Reference map for core process readers, process memory access, pointer chains,
pattern scanning, PE helpers, modules, code caves, and backend selection.
Optional package-specific readers belong in nuget/.
_EPROCESS list when the backend can

- IProcess is the top-level target process abstraction.
- IProcessMemory exposes process memory facade.
- IMemoryAccessor is the practical read/write API.
- IMemoryBackend performs low-level operations.
- RemoteMemoryObject is a small helper base for objects that represent a
  IMemory view.

- EyeAuras.Memory.Shared contains contracts.
- EyeAuras.Memory contains local process access.
- EyeAuras.Memory.KD contains kernel-driver-backed access.
- EyeAuras.Memory.MPFS contains MemProcFS / LeechCore / VMM access.

- IProcess - IsValid, ProcessName, ProcessId, Memory,
  GetProcessModules(), GetThreads(), VirtualQuery(...),
  GetMemoryRegions().
- IProcessMemory - process memory facade.
- IMemoryAccessor - typed reads/writes, pointer reads, pointer-chain reads.
- IMemory - memory view, often module-scoped through MemoryOfModule(...).
- RemoteMemoryObject - base class for address-backed memory object wrappers.
- IMemoryBackend - backend implementation contract.
- IProcessControlApi - allocation, protection, CreateThread,
  ExecuteCode, suspend/resume, APC where supported.
- IProcessSupportsManualMapping - opt-in marker for backends that can stage
  IProcess plus
  IProcessControlApi.
- LocalProcess - normal local user-mode reader.
- NativeLocalProcess - native local backend with permission tuning.
- KDProcess - kernel-driver-backed reader.
- LCProcess, ILCProcessBuilder - MPFS/LeechCore/VMM readers.
- MemoryExtensionsForPatterns, BytePattern, StringPattern - signature
- MemoryExtensionsForCodeCaves, CodeCaveEntry - module-scoped code-cave
  0x00, 0xCC, and 0x90 runs as valid cave padding.
- MemoryExtensionsForImports, MemoryExtensionsForExports,
  ProcessPEExtensions - PE helpers.
- MemoryExtensionsForEprocess - backend-neutral helpers for reading
  _EPROCESS, PEB, and loader-list
  IMemoryReader that can read the relevant virtual
- MemoryExtensionsForTebPeb - backend-neutral helpers for reading a PEB
  RTL_USER_PROCESS_PARAMETERS through any
  IMemoryReader that can read the target user-mode address space. It also
- ReadProcessInformation - reads PID and image-name information from an
  _EPROCESS address without exposing raw kernel structures.
- ReadProcessModulesViaEprocess - reads loaded modules through the PEB
  _EPROCESS and returns ProcessModuleInformation.
- ReadTebAddressViaThreadHandle - queries the live local OS for
  ThreadBasicInformation.TebBaseAddress from an already-open thread handle.
- ReadTebAddressViaThreadId - opens a live local Windows thread by id,
- ReadPebAddressViaTeb - reads TEB.ProcessEnvironmentBlock from a
- ReadProcessModulesViaPeb - reads loaded modules through a caller-supplied
- ReadProcessModulesViaTeb - composes TEB-to-PEB reading with PEB loader-list
- ReadProcessParametersViaPeb - reads command-line, image-path,
- ReadProcessParametersViaTeb - composes TEB-to-PEB reading with
  RTL_USER_PROCESS_PARAMETERS reading.
- ReadArchitectureViaEprocess - reads process architecture from kernel
  _EPROCESS.WoW64Process.
- ReadArchitectureViaTeb - reads process architecture from a TEB self
- ReadArchitectureViaPeb - reads architecture from PEB.ImageBaseAddress

Attach from selected window:
IWindowHandle.ProcessId.IsValid and ProcessId.

Read pointer chain:
IMemoryAccessor.ReadPointerChain or ReadPointerChain32.

Scan signature:
BytePattern or StringPattern.

Find a code cave:
MemoryOfModule(...).EnumerateCodeCaves(minBytes, alignment) for executable caves.
sectionFilter and acceptedFillBytes when the cave is for data
Read<T> and Write<T>; use

Read entity list:
IMemory.

