Heavily inspired by APIMonitor, but for .NET binaries. DotNetMonitor can hook .NET binaries (using Harmony) and capture API calls, even when the binary is obfuscated in most cases.

• Selecting a call will highlight all other calls from the same instance object
• System.Random sequences can be recreated with right-click
• UI and console binaries are supported

To add an API to monitor, simply create a new Harmony patch class under the Patches directory. Inside the patched method, give MainForm.DispatchApiCall a CallStruct with the data to be collected. The extension method WithValues is necessary for proper collection of all parameter names with their values, including deep copies.

namespace DotNetMonitor.Patches
{
	[HarmonyPatch(typeof(MyClass))]
    class MyClassPatch
	{
		[HarmonyPostfix]
        [HarmonyPatch("Create", new Type[] { typeof(string) })]
        static void PostfixCreate(MyClass __instance, string parameter1, MyClass __result)
        {
            MainForm.DispatchApiCall(new CallStruct
            {
                Instance = __instance,
                MethodName = "Create",
                Parameters = MethodBase.GetCurrentMethod().GetParameters().WithValues(new CallLookup
                {
                    [nameof(parameter1)] = parameter1,
                    [nameof(__result)] = __result
                }),
            });
        }
	}
}

• Generally you will want to use a postfix patch to catch the return, unless it is a Setter
• Interfaces (e.g. ICryptoTransform) cannot have a postfix or prefix patch, they require a transpiler... which is more complicated than I ever got into it
• Be careful not to cause stack overflows with postfixes that may hook indefinitely (e.g. failed experiment with StringBuilder.ToString...)

• Do not run malware thru DotNetMonitor on your host machine!!! It should go without saying that the loaded binary is executed in full; no breakpoints or anything are made. Always execute malware in a properly sandboxed virtual machine.
• This tool was originally written for ransomware analysis in mind, so mostly crypto-related classes are hooked.
• It's recommended to run DotNetMonitor as administrator; if the binary you are running with it elevates with UAC, you will likely lose it.
• New threads created by the injected binary are not hooked.
• The UI may freeze for a moment if it is flooded with calls; if it fully crashes, everything is still logged to %USERPROFILE%\Desktop\harmony.log.txt
• I wrote this project several years ago, and have forgotten many aspects of the internals without analyzing the code.
• The project has only been explicitly tested with Harmony v2.0.4.

• Add more hooks
• Implement the API filter to actual hook/unhook desired APIs during runtime
  • Maybe have a config file for selected hooks?
• Display ASCII with the hex view
• Support passing command line arguments to the loaded binary
• Maybe do some anti-anti-debugging?
• Generate patch codes using .NET Roslyn Compiler API automatically