I have some quick questions about the Microsoft Detours library. I used it before (successfully), but I just thought about this function:
LONG DetourUpdateThread (HANDLE hThread);
I read elsewhere that this function will actually pause the thread until the transaction completes. This seems odd, since most code examples do this:
DetourUpdateThread (GetCurrentThread ());
In any case, this function apparently “enlists” the threads, so that when a transaction is completed (and a detour occurs), their instruction pointers are changed if they lie “inside the rewritten code either in the target function or in the trampoline function.”
My questions:
When the transaction completes, won't the current thread's instruction pointer be inside DetourTransactionCommit? If so, why should we worry about updating it?
Also, if updated threads are paused, how can the current thread continue executing (given that most code samples call DetourUpdateThread (GetCurrentThread ());)?
Finally, can you pause all threads in the current process, avoiding race conditions (given that threads can be created and destroyed at any time)? Perhaps this happens when a transaction begins? That would allow threads to be listed more safely (since it seems less likely that new threads could be created), although what about CreateRemoteThread ()?
Thanks,
Floor
For reference, here is an excerpt from a simple example:
#include <windows.h>
#include <detours.h>

// Pointer to the real Sleep; DetourAttach rewrites it to point at the trampoline.
static VOID (WINAPI *TrueSleep)(DWORD dwMilliseconds) = Sleep;

// The detour: receives the hooked calls and forwards them to the original Sleep.
VOID WINAPI TimedSleep(DWORD dwMilliseconds)
{
    TrueSleep(dwMilliseconds);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)
{
    if (dwReason == DLL_PROCESS_ATTACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueSleep, TimedSleep);
        DetourTransactionCommit();
    }
    else if (dwReason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueSleep, TimedSleep);
        DetourTransactionCommit();
    }
    return TRUE;
}
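The third question above, enlisting every thread in the process rather than just the calling one, is the part practitioners most often get wrong, so here is an added example of one way to do it. It is not code from the original post or from the Detours project; it assumes the Toolhelp snapshot API (CreateToolhelp32Snapshot / Thread32First / Thread32Next), OpenThread with the rights Detours needs to suspend a thread and read and write its context, and the Detours calls already used above plus DetourTransactionAbort. The names enlist_all_threads, toolhelp_snapshot and attach_with_all_threads are this example's own. Because DetourUpdateThread pauses each thread it is given, a thread that is already enlisted cannot spawn new threads, so the loop simply re-snapshots until a round finds nothing new; the loop itself is platform-neutral so it can be exercised anywhere, while the Toolhelp/Detours glue compiles only under _WIN32.

```cpp
// Added example, not code from the original post or from the Detours project:
// enlist every thread of the current process in a Detours transaction, taking
// repeated Toolhelp snapshots until no new thread appears.
#include <algorithm>
#include <cstdint>
#include <functional>
#include <vector>

using SnapshotFn = std::function<std::vector<uint32_t>()>; // thread IDs right now
using EnlistFn   = std::function<bool(uint32_t)>;          // enlist one TID; false on failure

struct EnlistResult {
    std::vector<uint32_t> enlisted;   // suspended and registered with the transaction
    std::vector<uint32_t> unenlisted; // alive in the final snapshot but not enlisted
    bool converged = false;           // false if max_rounds ran out
};

// Enlisted threads are suspended, so they cannot create further threads; once a
// snapshot contributes nothing new the set is stable. The calling thread is
// identified by ID and never enlisted: suspending ourselves would deadlock.
EnlistResult enlist_all_threads(const SnapshotFn &snapshot, const EnlistFn &enlist,
                                uint32_t self_tid, int max_rounds = 8) {
    EnlistResult r;
    for (int round = 0; round < max_rounds; ++round) {
        std::vector<uint32_t> missing;
        bool added = false;
        for (uint32_t tid : snapshot()) {
            if (tid == self_tid) continue;
            if (std::find(r.enlisted.begin(), r.enlisted.end(), tid) != r.enlisted.end()) continue;
            if (enlist(tid)) { r.enlisted.push_back(tid); added = true; }
            else missing.push_back(tid); // may just have exited; re-checked next round
        }
        if (!added) {
            r.unenlisted = missing; // anything still here is a live thread we could not enlist
            r.converged = true;
            return r;
        }
    }
    return r; // converged stays false: threads kept appearing (e.g. via CreateRemoteThread)
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#include <detours.h>

// Thread IDs belonging to this process, from a Toolhelp snapshot.
static std::vector<uint32_t> toolhelp_snapshot() {
    std::vector<uint32_t> tids;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE) return tids;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    DWORD pid = GetCurrentProcessId();
    if (Thread32First(snap, &te)) {
        do {
            if (te.th32OwnerProcessID == pid) tids.push_back(te.th32ThreadID);
        } while (Thread32Next(snap, &te));
    }
    CloseHandle(snap);
    return tids;
}

// Attach one detour with every other thread enlisted. The thread handles must
// stay open until DetourTransactionCommit() (or Abort) has resumed the threads.
static LONG attach_with_all_threads(PVOID *target, PVOID detour) {
    std::vector<HANDLE> handles;
    DetourTransactionBegin();
    EnlistFn enlist = [&handles](uint32_t tid) {
        HANDLE h = OpenThread(THREAD_SUSPEND_RESUME | THREAD_GET_CONTEXT | THREAD_SET_CONTEXT,
                              FALSE, tid);
        if (h == NULL) return false;                      // thread gone, or not openable
        if (DetourUpdateThread(h) != NO_ERROR) { CloseHandle(h); return false; }
        handles.push_back(h);
        return true;
    };
    EnlistResult r = enlist_all_threads(toolhelp_snapshot, enlist, GetCurrentThreadId());
    LONG err = ERROR_INVALID_OPERATION;
    if (r.converged && r.unenlisted.empty()) {
        DetourAttach(target, detour);
        err = DetourTransactionCommit();
    } else {
        DetourTransactionAbort(); // resumes every enlisted thread, rewrites nothing
    }
    for (HANDLE h : handles) CloseHandle(h);
    return err;
}
#endif
```

Two caveats. The loop only converges because enlisted threads are suspended; a thread injected from outside by CreateRemoteThread can still appear at any time, which is why the code gives up after max_rounds and aborts rather than committing with an unknown thread running. And the calling thread touches the process heap (vector growth, Toolhelp) while other threads are already suspended; if a suspended thread happens to hold the heap lock this deadlocks, a hazard shared with the transaction machinery itself and made worse when the whole thing runs under the loader lock inside DllMain, as the sample above does.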