Enumerate processes from kernel memory:
KDProcess
_EPROCESS address from the backend/driver/acquisition.
ReadProcessesViaEprocess(eprocessAddress).
ReadProcessInformation(eprocessAddress) for a single process
ReadProcessModulesViaEprocess(eprocessAddress) for module data when
ReadArchitectureViaEprocess(eprocessAddress) when architecture
_EPROCESS.WoW64Process.
_EPROCESS, PEB, and loader-list offsets.

Enumerate modules from user-mode memory without OS snapshot APIs:
ReadTebAddressViaThreadId; use ReadTebAddressViaThreadHandle when a
ReadPebAddressViaTeb(tebAddress, architecture) when starting from a
ReadArchitectureViaTeb(tebAddress) first when the architecture is
ReadArchitectureViaPeb(pebAddress) when the architecture is unknown
ReadProcessModulesViaPeb(pebAddress, architecture) or
ReadProcessModulesViaTeb(tebAddress, architecture) for module data.
ReadProcessParametersViaPeb(pebAddress, architecture) or
ReadProcessParametersViaTeb(tebAddress, architecture) for startup

Manual-map a DLL into a compatible target:
IProcess that also implements IProcessSupportsManualMapping.
LocalProcess and NativeLocalProcess.
WHProcess supports x64 GUI targets
InjectDllViaManualMapping(...); the mapper relies on
IProcessControlApi.ExecuteCode(...) for synchronous completion before it
CreateThread(...) as a waitable completion primitive; it is

IProcess as target contract.
LocalProcess for ordinary local access.
NativeLocalProcess for native handle/permission tuning.
KDProcess only when driver access is expected.
LCProcess / ILCProcessBuilder for acquisition/VMM scenarios.

[field: FieldOffset(...)] auto-properties,
ReadTebAddressViaThreadId or ReadTebAddressViaThreadHandle for
ReadArchitectureViaTeb.
IMemoryAccessor.Read<T> and IMemoryAccessor.Write<T> for
MemoryOfModule(...).EnumerateCodeCaves(...) before writing local
CreateThread(...); use
IProcessControlApi.ExecuteCode(...) or a backend that exposes
IProcessSupportsManualMapping.
ReadProcessesViaEprocess on ordinary user-mode process memory;
_EPROCESS, PEB, or loader-list snapshots from the
ProcessInformation,
ProcessModuleInformation, and Architecture; low-level readers can define
Marshal.OffsetOf<T>(nameof(...)), auto-property
[field: FieldOffset(...)] declarations.
BinaryPrimitives, MemoryMarshal, or manual byte packing as a thin

IProcess, IProcessMemory, IMemoryAccessor, IMemoryBackend,
IProcessControlApi, IProcessControlApi.ExecuteCode,
IProcessSupportsManualMapping, LocalProcess, NativeLocalProcess, KDProcess,
LCProcess, ILCProcessBuilder, ReadPointerChain, VirtualQuery,
BytePattern, StringPattern, MemoryExtensionsForPatterns,
ProcessPEExtensions, MemoryExtensionsForEprocess,
MemoryExtensionsForTebPeb, ReadPebAddressViaTeb,
ReadProcessModulesViaPeb, ReadProcessModulesViaTeb,
ReadProcessParametersViaPeb, ReadProcessParametersViaTeb,
ReadTebAddressViaThreadHandle, ReadTebAddressViaThreadId,
ReadProcessesViaEprocess, ReadProcessInformation,
ReadProcessModulesViaEprocess, ReadArchitectureViaEprocess,
ReadArchitectureViaTeb, ReadArchitectureViaPeb,
MemoryExtensionsForCodeCaves, EnumerateCodeCaves, CodeCaveEntry,
ModuleSectionEntry, MemoryOfModule, RemoteMemoryObject, ReadString.

pattern-scanning.md
windows-subsystems/window-handles.md
osd/selection.md
reverse-engineering/reprocess.md
recipes/bot-memory-entity-list-reader.md