Memory Regions

Memory Regions Interface

The Memory Regions window provides a comprehensive view of all memory regions within the target process. It displays regions organized by type with hierarchical page information, advanced search capabilities, and memory management operations for detailed process memory analysis.

Features

Region Display

  • Hierarchical View: Memory regions with expandable page listings
  • Type Categorization: Regions grouped by Process Image, System DLLs, Modules, Mapped Files, Private Memory, Allocated Memory, Drivers, and Other
  • Address Information: Base addresses and mapped addresses for all regions and pages
  • Size Display: Human-readable size formatting (B, KB, MB, GB)
  • Real-Time Filtering: Search regions by name, address, or section name
  • Case-Insensitive Matching: Find results regardless of text case
  • Address Search: Search with or without 0x prefix
  • Page-Level Search: Filter individual pages within regions
  • Auto-Expansion: Matching regions automatically expand to show relevant pages

Memory Operations

  • Memory Dumping: Export raw memory dumps or rebuild PE executables
  • Zero Memory: Clear allocated memory regions
  • Memory Execution: Execute kernel memory regions
  • File Location: Open containing file location in explorer

Data Export

  • Clipboard Integration: Copy addresses, sizes, protection flags, and filenames
  • Full Details Export: Complete region/page information export
  • Selective Copying: Individual field copying through context menu
  • Multiple Formats: Address copying with proper formatting

How It Works

The Memory Regions window enumerates all virtual memory regions within the target process, categorizes them by type, and provides detailed information about memory layout, protection flags, and file mappings. It tracks both region-level and page-level information for comprehensive memory analysis.

User Interface

Main Display Area

Component          Description
Region Categories  Collapsible sections for each memory region type
Region Entries     Base address and filename with expandable page listings
Page Entries       Individual page addresses with section names
Search Bar         Real-time filtering with magnifying glass icon

Region Categories

  • Process Image: Main executable module
  • System DLLs: Operating system libraries
  • Modules: Loaded application modules
  • Mapped Files: File-backed memory mappings
  • Private Memory: Process-private allocations
  • Allocated Memory: Dynamically allocated regions
  • Driver: Kernel driver modules
  • Other: Miscellaneous memory regions

Visual Indicators

  • Selection Highlighting: Selected regions/pages shown in gold
  • Unmapped Regions: Red text for regions with no mapped address
  • Section Names: Gray text showing page section names
  • File Information: Gray text displaying associated filenames

Context Menu Options

  • Copy Menu: Address, mapped address, size, protection, filename, type, full details
  • Memory Operations: Zero out, execute (for allocated memory)
  • Bookmarking: Add bookmark at region address
  • Dump Options: Raw memory dump or PE rebuild
  • File Operations: Open file location in explorer

Advanced Features

Search Functionality

  • Multi-Target Search: Searches region names, addresses, and page sections
  • Filtered Display: Shows only matching regions with highlighted pages
  • Smart Expansion: Auto-expands regions containing matching pages
  • Result Counting: Displays total matches found
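
The search behaviour described above (case-insensitive matching, optional 0x prefix, page-level matches that auto-expand their region, and a match count) can be modelled as follows. This is an added illustration, not the tool's own code: the `Region` and `Page` types, the substring-matching rule, the counting rule, and the sample data are all assumptions made for the example.

```python
# Illustrative model of the documented search behaviour; not the tool's code.
from dataclasses import dataclass, field

@dataclass
class Page:
    address: int
    section: str = ""   # e.g. ".text"; empty when the page has no section name

@dataclass
class Region:
    name: str           # filename or label shown for the region
    base: int
    pages: list = field(default_factory=list)

HEX_DIGITS = set("0123456789abcdef")

def _addr_matches(hex_query, address):
    # Assumption: an address matches on any substring of its hex digits.
    is_hex = bool(hex_query) and set(hex_query) <= HEX_DIGITS
    return is_hex and hex_query in format(address, "x")

def search(regions, query):
    """Return (results, total); results holds (region, pages, expanded)."""
    raw = query.strip().lower()                        # case-insensitive
    hex_q = raw[2:] if raw.startswith("0x") else raw   # 0x prefix optional
    results, total = [], 0
    if not raw:
        return results, total
    for r in regions:
        region_hit = raw in r.name.lower() or _addr_matches(hex_q, r.base)
        pages = [p for p in r.pages
                 if raw in p.section.lower() or _addr_matches(hex_q, p.address)]
        if region_hit or pages:
            # A region auto-expands only when one of its pages matched.
            results.append((r, pages, bool(pages)))
            # Assumption: each matching region and page counts once.
            total += int(region_hit) + len(pages)
    return results, total

# Constructed sample data: two image-backed regions and one unnamed region.
SAMPLE = [
    Region("target.exe", 0x7FF6A0000000,
           [Page(0x7FF6A0001000, ".text"), Page(0x7FF6A0005000, ".data")]),
    Region("ntdll.dll", 0x7FFB12340000, [Page(0x7FFB12341000, ".text")]),
    Region("", 0x1F0000),
]

if __name__ == "__main__":
    for q in ("0X7ff6a0001000", ".TEXT", "NTDLL", "1f0000"):
        hits, n = search(SAMPLE, q)
        print(q, n, [(r.name, len(p), e) for r, p, e in hits])
```
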

Memory Management

  • PE Reconstruction: Rebuild executable files from memory regions
  • Kernel Operations: Execute and manipulate kernel memory regions
  • Memory Clearing: Zero out allocated memory for analysis
  • File Association: Direct links to source files on disk

Performance Optimization

  • Virtual Scrolling: Efficient rendering of large page lists using clipper
  • Lazy Loading: Pages rendered only when regions are expanded
  • Filtered Rendering: Only matching items displayed during search
  • Memory Efficient: Minimal overhead for large process analysis

Usage Tips

  • Use the search bar to quickly locate specific modules or memory addresses
  • Expand region categories to see individual pages within each memory region
  • Right-click any region to access dumping, bookmarking, and copy options
  • Use the PE rebuild feature to extract executables from memory
  • Monitor allocated memory regions for dynamic analysis
  • Sort regions by type to understand process memory layout
  • Copy addresses for use in other analysis tools
  • Use file location feature to examine original binaries on disk
  • Search by section names (like .text, .data) to find specific code/data regions
  • Combine with hex view for detailed memory examination