
File Information
Category: Standalone
Open Source: Yes
# Downloads: N/A
Version: 1.10.4

Download Page

Last updated on Aug 29, 2009 with the following description:

ChangeLog: 1.10.3 to 1.10.4

- Notify UI as early as possible to speed up capture setup, which could take indefinite time with a busy app.
- Improve OpenGL hooks to also log PIXELFORMATDESCRIPTOR and also pretty-print nSize and iLayerType.

ChangeLog: 1.10.2 to 1.10.3

- Avoid using a WaitHandle.WaitAny() overload that wasn't part of the framework until .NET 2.0 SP2. This improves compatibility with older versions.  Thanks to trex005 for reporting this issue!
- Detect the case where a capture got interrupted by an unclean system shutdown and provide instructions on how to fix this. (Automatic solution coming in a future release.) Thanks to jinzo for reporting this!
- Fix crash happening when "Create Process" dialog is closed with search results visible and then reopened.  Thanks to Youness Alaoui for reporting this issue!
- Improve "Create Process" search box usability (Like cancelling search by pressing ESC, and allowing TAB to be used for switching to search results.)
- Tear things down properly if starting capture fails.
- Transition to using objects for delivering logged events so that modern hooks can be written in managed code. Not happy with the modeling here, mostly due to legacy hook compatibility, which will be removed once all hooks have been rewritten.

- Add beginnings of OpenGL hooks for spying on such apps; which are the first modern hooks written in managed code and thus making use of EasyHook and the modern logging system.
- Make it so that events are always ordered by id within the same process, by timestamp between events from multiple processes (IDs no longer share a global namespace as I'm not sure it's worth the extra complexity of using shared memory for this like before).
- Ensure that events related to the same socket handle all share a unique resource id that isn't reused after the socket is closed.
- Add error-handling to socket logging, improve output somewhat and simplify logging code.

ChangeLog: 1.10.1 to 1.10.2

- Error out when starting capture if one of the processes dies.
- Rename "Start Process" to "Create Process".
- Improve capture startup progress feedback.
- A couple of minor UI tweaks.

- Optimize backtrace algorithm so it doesn't rely on page faults by calling IsBadCodePtr() and similar.
- Improve accuracy of backtraces by using udis86 to verify that there is in fact a valid CALL instruction in place, instead of the loose checking that was before. Also make use of TIB to get top of stack, which is good for both accuracy and performance.
- Do incremental updates on the module list in order to speed things up.
- Refresh module list on FreeLibrary.
- Be smarter about when to refresh module list.
- WLM: Don't log any warning if the GET_CHALLENGE_SECRET signature isn't found, at least for now, it's not present in newer versions.

ChangeLog: 1.10.0 to 1.10.1

- Support spawning process and monitoring it from the first instruction executed.
- Improve capture start error message to mention IE "Protected Mode" issue.
- Reduce the number of menus by merging and moving things around a bit, and hide the debug item (accessible through Ctrl+D).
- Some minor aesthetic tweaks like using the oSpy icon for dialogs etc.
- Wait for clients to connect before assuming that capture has started.
- Some UI bugfixes and refactoring.

- Windows Live Messenger debug interception: Change FunctionName to match the existing convention so that these messages can be filtered out through the View menu.

ChangeLog: 1.9.8 to 1.10.0

Lots of bugfixes and major improvements in this release. The biggest changes are x64 support, new user-friendly UI for making captures with as few clicks as possible, changes in target processes now reverted when stopping capture, and improved compatibility with newer OSes.

- Completely revamped capture workflow. Making a capture is now as simple as File -> New capture... -> Tick the processes you want to monitor -> Start. When you're done, click Stop and oSpy will roll back changes in remote processes and allow them to live on, or do another capture later.
- Support for x64 and capturing from foreign sessions thanks to Christoph Husse's excellent EasyHook library. The old injection code has been replaced by EasyHook starting with this release. Note that the x64 support is limited to monitoring 32 bit processes, aiming to fix over future releases. (More details below.)
- Softwall UI bug fixes. Thanks to firouzabadi for reporting these and suggesting fixes, you rock!

- Transitioning to C++/CLI and aiming to eventually change legacy hooks to use EasyHook. No hooks have been migrated yet, but once the most useful ones are migrated it will be possible to monitor 64 bit processes too.
- Remove hooks, free memory, close handles and unload when stopping capture.
- Fix serious crash in HOOK_GLUE_EXTENDED used by for example the connect() hook, resulting in crashes when a matching softwall rule results in early return to caller.
- Fix crypt hooks on newer OSes.
- Fix backtrace generation on newer Windows OSes with ASLR so that backtraces contain entries based on preferred base addresses (effectively making the IDA integration usable on such systems).
- wininet/IE8 support tested on Windows 7 x64. Requires IE's "Protected Mode" to be disabled for now, aiming to fix this in a future release.
- Rewrite and optimize code signature parser and corresponding memory-scanning algorithm.
- Use .NET remoting instead of custom IPC using shared memory, reducing memory footprint and increasing performance a bit. (As the shared memory approach was a hack from the early days when I was just whipping together something quick and dirty to scratch an itch, not having the slightest intention that this would go public someday.)
- Switch to unicode and clean up the code a bit.

Author Information
Username: oleavr
Name: Ole Andre Vadla Ravnaas
E-Mail: oleavrgmailcom
URL: http://frida.re

Description

oSpy is a tool which aids in reverse-engineering software running on the Windows platform. With the amount of proprietary systems that exist today (synchronization protocols, instant messaging, etc.), the amount of work required to keep up when developing interoperable solutions will quickly become a big burden when limited to traditional techniques.

However, when the sniffing is done on the API level it allows a much more fine-grained view of what's going on. Seeing the return address for each recv/send call (for example) can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication, it's easy to intercept these calls as well. oSpy already intercepts one such API, the one used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

Another neat feature is when wanting to see how an application behaves when in a firewalled environment. Normally you would have to simulate such an environment by configuring firewalls etc., which not only is time-consuming, but might also cripple the rest of the applications you've got running. oSpy solves this problem by a feature called softwalling which allows you to set rules based on the type of function-call, the return-address, local/remote address/port, etc., and lets you choose which error to signal back to the application when the rule matches. This way you can make the application think that for example a connect() timed out, connection was refused, there was no route to host, etc.
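The softwall matching described above, sketched as an added example (not oSpy's own code or rule format): the struct names, rule fields and sample rules are hypothetical and constructed for illustration, and local address/port matching is left out to keep it short. The error values are the standard Winsock codes, repeated so the file builds on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Standard Winsock error codes (winsock2.h), redefined for portability. */
enum { SW_WSAETIMEDOUT = 10060, SW_WSAECONNREFUSED = 10061, SW_WSAEHOSTUNREACH = 10065 };

/* Hypothetical rule layout; NULL / 0 in a field means "match anything". */
typedef struct {
    const char *function;        /* intercepted API name, e.g. "connect" */
    uintptr_t   ret_lo, ret_hi;  /* caller return-address range [lo, hi) */
    uint32_t    remote_addr;     /* IPv4 in host byte order */
    uint32_t    remote_mask;     /* netmask applied before comparing */
    uint16_t    remote_port;
    int         error;           /* error signalled back to the caller */
} softwall_rule;

typedef struct {
    const char *function;
    uintptr_t   return_address;
    uint32_t    remote_addr;
    uint16_t    remote_port;
} call_info;

static int rule_matches(const softwall_rule *r, const call_info *c) {
    if (r->function && strcmp(r->function, c->function) != 0) return 0;
    if (r->ret_hi && (c->return_address < r->ret_lo || c->return_address >= r->ret_hi)) return 0;
    if ((c->remote_addr & r->remote_mask) != (r->remote_addr & r->remote_mask)) return 0;
    if (r->remote_port && r->remote_port != c->remote_port) return 0;
    return 1;
}

/* First matching rule wins; 0 means "no rule matched, call the real API". */
int softwall_decide(const softwall_rule *rules, size_t n, const call_info *c) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], c)) return rules[i].error;
    return 0;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample rules: by caller location, by remote subnet and port, by function only. */
static const softwall_rule SAMPLE_RULES[] = {
    { "connect", 0x00401000, 0x00402000, 0, 0, 0, SW_WSAETIMEDOUT },
    { "connect", 0, 0, IP4(192, 0, 2, 0), 0xFFFFFF00u, 443, SW_WSAECONNREFUSED },
    { "send",    0, 0, 0, 0, 0, SW_WSAEHOSTUNREACH },
};

int sample_decide(const char *fn, uintptr_t ret, uint32_t ip, uint16_t port) {
    call_info c = { fn, ret, ip, port };
    return softwall_decide(SAMPLE_RULES, sizeof SAMPLE_RULES / sizeof SAMPLE_RULES[0], &c);
}
```

A hook built this way would set the returned value as the thread's last error and return failure to the caller instead of forwarding the call whenever the result is non-zero.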

