DetourRestoreAfterWith

Brian Gianforcaro edited this page Aug 22, 2020 · 9 revisions

Restores the contents of the in-memory import table after a process was started with DetourCreateProcessWithDllEx or DetourCreateProcessWithDlls.

Definition

BOOL DetourRestoreAfterWith(VOID);

Return value

Returns TRUE if the necessary payload was found and the restore succeeded; otherwise, returns FALSE.

Error codes

The function sets one of the following error codes if it was unable to find the necessary payload or restore the import table. The error code may be retrieved after the function has returned by calling GetLastError.

ERROR_MOD_NOT_FOUND : Could not find the necessary payload.

Remarks

The DetourCreateProcessWithDllEx API modifies the in-memory import table of the target PE binary program in the new process it creates. For correct application compatibility, the changes to the import table should be removed before the application runs. To remove these changes, DetourCreateProcessWithDllEx copies relevant reversal data into a payload in the target process using the DetourCopyPayloadToProcess API. When called in the target process, DetourRestoreAfterWith searches for the necessary payload and restores the contents of the import table.

For correct results, DetourRestoreAfterWith should be called in the PROCESS_ATTACH portion of the DllMain function of the DLL loaded into the target process.
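
The call described above, as an added example that is not taken from the Detours wiki or samples: a DllMain that calls DetourRestoreAfterWith first on process attach and acts on the documented return value and error code. The names RestoreStatus and ClassifyRestore, the debug messages, and the choice to refuse loading on an unexpected error are assumptions of this example; the non-Windows branch exists only so the classification can be compiled and tested off-target.

```cpp
#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#else
// Off-target build (assumption: used only to unit-test ClassifyRestore).
#define ERROR_MOD_NOT_FOUND 126L
#endif

enum RestoreStatus {
    RESTORE_OK,          // payload found, import table restored
    RESTORE_NO_PAYLOAD,  // ERROR_MOD_NOT_FOUND: no reversal payload present
    RESTORE_FAILED       // any other error: import table may still be modified
};

// Map the documented return value and error code to a status.
// Kept free of Windows types so it can be tested on any platform.
RestoreStatus ClassifyRestore(bool succeeded, unsigned long lastError)
{
    if (succeeded) return RESTORE_OK;
    if (lastError == ERROR_MOD_NOT_FOUND) return RESTORE_NO_PAYLOAD;
    return RESTORE_FAILED;
}

#ifdef _WIN32
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst; (void)reserved;
    if (reason != DLL_PROCESS_ATTACH) return TRUE;
    // Restore before doing any other work in this DLL, and read the
    // error code immediately so no later call overwrites it.
    BOOL ok = DetourRestoreAfterWith();
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();

    switch (ClassifyRestore(ok != FALSE, err)) {
    case RESTORE_OK:
        break;
    case RESTORE_NO_PAYLOAD:
        // Assumption: the DLL was loaded without DetourCreateProcessWithDllEx
        // or DetourCreateProcessWithDlls, so there is nothing to restore.
        OutputDebugStringA("detour dll: no restore payload found\n");
        break;
    case RESTORE_FAILED:
        // Policy choice of this example: do not run with an unknown table state.
        OutputDebugStringA("detour dll: import table restore failed\n");
        return FALSE;
    }
    return TRUE;
}
#endif
```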

Related Samples

FindFunc, Simple, Slept, Traceapi, Tracebld, Tracelnk, Tracemem, Tracereg, Traceser, Tracetcp, Tryman.
