DLL hooking and Microsoft Detours

A short how-to guide on setting up and using Microsoft Detours.
The initial plan was to build a DLL injection module that would hook CreateFile or LoadLibrary to find phantom DLLs. (A phantom DLL is one that does not exist on the Windows system, yet a process tries to load it anyway. This can lead to DLL sideloading if an attacker is able to create a file with the same name and path as the phantom DLL.) Although nothing came of it, I think it is worth writing up how I set up the environment and hooked the functions.
Nothing came of it because process injection only puts your DLL into the address space of the one process you inject into. DLLs that the target's own DLLs go on to load still land in that same address space, so the hook does see them (static imports resolved by the loader at startup are the exception, since they never pass through LoadLibrary), but any child process the target spawns starts without your DLL. There are ways to get the DLL into every process that is spawned, but that is too complicated for this project (it is essentially what an EDR does, using kernel-mode APCs (KAPCs) to inject its DLL into every newly created process). I wanted a simple and portable alternative to Procmon, but recursively injecting the DLL into every process proved too challenging, so I decided to abandon the project. Nonetheless, here is a quick introduction to hooking and Microsoft Detours.
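To make the original plan concrete, here is an added example (my code, not the post's) of what the phantom-DLL hook would look like with Detours: a DLL that detours LoadLibraryExW (the function LoadLibraryA/W funnel into in user mode), records every module name the process asks for, and, on detach, reports the names whose every load attempt failed with ERROR_MOD_NOT_FOUND. The bookkeeping is kept portable so it can be unit-tested off Windows; the Detours part is guarded by `_WIN32` and assumes the Detours headers and `detours.lib` are on the build path. Names such as `LoadTracker`, `g_tracker` and the sample module names in the usage below are my own inventions.

```cpp
// Added example, not from the original post. Builds as a DLL on Windows with
// Microsoft Detours; the LoadTracker part compiles and runs anywhere.
#include <cstddef>
#include <cstdint>
#include <cwctype>
#include <map>
#include <mutex>
#include <string>
#include <vector>

// Win32 error LoadLibrary reports when no file matches the name on the search path.
constexpr std::uint32_t kErrorModNotFound = 126; // ERROR_MOD_NOT_FOUND

struct LoadRecord {
    std::uint32_t attempts = 0;
    std::uint32_t failures = 0;
    std::uint32_t lastError = 0;
};

// Thread-safe tally of every LoadLibraryExW request observed in this process.
class LoadTracker {
public:
    void Record(const std::wstring& name, bool succeeded, std::uint32_t error) {
        std::lock_guard<std::mutex> lock(mu_);
        LoadRecord& r = records_[Normalize(name)];
        ++r.attempts;
        if (!succeeded) { ++r.failures; r.lastError = error; }
    }
    // Phantom: every attempt failed, and the last failure was "module not found".
    // Other errors (access denied, bad image) are not sideloading candidates.
    std::vector<std::wstring> Phantoms() const {
        std::lock_guard<std::mutex> lock(mu_);
        std::vector<std::wstring> out;
        for (const auto& kv : records_) {
            const LoadRecord& r = kv.second;
            if (r.failures == r.attempts && r.lastError == kErrorModNotFound)
                out.push_back(kv.first);
        }
        return out;
    }
    std::size_t Size() const {
        std::lock_guard<std::mutex> lock(mu_);
        return records_.size();
    }
private:
    // Module names are case-insensitive and the loader treats "foo" and
    // "foo.dll" as the same request, so normalise both before counting.
    static std::wstring Normalize(std::wstring s) {
        for (auto& c : s) c = static_cast<wchar_t>(std::towlower(c));
        const std::wstring suffix = L".dll";
        if (s.size() > suffix.size() &&
            s.compare(s.size() - suffix.size(), suffix.size(), suffix) == 0)
            s.erase(s.size() - suffix.size());
        return s;
    }
    mutable std::mutex mu_;
    std::map<std::wstring, LoadRecord> records_;
};

static LoadTracker g_tracker;

#ifdef _WIN32
#include <windows.h>
#include <detours.h>   // Microsoft Detours; link against detours.lib

// Starts as the real function; DetourAttach rewrites it to point at a trampoline.
static HMODULE (WINAPI *RealLoadLibraryExW)(LPCWSTR, HANDLE, DWORD) = LoadLibraryExW;

static HMODULE WINAPI HookedLoadLibraryExW(LPCWSTR name, HANDLE file, DWORD flags) {
    HMODULE h = RealLoadLibraryExW(name, file, flags);
    DWORD err = h ? 0 : GetLastError();
    g_tracker.Record(name ? name : L"", h != nullptr, err);
    SetLastError(err);   // do not disturb the error code the caller will read
    return h;
}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (DetourIsHelperProcess()) return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)RealLoadLibraryExW, HookedLoadLibraryExW);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)RealLoadLibraryExW, HookedLoadLibraryExW);
        DetourTransactionCommit();
        for (const std::wstring& p : g_tracker.Phantoms())
            OutputDebugStringW((L"[phantom-dll] " + p + L"\n").c_str());
    }
    return TRUE;
}
#endif
```

Two caveats worth keeping in mind. First, this only sees loads that go through LoadLibraryExW; imports resolved by the loader before DllMain runs, and code that calls ntdll's LdrLoadDll directly, bypass it, so LdrLoadDll is the deeper choke point if you need those. Second, as the post says, the hook lives in one process only: a child the target spawns starts clean, which is the limitation that killed the project.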

Hooking functions