
Memory

Domain: memory

Memory analysis domain for native scans, pointer-chain discovery, structure inference, and breakpoint-based observation.

Profiles

  • full

Typical scenarios

  • Run first/next scans to narrow target values
  • Analyze pointer chains and in-memory structures
  • Manage scan sessions and memory breakpoints

Common combinations

  • memory + process
  • memory + debugger
  • memory + workflow

Full tool list (34)

  • memory_first_scan: Start a new memory scan session.
  • memory_next_scan: Narrow an existing scan session.
  • memory_unknown_scan: Start an unknown initial value scan.
  • memory_pointer_scan: Find pointers to a target address.
  • memory_group_scan: Search for multiple values at known offsets simultaneously.
  • memory_scan_session: Manage scan sessions. Actions: list (all sessions), delete (by sessionId), export (as JSON).
  • memory_pointer_chain: Pointer chain operations: scan (find chains to target), validate, resolve, or export as JSON.
  • memory_structure_analyze: Analyze memory at an address to infer data structure layout.
  • memory_vtable_parse: Parse a vtable to enumerate virtual function pointers and resolve them to module+offset. Also attempts RTTI parsing for class name and inheritance hierarchy.
  • memory_structure_export_c: Export an inferred structure as a C-style struct definition with offset comments and type annotations.
  • memory_structure_compare: Compare two structure instances to identify which fields differ (dynamic values like health/position) vs which are constant (vtable, type flags). Useful for finding important fields.
  • memory_breakpoint: Hardware breakpoint via x64 debug registers (DR0-DR3). Actions: set, remove, list, trace.
  • memory_patch_bytes: Write bytes to target process at address. Saves original bytes for undo. Use for runtime code patching.
  • memory_patch_nop: NOP out instructions at address (replace with 0x90). Useful for disabling checks or jumps.
  • memory_patch_undo: Undo a previous patch by restoring the original bytes.
  • memory_code_caves: Find code caves (runs of 0x00 or 0xCC) in executable sections of loaded modules. Returns largest caves first.
  • memory_write_value: Write a typed value to a memory address. Supports undo/redo via memory_write_history(action=undo|redo).
  • memory_freeze: Freeze or unfreeze a memory address. Freeze continuously writes a value to prevent changes; unfreeze stops it.
  • memory_dump: Dump memory region as hex with ASCII column. Outputs a formatted hex dump similar to xxd.
  • memory_speedhack: Hook time APIs (GetTickCount64/GetTickCount/QueryPerformanceCounter) to scale process time via an in-process SSE2 trampoline. Actions: apply (hook + set speed), set (adjust speed without re-hooking), restore (unhook and restore original functions). Speed range 0.01–100x; values outside this range are rejected to avoid destabilising the target.
  • memory_write_history: Undo or redo the last memory write operation. Pass pid to scope the operation to a specific process; per-PID undo prevents reverting an unrelated process's write when multiple processes are being edited concurrently.
  • memory_heap_enumerate: Enumerate all heaps and heap blocks in a process via Toolhelp32 snapshot. Returns heap list with block counts, sizes, and overall statistics.
  • memory_heap_stats: Get detailed heap statistics with size distribution buckets (0-64B, 64B-1KB, 1-64KB, 64KB-1MB, >1MB), fragmentation ratio, and aggregate metrics.
  • memory_heap_anomalies: Detect heap anomalies: heap spray patterns (many same-size blocks), possible use-after-free (non-zero free blocks), and suspicious block sizes (0 or >100MB).
  • memory_pe_headers: Parse PE headers (DOS, NT, File, Optional) from a module base address in process memory. Returns machine type, entry point, image base, section count, and data directory info.
  • memory_pe_imports_exports: Parse import and/or export tables from a PE module in process memory. Returns DLL names, function names, ordinals, hints, and forwarded exports. Cross-platform: parses ELF .dynsym / Mach-O LC_SYMTAB from disk when moduleName is given on Linux/macOS.
  • memory_inline_hook_detect: Detect hooks in process modules. scanMode "inline" (default) compares the first 16 bytes of each exported function disk-vs-memory and recognises 8 hook patterns (JMP/CALL/short-jmp/MOV+JMP/MOV+CALL/PUSH+RET/INT3/padding). scanMode "iat" detects Import Address Table hooks (entries redirected outside their source module; evades inline detection, used by EasyHook/MinHook/Detours). scanMode "both" runs both scans.
  • memory_anticheat_detect: Scan process imports for anti-debug/anti-cheat mechanisms: IsDebuggerPresent, NtQueryInformationProcess, timing checks (QPC, GetTickCount), thread hiding, heap flag checks, and DR register inspection. Each detection includes a bypass suggestion.
  • memory_guard_pages: Find all memory regions with PAGE_GUARD protection in a process. Guard pages are often used as anti-tampering mechanisms or stack overflow detection.
  • memory_integrity_check: Check executable memory regions against their corresponding on-disk PE files (.text sections) to detect modifications like inline hooks or code patches.
  • memory_region_enumerate: Enumerate memory regions in a target process. Cross-platform: Windows (VirtualQueryEx), macOS (mach_vm_region), Linux (/proc/pid/maps). Returns base address, size, protection (r/w/x/rw/rx/rwx), state, type (image/mapped/private), and module name (if module-backed).
  • memory_aob_scan: Array-of-Bytes scan with wildcard support. Search for byte patterns like "48 8B ?? ?? 00 00" across readable memory. Accepts hex bytes (00-FF, optional 0x prefix) and "??" wildcards. Case insensitive.
  • memory_find_accesses: Find what writes to or accesses a memory address (Cheat Engine MWT workflow). Sets a hardware breakpoint on the target address, auto-rearms after each hit, captures the faulting instruction address + context + timestamp, and optionally disassembles the instruction. Returns aggregated hits with per-hit instruction details.
  • memory_parse_dump: Parse a Windows Minidump (.dmp) file and extract forensic information: loaded modules (base/size/name/timestamp), threads (ID/stack/context), memory ranges (64-bit or 32-bit), system info (OS/CPU), and exception records. Optionally resolve a list of addresses against the dump contents. Pure TS, cross-platform (can analyze Windows dumps on Linux/macOS).

Released under AGPL-3.0-only