Core Concepts

Understanding these fundamental concepts will help you work more effectively with Memril's memory analysis capabilities.

Memory Hierarchy

Memril organizes memory analysis around a hierarchical structure that reflects how Windows manages virtual memory:

Processes/Drivers

The top level represents the target of your analysis:

Processes - Applications and user/system programs
Drivers - Windows kernel and driver memory

Regions

Contiguous memory areas with similar properties and protection:

Process Image - The main executable file (if process is selected)
Driver - Kernel driver (if driver is selected)
System DLLs - Windows system libraries (ntdll.dll, kernel32.dll, etc.)
Modules - Loaded libraries, plugins, and dependencies
Private Memory - Process-allocated heap and stack memory
Mapped Files - Memory-mapped files and data
Allocated Memory - User allocated kernal-land memory blocks done via Memril

Pages

Individual 4KB memory pages within regions:

Mapped - Accessible and backed by physical memory
Reserved - Address space reserved but not accessible (will be displayed as unmapped)
Free - Available address space (currently not shown in Memril)

Sections

PE file sections within executable modules:

.text - Executable code
.data - Initialized data
.rdata - Read-only data and imports
.rsrc - Resources (icons, strings, etc.)
Custom sections defined by the application

Threads

Execution contexts within the process:

Thread ID - Unique identifier
Start Address - Entry point for thread execution
State - Current execution state (running, waiting, etc.)

Memory States and Protection

Protection Flags

Memory pages have protection attributes that control access:

R - Readable
W - Writable
X - Executable
C - Copy-on-write
G - Guard page (triggers exception on access)

Examples:

RWX - Read, write, execute (common for JIT code)
RW- - Read, write (typical for data sections)
R-X - Read, execute (typical for code sections)
R-- - Read-only (constants, read-only data)

Selection Model

Memril uses a unified selection system where most windows operate on the current selection:

Selection Types

Region - An entire memory region
Page - A specific 4KB page within a region
Thread - A process execution context
Section - A PE file section

Selection Propagation

When you select something in one window, other windows automatically update:

Select a region → Hex editor shows that region's memory
Select a page → Details window shows page information
Click a scan result → Memory editor jumps to that address
Select a thread → Shows thread's start address and context

Selection Context

The selection provides context for operations:

Memory scanning is limited to selected regions
Disassembly shows code from the selected executable region
String extraction processes the selected memory area
Structure overlay applies to the selected memory location

Address Spaces

Virtual vs Physical Addresses

Virtual Addresses - Process-specific memory addresses (what the application sees)
Physical Addresses - Actual RAM locations (managed by the OS)
Mapped Addresses - Memril's internal mapping for analysis

Memril works primarily with virtual addresses, automatically handling the mapping to physical memory for analysis.

Address Translation

When you see addresses in Memril:

Base Address - The starting virtual address of a region
Offset - Distance from the base address
RVA (Relative Virtual Address) - Offset from the module's base address
File Offset - Position in the original file on disk

Memory Analysis Concepts

Static vs Dynamic Analysis

Static - Analyzing memory contents at a point in time
Dynamic - Monitoring memory changes over time
Real-time - Live analysis as the process executes

Value Types

Memril can interpret memory as different data types:

Integers - 8, 16, 32, 64-bit signed and unsigned
Floating Point - 32-bit float, 64-bit double
Strings - ASCII and Unicode text
Addresses - Pointers to other memory locations
Structures - Complex data types with multiple fields

Scan Strategies

Different approaches for finding data in memory:

Known Value - Search for specific values you know
Unknown Value - Find all values, then track changes
Pattern Matching - Search for byte patterns with wildcards
Range Scanning - Find values within a specific range

Process Architecture

Import/Export System

How modules connect to each other:

Imports - Functions the module needs from other modules
Exports - Functions the module provides to other modules
Import Address Table (IAT) - Runtime addresses of imported functions
Export Address Table (EAT) - List of exported function addresses

Data Structures

Bookmarks

Saved memory locations with metadata:

Address - Virtual memory location
Value Type - How to interpret the data
Label - User-defined description
Frozen State - Whether the value is locked

Breakpoints

Hardware-assisted debugging points:

Execute - Break when code at address is executed
Write - Break when memory at address is written
Access - Break when memory at address is read or written

Structure Definitions

Custom data type definitions:

Fields - Individual data elements within the structure
Offsets - Position of each field within the structure
Types - Data type of each field (int, float, string, etc.)
Arrays - Repeated elements of the same type

Common Terms

Term	Definition
DTB	Directory Table Base - kernel structure for process memory mapping
EPROCESS	Kernel structure containing process information
PEB	Process Environment Block - usermode process information
VAD	Virtual Address Descriptor - kernel structure describing memory regions
PE	Portable Executable - Windows executable file format
RVA	Relative Virtual Address - offset from module base
ASLR	Address Space Layout Randomization - security feature
DEP	Data Execution Prevention - prevents code execution in data regions

Next Steps

Now that you understand the core concepts, learn about:

Interface Layout - How Memril's windows are organized
Basic Workflow - Step-by-step analysis process
Memory Windows - Detailed window functionality