Remote process hooking library for .NET
SpyGlass is a hooking library that allows for hooking inside remote processes. The API is an event driven framework, allowing .NET developers easily inspect and alter the behaviour of the target process without having to write lots of code.
The image above showcases a simple hooking application (on the right) that monitors a remote process running inside a virtual machine (on the left) that calls MessageBoxA
at some point. We can use SpyGlass to hook this function remotely, and inspect the arguments.
SpyGlass.Bootstrapper.x86.exe SpyGlass.Injection.x86.dll MessageBoxTest.exe
And on the master machine, run:
MessageBoxHook.exe <ip-address> 12345
In this case, the function DummyMethod
in the slave process takes three arguments, and simply adds them together. This function is originally called with three arguments: 0x1337
, 0x1338
and 0x1339
. However, the master process hooked this function, and modified the first parameter from 0x1337
to 0x1234
in the callback.
SpyGlass.Bootstrapper.x86.exe SpyGlass.Injection.x86.dll SpyGlass.DummyTarget.exe
And on the master machine, run:
SpyGlass.Sample.x86.exe <ip-address> 12345
To write your own master process and/or bootstrapper, see the quick starters guide.
Here's a quick summary of how the library works internally:
How does the remoting part work?
How does the hooking process work?
call
to the trampoline at the position of the hook.For details go here.
First thing you have to remember is that I don't write bugs, only interesting new features. Make sure you are not just misusing a feature. With great power comes great responsibility!
If you still believe you have found a bug, please go to the issue tracker.