Skip to content

Basic Workflow

This guide walks you through the fundamental process of analyzing memory with Memril, from initial setup to finding and analyzing data.

Overview

A typical Memril analysis session follows this general pattern:

  1. Attach to a target process or driver
  2. Explore the memory layout to understand the target
  3. Locate data or code of interest
  4. Analyze the findings using appropriate tools
  5. Document your discoveries for future reference

Step 1: Attachment

Starting Memril

  1. Launch as Administrator - Required for process attachment and kernel analysis
  2. Select target from the process list or driver list
  3. Wait for loading - Memril maps memory regions and loads metadata

Step 2: Memory Layout Exploration

Using the Regions Window

Start your analysis in the Regions Window:

  1. Review region categories - Process image, DLLs, private memory, etc.
  2. Expand interesting regions - Look at individual pages
  3. Note protection flags - Identify executable, writable, or read-only areas
  4. Check for unusual regions - Injected code, packed sections, etc.

Key Regions to Examine

Process Image

  • The main executable - start here for code analysis
  • Look for custom sections or unusual characteristics
  • Check for packers or protectors

System DLLs

  • Standard Windows libraries (ntdll.dll, kernel32.dll)
  • Usually safe to ignore unless doing system analysis
  • May contain hooks or patches

Modules

  • Loaded libraries and plugins
  • Third-party components
  • Potential injection targets

Private Memory

  • Dynamically allocated memory
  • Heap data and runtime structures
  • Good targets for value scanning

Step 3: Finding Data of Interest

Using the Scanner Window

The scanner is your primary tool for finding unknown data:

Unknown Value Scanning

  1. Select "Unknown Initial" scan type
  2. Choose appropriate data type (Int32 for counters, Float for coordinates)
  3. Apply region filter if needed
  4. Run first scan - This captures all current values
  5. Modify the target - Change the value you're looking for
  6. Run "Changed" scan - Find values that changed
  7. Repeat until you have a manageable number of results

Known Value Scanning

If you know what you're looking for:

  1. Select "Exact Value" scan type
  2. Enter the known value
  3. Choose appropriate data type
  4. Run scan

Range Scanning

For values within a specific range:

  1. Select "Range" scan type
  2. Enter minimum and maximum values
  3. Run scan

Pattern and String Searching

Using the Strings Window

  1. Select memory regions to search
  2. Adjust minimum length filter
  3. Browse extracted strings
  4. Bookmark interesting strings

Hex Pattern Searching

In the Hex Editor:

  1. Use Find function (Ctrl+F)
  2. Enter byte patterns with wildcards (e.g., "48 8B ?? 50")
  3. Search across regions

Step 4: Analysis Techniques

Code Analysis

Using the Disassembly Window

  1. Select executable regions
  2. Navigate through assembly code
  3. Look for interesting instructions (calls, jumps, comparisons)
  4. Set breakpoints on key functions
  5. Analyze import/export usage

Key Things to Look For

  • Function prologs/epilogs - Standard function patterns
  • String references - Cross-references to interesting strings
  • API calls - Calls to system functions
  • Conditional branches - Decision points in the code
  • Loops - Repetitive operations

Data Analysis

Using Bookmarks

  1. Add scan results as bookmarks
  2. Set appropriate data types (Int32, Float, String, etc.)
  3. Monitor value changes over time
  4. Group related bookmarks

Structure Definition

For complex data:

  1. Use Structures Window to define data layouts
  2. Apply structures to memory regions
  3. Visualize relationships between data fields

Import/Export Analysis

Understanding Dependencies

  1. Use Imports Window to see what functions the process uses
  2. Check Exports Window for available functions
  3. Look for unusual imports - May indicate functionality
  4. Trace import usage in disassembly

Step 5: Documentation and Organization

Bookmark Management

  • Use descriptive labels - "Player Health", "Game Score", etc.
  • Group related bookmarks - Use consistent naming conventions
  • Add comments explaining the purpose of each bookmark
  • Export bookmark lists for sharing or backup

Structure Documentation

  • Name structures clearly - Reflect their purpose
  • Add field comments - Explain what each field represents
  • Export header files - Generate C/C++ definitions
  • Save structure templates - Reuse for similar analysis

Memory Dumps

  • Save critical regions - Export important memory areas
  • Document dump context - Note when and why dumps were taken
  • Include metadata - Process state, timestamp, etc.

Common Workflow Patterns

Game Value Analysis

  1. Attach to game process
  2. Unknown initial scan for player stats
  3. Change value in-game (take damage, gain points)
  4. "Changed" scan to narrow results
  5. Repeat until value is found
  6. Bookmark and monitor the value
  7. Test modifications to confirm functionality

Malware Analysis

  1. Load malware in isolated environment
  2. Examine process image for packing/obfuscation
  3. Extract strings for IOCs and configuration
  4. Analyze import table for API usage patterns
  5. Set breakpoints on suspicious functions
  6. Document findings and create signatures

Reverse Engineering

  1. Identify main executable region
  2. Locate entry points via exports or known addresses
  3. Analyze function structure and calling conventions
  4. Map data structures used by the application
  5. Document algorithms and protocols
  6. Create structure definitions for key data types

Memory Corruption Analysis

  1. Attach to unstable process
  2. Scan for buffer contents before corruption
  3. Set access breakpoints on buffer regions
  4. Monitor for unexpected writes
  5. Analyze call stack when breakpoints hit
  6. Document corruption patterns

Troubleshooting Common Issues

Attachment Problems

  • Run as Administrator - Required for most processes
  • Check process architecture - 32-bit vs 64-bit compatibility
  • Verify process state - Some protected processes can't be analyzed
  • Antivirus interference - May block memory access

Scanning Issues

  • Too many results - Use more specific data types or region filters
  • No results found - Value may be stored differently than expected
  • Results disappear - Value may be dynamically allocated
  • Performance problems - Limit scan scope to relevant regions

Analysis Difficulties

  • Packed/obfuscated code - May need unpacking first
  • ASLR randomization - Addresses change between runs
  • Anti-analysis measures - May detect and react to debugging
  • Complex data structures - May require reverse engineering

Next Steps

With this basic workflow understanding:

  • Practice on simple targets first
  • Explore specific windows for detailed functionality
  • Learn advanced techniques in specialized guides
  • Join community discussions to share techniques and get help

Each memory window has detailed guides with specific techniques and advanced features to help you become more proficient with Memril's capabilities.