[TEST:OUTPUTDEBUGSTRINGHOOK] Add OutputDebugStringA stub hook demo

RatinCN · RatinCN · commit f3d7a178b3a5 · 2026-05-28T02:10:24.000+08:00
Add a manual demo that verifies SlimDetours hooks the kernelbase implementation reached through the kernel32!OutputDebugStringA stub. Document MSDetours as the expected failing engine because it hooks only the kernel32 stub.

Skip when kernel32!OutputDebugStringA is not the expected stub, keep detach cleanup best-effort so it does not mask the hook result, and run the demo in CI only on supported x64/ARM64 paths. Also tighten the jump decoder success annotation reported by code analysis.
diff --git a/.github/workflows/Build_Publish.yml b/.github/workflows/Build_Publish.yml
@@ -33,6 +33,10 @@ jobs:
       run: |
         .\Source\OutDir\${{matrix.platform}}\${{matrix.config}}\Demo.exe -Run
         .\Source\OutDir\${{matrix.platform}}\${{matrix.config}}\Demo.exe -Run DeadLock -Engine=SlimDetours
+    - name: Run OutputDebugStringHook Test [x64/ARM64]
+      if: ${{(matrix.os == 'windows-latest' && matrix.platform == 'x64') || (matrix.os == 'windows-11-arm' && matrix.platform == 'ARM64')}}
+      run: |
+        .\Source\OutDir\${{matrix.platform}}\${{matrix.config}}\Demo.exe -Run OutputDebugStringHook -Engine=SlimDetours
     - name: Build [NT5, x64/x86]
       if: ${{ matrix.platform == 'x64' || matrix.platform == 'x86' }}
       run: |
@@ -43,6 +47,10 @@ jobs:
       run: |
         .\Source\OutDir\${{matrix.platform}}\${{matrix.config}}\Demo.exe -Run
         .\Source\OutDir\${{matrix.platform}}\${{matrix.config}}\Demo.exe -Run DeadLock -Engine=SlimDetours
+    - name: Run OutputDebugStringHook Test [NT5, x64]
+      if: ${{ matrix.os == 'windows-latest' && matrix.platform == 'x64' }}
+      run: |
+        .\Source\OutDir\${{matrix.platform}}\${{matrix.config}}\Demo.exe -Run OutputDebugStringHook -Engine=SlimDetours
   Publish:
     if: ${{github.base_ref == '' && startsWith(github.event.head_commit.message, '[VERSION] ')}}
     needs: Build
@@ -76,10 +84,12 @@ jobs:
       run: |
         .\Source\OutDir\x64\Release\Demo.exe -Run
         .\Source\OutDir\x64\Release\Demo.exe -Run DeadLock -Engine=SlimDetours
+        .\Source\OutDir\x64\Release\Demo.exe -Run OutputDebugStringHook -Engine=SlimDetours
         .\Source\OutDir\x86\Release\Demo.exe -Run
         .\Source\OutDir\x86\Release\Demo.exe -Run DeadLock -Engine=SlimDetours
         .\Source\OutDir\x64\Debug\Demo.exe -Run
         .\Source\OutDir\x64\Debug\Demo.exe -Run DeadLock -Engine=SlimDetours
+        .\Source\OutDir\x64\Debug\Demo.exe -Run OutputDebugStringHook -Engine=SlimDetours
         .\Source\OutDir\x86\Debug\Demo.exe -Run
         .\Source\OutDir\x86\Debug\Demo.exe -Run DeadLock -Engine=SlimDetours
     - name: Create NuGet package
diff --git a/Source/Demo/Demo.vcxproj b/Source/Demo/Demo.vcxproj
@@ -195,6 +195,7 @@
     <ClCompile Include="DelayHook.c" />
     <ClCompile Include="Instruction.c" />
     <ClCompile Include="Main.c" />
+    <ClCompile Include="OutputDebugStringHook.c" />
     <ClCompile Include="TwiceSimpleHook.c" />
   </ItemGroup>
   <ItemGroup>
diff --git a/Source/Demo/Demo.vcxproj.filters b/Source/Demo/Demo.vcxproj.filters
@@ -7,6 +7,7 @@
     <ClCompile Include="TwiceSimpleHook.c" />
     <ClCompile Include="Instruction.c" />
     <ClCompile Include="COMHook.c" />
+    <ClCompile Include="OutputDebugStringHook.c" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Demo.h" />
diff --git a/Source/Demo/Main.c b/Source/Demo/Main.c
@@ -4,6 +4,7 @@
 
