A process snapshot is a lightweight copy of a process's full memory. It consists of all allocated memory pages, can be quickly created and discarded on demand, and may outlive the parent process.
Hex Editor Neo can create a memory snapshot using the commands in the process window. Creating process snapshots requires Windows 8 or later.
Once a snapshot is created, the following options are available:
The user may open either the entire snapshot address space or only a sub-portion of it for viewing in the editor. A snapshot is opened read-only; read/write access is not available.
A running script can call the IProcessSnapshot.openRegion method to perform this task.
The user may compare the memory of two process snapshots using the built-in File Comparison module. To compare snapshots, first select them in the Snapshots list in the process window, then execute the Compare Snapshots command. Comparing a snapshot with a running process is not allowed.
A running script can call the IProcessWindow.compareSnapshots method to compare snapshots.
Hex Editor Neo uses an effective algorithm to find the memory that changed between the given snapshots.
An external debugger may be launched for a selected snapshot. Opening a snapshot in a debugger allows the user to investigate the state of all process threads at a given point in time, including their contexts and call stacks, their referenced variables and memory.
This option can also be executed against the “Running” snapshot.
The “Include full memory when debugging snapshots” option on the General Settings page governs how Hex Editor Neo prepares the information passed to a debugger. If this option is off (the default), only directly referenced memory is available to the debugger. This is usually enough for most debugging purposes and allows the debugger to be launched much faster and more efficiently. When this option is on, the full snapshot memory is available to the debugger; however, the command takes longer to execute.
The full process memory is always available to the debugger when it is launched for the “Running” snapshot, that is, the live process. In this case, the process may get suspended when the debugger is launched.
Hex Editor Neo is compatible with two debuggers: WinDBG (including “legacy” WinDBG and the new WinDBG Preview, available from the Microsoft Store) and Visual Studio. It can also use the debugger that is currently registered as the system default JIT debugger. Use the “Preferred external debugger” option on the General Settings page to select which debugger to use.
A running script can call the IProcessSnapshot.debug method to perform this task.
It is possible to save a dump file of the selected snapshot. This command also supports the “Running” snapshot. The “Include full memory when debugging snapshots” option on the General Settings page controls the amount of memory written to the dump file. It is recommended to leave that option off unless specific memory blocks are missing from the resulting dump file.
To execute this command, select the snapshot in the process window and choose the Save Dump option from the context menu.
The resulting dump file may be used to launch the debugger or to investigate the process address space on another computer.
A running script can call the IProcessSnapshot.saveDump method to perform this task.