# microsoft/detours

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/microsoft-detours).**

6,303 stars · 1,152 forks · C++ · MIT

## Links

- GitHub: https://github.com/microsoft/Detours
- awesome-repositories: https://awesome-repositories.com/repository/microsoft-detours.md

## Topics

`hacktoberfest` `microsoft`

## Description

Detours is a library for intercepting Win32 API calls and redirecting function calls at runtime on Windows, enabling binary-level instrumentation without requiring access to the original source code. It functions as an API hooking library and binary instrumentation toolkit, allowing developers to monitor or modify the behavior of compiled Windows binaries by hooking into their function execution paths.

The project achieves this through detour-based function interception, where the first few instructions of a target function are replaced with a jump to a user-supplied detour function, while preserving the original bytes for optional trampoline calls. It supports export table redirection to overwrite import address table entries, payload-based hook management for chaining multiple detours on a single function, and process injection via DLL to load interception code into running processes. The library also includes a runtime code cache for trampolines, thread-safe atomic patching to prevent race conditions, and trampoline call preservation to allow detours to call the original function behavior.

Detours provides capabilities for dynamic code modification, process instrumentation, and runtime function redirection, enabling the alteration of execution paths in running Windows software. It supports binary-level code interception and Windows API hooking for debugging, analysis, or extending existing APIs without modifying the original binaries on disk.

## Tags

### Operating Systems & Systems Programming

- [API Hooking Utilities](https://awesome-repositories.com/f/operating-systems-systems-programming/api-hooking-utilities.md) — Provides a library for hooking into Win32 API calls to monitor or modify function behavior at runtime.
- [DLL Injection Techniques](https://awesome-repositories.com/f/operating-systems-systems-programming/dll-injection-techniques.md) — Loads a user-specified DLL into a target process using CreateRemoteThread and LoadLibrary for detour installation.
- [Runtime Function Entry Patching](https://awesome-repositories.com/f/operating-systems-systems-programming/runtime-execution-modifications/runtime-function-entry-patching.md) — Alters execution paths of running Windows software by patching function entry points at runtime.
- [Dynamic Process Instrumentation](https://awesome-repositories.com/f/operating-systems-systems-programming/system-instrumentation-frameworks/android-instrumentation/dynamic-process-instrumentation.md) — Injects code into running Windows processes to observe or modify internal function calls for debugging or analysis.
- [Windows Process Instrumentations](https://awesome-repositories.com/f/operating-systems-systems-programming/system-instrumentation-frameworks/android-instrumentation/dynamic-process-instrumentation/windows-process-instrumentations.md) — Injects interception code into running Windows processes to observe or alter their API usage dynamically.
- [Atomic Function Patching](https://awesome-repositories.com/f/operating-systems-systems-programming/atomic-thread-synchronization/atomic-function-patching.md) — Uses interlocked operations to atomically replace function entry points, preventing race conditions during hook installation.
- [Trampoline Call Preservations](https://awesome-repositories.com/f/operating-systems-systems-programming/binary-instruction-patching/trampoline-based-hook-engines/trampoline-call-preservations.md) — Generates trampoline functions that re-execute overwritten instructions and jump to the original function.
- [Trampoline Code Caches](https://awesome-repositories.com/f/operating-systems-systems-programming/binary-instruction-patching/trampoline-based-hook-engines/trampoline-code-caches.md) — Allocates executable memory pages near target functions to store trampoline code within 32-bit displacement limits.

### Artificial Intelligence & ML

- [WebAssembly Function Callings](https://awesome-repositories.com/f/artificial-intelligence-ml/function-calling-interfaces/webassembly-function-callings.md) — Routes calls from one function to a custom replacement, enabling instrumentation or extension of existing APIs.

### Graphics & Multimedia

- [Windows API Hooking Engines](https://awesome-repositories.com/f/graphics-multimedia/graphics-engines-rendering/rendering/graphics-apis-bindings/graphics-rendering-apis/windows-api-hooking-engines.md) — Intercepts and modifies Win32 API calls at runtime to monitor or alter application behavior without changing binaries.

### Programming Languages & Runtimes

- [Binary Instrumentation](https://awesome-repositories.com/f/programming-languages-runtimes/binary-instrumentation.md) — Provides source-code tools for monitoring and instrumenting API calls on Windows systems.
- [Instruction Rewriting](https://awesome-repositories.com/f/programming-languages-runtimes/instruction-rewriting.md) — Directly modifies machine code of running processes, requiring precise x86/x64 instruction decoding and alignment.
- [Function Redirection](https://awesome-repositories.com/f/programming-languages-runtimes/language-interoperability/native-c-interoperability/c-function-bindings/function-redirection.md) — Routes calls from original functions to custom replacements, enabling instrumentation or extension of existing APIs. ([source](https://cdn.jsdelivr.net/gh/microsoft/detours@main/README.md))

### Software Engineering & Architecture

- [Binary-Level Interceptions](https://awesome-repositories.com/f/software-engineering-architecture/code-path-interception/binary-level-interceptions.md) — Hooks into compiled Windows binaries to intercept function execution without requiring source code access.
- [Detour-Based Interceptions](https://awesome-repositories.com/f/software-engineering-architecture/dynamic-function-interception/detour-based-interceptions.md) — Replaces function entry instructions with jumps to detour functions, preserving original bytes for trampoline calls.
- [Import Address Table Overwrites](https://awesome-repositories.com/f/software-engineering-architecture/reference-management/symbolic-reference-tracing/symbol-to-address-mapping/pe-export-table-resolvers/import-address-table-overwrites.md) — Overwrites import address table entries to redirect calls to detour functions without modifying original DLLs.

### System Administration & Monitoring

- [DLL-Based Process Attachments](https://awesome-repositories.com/f/system-administration-monitoring/process-attachment-tools/dll-based-process-attachments.md) — Injects interception code into running Windows processes to observe or alter their API usage dynamically. ([source](https://cdn.jsdelivr.net/gh/microsoft/detours@main/README.md))

### User Interface & Experience

- [API Interception Hooks](https://awesome-repositories.com/f/user-interface-experience/font-rasterizers/api-interception-hooks.md) — Provides a library for hooking into Win32 API calls to monitor or modify their behavior at runtime. ([source](https://cdn.jsdelivr.net/gh/microsoft/detours@main/README.md))

### Part of an Awesome List

- [Chained Hook Payloads](https://awesome-repositories.com/f/awesome-lists/security/payload-management/chained-hook-payloads.md) — Manages multiple detours on a single function through a linked list of payloads for chained interception.
- [Development Libraries](https://awesome-repositories.com/f/awesome-lists/devtools/development-libraries.md) — Library for monitoring and instrumenting Windows API calls.
