I want to hook every call to CreateProcess (and a few other related APIs), no matter the process. Can modern Detours be used to do this without enumerating all processes and performing injections?
I've read several articles on both API hooking and doing so specifically with Detours, re:
API Hooking with MS Detours (InfoSec Institute)
I have two problems with these articles:
They are quite old and things may have changed.
They do not thoroughly address system-wide hooking using Detours specifically.
I am aware that this can be done with a driver, but Detours is said to be a powerful tool, and is still currently supported, so I wanted to know how it could be done with Detours.
The literature I've read thus far is geared toward targeting a specific program using Detours, and although it has presented an idea of how it's possible to enumerate every process and perform a DLL injection and then try to use Detours, this seems like a very unreliable way.
Detours cannot be used globally without per-process injection.
However, you only need to enumerate processes manually once, when you want to set an initial hook after the system is already running. One option (if you are careful with it) is to use the AppInit_DLLs Registry setting to have your DLL loaded into new processes (well, at least processes that use user32.dll, and that don't opt out of letting AppInit_DLLs run, and providing that AppInit_DLLs is even enabled on the system to begin with).
Otherwise, the alternative is to write a kernel driver that implements a process creation callback that is registered via PsSetCreateProcessNotifyRoutine(). That callback will be called every time a process is created or destroyed.