Add SlimDetoursDetachEx to allow to free the trampoline manually

m417z · m417z · commit 266cb49ccc81 · 2025-06-21T20:36:32.000+03:00
Usage example:

SlimDetoursTransactionBegin();
PVOID pTrampoline = NULL;
DETOUR_DETACH_OPTIONS Options;
Options.ppTrampolineToFreeManually = &amp;pTrampoline;
SlimDetoursDetachEx(pPointer, pDetour, &amp;Options);
SlimDetoursTransactionCommit();
Sleep(1000);
SlimDetoursFreeTrampoline(pTrampoline);
diff --git a/Source/SlimDetours/SlimDetours.h b/Source/SlimDetours/SlimDetours.h
@@ -62,11 +62,35 @@ SlimDetoursAttach(
     _Inout_ PVOID* ppPointer,
     _In_ PVOID pDetour);
 
+typedef struct _DETOUR_DETACH_OPTIONS
+{
+    PVOID *ppTrampolineToFreeManually;
+} DETOUR_DETACH_OPTIONS, *PDETOUR_DETACH_OPTIONS;
+
+typedef const DETOUR_DETACH_OPTIONS* PCDETOUR_DETACH_OPTIONS;
+
 HRESULT
 NTAPI
+SlimDetoursDetachEx(
+    _Inout_ PVOID* ppPointer,
+    _In_ PVOID pDetour,
+    _In_ PCDETOUR_DETACH_OPTIONS pOptions);
+
+FORCEINLINE
+HRESULT
 SlimDetoursDetach(
     _Inout_ PVOID* ppPointer,
-    _In_ PVOID pDetour);
+    _In_ PVOID pDetour)
+{
+    DETOUR_DETACH_OPTIONS Options;
+    Options.ppTrampolineToFreeManually = NULL;
+    return SlimDetoursDetachEx(ppPointer, pDetour, &Options);
+}
+
+HRESULT
+NTAPI
+SlimDetoursFreeTrampoline(
+    _In_ PVOID pTrampoline);
 
 PVOID
 NTAPI
diff --git a/Source/SlimDetours/SlimDetours.inl b/Source/SlimDetours/SlimDetours.inl
@@ -113,6 +113,7 @@ struct _DETOUR_OPERATION
     PBYTE pbTarget;
     PDETOUR_TRAMPOLINE pTrampoline;
     ULONG dwPerm;
+    PVOID* ppTrampolineToFreeManually;
 };
 
 /* Memory management */
diff --git a/Source/SlimDetours/Transaction.c b/Source/SlimDetours/Transaction.c
@@ -160,12 +160,14 @@ SlimDetoursTransactionCommit(VOID)
                 NtFlushInstructionCache(NtCurrentProcess(), o->pbTarget, o->pTrampoline->cbRestore);
             } else
             {
-                // Don't remove in this case, put in bypass mode and leak trampoline.
+                // Don't remove and leak trampoline in this case.
                 o->dwOperation = DETOUR_OPERATION_NONE;
-                o->pTrampoline->pbDetour = o->pTrampoline->rbCode;
                 DETOUR_TRACE("detours: Leaked hook on pbTarget=%p due to external hooking\n", o->pbTarget);
             }
 
+            // Put hook in bypass mode.
+            o->pTrampoline->pbDetour = o->pTrampoline->rbCode;
+
             *o->ppbPointer = o->pbTarget;
         } else if (o->dwOperation == DETOUR_OPERATION_ADD)
         {
@@ -236,9 +238,16 @@ SlimDetoursTransactionCommit(VOID)
         NtProtectVirtualMemory(NtCurrentProcess(), &pMem, &sMem, o->dwPerm, &dwOld);
         if (o->dwOperation == DETOUR_OPERATION_REMOVE)
         {
-            detour_free_trampoline(o->pTrampoline);
+            if (!o->ppTrampolineToFreeManually)
+            {
+                detour_free_trampoline(o->pTrampoline);
+                freed = TRUE;
+            } else
+            {
+                // The caller is responsible for freeing the trampoline.
+                *o->ppTrampolineToFreeManually = o->pTrampoline;
+            }
             o->pTrampoline = NULL;
-            freed = TRUE;
         }
 
         n = o->pNext;
@@ -471,9 +480,10 @@ SlimDetoursAttach(
 
 HRESULT
 NTAPI
-SlimDetoursDetach(
+SlimDetoursDetachEx(
     _Inout_ PVOID* ppPointer,
-    _In_ PVOID pDetour)
+    _In_ PVOID pDetour,
+    _In_ PCDETOUR_DETACH_OPTIONS pOptions)
 {
     NTSTATUS Status;
     PVOID pMem;
@@ -526,12 +536,67 @@ SlimDetoursDetach(
     o->pTrampoline = pTrampoline;
     o->pbTarget = pbTarget;
     o->dwPerm = dwOld;
+    o->ppTrampolineToFreeManually = pOptions->ppTrampolineToFreeManually;
     o->pNext = s_pPendingOperations;
     s_pPendingOperations = o;
 
     return HRESULT_FROM_NT(STATUS_SUCCESS);
 }
 
+HRESULT
+NTAPI
+SlimDetoursFreeTrampoline(
+    _In_ PVOID pTrampoline)
+{
+    if (pTrampoline == NULL)
+    {
+        return HRESULT_FROM_NT(STATUS_SUCCESS);
+    }
+
+    // This function can be called as part of a transaction or outside of a transaction.
+    ULONG nPrevPendingThreadId = _InterlockedCompareExchange(&s_nPendingThreadId, NtCurrentThreadId(), 0);
+    BOOL bInTransaction = nPrevPendingThreadId != 0;
+    if (bInTransaction && nPrevPendingThreadId != NtCurrentThreadId())
+    {
+        return HRESULT_FROM_NT(STATUS_TRANSACTIONAL_CONFLICT);
+    }
+
+    NTSTATUS Status;
+
+    if (!bInTransaction)
+    {
+        // Make sure the trampoline pages are writable.
+        Status = detour_writable_trampoline_regions();
+        if (!NT_SUCCESS(Status))
+        {
+            goto fail;
+        }
+    }
+
+    detour_free_trampoline((PDETOUR_TRAMPOLINE)pTrampoline);
+    detour_free_trampoline_region_if_unused((PDETOUR_TRAMPOLINE)pTrampoline);
+
+    if (!bInTransaction)
+    {
+        detour_runnable_trampoline_regions();
+    }
+
+    Status = STATUS_SUCCESS;
+
+fail:
+    if (!bInTransaction)
+    {
+#ifdef _MSC_VER
+#pragma warning(disable: __WARNING_INTERLOCKED_ACCESS)
+#endif
+        s_nPendingThreadId = 0;
+#ifdef _MSC_VER
+#pragma warning(default: __WARNING_INTERLOCKED_ACCESS)
+#endif
+    }
+    return HRESULT_FROM_NT(Status);
+}
+
 HRESULT
 NTAPI
 SlimDetoursUninitialize(VOID)
