.detour section at ❶ that the new import table contains evil.dll, seen at ❷. Evil.dll will now be loaded whenever Notepad is launched. Notepad will continue to operate as usual, and most users would have no idea that the malicious DLL was executed.

Instead of using the official Microsoft Detours library, malware authors have been known to use alternative and custom methods to add a .detour section. The use of these methods for detour addition should not impact your ability to analyze the malware.
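A triage check for the modification described above, as an added example that is not from the original text: it walks the PE section table and reports whether a section named .detour is present, which is the cue to go and inspect the import table for an unexpected DLL. The function names and the header-only sample image built by `build_sample` are constructed for illustration.

```python
import struct

def section_names(pe: bytes) -> list[str]:
    """Return the section names listed in a PE image's section table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(pe) < e_lfanew + 24:
        raise ValueError("PE signature or COFF header missing")
    # The 20-byte COFF header follows the signature; we need the section
    # count and the size of the optional header that precedes the table.
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        entry = pe[table + 40 * i: table + 40 * (i + 1)]  # 40 bytes each
        if len(entry) < 40:
            raise ValueError("truncated section table")
        # The name is the first 8 bytes, NUL-padded.
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def has_detour_section(pe: bytes) -> bool:
    """True if any section is named .detour (case-insensitive)."""
    return any(n.lower() == ".detour" for n in section_names(pe))

def build_sample(names: list[str]) -> bytes:
    """Constructed header-only PE image (no optional header, no section
    data), just enough structure to exercise the parser offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                        for n in names)
    return dos + b"PE\0\0" + coff + sections

if __name__ == "__main__":
    clean = build_sample([".text", ".data", ".rsrc"])
    modified = build_sample([".text", ".data", ".rsrc", ".detour"])
    for label, image in (("clean", clean), ("modified", modified)):
        print(label, section_names(image), has_detour_section(image))
```

To check a file on disk, pass its bytes: `has_detour_section(open(path, "rb").read())`.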