
Detours: Binary Interception of Win32 Functions. Galen Hunt and Doug Brubacher, Systems and Networking Group. Third USENIX Windows NT Symposium, 13 July 1999. Presentation transcript.




Slide 1: Detours: Binary Interception of Win32 Functions
Galen Hunt and Doug Brubacher
Systems and Networking Group, Microsoft Research
One Microsoft Way, Redmond, WA 98052
detours@microsoft.com
http://research.microsoft.com/sn/detours

Slide 2: Problem
- You want to do compelling research! You have a great idea for some really compelling systems research!
- You want it to be relevant! You want to prove it on commercial systems with commercial applications!
- You don't have source code! (Or you don't want to use source code!)

Slide 3: Detours
- Is a library for instrumenting and intercepting function calls in Win32 binaries.
- Replaces the first instructions of a target function with a jmp to a detour function.
- Preserves original function semantics through a trampoline function.
- Enables interception and instrumentation of Win32 binary programs.

Slide 4: Outline
- Motivation & Introduction
- Implementation
- Demonstration
- Related Work
- Conclusions

Slide 5: Problem Rephrased
- How do you get your code into an application's address space?
- How do you get your code invoked?

Slide 6: How do you get your code into an application's address space?
- First: Place code into a DLL.
- Then do one of the following:
  - Link application with your DLL. Only works if you have .obj files.
  - Modify application .imports to include DLL. Detours includes routines for editing .imports.
  - Inject DLL into running process. Detours calls OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), and CreateRemoteThread().
  - Inject DLL into process at creation time. Detours calls CreateProcess() w/ CREATE_SUSPENDED.

Slide 7: Rewriting a Binary
[Figure: two PE image layouts. Before: COFF Header, .text, .data, .imports, .exports. After: COFF Header, .text, .data, .imports, .exports, plus a new .detour section holding a Detour Header, a new .imports table, and Payloads (one Payload shown).]
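The rewritten image on this slide is recognisable from its section table alone, which makes "does this binary carry a .detour section?" a cheap integrity check. The following is an added example, not code from the slides or from the Detours library: a bounds-checked PE section-table walker run over a constructed toy image (MZ and PE headers plus a section table, with no optional header and no section data). The section names are the slide's labels; real images name their import and export data differently, and the addresses and sizes written into the toy are placeholder values.

```c
/* Added example, not code from the slides or the Detours library: a PE section
   table walker, used here to answer "has this binary been rewritten with a
   .detour section?".  The image is a constructed toy (MZ/PE headers plus a
   section table, no optional header or section data); the section names are
   the slide's labels, and real images use other names for import/export data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define COFF_HDR_LEN 20
#define SECT_HDR_LEN 40

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Copy up to `max` 8-byte section names out of the image.  Returns the section
   count from the COFF header, or -1 if the headers are missing or truncated.
   Every offset is bounds-checked before use so a hostile file cannot read past `len`. */
int pe_sections(const uint8_t *img, size_t len, char names[][9], int max)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = rd32(img + 0x3C);                         /* e_lfanew */
    if (pe > len || len - pe < 4 + COFF_HDR_LEN || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = img + pe + 4;
    int nsec = rd16(coff + 2);                            /* NumberOfSections */
    size_t optsz = rd16(coff + 16);                       /* SizeOfOptionalHeader */
    size_t table = pe + 4 + COFF_HDR_LEN + optsz;
    if (table > len || (len - table) / SECT_HDR_LEN < (size_t)nsec) return -1;
    for (int i = 0; i < nsec && i < max; i++) {
        memcpy(names[i], img + table + (size_t)SECT_HDR_LEN * i, 8);
        names[i][8] = '\0';
    }
    return nsec;
}

/* 1 if a section with this name exists, 0 if not, -1 if the image is malformed. */
int pe_has_section(const uint8_t *img, size_t len, const char *name)
{
    char names[64][9];
    int n = pe_sections(img, len, names, 64);
    if (n < 0) return -1;
    for (int i = 0; i < n && i < 64; i++)
        if (strncmp(names[i], name, 8) == 0) return 1;
    return 0;
}

/* Build the constructed toy image: slide 7's "before" layout, plus .detour when asked. */
size_t build_sample_pe(uint8_t *buf, size_t cap, int with_detour)
{
    static const char *base[] = { ".text", ".data", ".imports", ".exports" };
    int n = 4 + (with_detour ? 1 : 0);
    size_t need = 0x40 + 4 + COFF_HDR_LEN + (size_t)SECT_HDR_LEN * n;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);                               /* e_lfanew: PE signature right after the DOS header */
    memcpy(buf + 0x40, "PE\0\0", 4);
    wr16(buf + 0x44, 0x014C);                             /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf + 0x46, (uint16_t)n);                        /* NumberOfSections */
    wr16(buf + 0x54, 0);                                  /* SizeOfOptionalHeader: none in this toy */
    for (int i = 0; i < n; i++) {
        uint8_t *sh = buf + 0x58 + SECT_HDR_LEN * i;
        const char *nm = (i < 4) ? base[i] : ".detour";
        memcpy(sh, nm, strlen(nm));                       /* Name: 8 bytes, zero padded */
        wr32(sh + 8, 0x1000);                             /* VirtualSize (placeholder) */
        wr32(sh + 12, 0x1000u * (uint32_t)(i + 1));       /* VirtualAddress (placeholder) */
    }
    return need;
}

/* Constructed checks: rewritten image (1), original image (0), truncated file (-1). */
int sample_check(int with_detour)
{
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, with_detour);
    return n ? pe_has_section(img, n, ".detour") : -1;
}

int sample_truncated(void)
{
    uint8_t img[512];
    size_t n = build_sample_pe(img, sizeof img, 1);
    return pe_has_section(img, n - SECT_HDR_LEN, ".detour");   /* last section header cut off */
}

int main(void)
{
    printf("rewritten image has .detour: %d\n", sample_check(1));
    printf("original image has .detour:  %d\n", sample_check(0));
    printf("truncated image:             %d\n", sample_truncated());
    return 0;
}
```

The walker trusts nothing in the file: e_lfanew, the section count and the optional-header size are all validated against the buffer length before any read, so a truncated or crafted header is reported as malformed (-1) rather than read out of bounds. Run over a real image, the same call answers whether the .detour section from the slide is present.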

Slide 8: How do you get your code invoked?
- Replace first instructions of target with a jump to the detour.
- Insert replaced instructions into trampoline.
- Trampolines can be allocated and initialized either statically or dynamically (see paper for dynamic).

Slide 9: Detouring a Function

Before:

    ;; Target Function
    Sleep:
        push ebp          [1 byte]
        mov  ebp, esp     [2 bytes]
        push ebx          [1 byte]
        push esi          [1 byte]
        push edi
        ....

    ;; Trampoline Function
    UntimedSleep:
        jmp Sleep

    ;; Detour Function
    TimedSleep:
        ....

After:

    ;; Target Function
    Sleep:
        jmp TimedSleep    [5 bytes]
        push edi
        ....

    ;; Trampoline Function
    UntimedSleep:
        push ebp
        mov  ebp, esp
        push ebx
        push esi
        jmp Sleep+5

    ;; Detour Function
    TimedSleep:
        ....
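Slides 8 and 9 hinge on one piece of byte arithmetic: the jmp written over the target is 5 bytes (E9 plus a 32-bit displacement measured from the end of the jmp), so whole instructions totalling at least 5 bytes must be moved into the trampoline, which then jumps back to the target just past the patch. The following is an added example, not code from the slides or the Detours library, that performs exactly that computation on a constructed copy of Sleep's prologue as listed above rather than on live code. The addresses are assumed sample values, the tiny length decoder covers only the prologue opcodes the slide shows, and it also exercises the failure case the slide does not: a function that ends (ret) within its first 5 bytes cannot be detoured this way.

```c
/* Added example, not code from the slides or from the Detours library: the byte
   arithmetic behind slide 9, run on a constructed copy of Sleep's prologue rather
   than on live code.  Addresses are assumed sample values; x86-32, E9 rel32 jmp. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 xx xx xx xx */

/* Length decoder for just the prologue opcodes the slide shows.  Anything else
   yields 0 ("unknown") and the caller refuses: copying part of an instruction
   into the trampoline would corrupt it. */
static size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if (op >= 0x50 && op <= 0x5F) return 1;                     /* push/pop r32 */
    if (op == 0x90 || op == 0xC3) return 1;                     /* nop, ret */
    if ((op == 0x89 || op == 0x8B) && avail >= 2 && (p[1] & 0xC0) == 0xC0)
        return 2;                                               /* mov r32, r32 */
    return 0;
}

/* rel32 of a jmp located at `from` that lands on `to`: relative to the jmp's end. */
uint32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return to - (from + JMP_REL32_LEN);   /* unsigned wrap encodes backward jumps */
}

static void emit_jmp(uint8_t *out, uint32_t from, uint32_t to)
{
    uint32_t rel = jmp_rel32(from, to);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));   /* little-endian */
}

/* Bytes of whole instructions that must move into the trampoline so a 5-byte
   jmp fits at the target's entry.  Returns 0 when the function cannot be
   detoured this way (undecodable opcode, or a ret within the first 5 bytes). */
size_t prologue_bytes_to_copy(const uint8_t *target, size_t avail)
{
    size_t n = 0;
    while (n < JMP_REL32_LEN) {
        if (n >= avail || target[n] == 0xC3) return 0;
        size_t len = insn_len(target + n, avail - n);
        if (len == 0) return 0;
        n += len;
    }
    return n;
}

/* Trampoline = displaced prologue + jmp target+n.  Returns its length, or 0. */
size_t build_trampoline(const uint8_t *target, size_t avail, uint32_t target_va,
                        uint8_t *tramp, size_t cap, uint32_t tramp_va)
{
    size_t n = prologue_bytes_to_copy(target, avail);
    if (n == 0 || n + JMP_REL32_LEN > cap) return 0;
    memcpy(tramp, target, n);
    emit_jmp(tramp + n, tramp_va + (uint32_t)n, target_va + (uint32_t)n);
    return n + JMP_REL32_LEN;
}

/* The 5 bytes written over the target's entry: jmp detour. */
void build_patch(uint8_t out[JMP_REL32_LEN], uint32_t target_va, uint32_t detour_va)
{
    emit_jmp(out, target_va, detour_va);
}

/* Constructed sample: Sleep's prologue exactly as slide 9 lists it
   (push ebp; mov ebp,esp; push ebx; push esi; push edi). */
static const uint8_t sample_sleep[] = { 0x55, 0x8B, 0xEC, 0x53, 0x56, 0x57 };
/* Constructed too-short function: push ebp; pop ebp; ret. */
static const uint8_t sample_tiny[]  = { 0x55, 0x5D, 0xC3 };
uint8_t sample_tramp[16];
uint8_t sample_patch[JMP_REL32_LEN];

/* Assumed sample addresses, not real load addresses. */
#define SAMPLE_TARGET_VA 0x77E40000u
#define SAMPLE_TRAMP_VA  0x10001000u
#define SAMPLE_DETOUR_VA 0x10002000u

size_t build_sample(void)
{
    build_patch(sample_patch, SAMPLE_TARGET_VA, SAMPLE_DETOUR_VA);
    return build_trampoline(sample_sleep, sizeof sample_sleep, SAMPLE_TARGET_VA,
                            sample_tramp, sizeof sample_tramp, SAMPLE_TRAMP_VA);
}

size_t tiny_bytes_to_copy(void)
{
    return prologue_bytes_to_copy(sample_tiny, sizeof sample_tiny);
}

int main(void)
{
    size_t n = build_sample();
    printf("trampoline (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", sample_tramp[i]);
    printf("\npatch at target:");
    for (int i = 0; i < JMP_REL32_LEN; i++) printf(" %02X", sample_patch[i]);
    printf("\ntiny function: %zu bytes to copy (0 = refuse)\n", tiny_bytes_to_copy());
    return 0;
}
```

With the slide's prologue the first four instructions come to exactly 5 bytes, so the trampoline is those 5 bytes followed by a jmp to Sleep+5, which is the "After" picture above. Two points the code makes explicit that the picture does not: displaced bytes must be copied on instruction boundaries (a real library needs a full-length decoder, not this toy one), and a function shorter than the patch has to be rejected rather than patched.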

Slide 10: Invoking Your Code

Before:
    1. Call:   Start -> Target
    2. Return: Target -> Start

After:
    1. Call:   Start -> Target
    2. Jump:   Target -> Detour
    3. Call:   Detour -> Trampoline
    4. Jump:   Trampoline -> Target
    5. Return: Target -> Detour
    6. Return: Detour -> Start

Slide 11: An Entire Example: SleptTicks

    #include <windows.h>
    #include <detours.h>

    LONG slept = 0;

    // Trampoline: holds Sleep's displaced prologue, then jumps into Sleep.
    __declspec(dllexport) DETOUR_TRAMPOLINE(VOID WINAPI UntimedSleep(DWORD), Sleep);

    // Detour: runs in place of Sleep and accounts for the time spent.
    __declspec(dllexport) VOID WINAPI TimedSleep(DWORD dwMilliseconds)
    {
        DWORD begin = GetTickCount();
        UntimedSleep(dwMilliseconds);                      // original Sleep via the trampoline
        InterlockedExchangeAdd(&slept, GetTickCount() - begin);
    }

    __declspec(dllexport) DWORD WINAPI GetSleptTicks()
    {
        return slept;
    }

    BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
    {
        if (reason == DLL_PROCESS_ATTACH)
            DetourFunctionWithTrampoline((PBYTE)UntimedSleep, (PBYTE)TimedSleep);
        if (reason == DLL_PROCESS_DETACH)
            DetourRemoveTrampoline((PBYTE)UntimedSleep);
        return TRUE;                                       // DllMain returns a BOOL; TRUE keeps the DLL loaded
    }

Slide 12: Micro-Benchmark Performance

    Interception Technique | Empty Function          | CoCreateInstance
                           | Time       Overhead     | Time        Overhead
    -----------------------+-------------------------+-------------------------
    Direct                 | 113 ns     n/a          | 14.8 µs     n/a
    Call Replacement       | 143 ns     30 ns        | 15.2 µs     360 ns
    DLL Redirection        | 143 ns     30 ns        | 15.2 µs     360 ns
    Detour                 | 145 ns     32 ns        | 15.2 µs     360 ns
    Breakpoint Trap        | 230k ns    229k ns      | 265.9 µs    265k ns

Overhead: 6 cycles for Empty Function; 71 cycles for CoCreateInstance (5 args.); 1 cache line.

Slide 13: Coign: ADPS using Detours
- Convert desktop applications into distributed applications from binary files.
  1. Find Objects in Application
  2. Identify Interfaces and Measure Communication
  3. Partition and Distribute

Slide 14: Coign: COM API Extension
[Figure: three layer diagrams. Unmodified: Application / COM APIs / Windows NT. Application Profiling: the Coign Profiling Runtime is interposed between the application and the COM APIs. Distributed Execution: the Coign Distributed Runtime is interposed between the application and the COM APIs.]

Slide 15: Coign Demo

Slide 16: Other Applications of Detours
- Detailed Analysis of DCOM (Millennium Falcon): intercept entry-points between DCOM layers.
- Distributed COM-based Win32 API (COP): intercept large subset of Win32 API.
- First-Chance Exception Filter: intercept KiUserExceptionDispatcher.
- Debugger support for non-standard loaders: intercept WaitForDebugEvent (DebugString event to LoadDll event).
- API Trace Facility.
- Test Harnesses.
- DLL Versioning: attach manifest payload to binaries.

Slide 17: Related Work
- Code Patching [Gill '51]
  - Age-old technique for modifying binaries.
  - Jump to patch, then either return or jump to target.
- Binary Rewriters [Atom '94, Etch '97, EEL '95]
  - Static binary rewriters.
  - Register allocation: for Detours the target, detour, and trampoline maintain the same call signature to ensure registers are automatically preserved by the compiler.
  - Fine granularity: instructions & basic blocks.
- DyninstAPI [Hollingsworth & Buck '98]
  - Dynamic binary rewriter.
- Mediating Connectors [Balzer & Goldman, 1999]
  - DLL Redirection.

Slide 18: Conclusions
- Detours provides a fast (<100 cycles), light (<18KB .lib), flexible library for instrumenting Win32 binaries.
- Trampolines preserve target semantics.
- Enables compelling systems research.
- Free for non-commercial & research use: http://research.microsoft.com/sn/detours

Future Work:
- Alpha and Windows 95/98 Ports

