Memory Analysis

Advanced memory dump analysis with support for all Windows versions from XP to 11, for both x86 and x64 architectures.

When a memory dump is opened, an initialization dialog is displayed in which the appropriate profile for the dump can be selected.

The initialization dialog provides a preview to confirm the correctness of the selected memory profile.

After choosing the profile, the memory dump can be inspected in the analysis workspace.

Every list view supports filtering for quick access to relevant items.

Loaded kernel modules can be examined.

Threads from all processes are also available.

Referenced objects from all processes can be inspected.

Active network connections can be reviewed.

System users and groups along with their properties can be examined.

Registry hives loaded in memory are displayed in a familiar interface.

It is also possible to directly jump to specific registry keys.

Architecture-specific tables such as the Interrupt Descriptor Table are supported.

Similarly, the Windows Service Descriptor Table can be inspected.

Additionally, each process can be individually inspected as a child object.

The complete address space of a process can also be analyzed using the Carbon disassembler.

The package is exposed to the SDK.