 /* Manual demos */
 TEST_DECL_FUNC(DeadLock);
+TEST_DECL_FUNC(OutputDebugStringHook);
 
 /* Auto tests */
 TEST_DECL_FUNC(COMHook);
@@ -15,6 +16,9 @@ TEST_DECL_FUNC(DelayHook);
 
 CONST UNITTEST_ENTRY UnitTestList[] = {
     TEST_DECL_MANUAL_ENTRY(DeadLock),
+#if defined(_AMD64_) || defined(_ARM64_)
+    TEST_DECL_MANUAL_ENTRY(OutputDebugStringHook),
+#endif
 
     TEST_DECL_ENTRY(COMHook),
     TEST_DECL_ENTRY(TwiceSimpleHook),
diff --git a/Source/Demo/OutputDebugStringHook.c b/Source/Demo/OutputDebugStringHook.c
@@ -0,0 +1,246 @@
+﻿/*
+ * This demo shows kernel32!OutputDebugStringA can be an architecture-specific stub before reaching
+ * the actual implementation in kernelbase.dll.
+ *
+ * Run "Demo.exe -Run OutputDebugStringHook -Engine=MSDetours" will fail this test,
+ *   because the original Microsoft Detours hooks only the kernel32 stub.
+ * Run "Demo.exe -Run OutputDebugStringHook -Engine=SlimDetours" will pass this test.
+ */
+
+#include "Demo.h"
+
+#if defined(_AMD64_) || defined(_ARM64_)
+
+typedef
+VOID
+WINAPI
+FN_OutputDebugStringA(
+    _In_opt_ LPCSTR lpOutputString);
+
+static FN_OutputDebugStringA* g_pfnOutputDebugStringA = NULL;
+static LONG volatile g_lOutputDebugStringACount = 0;
+static CONST UNICODE_STRING g_usKernel32 = RTL_CONSTANT_STRING(L"kernel32.dll");
+static CONST UNICODE_STRING g_usKernelBase = RTL_CONSTANT_STRING(L"kernelbase.dll");
+static ANSI_STRING g_asOutputDebugStringA = RTL_CONSTANT_STRING("OutputDebugStringA");
+
+static
+VOID
+WINAPI
+Hooked_OutputDebugStringA(
+    _In_opt_ LPCSTR lpOutputString)
+{
+    _InterlockedIncrement(&g_lOutputDebugStringACount);
+    g_pfnOutputDebugStringA(lpOutputString);
+}
+
+#if defined(_AMD64_)
+
+static
+_Success_(return != FALSE)
+BOOL
+DecodeKernel32OutputDebugStringAStub(
+    _In_ PBYTE pbCode,
+    _Out_ PVOID * ppTarget)
+{
+    if ((pbCode[0] & 0xf0) != 0x40 || pbCode[1] != 0xff || pbCode[2] != 0x25)
+    {
+        return FALSE;
+    }
+
+    *ppTarget = *(UNALIGNED PVOID*)(pbCode + 7 + *(UNALIGNED INT32*) & pbCode[3]);
+    return TRUE;
+}
+
+#elif defined(_ARM64_)
+
+static
+ULONG
+FetchArm64Opcode(
+    _In_ PBYTE pbCode)
+{
+    return *(UNALIGNED ULONG*)pbCode;
+}
+
+static
+INT64
+SignExtend(
+    _In_ UINT64 Value,
+    _In_ UINT Bits)
+{
+    UINT64 const Sign = 1ui64 << (Bits - 1);
+    return (INT64)((Value & Sign) ? (Value | (~0ui64 << Bits)) : Value);
+}
+
+static
+_Success_(return != FALSE)
+BOOL
+DecodeArm64ImportThunk(
+    _In_ PBYTE pbCode,
+    _Out_ PVOID * ppTarget)
+{
+    ULONG const Opcode = FetchArm64Opcode(pbCode);
+    ULONG const Opcode2 = FetchArm64Opcode(pbCode + 4);
+    ULONG const Opcode3 = FetchArm64Opcode(pbCode + 8);
