Kernel transaction manager: This manages transactions within the kernel, which is a core part of the operating system. It's not used for instrumenting applications.
Services: Services are background processes that run on the operating system. While some malware might interact with services, Detours is a specific library used for code injection.
Dynamic-link: Dynamic linking refers to the concept of loading libraries at runtime. Detours leverages this concept to inject code.
Detours: A Code Injection Library
Developed by Microsoft Research, Detours is a Windows library that provides a way to intercept and modify function calls within a running program.
Benefits for Developers: Originally, Detours was intended to simplify tasks like code instrumentation and debugging by allowing developers to hook into existing functions.
Malware Abuse: Unfortunately, malware authors have misused Detours to inject malicious code into legitimate processes. This can be done by:
Attaching DLLs: Malware can use Detours to load a malicious DLL into a target program. Once loaded, the code within that DLL runs inside the process whenever specific functions are called.
Adding Function Hooks: Detours can also be used to hook functions within a process. When a hooked function is called, the malware's code can be executed before or after the original function, allowing it to alter the program's behavior.
In conclusion, Detours is a legitimate library that has been misused by malware authors for code injection purposes.
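As an added example (not code from the original post), here is a small defender-side check in C that looks for the footprint such a hook leaves behind: Detours rewrites the first instructions of the hooked function with an unconditional jump to the detour, so an exported API whose prologue now begins with a JMP, especially one that points outside its own module, is a useful signal. The byte patterns, addresses and module ranges are constructed for the demo and assume x64 encoding; on a live system the bytes would come from reading the loaded module images in the process being examined.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Shape of the first instruction in a function prologue. */
enum { PROLOGUE_CLEAN = 0, PROLOGUE_JMP_REL32 = 1, PROLOGUE_JMP_INDIRECT = 2 };
typedef struct {
    int kind;        /* one of the PROLOGUE_* values above */
    uint64_t target; /* JMP_REL32: jump destination; JMP_INDIRECT: address of the pointer slot */
} prologue_check_t;

/* Classify a copy of the first bytes of the function at `addr` (x64 encoding assumed).
   Detours installs a hook by overwriting the target's prologue with a jump to the detour
   function, so an API export whose first instruction is an unconditional JMP deserves a look. */
prologue_check_t check_prologue(uint64_t addr, const uint8_t *code, size_t len)
{
    prologue_check_t r = { PROLOGUE_CLEAN, 0 };
    int32_t disp;
    if (len >= 5 && code[0] == 0xE9) {                           /* E9 rel32: jmp rel32 */
        memcpy(&disp, code + 1, 4);
        r.kind = PROLOGUE_JMP_REL32;
        r.target = addr + 5 + (int64_t)disp;                     /* relative to the next instruction */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) { /* FF 25 disp32: jmp [rip+disp32] */
        memcpy(&disp, code + 2, 4);
        r.kind = PROLOGUE_JMP_INDIRECT;
        r.target = addr + 6 + (int64_t)disp;                     /* slot holding the real destination */
    }
    return r;
}

/* A prologue jump that leaves the module owning the function is the classic footprint
   of an injected DLL hooking a system API; jumps that stay in-module may be benign. */
int jumps_out_of_module(prologue_check_t r, uint64_t mod_base, uint64_t mod_end)
{
    return r.kind != PROLOGUE_CLEAN && (r.target < mod_base || r.target >= mod_end);
}

/* Constructed sample prologues for the demo, not bytes captured from a real system. */
static const uint8_t CLEAN_STUB[]  = { 0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00 }; /* mov r10,rcx; mov eax,0x18 */
static const uint8_t HOOKED_STUB[] = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90, 0x90, 0x90 }; /* jmp +0x1000; nop padding */

int main(void)
{
    uint64_t fn = 0x7FF800001000ULL, base = 0x7FF800000000ULL, end = 0x7FF800001800ULL;
    prologue_check_t b = check_prologue(fn, HOOKED_STUB, sizeof HOOKED_STUB);
    printf("clean stub: kind=%d\n", check_prologue(fn, CLEAN_STUB, sizeof CLEAN_STUB).kind);
    printf("hooked stub: kind=%d target=0x%llx leaves module=%d\n",
           b.kind, (unsigned long long)b.target, jumps_out_of_module(b, base, end));
    return 0;
}
```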