Add SlimDetoursDetachEx to allow to free the trampoline manually

Usage example:

SlimDetoursTransactionBegin();
PVOID pTrampoline = pPointer;
DETOUR_DETACH_OPTIONS Options;
Options.fFreeTrampoline = FALSE;
SlimDetoursDetachEx(pPointer, pDetour, &Options);
SlimDetoursTransactionCommit();
Sleep(1000);
SlimDetoursFreeTrampoline(pTrampoline);

Author: m417z

Source/SlimDetours/SlimDetours.h

@@ -62,11 +62,34 @@ SlimDetoursAttach(
     _Inout_ PVOID* ppPointer,
     _In_ PVOID pDetour);
 
+typedef struct _DETOUR_DETACH_OPTIONS
+{
+    BOOL fFreeTrampoline;
+} DETOUR_DETACH_OPTIONS, *PDETOUR_DETACH_OPTIONS;
+
+typedef const DETOUR_DETACH_OPTIONS* PCDETOUR_DETACH_OPTIONS;
+
 HRESULT
 NTAPI
+SlimDetoursDetachEx(
+    _Inout_ PVOID* ppPointer,
+    _In_ PVOID pDetour,
+    _In_ PCDETOUR_DETACH_OPTIONS pOptions);
+
+FORCEINLINE
+HRESULT
 SlimDetoursDetach(
     _Inout_ PVOID* ppPointer,
-    _In_ PVOID pDetour);
+    _In_ PVOID pDetour)
+{
+    DETOUR_DETACH_OPTIONS Options;
+    Options.fFreeTrampoline = TRUE;
+    return SlimDetoursDetachEx(ppPointer, pDetour, &Options);
+}
+HRESULT
+NTAPI
+SlimDetoursFreeTrampoline(
+    _In_ PVOID pTrampoline);
 
 PVOID
 NTAPI

Source/SlimDetours/SlimDetours.inl

@@ -105,6 +105,7 @@ enum
     DETOUR_OPERATION_NONE = 0,
     DETOUR_OPERATION_ADD,
     DETOUR_OPERATION_REMOVE,
+    DETOUR_OPERATION_REMOVE_AND_FREE,
 };
 
 typedef struct _DETOUR_OPERATION DETOUR_OPERATION, *PDETOUR_OPERATION;

Source/SlimDetours/Thread.c

@@ -188,7 +188,8 @@ detour_thread_update(
     bUpdateContext = FALSE;
     for (o = PendingOperations; o != NULL && !bUpdateContext; o = o->pNext)
     {
-        if (o->dwOperation == DETOUR_OPERATION_REMOVE)
+        if (o->dwOperation == DETOUR_OPERATION_REMOVE ||
+            o->dwOperation == DETOUR_OPERATION_REMOVE_AND_FREE)
         {
             if (cxt.CONTEXT_PC >= (ULONG_PTR)o->pTrampoline->rbCode &&
                 cxt.CONTEXT_PC < ((ULONG_PTR)o->pTrampoline->rbCode + RTL_FIELD_SIZE(DETOUR_TRAMPOLINE, rbCode)))

Source/SlimDetours/Transaction.c

@@ -177,7 +177,8 @@ SlimDetoursTransactionCommit(VOID)
     o = s_pPendingOperations;
     do
     {
-        if (o->dwOperation == DETOUR_OPERATION_REMOVE)
+        if (o->dwOperation == DETOUR_OPERATION_REMOVE ||
+            o->dwOperation == DETOUR_OPERATION_REMOVE_AND_FREE)
         {
             // Check if the jmps still points where we expect, otherwise someone might have hooked us.
             BOOL hookIsStillThere =
@@ -194,12 +195,14 @@ SlimDetoursTransactionCommit(VOID)
                 NtFlushInstructionCache(NtCurrentProcess(), o->pbTarget, o->pTrampoline->cbRestore);
             } else
             {
-                // Don't remove in this case, put in bypass mode and leak trampoline.
+                // Don't remove and leak trampoline in this case.
                 o->dwOperation = DETOUR_OPERATION_NONE;
-                o->pTrampoline->pbDetour = o->pTrampoline->rbCode;
                 DETOUR_TRACE("detours: Leaked hook on pbTarget=%p due to external hooking\n", o->pbTarget);
             }
 
+            // Put hook in bypass mode.
+            o->pTrampoline->pbDetour = o->pTrampoline->rbCode;
+
             *o->ppbPointer = o->pbTarget;
         } else if (o->dwOperation == DETOUR_OPERATION_ADD)
         {
@@ -268,7 +271,7 @@ SlimDetoursTransactionCommit(VOID)
         pMem = o->pbTarget;
         sMem = o->pTrampoline->cbRestore;
         NtProtectVirtualMemory(NtCurrentProcess(), &pMem, &sMem, o->dwPerm, &dwOld);
-        if (o->dwOperation == DETOUR_OPERATION_REMOVE)
+        if (o->dwOperation == DETOUR_OPERATION_REMOVE_AND_FREE)
         {
             detour_free_trampoline(o->pTrampoline);
             o->pTrampoline = NULL;
@@ -505,9 +508,10 @@ SlimDetoursAttach(
 
 HRESULT
 NTAPI
-SlimDetoursDetach(
+SlimDetoursDetachEx(
     _Inout_ PVOID* ppPointer,
-    _In_ PVOID pDetour)
+    _In_ PVOID pDetour,
+    _In_ PCDETOUR_DETACH_OPTIONS pOptions)
 {
     NTSTATUS Status;
     PVOID pMem;
@@ -555,7 +559,9 @@ SlimDetoursDetach(
         goto fail;
     }
 
-    o->dwOperation = DETOUR_OPERATION_REMOVE;
+    o->dwOperation = pOptions->fFreeTrampoline
+        ? DETOUR_OPERATION_REMOVE_AND_FREE
+        : DETOUR_OPERATION_REMOVE;
     o->ppbPointer = (PBYTE*)ppPointer;
     o->pTrampoline = pTrampoline;
     o->pbTarget = pbTarget;
@@ -566,6 +572,41 @@ SlimDetoursDetach(
     return HRESULT_FROM_NT(STATUS_SUCCESS);
 }
 
+HRESULT
+NTAPI
+SlimDetoursFreeTrampoline(
+    _In_ PVOID pTrampoline)
+{
+    NTSTATUS Status;
+
+    // Make sure only one thread can start a transaction.
+    if (_InterlockedCompareExchange(&s_nPendingThreadId, NtCurrentThreadId(), 0) != 0)
+    {
+        return HRESULT_FROM_NT(STATUS_TRANSACTIONAL_CONFLICT);
+    }
+
+    // Make sure the trampoline pages are writable.
+    Status = detour_writable_trampoline_regions();
+    if (!NT_SUCCESS(Status))
+    {
+        goto fail;
+    }
+
+    detour_free_trampoline((PDETOUR_TRAMPOLINE)pTrampoline);
+    detour_free_trampoline_region_if_unused((PDETOUR_TRAMPOLINE)pTrampoline);
+
+    detour_runnable_trampoline_regions();
+
+fail:
+#ifdef _MSC_VER
+#pragma warning(disable: __WARNING_INTERLOCKED_ACCESS)
+#endif
+    s_nPendingThreadId = 0;
+#ifdef _MSC_VER
+#pragma warning(default: __WARNING_INTERLOCKED_ACCESS)
+#endif
+}
+
 HRESULT
 NTAPI
 SlimDetoursUninitialize(VOID)