+    UINT64 pageLow2;
+    UINT64 pageHigh19;
+    INT64 page;
+    UINT64 offset;
+    PBYTE pbTarget;
+
+    if ((Opcode & 0x9f00001f) != 0x90000010 ||
+        (Opcode2 & 0xffe003ff) != 0xf9400210 ||
+        Opcode3 != 0xd61f0200)
+    {
+        return FALSE;
+    }
+
+    pageLow2 = (Opcode >> 29) & 3;
+    pageHigh19 = (Opcode >> 5) & ~(~0ui64 << 19);
+    page = SignExtend((pageHigh19 << 2) | pageLow2, 21) << 12;
+    offset = ((Opcode2 >> 10) & ~(~0ui64 << 12)) << 3;
+    pbTarget = (PBYTE)((ULONG_PTR)pbCode & ~(ULONG_PTR)0xfff) + page + offset;
+
+    *ppTarget = *(UNALIGNED PVOID*)pbTarget;
+    return TRUE;
+}
+
+static
+_Success_(return != FALSE)
+BOOL
+DecodeKernel32OutputDebugStringAStub(
+    _In_ PBYTE pbCode,
+    _Out_ PVOID * ppTarget)
+{
+    ULONG const Opcode = FetchArm64Opcode(pbCode);
+    INT64 branchOffset;
+
+    if ((Opcode & 0xfc000000) != 0x14000000)
+    {
+        return FALSE;
+    }
+
+    // B <imm26>
+    branchOffset = SignExtend((Opcode & 0x03ffffffULL) << 2, 28);
+    return DecodeArm64ImportThunk(pbCode + branchOffset, ppTarget);
+}
+
+#endif
+
+static
+HRESULT
+RunOutputDebugStringAHook(
+    _In_ DEMO_ENGINE_TYPE EngineType,
+    _In_ FN_OutputDebugStringA* pfnKernel32,
+    _In_ FN_OutputDebugStringA* pfnKernelBase)
+{
+    HRESULT hr;
+
+    _InterlockedExchange(&g_lOutputDebugStringACount, 0);
+    g_pfnOutputDebugStringA = pfnKernel32;
+
+    hr = HookTransactionBegin(EngineType);
+    if (FAILED(hr))
+    {
+        return hr;
+    }
+    hr = HookAttach(EngineType, TRUE, (PVOID*)&g_pfnOutputDebugStringA, Hooked_OutputDebugStringA);
+    if (FAILED(hr))
+    {
+        HookTransactionAbort(EngineType);
+        return hr;
+    }
+    hr = HookTransactionCommit(EngineType);
+    if (FAILED(hr))
+    {
+        return hr;
+    }
+
+    pfnKernelBase("OutputDebugStringHook: kernelbase");
+    pfnKernel32("OutputDebugStringHook: kernel32");
+
+    hr = HookTransactionBegin(EngineType);
+    if (SUCCEEDED(hr))
+    {
+        hr = HookAttach(EngineType, FALSE, (PVOID*)&g_pfnOutputDebugStringA, Hooked_OutputDebugStringA);
+        if (SUCCEEDED(hr))
+        {
+            hr = HookTransactionCommit(EngineType);
+        } else
+        {
+            HookTransactionAbort(EngineType);
+        }
+    }
+    return S_OK;
+}
+
+TEST_FUNC(OutputDebugStringHook)
+{
+    NTSTATUS Status;
+    HRESULT hr;
+    DEMO_ENGINE_TYPE EngineType;
+    PVOID hKernel32, hKernelBase;
+    FN_OutputDebugStringA *pfnKernel32OutputDebugStringA, *pfnKernelBaseOutputDebugStringA;
+    PVOID pStubTarget;
+
+    if (FAILED(GetEngineTypeFromArgs(TEST_PARAMETER_ARGC, TEST_PARAMETER_ARGV, &EngineType)))
