Killing the Pesky Detours Marker DLL
Thursday, August 20, 2009   

The current version of Microsoft Detours injects a marker DLL into detoured processes. From the help docs:

The detoured.dll file is a marker that guides Microsoft technical support personnel and tools, like Windows OCA, by helping them quickly determine that a process has been altered by the Detours package.

If you're using Microsoft Detours in the context of an online poker bot or other real-time online poker tool...this can be an issue. You might as well hang a sign around your neck:

HEY! Unauthorized software being run here! Suspicious activity! Flag me!

That's not to say that every use of Microsoft Detours in an online poker context is suspicious or malicious, but generally speaking, only three kinds of poker applications require Detours-like functionality:

  • Online poker bots
  • Data miners
  • Other real-time online poker tools

So from the perspective of an online poker site, the presence of DETOURED.DLL in a given poker client process can and should be interpreted as "suspicious". That said, earlier versions of Detours (pre-2.0) didn't include this marker DLL, and luckily the current version doesn't have to, either.
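From the defender's side, the marker is easy to check for. The PowerShell function below is an added example (not code from the post or from the Detours package); it assumes a Windows host where the caller has permission to read the module lists of the processes being inspected, and it reports each process that has `detoured.dll` loaded, treating processes whose modules cannot be read as unknown rather than clean.

```powershell
# Added example: flag processes that have loaded the Detours marker DLL.
# Assumes Windows PowerShell with access to the inspected processes.
function Find-DetouredProcess {
    param(
        # Marker module name as documented by Detours.
        [string]$MarkerName = 'detoured.dll',
        # Optional process-name filter (wildcards allowed); default is every process.
        [string]$ProcessName = '*'
    )

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # Reading .Modules needs access to the target; protected processes or
            # a 32/64-bit mismatch throw, so record "unknown" instead of "clean".
            $modules = $proc.Modules
        }
        catch {
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                MarkerPath  = $null
                Status      = "inaccessible: $($_.Exception.Message)"
            }
            continue
        }

        # Case-insensitive match on the module's base name.
        $hit = $modules | Where-Object { $_.ModuleName -ieq $MarkerName }
        if ($hit) {
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                MarkerPath  = $hit.FileName
                Status      = 'marker present'
            }
        }
    }
}

# Usage: list every process carrying the marker.
Find-DetouredProcess | Format-Table -AutoSize
```

A hit from this check is high-confidence, because the marker exists for exactly this purpose; a miss proves nothing, which is the point the post goes on to make. Hooking without the marker still leaves in-memory evidence (patched function prologues, unexpected modules), so a monitoring client that cares would compare loaded code against the on-disk image rather than stop at the module name.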

Instructions for removing the Detours marker DLL

Better yet, you can just use an equivalent open-source library like EasyHook. But whatever you do, don't make the mistake of assuming that you've "stealthed" or "cloaked" your use of API hooking by this simple expedient. You haven't; not by a long shot.

But it's a step in the right direction...

[Hat tip to Dave for the link.]


Posted by James Devlin   10 comment(s)

Awesome. I've been using an ancient version of Detours specifically so I don't have to deal with the marker DLL. I'll have to try this, but your EasyHook link looks even better.

JeremyX on 8/20/2009 8:05 AM (203 days ago)

I started using EasyHook a few months ago, actually, here are a few tips for others who may have gone this route:

1. Download EasyHook and get it building.
2. Go through and rename internal functions/structures/etc.
3. Use that in your poker bot/tool.

That way, not only is there not a marker DLL, but there aren't any well-known symbols/APIs floating around in your binary for the poker client to detect.

Anonymous on 8/20/2009 8:47 AM (203 days ago)

Another option (instead of bundling Detours/EasyHook into your bot) is to just cut and paste the specific pieces of code you need to set up the detours. That way, no identifiable functions or names in your EXE.

I'm not sure if poker clients look for that sort of stuff but better safe than sorry, right?

Teddy KGB on 8/20/2009 12:05 PM (203 days ago)

Are you planning any more posts on stealthing in general? I really have no idea what they look for.

I've gone down the screen scraping path (which was actually pretty easy). Does that make me stealthier? Or can the poker sites easily determine that I'm taking an unusually large number of snapshots?

And what about input? I read on pokerstars.com that they allow betting macros as long as a human is making the decision. Does that mean I don't have to worry about stealthing my fake mouse clicks etc?

thewee on 8/20/2009 6:27 PM (202 days ago)

Yeah, tons of people use AHK macros so I can't imagine that's against the rules.

Anonymous on 8/21/2009 2:11 AM (202 days ago)

Thanks James, I've been playing around with EasyHook for about a day and so far I love it. Better than Detours in just about every way!

Ed K. on 8/22/2009 8:45 PM (200 days ago)

I don't think AHK macros break any rules for poker sites.

facebook poker chips on 12/9/2009 10:05 PM (91 days ago)

Great story, my compliments.

Unibet on 12/14/2009 1:07 AM (87 days ago)

Are there new updates available for this tool?

odds comparison script on 12/25/2009 3:57 PM (75 days ago)

What a great article.

casinos on 1/2/2010 6:28 PM (67 days ago)
