Most penetration testers reach for Burp Suite when they need to inspect HTTP traffic. For web applications this works brilliantly. For Windows thick clients it often does not. Certificate pinning, custom TLS implementations, or simply ignoring the system proxy settings are all common in commercial desktop software - and they all render a traditional MITM proxy useless before the assessment even begins.
The problem with proxy-based approaches
A proxy operates at the network level, sitting between the client and the server. To decrypt TLS traffic it must intercept the handshake and present its own certificate to the application. Any application that pins the server certificate or its public key will detect this substitution immediately and refuse to complete the connection. The proxy never sees the plaintext, and the tester is left with a failed handshake and no data to work with.
Applications that ship their own TLS stack, rather than relying on Schannel and the OS certificate store, present the same problem from a different angle. Even if you add the proxy's CA certificate to the OS store, the application may never consult it: a statically linked OpenSSL build with its own bundled CA list, for example, validates the proxy's certificate against that list and rejects it.
How NetHook solves this
NetHook operates at the process level rather than the network level. It injects into the target process and hooks the WinSock, Schannel, and OpenSSL API calls that the application uses to send and receive data. A WinSock hook sees exactly what the application hands to the socket, which is plaintext for unencrypted connections. For TLS connections the plaintext is captured one layer up: the data passes through Schannel (EncryptMessage and DecryptMessage) and OpenSSL (SSL_write and SSL_read) before it is encrypted on the way out and after it is decrypted on the way in, and a hook at that layer sees it in the clear. Because no certificate is substituted, pinning never triggers, and because nothing sits on the network path, proxy settings and proxy bypass logic are irrelevant. The caveat is coverage: an application that carries a TLS implementation outside the hooked libraries (a custom or statically linked stack that is not one of them) exposes only ciphertext at the WinSock layer.
The assessment workflow
A NetHook assessment moves through four passes. The first two surface what the application sends under normal conditions; the last two turn that visibility into findings you can act on.
Step 1 - Select the target process
Launch NetHook and select the process by name or PID from the process list. You can configure NetHook to automatically inject the moment a matching process starts, which is useful for applications that spawn short-lived child processes to handle specific operations. Arm auto-inject before launching the application so the login exchange, which often carries the most interesting data, is not missed.
Step 2 - Capture baseline traffic
Perform normal application actions and review the captured events in the middle pane. Each event shows the hooked function call, the direction of data flow, the timestamp, and the raw bytes transferred. Note which function each event came from: a Schannel or OpenSSL hook means you are looking at plaintext that was about to be encrypted, while a WinSock event full of high-entropy bytes means that connection is encrypted by a layer the hooks did not cover. A typical baseline session covering login, core feature use, and logout gives you the full picture of what the application sends and receives under normal conditions.
Step 3 - Analyse and identify findings
Select any event to decode its payload as hex, ASCII, or structured data in the detail pane. Look for authentication tokens, API keys, and serialised objects in the very first requests after login. Authorisation, pricing and entitlement decisions that should be enforced server-side are frequently carried in plaintext fields that the client sends along and the server accepts without independent validation. Insecure serialisation formats - .NET BinaryFormatter, Java serialisation, or hand-rolled XML schemas - are worth examining carefully for object injection opportunities, particularly where the stream carries type names the server will resolve on deserialisation.
Step 4 - Modify traffic in flight
NetHook can modify the captured bytes before they leave the process. This allows you to test for injection points, manipulate business logic parameters, replay modified requests, and probe server-side validation without the application being aware that the data changed. Keep any length, checksum or signature fields the protocol carries consistent with the modified payload, or the server will reject the message before it reaches the logic you are probing. Hardcoded credentials or API tokens visible in the first request can be extracted and used directly against the backend, bypassing the client application entirely.
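The triage and rewrite logic of steps 3 and 4, as an added example that is not part of NetHook or of this page's original text. It assumes a hypothetical export shape of (hooked function, direction, raw bytes) per event; the events themselves are constructed for the example. It flags JWTs sent in the clear, recognises the .NET BinaryFormatter and Java serialisation stream headers, lists client-asserted fields in an outbound JSON body, and builds a modified request with a corrected Content-Length so the server still parses it:

```python
"""Triage hooked-call captures and build an in-flight rewrite (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Event shape assumed for this example: (hooked function, direction, raw bytes).
# A compact JWT is three base64url segments; the first two are JSON objects,
# so they always start with "eyJ" (base64url of '{"').
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")

# Leading bytes of the two serialisation formats named in the text.
SERIALISATION_MAGIC = {
    # Java ObjectOutputStream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
    bytes.fromhex("aced0005"): "Java serialisation stream",
    # .NET BinaryFormatter SerializationHeaderRecord: record type 0,
    # RootId 1, HeaderId -1, MajorVersion 1, MinorVersion 0.
    bytes.fromhex("0001000000ffffffff0100000000000000"): ".NET BinaryFormatter header",
}

# Field names that should never be trusted from the client (assumed list).
CLIENT_ASSERTED_FIELDS = {"role", "is_admin", "price", "discount", "user_id", "tier"}


def split_http(payload: bytes) -> Tuple[bytes, bytes]:
    """Split an HTTP message into (headers, body); non-HTTP data has an empty body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    return (head, body) if sep else (payload, b"")


def triage(event: Tuple[str, str, bytes]) -> List[str]:
    """Return the findings a tester would want to see for one captured event."""
    func, direction, payload = event
    findings = []
    for magic, name in SERIALISATION_MAGIC.items():
        if payload.startswith(magic):
            findings.append(f"{name} ({func}, {direction})")
    for m in JWT_RE.finditer(payload):
        findings.append(f"JWT in clear: {m.group(0)[:20].decode()}...")
    head, body = split_http(payload)
    if direction == "out" and body.startswith(b"{"):
        try:
            obj = json.loads(body)
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            for key in sorted(obj.keys() & CLIENT_ASSERTED_FIELDS):
                findings.append(f"client-asserted field '{key}'={obj[key]!r} sent to server")
    return findings


def rewrite_json_body(payload: bytes, overrides: Dict[str, object]) -> bytes:
    """Apply overrides to a JSON request body and fix Content-Length to match."""
    head, body = split_http(payload)
    obj = json.loads(body)
    obj.update(overrides)
    new_body = json.dumps(obj, separators=(",", ":")).encode()
    # A stale Content-Length is the most common reason a hand-edited request
    # is rejected before it reaches the server-side logic under test.
    new_head = re.sub(rb"(?im)^content-length:\s*\d+",
                      b"Content-Length: %d" % len(new_body), head)
    return new_head + b"\r\n\r\n" + new_body


# Constructed sample capture (not real traffic): a checkout request captured at
# the OpenSSL layer, a Java stream and a BinaryFormatter stream on other calls.
TOKEN = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.c2lnbmF0dXJlLWZvci1leGFtcGxl"
CHECKOUT_BODY = b'{"item":"SKU-4471","quantity":1,"price":49.99,"role":"user"}'
EVENTS = [
    ("SSL_write", "out",
     b"POST /api/checkout HTTP/1.1\r\nHost: api.example.test\r\n"
     b"Authorization: Bearer " + TOKEN + b"\r\nContent-Type: application/json\r\n"
     b"Content-Length: " + str(len(CHECKOUT_BODY)).encode() + b"\r\n\r\n" + CHECKOUT_BODY),
    ("send", "out", bytes.fromhex("aced0005") + b"sr\x00\x0bcom.example.Order"),
    ("EncryptMessage", "out", bytes.fromhex("0001000000ffffffff01000000000000000c")),
]

if __name__ == "__main__":
    for event in EVENTS:
        for finding in triage(event):
            print(f"[{event[0]}] {finding}")
    modified = rewrite_json_body(EVENTS[2 - 2][2], {"price": 0.01, "role": "admin"})
    print(modified.decode())
```

The rewrite is what you would set up as the in-flight modification for the checkout request: the same field the client asserts (`price`, `role`) is changed, and whether the server honours it is the finding.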
Getting started
NetHook runs on Windows 10 and Windows 11 (64-bit) and includes a 7-day free trial. A personal license is $18.95 and is available at nethook.truecyber.world. The license is per-user and is activated directly within the software under Help → Register.