Coffeehouse Thread

6 posts

Detouring Win32 Function Calls in PowerShell

  • JoshRoss

    I came across this earlier today. I didn't realize that hooking Win32 calls could be so simple.

    -Josh

  • Sven Groot

    It's only simple because you're using a library that hides the complexity. Smiley

  • evildictaitor

    It's worth pointing out that detouring functions is entirely unsupported in Win32. If you do it, Watson will automatically discard crash dumps that patch Microsoft libraries (because it can no longer tell if you crashed because you screwed up the internal Microsoft library state) and they won't make any attempt to ensure that your program continues to work past any given Windows Update or change of the OS.

    As soon as you begin detouring functions, you live entirely on your own.

  • JoshRoss

    I'm not sure why you would want to detour for legitimate reasons. Science? Anyways. I couldn't see someone using this in production; it seems more suited for a test environment.

    -Josh

  • JoshRoss

    Oh, it gets better.

    -Josh

  • evildictaitor

    JoshRoss wrote:

    I'm not sure why you would want to detour for legitimate reasons. Science? Anyways. I couldn't see someone using this in production; it seems more suited for a test environment.

    -Josh

    AppCompat is pretty much the only good reason.

    And even then, that's a good reason for Microsoft to do it. Not a good reason for you to do it.
