"""dump_hot_region.py [num_hits=8] Dump bytes around N occurrences of 0x0079385c in a specific region, showing 32 bytes before + 64 bytes after each hit. Goal: visualize the surrounding object structure to identify the class. """ import argparse, ctypes, ctypes.wintypes as wt, struct, sys from collections import Counter ap = argparse.ArgumentParser() ap.add_argument("pid", type=int) ap.add_argument("base", type=lambda s: int(s, 0)) ap.add_argument("--size", type=lambda s: int(s, 0), default=260*1024) ap.add_argument("--n", type=int, default=10) args = ap.parse_args() PROCESS_VM_READ = 0x10 PROCESS_QUERY_INFORMATION = 0x400 k = ctypes.windll.kernel32 k.OpenProcess.argtypes = [wt.DWORD, wt.BOOL, wt.DWORD]; k.OpenProcess.restype = wt.HANDLE k.ReadProcessMemory.argtypes = [wt.HANDLE, wt.LPCVOID, wt.LPVOID, ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)] k.ReadProcessMemory.restype = wt.BOOL h = k.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, args.pid) if not h: print(f"OpenProcess failed err={ctypes.get_last_error()}"); sys.exit(2) buf = (ctypes.c_ubyte * args.size)() sz = ctypes.c_size_t(0) if not k.ReadProcessMemory(h, args.base, buf, args.size, ctypes.byref(sz)): print(f"read failed err={ctypes.get_last_error()}"); sys.exit(2) data = bytes(buf[:sz.value]) print(f"Read {sz.value} bytes from 0x{args.base:08x}") # Find all hits TARGET = 0x0079385c target_bytes = struct.pack("6} count={c}") # Sample N hits and dump context step = max(1, len(hits) // args.n) samples = hits[::step][:args.n] print(f"\n=== Sampling {len(samples)} hits with 64 bytes before + 80 after ===") for idx in samples: addr = args.base + idx start = max(0, idx - 64) end = min(len(data), idx + 80) chunk = data[start:end] print(f"\n--- hit at 0x{addr:08x} (region offset 0x{idx:x}) ---") for i in range(0, len(chunk), 16): row = chunk[i:i+16] addr_row = args.base + start + i hex_part = " ".join(f"{b:02x}" for b in row) ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in row) marker = " <-- HIT" if (start + i) <= idx < (start + i + 16) else "" print(f" {addr_row:08x} {hex_part:<47} {ascii_part}{marker}")