Open-source tools for intercepting and modifying application internals at runtime for debugging and security analysis.
Frida is a dynamic binary instrumentation toolkit that provides a framework for deep process introspection and live application state manipulation. It enables the injection of custom scripts into running processes to trace function calls, modify memory, and analyze application behavior in real time across diverse operating systems and processor architectures. The project distinguishes itself by embedding a high-performance JavaScript engine directly within the target process, allowing for the execution of user-defined logic for real-time inspection. It utilizes instruction-level hooking to re
Frida is a comprehensive dynamic binary instrumentation toolkit that provides the exact runtime code injection, scripting, and memory manipulation capabilities required for deep application introspection and security research.
Objection is a dynamic instrumentation framework and runtime exploration toolkit for mobile application security analysis. It provides a command-line interface to interact with the memory and state of iOS and Android applications during active execution, serving as a toolkit for runtime analysis and security testing. The project distinguishes itself by providing specialized capabilities to bypass common mobile security controls, including SSL pinning, biometric authentication, and root or jailbreak detection. It enables the extraction of sensitive credentials and data from secure storage syst
Objection is a comprehensive dynamic instrumentation framework built specifically for mobile security research, offering robust features for runtime code injection, function tracing, and memory manipulation across iOS and Android.
bpftrace is a dynamic instrumentation tool and high-level tracing language for eBPF. It functions as a Linux kernel tracer and user-space profiler used to analyze live software behavior through the on-the-fly insertion of tracing and logging probes. The tool enables the collection of real-time data from the Linux kernel and applications to diagnose issues on live production systems. It intercepts user-level events using uprobes and USDT to debug and profile applications without modifying the original source code. The project covers system observability and performance analysis by monitoring
This tool provides powerful dynamic instrumentation and tracing capabilities for Linux systems, though it is primarily focused on observability and performance analysis rather than the active runtime modification of application internals.
Cheat Engine is a software reverse engineering suite and memory editor designed for the Windows environment. It functions as a comprehensive platform for inspecting, analyzing, and modifying the internal logic and data structures of running applications. The tool provides capabilities for real-time memory scanning and manipulation, allowing users to locate and alter specific values within a process's address space. It distinguishes itself through advanced debugging features, including hardware-assisted debugging, kernel-mode driver injection for bypassing memory protections, and dynamic binar
Cheat Engine is a powerful memory editor and debugger that provides robust runtime code injection, memory manipulation, and instrumentation capabilities, though it is primarily focused on the Windows environment rather than being a cross-platform framework.
ZygiskNext is an Android rooting integration layer and system hooking framework. It functions as a code injector for the Android Zygote process, allowing for the modification of system behavior across various rooting environments and superuser managers. The project provides a specialized API to intercept and modify low-level system calls. This enables the injection of custom code into the base process that spawns applications, facilitating deep Android system customization and rooted development. The framework utilizes dynamic library loading, hook-based runtime modification, and Java Native
ZygiskNext is a specialized dynamic instrumentation framework for Android that enables runtime code injection and system hooking, though its scope is limited to the Android Zygote process rather than general-purpose cross-platform application analysis.
ReZygisk is an Android root module framework and Zygote process injector. It functions as a native hooking engine and linker redirection tool designed to inject custom code into the Android Zygote process so that modifications are inherited by all spawned applications. The project provides a decoupled abstraction layer and Zygisk API implementation, allowing system modules to operate independently of specific root management tools. This ensures that root modules remain stable and compatible across various kernel-level rooting solutions. The framework includes capabilities for system process
ReZygisk is a native hooking and process injection framework for Android that enables runtime code modification and function tracing, fitting the category of dynamic instrumentation tools specifically for the Android ecosystem.
This project is an Android security analysis toolkit and mobile app runtime manipulator designed for reverse engineering and auditing mobile applications. It provides a system for modifying Java classes and method behavior in active mobile processes to bypass security controls. The toolkit includes a web-based interface for controlling the instrumentation engine and a specialized utility for disabling certificate validation to intercept and inspect encrypted network traffic via SSL pinning bypass. It also features an Android file explorer for browsing and managing files within private data di
This is a specialized mobile-focused dynamic instrumentation framework that leverages Frida to provide runtime function hooking, script injection, and method tracing for security analysis.
Magisk is an Android rooting framework designed to manage system-level modifications and grant administrative access to mobile devices. It functions by patching boot and recovery images to inject custom code into the operating system initialization sequence, allowing for system-wide control while maintaining compatibility with the underlying hardware. The project distinguishes itself through a systemless modification layer that overlays a virtual file system on top of read-only partitions, enabling changes without altering core system files. It includes a policy daemon to manage security cont
Magisk is a system-level modification framework for Android that includes dynamic binary instrumentation capabilities, making it a powerful tool for runtime analysis and process interception on mobile devices.
PINCE is a dynamic debugger, instruction tracer, and memory scanner designed for the analysis and manipulation of running processes. It functions as a process memory manipulator and editor, allowing for the identification, modification, and monitoring of values within a target application's active memory. The tool distinguishes itself through memory pointer analysis, tracing addresses and offsets to locate static pointers that lead to dynamic data across different sessions. It also enables the execution of internal functions within a running process by manipulating the instruction pointer and
PINCE is a powerful debugger and memory manipulation tool that provides the core capabilities for runtime process analysis and modification, serving as a specialized environment for reverse engineering and security research.
LSPosed is an Android runtime hooking framework and system modification tool. It enables the modification of application and system behavior in memory without altering original installation files, serving as a platform for distributing and managing community-created extension modules. The project provides a comprehensive suite for device and identity spoofing, including the ability to mask hardware identifiers, simulate geographic locations, and conceal root access or hooking frameworks to bypass security and integrity checks. It also functions as an application modder to unlock premium featu
LSPosed is a powerful Android-specific runtime hooking framework that enables the dynamic modification of application logic and system behavior in memory, fitting the core requirements for dynamic instrumentation despite its focus on the Android ecosystem.
This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory
This is a powerful graphical debugger that provides the runtime inspection, memory manipulation, and instruction tracing capabilities required for reverse engineering, though it is focused on interactive debugging rather than the programmatic instrumentation typical of scriptable frameworks.
dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, s
dnSpy is a powerful debugger and decompiler for .NET assemblies that provides the runtime inspection, memory manipulation, and code patching capabilities required for dynamic analysis, though it is specialized for the .NET ecosystem rather than being a general-purpose instrumentation framework.