email that you received from Microsoft Research, and save the Detours Professional 3.0 [FullVersion].rar file to your preferred location on your computer.

  • Right-click on the Detours Professional 3.0 [FullVersion].rar file, and select "Extract Here" or "Extract to Detours Professional 3.0 [FullVersion]" from the context menu, depending on your .rar extractor program.

  • A new folder named "Detours Professional 3.0 [FullVersion]" will be created in the same location as the .rar file, containing the extracted files of Detours Professional 3.0.

  • Open the folder "Detours Professional 3.0 [FullVersion]", and double-click on the file "setup.exe" to launch the installation wizard of Detours Professional 3.0.

  • Follow the instructions on the installation wizard to complete the installation process of Detours Professional 3.0. You will need to accept the license agreement, choose a destination folder, and select the components that you want to install.

  • After the installation is finished, you can find the Detours Professional 3.0 software and documentation in the destination folder that you chose during the installation.



To verify the installation and check the version of Detours Professional 3.0, you can open a command prompt window, navigate to the destination folder of Detours Professional 3.0, and type "detoured.dll /?" or "detoured64.dll /?" (depending on whether you are using a 32-bit or 64-bit processor). You should see a message that displays the version number and date of Detours Professional 3.0.


How to Use Detours Professional 3.0 to Intercept Win32 Functions?




One of the main features of Detours Professional 3.0 is that it allows you to intercept any Win32 function call in any process on any Windows-compatible processor, and redirect it to your own custom function. This way, you can modify or extend the functionality of an existing Windows application or system without having access to its source code.


To use Detours Professional 3.0 to intercept Win32 functions, you will need to create two types of functions: a detour function and a trampoline function. A detour function is your own custom function that replaces the original Win32 function that you want to intercept. A trampoline function is a helper function that allows you to call the original Win32 function from your detour function, if needed.


You will also need to create a payload DLL, which is a dynamic-link library that contains your detour function and trampoline function, as well as some code that uses the Detours API to attach and detach your payload DLL to a target binary (the executable file of the Windows application or system that you want to modify). A payload DLL can be written in any language that supports creating DLLs, such as C/C++, C#, or Visual Basic.


The following steps summarize how to use Detours Professional 3.0 to intercept Win32 functions:

  • Step 1. Create a detour function: Write a function that has the same signature and calling convention as the Win32 function that you want to intercept, and implement your own custom logic in it. You can use the Detours API to access the original Win32 function pointer, if needed.

  • Step 2. Create a trampoline function: Write a function that calls the original Win32 function using the Detours API, and returns its result. You can use this function from your detour function, if you want to preserve the original functionality of the Win32 function.

  • Step 3. Create a payload DLL: Write a DLL that contains your detour function and trampoline function, as well as some code that uses the Detours API to attach and detach your payload DLL to a target binary. You can use the DetourAttach() and DetourDetach() functions to do this.

  • Step 4. Compile and link your payload DLL: Use a compiler and linker that support creating DLLs, such as Visual Studio, to compile and link your payload DLL. You will need to link your payload DLL with the Detours library (detours.lib or detours64.lib), which is provided by Detours Professional 3.0.

  • Step 5. Run your target binary with your payload DLL: Use a tool that can inject your payload DLL into your target binary, such as the Detours utility (detours.exe or detours64.exe), which is also provided by Detours Professional 3.0. You can also use other tools, such as Process Explorer or Process Hacker, to inject your payload DLL into a running process.

  • Step 6. Enjoy the modified functionality of your target binary: Once your payload DLL is injected into your target binary, you will be able to see the effects of your detour function on the Win32 function that you intercepted. You can also use a debugger or a logger to monitor or modify the behavior of your detour function.


The following code snippets show an example of using Detours Professional 3.0 to intercept the MessageBoxW() function in Notepad.exe, and replace it with a custom message box that displays "Hello, World!" instead of the original text.


The detour function:


```cpp
// The detour function that replaces MessageBoxW(): same signature and calling convention
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
    // Call the original MessageBoxW() through the trampoline, substituting the text
    return TrampolineMessageBoxW(hWnd, L"Hello, World!", lpCaption, uType);
}
```


The trampoline function:


```cpp
// The trampoline: a function pointer that calls the original MessageBoxW()
static int (WINAPI *TrampolineMessageBoxW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) = NULL;

// Initialize the trampoline pointer to the real MessageBoxW() using the Detours API
// (this must happen before DetourAttach(), which rewrites the pointer to the trampoline)
TrampolineMessageBoxW = (int (WINAPI *)(HWND, LPCWSTR, LPCWSTR, UINT))
    DetourFindFunction("user32.dll", "MessageBoxW");
```


The payload DLL:


```cpp
// The payload DLL that contains the detour function and trampoline pointer
#include <windows.h>
#include <detours.h>

// Declare the detour function (defined in the detour snippet above) and the trampoline pointer
int WINAPI MyMessageBoxW(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
static int (WINAPI *TrampolineMessageBoxW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType) = NULL;

// The DllMain() function that attaches and detaches the payload DLL in Notepad.exe
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
    UNREFERENCED_PARAMETER(hinst);
    UNREFERENCED_PARAMETER(reserved);

    // Do nothing when loaded into a Detours helper process
    if (DetourIsHelperProcess()) {
        return TRUE;
    }

    if (dwReason == DLL_PROCESS_ATTACH) {
        // Attach the payload DLL to Notepad.exe using the Detours API
        DetourRestoreAfterWith();

        // The trampoline pointer must hold the real target before DetourAttach() runs;
        // attaching with a NULL target fails
        TrampolineMessageBoxW = (int (WINAPI *)(HWND, LPCWSTR, LPCWSTR, UINT))
            DetourFindFunction("user32.dll", "MessageBoxW");
        if (TrampolineMessageBoxW == NULL) {
            return FALSE;
        }

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        // Replace MessageBoxW() with MyMessageBoxW()
        DetourAttach(&(PVOID&)TrampolineMessageBoxW, MyMessageBoxW);
        if (DetourTransactionCommit() != NO_ERROR) {
            return FALSE;
        }
    }
    else if (dwReason == DLL_PROCESS_DETACH) {
        // Detach the payload DLL from Notepad.exe using the Detours API
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        // Restore MessageBoxW() to its original function
        DetourDetach(&(PVOID&)TrampolineMessageBoxW, MyMessageBoxW);
        DetourTransactionCommit();
    }
    return TRUE;
}
```


The command to run Notepad.exe with the payload DLL:


```
detours.exe /d:payload.dll notepad.exe
```


After running this command, you will see that whenever you try to save or exit Notepad.exe, a custom message box that displays "Hello, World!" will pop up instead of the original message box.


How to Use Detours Professional 3.0 to Enumerate PE Binary Imports?




Another feature of Detours Professional 3.0 is that it allows you to enumerate all the imported functions in a PE binary, which are the functions that are dynamically loaded from other DLLs at runtime. This can be useful for analyzing or modifying the dependencies and behavior of a PE binary.


To use Detours Professional 3.0 to enumerate PE binary imports, you will need to use the DetourEnumerateImports() function, which takes a handle to a PE binary and a callback function as parameters. The callback function will be invoked for each imported function in the PE binary, and will receive information such as the name, address, and module of the imported function.


You will also need to use two helper functions: DetourGetContainingModule() and DetourFindFunction(). The DetourGetContainingModule() function takes a pointer to a function and returns a handle to the module that contains that function. The DetourFindFunction() function takes a module name and a function name and returns a pointer to the function in that module.


The following code snippet shows an example of using Detours Professional 3.0 to enumerate all the imported functions in Notepad.exe, and print their names and modules:


```cpp
#include <windows.h>
#include <detours.h>
#include <stdio.h>

// The callback function that is invoked for each imported function in Notepad.exe
BOOL CALLBACK EnumerateImportsCallback(PVOID pContext, DWORD nOrdinal, LPCSTR pszName, PVOID pCode)
{
    UNREFERENCED_PARAMETER(pContext);

    // Detours also invokes the callback with a NULL function at the end of each module's imports
    if (pCode == NULL) {
        return TRUE;
    }

    // Get the handle to the module that contains the imported function, then its file name
    CHAR szModule[MAX_PATH] = "<unknown>";
    HMODULE hModule = DetourGetContainingModule(pCode);
    if (hModule != NULL) {
        GetModuleFileNameA(hModule, szModule, ARRAYSIZE(szModule));
    }

    // Print the module and the function name (or the ordinal, for imports without a name)
    if (pszName != NULL) {
        printf("%s: %s\n", szModule, pszName);
    } else {
        printf("%s: #%lu\n", szModule, nOrdinal);
    }
    return TRUE;
}

// The main function that enumerates all the imported functions in Notepad.exe
int main()
{
    // Get the handle to Notepad.exe
    HMODULE hNotepad = LoadLibraryA("notepad.exe");
    if (hNotepad == NULL) {
        printf("LoadLibraryA failed: %lu\n", GetLastError());
        return 1;
    }

    // Enumerate all the imported functions using the callback function;
    // the per-file callback is not needed here, so it is NULL
    if (!DetourEnumerateImports(hNotepad, NULL, NULL, EnumerateImportsCallback)) {
        printf("DetourEnumerateImports failed: %lu\n", GetLastError());
    }

    // Free the handle to Notepad.exe
    FreeLibrary(hNotepad);
    return 0;
}
```


After compiling and running this code, you will see a list of all the imported functions in Notepad.exe and their modules, such as:


```
C:\Windows\System32\KERNEL32.DLL: GetStartupInfoW
C:\Windows\System32\KERNEL32.DLL: GetCommandLineW
C:\Windows\System32\KERNEL32.DLL: HeapAlloc
C:\Windows\System32\KERNEL32.DLL: HeapFree
C:\Windows\System32\KERNEL32.DLL: ExitProcess
...
C:\Windows\System32\USER32.DLL: LoadIconW
C:\Windows\System32\USER32.DLL: LoadCursorW
C:\Windows\System32\USER32.DLL: RegisterClassW
C:\Windows\System32\USER32.DLL: CreateWindowExW
C:\Windows\System32\USER32.DLL: ShowWindow
...
```
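As an added example (not code from this article and not part of Detours), the following Python script does offline what DetourEnumerateImports() does against a loaded module: it walks a PE file's import directory and reports each imported function with its module and the RVA of its IAT slot. It goes a little beyond the article's snippet by handling both PE32 and PE32+ images, imports by ordinal, and bound images whose OriginalFirstThunk is zero. Because no real binary can be assumed to be present, the script constructs a minimal PE32+ image of its own (build_sample_image, with made-up import entries for KERNEL32.dll and USER32.dll) and parses that; the function names enumerate_imports, list_imports and build_sample_image are my own, not Detours API names.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def _cstr(data, off):
    """Read a NUL-terminated ASCII string at file offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def enumerate_imports(data):
    """Yield (dll, hint_or_ordinal, name_or_None, iat_slot_rva) for every import thunk."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad NT signature")
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:                                   # 32-bit: 4-byte thunks
        dir_off, thunk_fmt, ordinal_flag = opt_off + 96, "<I", 1 << 31
    elif magic == PE32PLUS_MAGIC:                             # 64-bit: 8-byte thunks
        dir_off, thunk_fmt, ordinal_flag = opt_off + 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, dir_off - 4)[0] <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return                                                # NumberOfRvaAndSizes too small
    import_rva = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if import_rva == 0:
        return                                                # image has no imports
    sections = []
    for i in range(n_sections):
        _n, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    thunk_size = struct.calcsize(thunk_fmt)
    desc_off = _rva_to_offset(sections, import_rva)
    while True:                                               # one IMAGE_IMPORT_DESCRIPTOR per DLL
        ilt_rva, _ts, _fwd, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc_off)
        if ilt_rva == 0 and name_rva == 0 and iat_rva == 0:
            break                                             # all-zero terminator
        dll = _cstr(data, _rva_to_offset(sections, name_rva))
        lookup_off = _rva_to_offset(sections, ilt_rva or iat_rva)  # bound images may lack an ILT
        idx = 0
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, lookup_off + idx * thunk_size)[0]
            if thunk == 0:
                break
            slot_rva = iat_rva + idx * thunk_size             # where the loader writes the address
            if thunk & ordinal_flag:
                yield dll, thunk & 0xFFFF, None, slot_rva
            else:
                hint_off = _rva_to_offset(sections, thunk)
                yield dll, struct.unpack_from("<H", data, hint_off)[0], _cstr(data, hint_off + 2), slot_rva
            idx += 1
        desc_off += 20


def list_imports(data):
    """Format imports like the article's output: 'MODULE: name' (or '#ordinal')."""
    return [f"{dll}: {name if name else '#' + str(hint)}" for dll, hint, name, _ in enumerate_imports(data)]


def build_sample_image():
    """Build a CONSTRUCTED minimal PE32+ file with one .rdata section holding an import table."""
    sec_rva, sec_raw = 0x1000, 0x200
    imports = {"KERNEL32.dll": ["GetStartupInfoW", "HeapAlloc", 1234], "USER32.dll": ["MessageBoxW", "CreateWindowExW"]}
    body = bytearray()

    def put(blob, align=1):                                   # append to the section, return its RVA
        while len(body) % align:
            body.append(0)
        body.extend(blob)
        return sec_rva + len(body) - len(blob)

    desc_rva = put(bytes(20 * (len(imports) + 1)))           # descriptors first, patched below
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = put(dll.encode() + b"\0")
        thunks = [(1 << 63) | f if isinstance(f, int)         # import by ordinal
                  else put(struct.pack("<H", 0) + f.encode() + b"\0", align=2) for f in funcs]
        table = b"".join(struct.pack("<Q", t) for t in thunks) + bytes(8)
        ilt_rva, iat_rva = put(table, align=8), put(table, align=8)
        struct.pack_into("<IIIII", body, desc_rva - sec_rva + 20 * i, ilt_rva, 0, 0, name_rva, iat_rva)

    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    opt = bytearray(240)                                      # PE32+ optional header, 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x140000000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, desc_rva, 20 * (len(imports) + 1))
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, len(opt), 0x22)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec_hdr).ljust(sec_raw, b"\0")
    return bytes(headers + body)


if __name__ == "__main__":
    for line in list_imports(build_sample_image()):
        print(line)
```

Running the script prints the constructed image's imports in the same "module: function" shape as the article's listing. The IAT slot RVA returned with each entry is the defensively interesting part: in a live process that slot should hold the address of the named export of the named module, so a slot that points anywhere else (another module, a heap allocation, an unnamed region) is the classic signature of an IAT hook and is worth alerting on.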


How to Use Detours Professional 3.0 to Support 64-bit Code and Other Windows Processors?




A third feature of Detours Professional 3.0 is that it supports detouring functions in 64-bit code and other Windows processors, such as IA64 and ARM. This means that you can use Detours Professional 3.0 to modify or extend any Windows application or system that runs on any Windows-compatible processor.


To use Detours Professional 3.0 to support 64-bit code and other Windows processors, you will need to compile and link your payload DLL and your target binary for the same processor architecture. You will also need to use the appropriate version of the Detours library and utility for your processor architecture. For example, if you are using a 64-bit processor, you will need to use detours64.lib and detours64.exe, instead of detours.lib and detours.exe.


You will also need to follow some additional rules and guidelines when detouring functions in 64-bit code and other Windows processors, such as:


  • You cannot detour functions that are less than 12 bytes long in 64-bit code, or less than 16 bytes long in IA64 code.

  • You cannot detour functions that use the fastcall calling convention in 64-bit code, or the __thiscall calling convention in IA64 code.

  • You cannot detour functions that are exported by ordinal only, or that have no name in the PE binary.

  • You cannot detour functions that are located in a read-only or execute-only section of the PE binary.

  • You cannot detour functions that are located in a system DLL that is protected by Windows Resource Protection (WRP), such as kernel32.dll or user32.dll.



You will also need to handle some compatibility issues with managed-code (MSIL) programs on x64 processors, such as:


  • You cannot detour functions that are implemented in managed code, or that call managed code.

  • You cannot detour functions that are called by managed code, unless you use the /clr compiler option to compile your payload DLL.

  • You cannot detour functions that are located in a mixed-mode DLL, which contains both native and managed code.



The following steps summarize how to use Detours Professional 3.0 to support 64-bit code and other Windows processors:

  • Step 1. Choose a processor architecture: Decide which processor architecture you want to target, such as x64, IA64, or ARM. Make sure that your target binary and your payload DLL are compiled and linked for the same processor architecture.

  • Step 2. Use the appropriate version of Detours: Use the version of the Detours library and utility that matches your processor architecture. For example, use detours64.lib and detours64.exe for x64 processors, or detoursia64.lib and detoursia64.exe for IA64 processors.

  • Step 3. Follow the rules and guidelines for detouring functions: Follow the rules and guidelines for detouring functions in 64-bit code and other Windows processors, such as avoiding functions that are too short, use unsupported calling conventions, have no name, or are located in protected sections or DLLs.

  • Step 4. Handle compatibility issues with managed-code programs: Handle compatibility issues with managed-code (MSIL) programs on x64 processors, such as avoiding functions that are implemented in or call managed code, or are located in mixed-mode DLLs. Use the /clr compiler option to compile your payload DLL if you want to detour functions that are called by managed code.

  • Step 5. Run your target binary with your payload DLL: Use a tool that can inject your payload DLL into your target binary, such as the Detours utility or another injector tool. Enjoy the modified functionality of your target binary on any Windows-compatible processor.


Conclusion




In this article, we have introduced Detours Professional 3.0 [FullVersion].rar, a powerful software package for re-routing Win32 APIs underneath applications. We have explained what Detours Professional 3.0 is, what its features and benefits are, and what some use cases and examples of using it look like. We have also shown you how to download and install Detours Professional 3.0 from the .rar file, and how to use it to intercept Win32 functions, enumerate PE binary imports, and support 64-bit code and other Windows processors. We hope that you have found this article informative and useful, and that you have learned how to use Detours Professional 3.0 to enhance your Windows applications and systems.


Here are some tips and best practices for using Detours Professional 3.0:



  • Always back up your target binary before injecting your payload DLL into it, in case something goes wrong or you want to restore the original functionality.

  • Always test your payload DLL on a non-critical system or process before deploying it on a production system or process, to avoid causing any damage or instability.

  • Always check the return values of the Detours API functions, such as DetourTransactionBegin(), DetourAttach(), and DetourTransactionCommit(), to make sure that they succeed and do not return any errors.

  • Always use the DetourIsHelperProcess() function to check if your payload DLL is running in a helper process, such as the Detours utility or another injector tool, and avoid performing any unnecessary actions in that case.

  • Always use the DetourRestoreAfterWith() function to restore the original state of the target binary after injecting your payload DLL into it, to avoid leaving any traces or artifacts of the injection.



If you have any feedback or questions about Detours Professional 3.0, please feel free to contact us or leave a comment below. We would love to hear from you and help you with any issues or challenges that you might encounter when using Detours Professional 3.0.


FAQs




Here are some frequently asked questions about Detours Professional 3.0:



  • What is the difference between Detours Express and Detours Professional?



Detours Express is a free version of Detours that is available for non-commercial use only. Detours Express has some limitations and restrictions compared to Detours Professional, such as:


  • Detours Express only supports 32-bit x86 processors, while Detours Professional supports 64-bit x64, IA64, and ARM processors as well.



Detours Express only allows you to detour up t

