Killing the Pesky Detours Marker DLL
The current version of Microsoft Detours injects a marker DLL into detoured processes. From the help docs:
The detoured.dll file is a marker that guides Microsoft technical support personnel and tools, like Windows OCA, by helping them quickly determine that a process has been altered by the Detours package.
If you're using Microsoft Detours in the context of an online poker bot or other real-time online poker tool...this can be an issue. You might as well hang a sign around your neck:
HEY! Unauthorized software being run here! Suspicious activity! Flag me!
That's not to say that every use of Microsoft Detours in an online poker context is suspicious or malicious, but generally speaking, only three kinds of poker applications require Detours-like functionality:
- Online poker bots
- Data miners
- Other real-time online poker tools
So from the perspective of an online poker site, the presence of DETOURED.DLL in a given poker client process can and should be interpreted as "suspicious". That said, earlier versions of Detours (pre-2.0) didn't include this marker DLL, and luckily the current version doesn't have to, either.
Instructions for removing the Detours marker DLL
Better yet, you can just use an equivalent open-source library like EasyHook. But whatever you do, don't make the mistake of assuming that you've "stealthed" or "cloaked" your use of API hooking by this simple expedient. You haven't; not by a long shot.
But it's a step in the right direction...
[Hat tip to Dave for the link.]
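The marker check as seen from the detecting side, as an added example (not code from the original post or from the Detours package): it flags processes whose loaded-module list contains detoured.dll. The snapshot, process names and function names are constructed for illustration.

```python
import ntpath

MARKER = "detoured.dll"  # file name taken from the Detours help text quoted above

# Constructed sample snapshot: (pid, image name) -> loaded module paths.
SNAPSHOT = {
    (4120, "client.exe"): [
        r"C:\Program Files\Client\client.exe",
        r"C:\Windows\System32\ntdll.dll",
        r"C:\Users\a\AppData\Local\Temp\DETOURED.DLL",
    ],
    (5332, "client.exe"): [
        r"C:\Program Files\Client\client.exe",
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Tools\notdetoured.dll",      # lookalike name, must not match
        r"C:\Tools\detoured.dll.bak",     # lookalike name, must not match
    ],
    (6010, "editor.exe"): [
        "C:/Dev/editor/editor.exe",
        '"C:/Dev/editor/detoured.dll"',   # forward slashes and stray quotes
    ],
}

def marker_modules(module_paths):
    """Return the paths whose file name equals the marker, ignoring case."""
    hits = []
    for raw in module_paths:
        path = raw.strip().strip('"')
        # ntpath splits on both '\' and '/', as Windows path handling does.
        if ntpath.basename(path).lower() == MARKER:
            hits.append(path)
    return hits

def triage(snapshot):
    """Map each pid to a verdict plus the module paths that justify it."""
    report = {}
    for (pid, image), modules in sorted(snapshot.items()):
        hits = marker_modules(modules)
        # 'no-marker' only means this one indicator is absent; as the post
        # says, removing the marker does not hide the hooks themselves.
        report[pid] = {"image": image,
                       "verdict": "marker-present" if hits else "no-marker",
                       "evidence": hits}
    return report

if __name__ == "__main__":
    for pid, row in triage(SNAPSHOT).items():
        print(pid, row["image"], row["verdict"], row["evidence"])
```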
Coding the Wheel has been published since 2008.

10 comment(s)
Awesome. I've been using an ancient version of Detours specifically so I don't have to deal with the marker DLL. I'll have to try this, but your EasyHook link looks even better.
I started using EasyHook a few months ago, actually, here are a few tips for others who may have gone this route:
That way, not only is there not a marker DLL, but there aren't any well-known symbols/APIs floating around in your binary for the poker client to detect.
Another option (instead of bundling Detours/EasyHook into your bot) is to just cut and paste the specific pieces of code you need to set up the detours. That way, no identifiable functions or names in your EXE.
I'm not sure if poker clients look for that sort of stuff but better safe than sorry, right?
Are you planning any more posts on stealthing in general? I really have no idea what they look for.
I've gone down the screen scraping path (which was actually pretty easy). Does that make me stealthier? Or can the poker sites easily determine that I'm taking an unusually large amount of snapshots?
And what about input? I read on pokerstars.com that they allow betting macros as long as a human is making the decision. Does that mean I don't have to worry about stealthing my fake mouse clicks etc?
Yeah, tons of people use AHK macros so I can't imagine that's against the rules.
Thanks James, I've been playing around with EasyHook for about a day and so far I love it. Better than Detours in just about every way!
This site is too popular, I wouldn't be surprised if the programmers of Poker Sites read it every day for what we think is stealth and safe.