Perhaps some novelty but...
Many years ago I found myself with access to somebody open Wi-Fi router which had default passwords for the admin interface. With that in mind it seemed fairly obvious that manually setting the DNS server in the DHCP settings would allow me to redirect the owner of the router's traffic.
Whilst not as complex as the binder described here I was able to cobble together an infection tool that would essentially proxy requests and inject code into a binary as it was downloaded in about 2 days. I'd already written a tool years before that allowed for adding new sections to PE executables and it was only a matter of converting it to be able to work on-the-fly by buffering just enough of the PE header to know where to to the entry point for the program to before letting the rest pass through until it came time to tacking on the extra malicious code on the end.
I never actually used the code as it was more a proof-of-concept/I wonder if I could do it kind of thing but it worked in my own test environment.