> How do you do the hooking? do you patch the DLL the way Detours and EasyHook do? Or do you patch the import table?
We patch the api/function being hooked and take some extra steps when building the stub. For example, in x64 usually addressing is relative to RIP so when relocating, the code is changed to maintain the target address.
> Do you have a solution for protected processes like services.exe in Win2012?
Although this is not related to a hooking engine itself, when opening a process we try to set up SeDebugPrivilege if available. But it depends on OS configuration restrictions and all engines are affected in the same way. If not, it would be an OS bug.
> Do you perform injection using CreateRemoteThread to a suspended process or do you do it the way Detours does using an import table rewrite?
We do not touch the import table. In Deviare, injection is done via CreateRemoteThread/NtCreateThreadEx. In Deviare InProc, although it can hook remote processes, DLL injection must be done by the user.
> SysInternals process monitor installs a kernel driver to intercept file-system/registry calls so unless you also do that, the output will be significantly different than what process monitor enables.
Yes, it is different, but you can try SpyStudio. For example, when you open a key under HKEY_CLASSES_ROOT it may end in HKLM or HKCU. With ProcMon you see the end but you don't know that the app asked for HKCR. Sometimes it is important, mainly in app virtualization.
Yes, it is capable of hooking any api with at least 5 bytes of code. Usually there exist gaps inside the +/- 2 GB region from the api being hooked that allow the hooking engine to put some code.
In our tool SpyStudio we hook more than 100 functions without problems.
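The two calculations behind these answers, worked through as an added example that is not Deviare's or SpyStudio's code: the 5-byte rel32 JMP that must land within +/- 2 GB of the hooked API, the disp32 fix-up a RIP-relative instruction needs when it is relocated into a stub, and the defender-side check that flags a prologue already overwritten with such a JMP. All addresses and instruction bytes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A 5-byte E9 rel32 JMP placed at `from` can only reach a target whose
 * displacement from the end of the instruction fits in a signed 32-bit value. */
static bool jmp5_reachable(uint64_t from, uint64_t to) {
    int64_t disp = (int64_t)to - (int64_t)(from + 5);
    return disp >= INT32_MIN && disp <= INT32_MAX;
}

/* Encode the JMP into `out`; fails when the target is outside +/- 2 GB. */
static bool encode_jmp5(uint64_t from, uint64_t to, uint8_t out[5]) {
    if (!jmp5_reachable(from, to)) return false;
    uint32_t d = (uint32_t)((int64_t)to - (int64_t)(from + 5));
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(d >> (8 * i));
    return true;
}

/* Defender-side check: a prologue beginning with E9 is the footprint such a
 * 5-byte inline hook leaves; recover the address it diverts execution to. */
static bool detect_jmp5_hook(const uint8_t code[5], uint64_t addr, uint64_t *target) {
    if (code[0] != 0xE9) return false;
    uint32_t d = 0;
    for (int i = 0; i < 4; i++) d |= (uint32_t)code[1 + i] << (8 * i);
    *target = (uint64_t)((int64_t)(addr + 5) + (int32_t)d);
    return true;
}

/* The relocation step from the reply: an instruction with a RIP-relative disp32
 * moved from old_addr to new_addr keeps its absolute target only if the
 * displacement is recomputed against the new RIP (insn_len = instruction size). */
static bool relocate_rip_disp32(uint64_t old_addr, uint64_t new_addr, uint32_t insn_len,
                                int32_t old_disp, int32_t *new_disp) {
    int64_t target = (int64_t)(old_addr + insn_len) + old_disp;
    int64_t disp = target - (int64_t)(new_addr + insn_len);
    if (disp < INT32_MIN || disp > INT32_MAX) return false;
    *new_disp = (int32_t)disp;
    return true;
}

int main(void) { /* constructed addresses: API at `api`, stub 2 MB above it */
    uint64_t api = 0x7FF800001000ULL, stub = 0x7FF800201000ULL, where = 0;
    uint8_t patch[5]; int32_t fixed = 0;
    if (encode_jmp5(api, stub, patch) && detect_jmp5_hook(patch, api, &where))
        printf("prologue diverts to %llx\n", (unsigned long long)where);
    if (relocate_rip_disp32(api, stub, 7, 0x1000, &fixed)) /* mov rax,[rip+0x1000] is 7 bytes */
        printf("disp32 after relocation: %d\n", fixed);
    return 0;
}
```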
I've recently discovered SpyStudio as a pretty good alternative to Process Monitor. It allows you to follow a single process and has a very straightforward interface for viewing files and registry entries that were modified by the process (tabbed/tree view as opposed to a flat list).