Process

Domain: process

Process, module, memory diagnostics, and controlled injection domain for host-level inspection, troubleshooting, and Windows process experimentation workflows.

Profiles

  • full

Typical scenarios

  • Enumerate processes and inspect modules
  • Diagnose memory failures and export audit trails
  • Perform controlled DLL/shellcode injection in opt-in environments

Common combinations

  • process + debugger
  • process + platform

Full tool list (25)

Tool | Description
--- | ---
process_find | Search for processes by name pattern. Returns a list of matching processes with PID, name, path, and window information.
process_list | List all running processes. This is an alias for process_find with an empty pattern.
process_get | Get detailed information about a specific process by PID, including command line, parent PID, and debug port status.
process_kill | Terminate a process by PID. Requires appropriate privileges.
process_windows | Get all window handles for a process.
process_check_debug_port | Check if a process has a debug port enabled for CDP attachment.
process_launch_debug | Launch an executable with remote debugging port enabled.
electron_attach | Attach to an Electron CDP port and optionally evaluate in a matching page.
memory_read | Read memory from a process at a specific address. Requires elevated privileges. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_write | Write data to process memory at a given address. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_scan | Scan process memory for a pattern or value. Requires elevated privileges. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_check_protection | Check memory protection flags at a specific address. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_scan_filtered | Refine a previous memory scan with filtered addresses. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_batch_write | Write multiple memory patches at once. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_dump_region | Dump a process memory region to a binary file for offline analysis. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_list_regions | List all memory regions in a process with protection flags. If pid is omitted, the active browser renderer PID is auto-discovered from the current browser session.
memory_audit_export | Export the in-memory audit trail for memory operations as JSON.
inject_dll | Inject a DLL into a target process. Requires elevated privileges. Target process and payload are validated before injection.
inject_shellcode | Allocate and execute raw shellcode in a target process. Requires elevated privileges. Target process and payload are validated before injection.
check_debug_port | Check if a process is being debugged using NtQueryInformationProcess (ProcessDebugPort).
enumerate_modules | List all loaded modules (DLLs) in a process with their base addresses.
process_enum_threads | Enumerate all threads in a process. Returns thread IDs. Cross-platform: Win32 uses CreateToolhelp32Snapshot; Linux reads /proc/{pid}/task; macOS uses ps -M.
process_detect_hollowing | Detect process hollowing (a malware technique that unmaps the original process image and injects malicious code). Compares process memory sections (.text, .data, .rdata) with the on-disk PE file using SHA-256 hashes. Returns a detection result with confidence score and list of differing sections. WARNING: autoRestore=true is HIGH RISK, may crash the target process, and is Win32-only. Cross-platform: Win32 compares PE sections; Linux/macOS compare ELF/Mach-O executable sections via IntegrityScanner (autoRestore unavailable).
process_enum_handles | Enumerate open handles for a process using NtQuerySystemInformation. Resolves handle type and object name, decodes access masks, and identifies security risks (high-privilege handles to sensitive processes, dangerous Token handles, inheritable sensitive handles, Section handles to executables). Skips name resolution for File/EtwRegistration types (known to hang). Requires elevated privileges (run as Administrator). Win32 only.
process_detect_apc | Detect APC (Asynchronous Procedure Call) injection in a process. Enumerates threads, probes each thread's APC queue via NtQueryInformationThread(ThreadApcState), and detects threads in an alertable wait state (SleepEx/WaitForMultipleObjectsEx). Returns a verdict (clean/suspicious/infected), confidence score, and risk reasons. Requires elevated privileges (run as Administrator). Win32 only.

Released under AGPL-3.0-only