+    {
+        TEST_SKIP("Invalid engine type");
+        return;
+    }
+
+    Status = LdrGetDllHandle(NULL, NULL, (PUNICODE_STRING)&g_usKernel32, &hKernel32);
+    if (!NT_SUCCESS(Status))
+    {
+        TEST_SKIP("LdrGetDllHandle for kernel32.dll failed with 0x%08lX", Status);
+        return;
+    }
+    Status = LdrGetDllHandle(NULL, NULL, (PUNICODE_STRING)&g_usKernelBase, &hKernelBase);
+    if (!NT_SUCCESS(Status))
+    {
+        TEST_SKIP("LdrGetDllHandle for kernelbase.dll failed with 0x%08lX", Status);
+        return;
+    }
+
+    Status = LdrGetProcedureAddress(hKernel32,
+                                    &g_asOutputDebugStringA,
+                                    0,
+                                    (PVOID*)&pfnKernel32OutputDebugStringA);
+    if (!NT_SUCCESS(Status))
+    {
+        TEST_SKIP("LdrGetProcedureAddress for kernel32!OutputDebugStringA failed with 0x%08lX", Status);
+        return;
+    }
+    Status = LdrGetProcedureAddress(hKernelBase,
+                                    &g_asOutputDebugStringA,
+                                    0,
+                                    (PVOID*)&pfnKernelBaseOutputDebugStringA);
+    if (!NT_SUCCESS(Status))
+    {
+        TEST_SKIP("LdrGetProcedureAddress for kernelbase!OutputDebugStringA failed with 0x%08lX", Status);
+        return;
+    }
+    if (!DecodeKernel32OutputDebugStringAStub((PBYTE)pfnKernel32OutputDebugStringA, &pStubTarget))
+    {
+        TEST_SKIP("kernel32!OutputDebugStringA is not the expected stub");
+        return;
+    }
+
+    if (pStubTarget != (PVOID)pfnKernelBaseOutputDebugStringA)
+    {
+        TEST_SKIP("kernel32!OutputDebugStringA stub does not target kernelbase!OutputDebugStringA");
+        return;
+    }
+
+    hr = RunOutputDebugStringAHook(EngineType,
+                                   pfnKernel32OutputDebugStringA,
+                                   pfnKernelBaseOutputDebugStringA);
+    if (FAILED(hr))
+    {
+        TEST_FAIL("Hook OutputDebugStringA failed with 0x%08lX", hr);
+        return;
+    }
+
+    TEST_OK(g_lOutputDebugStringACount == 2);
+}
+
+#endif
diff --git a/Source/KNSoft.SlimDetours/Instruction.c b/Source/KNSoft.SlimDetours/Instruction.c
@@ -178,6 +178,7 @@ detour_is_jmp_indirect_to(
 }
 
 static
+_Success_(return != FALSE)
 BOOL
 detour_decode_jmp_indirect(
     _In_ PBYTE pbCode,

Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,7 @@ detour_is_jmp_indirect_to(`
`178`	`178`	`}`
`179`	`179`
`180`	`180`	`static`
	`181`	`+_Success_(return != FALSE)`
`181`	`182`	`BOOL`
`182`	`183`	`detour_decode_jmp_indirect(`
`183`	`184`	`_In_ PBYTE pbCode,`