CallHook
trace · inspect · understand
A Windows tracing tool that records a process's calls and their arguments - so you can understand exactly how an application behaves and executes.
Free 7-day trial · Windows 10 / 11 · 64-bit
See it in action
One call, fully traced
CallHook shows each API call a process makes as it happens - the function, the module it came from, every argument decoded, and the value it returned.
Why CallHook
Everything you need to understand a process's execution
From full call tracing with decoded arguments to auto-attach, filtering and capture-to-disk - built to make an application's behaviour readable.
Full call tracing
Record every call a process makes as it runs and resolve each one by symbol, turning raw addresses into readable names such as CreateFile and RegOpenKey, along with socket and process calls - in the order they happen.
Decoded arguments & returns
Every argument is resolved to a readable value - handles, flags, strings and buffers - alongside the value each call returns, so you see what happened, not just that it did.
Watch & auto-attach on launch
Match processes by name and CallHook attaches the instant one starts - rules persist across runs, so a target is traced before it makes its first call.
Filter & search calls
Narrow the stream to a module, a function or an argument value, and search across the whole trace - so the call you care about is never buried in noise.
Capture to disk
Record full traces to clean, parseable logs - so a run can be replayed, diffed or shared long after the process has exited.
Catches late & dynamic loads
A LoadLibrary re-scan traces modules loaded after attach, and a GetProcAddress redirect catches APIs resolved dynamically - so nothing slips through by loading or resolving late.
32- & 64-bit, any target
Attach to either architecture from one UI - a 64-bit GUI drives 32-bit targets and vice-versa - and elevate to SYSTEM for privileged processes.
Many processes, in parallel
Trace multiple processes at once - each gets its own live session, tab and control pipe. A licensed install runs unlimited targets; the trial does one at a time.
Hardened for hostile targets
Every PE header and import table is bounds-checked against the module's SizeOfImage before it's touched, so tracing malformed or hostile memory never destabilises the host process.
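A sketch of the kind of check described above, added here as an illustration and not CallHook's own code: it walks a mapped PE image's import descriptors and refuses any header field that points outside the image. The names `in_bounds`, `rd` and `count_imports` are hypothetical, and it assumes `limit` is the module's SizeOfImage obtained from a trusted source and that the host is little-endian.

```c
#include <stdint.h>
#include <string.h>

/* 1 when [off, off+len) fits inside `limit` bytes; written so it cannot overflow. */
static int in_bounds(uint32_t off, uint32_t len, uint32_t limit) {
    return off <= limit && len <= limit - off;
}

/* Bounds-checked read of `len` bytes at `off` (little-endian host assumed). */
static int rd(const uint8_t *img, uint32_t limit, uint32_t off, void *out, uint32_t len) {
    if (!in_bounds(off, len, limit)) return 0;
    memcpy(out, img + off, len);
    return 1;
}

/* Counts import descriptors in a mapped PE image. `limit` is the module's
   SizeOfImage from a trusted source (assumption); every header field is
   untrusted. Returns -1 as soon as anything points outside the image. */
int count_imports(const uint8_t *img, uint32_t limit) {
    uint16_t mz, magic;
    uint32_t nt, sig, opt, dd, ndirs, rva, size, name, thunk;
    if (!rd(img, limit, 0, &mz, 2) || mz != 0x5A4D) return -1;      /* "MZ" */
    if (!rd(img, limit, 0x3C, &nt, 4)) return -1;                   /* e_lfanew */
    if (!rd(img, limit, nt, &sig, 4) || sig != 0x4550) return -1;   /* "PE\0\0" */
    if (!in_bounds(nt, 24, limit)) return -1;       /* signature + file header */
    opt = nt + 24;                                  /* optional header start */
    if (!rd(img, limit, opt, &magic, 2)) return -1;
    if (magic == 0x10B) dd = 96;                    /* PE32 data directories */
    else if (magic == 0x20B) dd = 112;              /* PE32+ data directories */
    else return -1;
    if (!in_bounds(opt, dd + 16, limit)) return -1; /* through DataDirectory[1] */
    memcpy(&ndirs, img + opt + dd - 4, 4);          /* NumberOfRvaAndSizes */
    memcpy(&rva, img + opt + dd + 8, 4);            /* import directory RVA */
    memcpy(&size, img + opt + dd + 12, 4);          /* import directory size */
    if (ndirs < 2 || rva == 0) return 0;            /* no import directory */
    if (!in_bounds(rva, size, limit)) return -1;
    for (int n = 0; ; n++, rva += 20) {             /* 20-byte descriptors */
        if (!in_bounds(rva, 20, limit)) return -1;  /* unterminated table */
        memcpy(&name, img + rva + 12, 4);           /* Name RVA */
        memcpy(&thunk, img + rva + 16, 4);          /* FirstThunk RVA */
        if (name == 0 && thunk == 0) return n;      /* terminator descriptor */
        if (!in_bounds(name, 1, limit) || !in_bounds(thunk, 4, limit)) return -1;
    }
}
```

The subtraction form in `in_bounds` is the important detail: a naive `off + len <= limit` wraps around for hostile 32-bit values and lets an out-of-range directory pass.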
Designed to be functional
Built-in shortcuts and a readable, focused UI to facilitate usability and efficient work.