Inject the DLL into any Windows process to watch its file, process, and memory calls in real time via a color-coded console log.
Identify suspicious patterns like a process opening another with injection-level permissions by reviewing the flagged log entries.
Study how low-level Windows API hooking works by reading a from-scratch hook engine that patches the first 14 bytes of ntdll functions.
Requires Windows x64, Visual Studio 2022, CMake 3.20+, and manual DLL injection into a live target process.
VoidSniff is a Windows tool for watching what a program does at a low level while it runs. It is packaged as a single DLL that you inject into another process; once loaded, it intercepts specific operating system calls that process makes and prints a colored log of what it found. The goal is to help people understand and study program behavior, particularly patterns that show up in malicious software, such as injecting code into other processes or replacing a process's memory with different code.

The tool works by patching the entry points of three specific functions inside ntdll, the core Windows library that almost every program uses to talk to the operating system. The three functions it watches are: one that opens or creates files, one that opens handles to other running processes, and one that maps sections of memory from one process into another. When any of these is called, VoidSniff logs what happened and who called it, and flags anything that looks suspicious, such as a process opening another process with permissions typically used for code injection.

Because VoidSniff writes its own hook engine from scratch, without borrowing any external hooking library, it is also a demonstration of how this kind of interception works at the machine-code level. It overwrites the first 14 bytes of a function with a jump instruction pointing to its own code, saves the original bytes, and restores them briefly whenever it needs to pass a call through to the real function.

Building it requires Windows, Visual Studio 2022, and CMake 3.20 or newer. Running it means injecting the compiled DLL into whatever process you want to observe, then watching the console window it opens for a live feed of activity. Pressing F10 cleanly removes all hooks and unloads the DLL from the target process. The project is deliberately scoped to x64 Windows only and is described as a research and educational tool rather than something for production use.
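As an added example that is not VoidSniff's own code, the following C models the hook engine the description outlines: save the first 14 bytes of a function, overwrite them with a jump, restore them on demand, and (from the defender's side) check whether a prologue already carries such a patch. It assumes the 14-byte patch is the standard x64 absolute jump (FF 25 00 00 00 00 followed by the 8-byte target), uses a constructed byte buffer in place of a real ntdll function so it runs on any host, and leaves out the VirtualProtect call a Windows build needs before writing to code pages.

```c
/* Added example, not VoidSniff's own code: the page's 14-byte patch engine
 * modelled on a byte buffer standing in for an ntdll function. Assumed encoding
 * (standard x64 absolute jump): FF 25 00 00 00 00 = jmp [rip+0], then target. */
#include <stdint.h>
#include <string.h>
#define HOOK_LEN 14
static const uint8_t JMP_RIP0[6] = {0xFF, 0x25, 0, 0, 0, 0};
typedef struct { uint8_t *fn; uint8_t saved[HOOK_LEN]; int installed; } hook_t;

/* Save the prologue, then overwrite it with jmp + little-endian target. A real
 * engine brackets the write with VirtualProtect(); omitted here. */
int hook_install(hook_t *h, uint8_t *fn, uint64_t target) {
    if (h->installed) return -1;
    memcpy(h->saved, fn, HOOK_LEN);
    memcpy(fn, JMP_RIP0, 6);
    for (int i = 0; i < 8; i++) fn[6 + i] = (uint8_t)(target >> (8 * i));
    h->fn = fn; h->installed = 1;
    return 0;
}

/* Put the original bytes back: the brief call-through window and the F10
 * unhook described on the page both do exactly this. */
int hook_remove(hook_t *h) {
    if (!h->installed) return -1;
    memcpy(h->fn, h->saved, HOOK_LEN);
    h->installed = 0;
    return 0;
}

/* Defender-side check: does this prologue start with the 14-byte jump?
 * Returns 1 and decodes the jump target if so, else 0. */
int hook_detect(const uint8_t *fn, uint64_t *target) {
    if (memcmp(fn, JMP_RIP0, 6) != 0) return 0;
    uint64_t t = 0;
    for (int i = 0; i < 8; i++) t |= (uint64_t)fn[6 + i] << (8 * i);
    if (target) *target = t;
    return 1;
}

/* Full cycle on a constructed prologue and target (not real ntdll bytes or
 * addresses); returns the number of checks that passed, 4 when all work. */
int demo_hook_cycle(void) {
    uint8_t fn[16] = {0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0, 0, 0, 0x0F, 0x05, 0xC3};
    uint8_t orig[16]; memcpy(orig, fn, 16);
    hook_t h = {0}; uint64_t t = 0; int ok = 0;
    ok += hook_detect(fn, NULL) == 0;                       /* clean before */
    ok += hook_install(&h, fn, 0x7FF612340000ULL) == 0;
    ok += hook_detect(fn, &t) == 1 && t == 0x7FF612340000ULL;
    ok += hook_remove(&h) == 0 && memcmp(fn, orig, 16) == 0; /* byte-exact */
    return ok;
}
```

The restore-then-re-hook call-through leaves a window in which another thread can enter the unpatched function unobserved, which is one reason the project scopes itself to research rather than production monitoring.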