mach-detours/docs/overview.md
2025-10-04 00:20:05 +02:00

mach-detours Overview

mach-detours is a library for intercepting binary functions on arm64 machines. Detours is most commonly used to intercept system API calls within an application, such as to add debugging instrumentation. Interception code is applied dynamically at runtime. mach-detours replaces the first few instructions of the target function with an unconditional jump to the user-provided detour function. Instructions from the target function are placed in a trampoline. The address of the trampoline is placed in a target pointer. The detour function can either replace the target function or extend its semantics by invoking the target function as a subroutine through the target pointer to the trampoline.
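A minimal model of the mechanism described above, as an added example that is not mach-detours code: it encodes the arm64 `B` (unconditional branch) instruction and shows what the target's first word, the trampoline and the target pointer hold after a detour is attached. The addresses, the `model` struct, `attach`, and the single-instruction patch within ±128 MiB are assumptions made for illustration; the library replaces "the first few instructions" and its actual jump sequence is not shown here.

```c
#include <stdint.h>
#include <stdio.h>

/* Encode arm64 `B <to>` placed at `from`; 0 if misaligned or beyond +/-128 MiB. */
static uint32_t encode_b(uint64_t from, uint64_t to) {
    int64_t off = (int64_t)(to - from);
    if ((off & 3) || off < -(1LL << 27) || off >= (1LL << 27)) return 0;
    return 0x14000000u | (uint32_t)(((uint64_t)off >> 2) & 0x03FFFFFFu);
}

/* Destination of the B instruction `insn` at `pc`, or 0 if it is not a B. */
static uint64_t decode_b(uint64_t pc, uint32_t insn) {
    if ((insn & 0xFC000000u) != 0x14000000u) return 0;
    int64_t imm = (int64_t)(insn & 0x03FFFFFFu);
    if (imm & 0x02000000) imm -= 0x04000000;   /* sign-extend imm26 */
    return pc + (uint64_t)(imm * 4);
}

struct model {               /* every address and code word here is constructed */
    uint64_t target_addr, detour_addr, tramp_addr;
    uint32_t target[4];      /* target function body */
    uint32_t tramp[2];       /* displaced instruction + branch back */
    uint64_t target_ptr;     /* pointer the detour calls the original through */
};

static struct model sample_model(void) {
    /* stp x29,x30,[sp,#-16]! ; mov x29,sp ; ldp x29,x30,[sp],#16 ; ret */
    struct model m = { 0x100004000ULL, 0x100008000ULL, 0x100010000ULL,
        { 0xA9BF7BFDu, 0x910003FDu, 0xA8C17BFDu, 0xD65F03C0u },
        { 0, 0 }, 0x100004000ULL };  /* target_ptr assumed to start at target */
    return m;
}

/* Model of attaching with one displaced instruction (assumed not PC-relative). */
static int attach(struct model *m) {
    uint32_t jump = encode_b(m->target_addr, m->detour_addr);
    uint32_t back = encode_b(m->tramp_addr + 4, m->target_addr + 4);
    if (!jump || !back) return -1;             /* out of branch range */
    m->tramp[0] = m->target[0];                /* displaced instruction */
    m->tramp[1] = back;                        /* resume after the patch */
    m->target[0] = jump;                       /* entry now goes to the detour */
    m->target_ptr = m->tramp_addr;
    return 0;
}

int main(void) {
    struct model m = sample_model();
    if (attach(&m)) return 1;
    printf("entry -> %#llx\n", (unsigned long long)decode_b(m.target_addr, m.target[0]));
    return 0;
}
```

Decoding the first word of a function with `decode_b` and comparing the destination against the function's own image range is also how a patched entry point shows up when inspecting a process.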

Detours are inserted at execution time. The code of the target function is modified in memory, not on disk, thus enabling interception of binary functions at a very fine granularity. For example, the procedures in a shared library can be detoured in one execution of an application, while the original procedures are not detoured in another execution running at the same time. Unlike dyld interposing or symbol rebinding, the interception techniques used in the mach-detours library are guaranteed to work regardless of the method used by application or system code to locate the target function.

This technical overview of Detours is divided into two sections: