NetHook

inject · intercept · modify · capture

A Windows network-hooking framework that captures, inspects and rewrites a process's traffic - before it is encrypted.

Free 7-day trial · Windows 10 / 11 · 64-bit

See it in action

One process, fully owned

A live session: the process list on the left, captured traffic in the middle, and the selected event decoded in the right-hand pane - here an SSL_write caught in the clear, before TLS.

NetHook capturing a process's traffic - a hooked SSL_write packet decoded as hex and ASCII in the right-hand pane
Live process list · Per-hook capture grid · Hex / ASCII decode pane · Intercept & modify · Named-pipe control

Why NetHook

Everything you need to own a process's traffic

From plaintext capture across every major crypto stack to live interception, auto-injection and capture-to-disk - built to be complete.

Plaintext, before encryption

Hooks sit at the application boundary, so you read and rewrite data before it is wrapped in TLS - and after it is unwrapped on the way back.

Multi-library hooking

One tool covers nine network & crypto stacks: OpenSSL (SSL_write/read + the _ex variants), Schannel (EncryptMessage/DecryptMessage), GnuTLS, wolfSSL, NSS/NSPR (Firefox), plus WinSock, WinINet, WinHTTP and File I/O.

Watch & auto-inject on launch

Match processes by name and NetHook injects the instant one starts - optionally attaching a live session automatically. Rules persist across runs, so a target is hooked before it sends its first byte.

IAT hooking, done right

NetHook rewrites Import Address Table thunks instead of patching function prologues - no thread freezing, no prologue corruption - and works uniformly across MSVC-, GCC- and Clang-built targets.

Catches late & dynamic loads

A LoadLibrary re-scan hooks modules loaded after injection, and a GetProcAddress redirect catches APIs resolved dynamically - so nothing slips through by loading or resolving late.

Intercept & modify live

Hold each packet, edit it in hex or text, then forward, drop or rewrite it on the fly - with find-in-packet search - or block a process entirely.

Capture to disk

Record sessions to .pcap (IP/TCP synthesised so Wireshark reassembles the streams) and to clean, parseable .raw dumps - bounded by a configurable max bytes per event.

32- & 64-bit, any target

Inject into either architecture from one UI - a 64-bit GUI drives 32-bit targets and vice-versa - and elevate to SYSTEM for privileged processes.

Many processes, in parallel

Attach to multiple processes at once - each gets its own live session, tab and control pipe. A licensed install runs unlimited targets; the trial does one at a time.

Global & per-injection settings

Set capture, intercept, block, size limits and exactly which APIs to hook as global defaults - then override any of them live, per process, without re-attaching.

Hardened for hostile targets

Every PE header and import table is bounds-checked against the module's SizeOfImage before it's touched, so walking malformed or hostile memory never destabilises the host process.
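
The kind of bounds checking described here, as an added Python illustration that is not NetHook's code: it walks the import directory of a mapped PE image and rejects any offset past `SizeOfImage` or the end of the real buffer. The function names and the constructed sample image are assumptions made for the example, which treats RVAs as buffer offsets and bounds the descriptor walk by the directory's declared size.

```python
import struct

def _read(img, limit, off, fmt):
    # Every read is checked against the validated limit before unpacking.
    if off + struct.calcsize(fmt) > limit:
        raise ValueError(f"read at {off:#x} exceeds limit {limit:#x}")
    return struct.unpack_from(fmt, img, off)

def imported_dlls(img):
    """List imported DLL names from a mapped PE image (RVA == offset)."""
    limit = len(img)
    nt = _read(img, limit, 0x3C, "<I")[0]                   # e_lfanew
    if _read(img, limit, 0, "<H")[0] != 0x5A4D or _read(img, limit, nt, "<I")[0] != 0x4550:
        raise ValueError("bad MZ / PE signature")
    opt = nt + 24                                           # optional header
    magic = _read(img, limit, opt, "<H")[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # DataDirectory[0]
    # Trust neither bound alone: clamp to SizeOfImage and the real buffer.
    limit = min(limit, _read(img, limit, opt + 56, "<I")[0])
    if _read(img, limit, dirs - 4, "<I")[0] < 2:            # NumberOfRvaAndSizes
        return []
    rva, size = _read(img, limit, dirs + 8, "<II")          # import directory
    if rva == 0:
        return []
    if rva + size > limit:
        raise ValueError("import directory exceeds image")
    names = []
    for off in range(rva, rva + size - 19, 20):             # 20-byte descriptors
        desc = _read(img, limit, off, "<5I")
        if not any(desc):                                   # null terminator
            break
        end = img.find(b"\0", desc[3], limit) if desc[3] < limit else -1
        if end < 0:
            raise ValueError("DLL name not terminated inside image")
        names.append(img[desc[3]:end].decode("ascii", "replace"))
    return names

def build_sample(size_of_image=0x400, name_rva=0x300):
    """Constructed PE32+ image (NT headers at 0x80); not a real binary."""
    img = bytearray(0x400)
    for off, fmt, *vals in [(0, "<H", 0x5A4D), (0x3C, "<I", 0x80),
                            (0x80, "<I", 0x4550), (0x98, "<H", 0x20B),
                            (0xD0, "<I", size_of_image), (0x104, "<I", 16),
                            (0x110, "<II", 0x200, 40),
                            (0x200, "<5I", 0, 0, 0, name_rva, 0x380)]:
        struct.pack_into(fmt, img, off, *vals)
    img[0x300:0x30A] = b"WS2_32.dll"
    return bytes(img)
```

`imported_dlls(build_sample())` returns the one constructed import, while a shrunken `SizeOfImage` or an out-of-range name RVA raises `ValueError` instead of reading past the image.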

Designed to be functional

Includes built-in shortcuts for usability and efficient work.