Quick command tour
Reading values in memory
32-bit integer:
$ proctal read --pid=12345 --address=EC5E096F --type=integer --integer-bits=32
571
Double precision floating-point number:
$ proctal read --pid=12345 --address=3B0335D5 --type=ieee754 --ieee754-precision=double
25.2
Array of 32-bit integers:
$ proctal read --pid=12345 --address=EC5E096F --type=integer --integer-bits=32 --array=4
571
0
-235893634
-759425
Writing values to memory
32-bit integer:
$ proctal write --pid=12345 --address=EC5E096F --type=integer --integer-bits=32 571
Double precision floating-point number:
$ proctal write --pid=12345 --address=3B0335D5 --type=ieee754 --ieee754-precision=double 25.2
Four 32-bit integers:
$ proctal write --pid=12345 --address=EC5E096F --type=integer --integer-bits=32 571 0 -235893634 -759425
Searching values in memory
All 32-bit integers with the value 32:
$ proctal search --pid=12345 --type=integer --integer-bits=32 --eq=32
211399D0 32
783BC3F7 32
B0032BAD 32
F263741D 32
[...]
Checking which have changed since the previous search:
$ proctal search --pid=12345 --type=integer --integer-bits=32 --eq=32 > results
$ proctal search --pid=12345 --type=integer --integer-bits=32 --changed --review < results
211399D0 35
783BC3F7 1
B0032BAD -1245
F263741D 239478923
[...]
Watching for memory accesses
Watching for reads and writes on address 1c09346:
$ proctal watch --pid=12345 --read --write 1c09346
Finding instructions in memory
A sub instruction that acts on the rsp register, followed by a call instruction:
$ proctal pattern --pid=12345 '48 83 EC ?? E8 ?? ?? ?? ??'
493690
8F255B
9DD660
$ proctal read --pid=12345 --address=493690 --type=x86 --array=2 --show-address --show-bytes
493690 sub rsp, 0x18
48 83 EC 18
493694 call 0x49364c
E8 AF FF FF FF
Disassembling instructions in memory
Disassembling x86 instructions:
$ proctal read --pid=12345 --address=400570 --type=x86 --array=5
sub rsp, 0x18
mov dword ptr [rsp + 0xc], 0
call 0x400530
mov edi, 0x400764
mov esi, eax
With corresponding addresses:
$ proctal read --pid=12345 --address=400570 --type=x86 --array=5 --show-address
400570 sub rsp, 0x18
400574 mov dword ptr [rsp + 0xc], 0
40057C call 0x400530
400581 mov edi, 0x400764
400586 mov esi, eax
With the encoded instruction bytes:
$ proctal read --pid=12345 --address=400570 --type=x86 --array=5 --show-address --show-bytes
400570 sub rsp, 0x18
48 83 EC 18
400574 mov dword ptr [rsp + 0xc], 0
C7 44 24 0C 00 00 00 00
40057C call 0x400530
E8 AF FF FF FF
400581 mov edi, 0x400764
BF 64 07 40 00
400586 mov esi, eax
89 C6
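Added example (not part of proctal or its documentation): a small Python matcher for the space-separated hex pattern syntax shown under "Finding instructions in memory", run over the instruction bytes listed above, assuming ?? matches any single byte. The function names, the ADJACENT buffer and its 0x1000 base address are constructed for illustration.

```python
import struct

def parse_pattern(text):
    """Turn '48 83 EC ??' into byte values, with None for each ?? wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]

def find_pattern(buf, pattern, base=0):
    """Return the address of every position in buf where the pattern matches."""
    pat = parse_pattern(pattern)
    hits = []
    for off in range(len(buf) - len(pat) + 1):
        if all(p is None or buf[off + i] == p for i, p in enumerate(pat)):
            hits.append(base + off)
    return hits

def call_target(buf, addr, base=0):
    """Decode the destination of an E8 rel32 call located at addr."""
    off = addr - base
    if buf[off] != 0xE8:
        raise ValueError("not an E8 call")
    (rel,) = struct.unpack_from("<i", buf, off + 1)  # signed, little-endian
    return addr + 5 + rel  # rel32 counts from the end of the 5-byte call

# Bytes copied from the --show-bytes listing above, which starts at 400570.
BASE = 0x400570
CODE = bytes.fromhex(
    "4883EC18"          # sub rsp, 0x18
    "C744240C00000000"  # mov dword ptr [rsp + 0xc], 0
    "E8AFFFFFFF"        # call 0x400530
    "BF64074000"        # mov edi, 0x400764
    "89C6"              # mov esi, eax
)
# Constructed sample: nop, then the same sub and call back to back, then ret.
ADJACENT = bytes.fromhex("90" "4883EC18" "E8AFFFFFFF" "C3")
FULL = "48 83 EC ?? E8 ?? ?? ?? ??"

if __name__ == "__main__":
    for pat in ("48 83 EC ??", "E8 ?? ?? ?? ??", FULL):
        print(pat, [format(a, "X") for a in find_pattern(CODE, pat, BASE)])
    print("call goes to", format(call_target(CODE, 0x40057C, BASE), "X"))
    print(FULL, [format(a, "X") for a in find_pattern(ADJACENT, FULL, 0x1000)])
```

The full nine-byte pattern finds nothing in the listing's bytes because a mov sits between the sub and the call; it only matches where the two instructions are adjacent, as in the constructed buffer.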
Allocating memory
Allocating 32 bytes:
$ proctal allocate --pid=12345 32
636DFF6F
Deallocating:
$ proctal deallocate --pid=12345 636DFF6F
Dumping memory contents to file
Dump everything to dump.bin:
$ proctal dump --pid=12345 > dump.bin
Only dump what's between 7F7BE75E0714 and 7F7BE75ED1A0:
$ proctal dump --pid=12345 --address-start=7F7BE75E0714 --address-stop=7F7BE75ED1A0 > dump.bin
Pausing program execution
Pressing CTRL + C on your terminal stops the command.
$ proctal pause --pid=12345
Executing code
Executing a couple of no-ops:
$ proctal execute --pid=12345 <<EOD
nop ; This is a comment
nop
nop
nop
nop
EOD