Memory Dump Detection
Protection Module: MemoryDumpDetection
Detect attempts to extract or analyze application memory through specialized dumping tools and suspicious memory access patterns.
Available for: Desktop full monitoring, Android memory monitoring, iOS memory monitoring
How It Works
The Memory Dump Detection module identifies attempts to extract or analyze application memory by detecting popular memory analysis tools and monitoring for suspicious memory patterns.
Detection Techniques
Desktop Tool Detection (High Confidence):
- Process-based detection: procdump, megadumper, scylla, pe-sieve, hollows_hunter, extremedumper, windbg, cdb, gcore, gdb, lldb (0.95 confidence)
- Medium confidence tools: processhacker, procmon, cheat engine (0.75 confidence)
- Java/.NET tools: jvisualvm, jconsole, jmap, jhat, dnspy, ilspy (0.85 confidence)
Memory Anomaly Detection:
- Baseline establishment and spike detection (>50% increase in <30 seconds)
- Requires 3 or more spikes to confirm threat
- Anomaly confidence: 0.7
Sensitivity Levels:
- Strict: 0.5 (highest sensitivity)
- Normal: 0.7 (default)
- Lenient: 0.9 (lowest sensitivity)
Default detection interval: 15 seconds, process cache: 30 seconds
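The sketch below is an added example, not ByteHide's implementation: it models the spike rule listed above (more than 50% growth inside a 30-second window, confirmed after 3 spikes) and shows which sensitivity levels would act on each documented confidence value. It assumes the baseline is the lowest reading still inside the window and that a sensitivity value is the minimum confidence that triggers the action; `Sample`, `SpikeDetector`, `Sensitivity` and `triggers` are hypothetical names.

```kotlin
// Added illustration only: not ByteHide's code. All names here are hypothetical.
data class Sample(val timeMs: Long, val usedBytes: Long)

// Assumption: a sensitivity value is the minimum confidence that triggers the action.
enum class Sensitivity(val threshold: Double) { STRICT(0.5), NORMAL(0.7), LENIENT(0.9) }

fun triggers(confidence: Double, level: Sensitivity) = confidence >= level.threshold

class SpikeDetector(
    private val windowMs: Long = 30_000,   // page: "<30 seconds"
    private val growthRatio: Double = 1.5, // page: ">50% increase"
    private val spikesToConfirm: Int = 3   // page: "3 or more spikes"
) {
    private val window = ArrayDeque<Sample>()
    var spikeCount = 0
        private set

    /** Feeds one reading; returns true once enough spikes have been counted. */
    fun observe(s: Sample): Boolean {
        // Forget readings that are 30 s old or older.
        while (window.isNotEmpty() && s.timeMs - window.first().timeMs >= windowMs) {
            window.removeFirst()
        }
        // Assumption: the baseline is the lowest reading still inside the window.
        val baseline = window.minOfOrNull { it.usedBytes }
        if (baseline != null && baseline > 0 && s.usedBytes > baseline * growthRatio) {
            spikeCount++
            window.clear() // re-baseline so one plateau is not counted twice
        }
        window.addLast(s)
        return spikeCount >= spikesToConfirm
    }
}

fun main() {
    // Constructed readings in MB, one per 15 s detection interval.
    val readingsMb = listOf<Long>(100, 100, 160, 160, 250, 250, 400)
    val detector = SpikeDetector()
    readingsMb.forEachIndexed { i, mb ->
        val confirmed = detector.observe(Sample(i * 15_000L, mb * 1_048_576))
        println("t=${i * 15}s used=${mb}MB spikes=${detector.spikeCount} confirmed=$confirmed")
    }
    // Which sensitivity levels would act on each documented confidence value?
    for (confidence in listOf(0.95, 0.85, 0.75, 0.7)) {
        println("$confidence -> " + Sensitivity.values().filter { triggers(confidence, it) })
    }
}
```

Under these assumptions, a 15-second interval leaves at most two readings inside a 30-second window, so a legitimate burst of allocations (for example, loading a large asset) counts as a spike just as a scan would; the three-spike requirement is what separates sustained patterns from one-off growth.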
Configuration
JSON Configuration
```json
{
  "protections": [
    {
      "type": "MemoryDumpDetection",
      "action": "close",
      "intervalMs": 15000
    }
  ]
}
```
Kotlin Configuration
```kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.MEMORY_DUMP_DETECTION,
        ActionType.CLOSE,
        15000
    )
}
```
Java Configuration
```java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.MEMORY_DUMP_DETECTION,
        ActionType.CLOSE,
        15000
    );
});
```
Custom Action Configuration
```kotlin
import android.util.Log // assumed: Android logging, since the snippet calls Log.e(tag, message)
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    // Register a named handler that receives each detected threat
    config.registerCustomAction("my-memory-action") { threat ->
        val threatType = threat.getThreatType()     // String
        val description = threat.getDescription()   // String
        val confidence = threat.getConfidence()     // Double (0.0-1.0)
        val metadata = threat.getMetadata()         // Map<String, Object>

        // Custom handling logic
        Log.e("Memory", "Detected: $threatType (Confidence: $confidence)")
    }

    // Bind the module to the custom action by its registered name
    config.addProtection(
        ProtectionModuleType.MEMORY_DUMP_DETECTION,
        "my-memory-action",
        15000
    )
}
```
Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
| Block | Block the operation | Not applicable for this module |
See Actions for detailed action documentation.
When to Use
Enable Memory Dump Detection when:
- Protecting cryptographic keys and sensitive data
- Defending against specialized memory analysis frameworks
- Preventing cheating in gaming applications
- Detecting active memory dumping attempts
- Protecting against data exfiltration via memory analysis
- Ensuring compliance with data protection standards
Code Examples
Kotlin - Basic Integration
```kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class SecurityManager {
    fun initializeMemoryProtection() {
        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.MEMORY_DUMP_DETECTION,
                ActionType.CLOSE,
                15000
            )
        }
    }
}
```
Kotlin - Custom Response
```kotlin
import android.util.Log // assumed: Android logging, since the snippet calls Log.e/Log.w/Log.d
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    // Route each detection by its threat type
    config.registerCustomAction("handle-memory-threat") { threat ->
        when (threat.getThreatType()) {
            "procdump" -> Log.e("Security", "Procdump detected!")
            "megadumper" -> Log.e("Security", "Megadumper detected!")
            "memory_anomaly" -> {
                Log.w("Security", "Memory anomaly: ${threat.getDescription()}")
                Log.d("Confidence", threat.getConfidence().toString())
            }
            else -> Log.e("Security", "Unknown memory threat: ${threat.getThreatType()}")
        }
    }

    // Bind the module to the custom action by its registered name
    config.addProtection(
        ProtectionModuleType.MEMORY_DUMP_DETECTION,
        "handle-memory-threat",
        15000
    )
}
```
Java - Basic Integration
```java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

public class SecurityManager {
    public void initializeMemoryProtection() {
        Monitor.configure(config -> {
            config.addProtection(
                ProtectionModuleType.MEMORY_DUMP_DETECTION,
                ActionType.CLOSE,
                15000
            );
        });
    }
}
```
Platform Compatibility
| Platform | Status | Notes |
|---|---|---|
| Android 5.0+ | ✓ Fully Supported | Memory map and process monitoring |
| Android 10+ | ✓ Optimized | Enhanced system monitoring |
| Desktop Java | ✓ Fully Supported | Process detection and monitoring |
| iOS 12+ | ✓ Supported | Memory monitoring only |
Performance Impact
- CPU Impact: 2-3% increase during detection cycles
- Memory Overhead: ~800 KB for monitoring structures
- Detection Latency: 100-200 ms per cycle
- Battery Impact: Low (frequent monitoring required)
Threat Detection Details
```json
{
  "detection": {
    "threatType": "procdump",
    "timestamp": "2026-03-03T14:22:45.320Z",
    "description": "Memory dump tool process detected",
    "confidence": 0.95,
    "metadata": {
      "toolName": "procdump",
      "detectionMethod": "process_detection",
      "processId": 5824,
      "processPath": "/usr/bin/procdump"
    }
  }
}
```
```json
{
  "detection": {
    "threatType": "memory_anomaly",
    "timestamp": "2026-03-03T14:23:12.456Z",
    "description": "Abnormal memory access pattern detected",
    "confidence": 0.70,
    "metadata": {
      "anomalyType": "spike_detection",
      "memoryIncreasePercent": 62,
      "timeWindowMs": 28000,
      "spikeCount": 3,
      "detectionMethod": "baseline_and_spike_analysis"
    }
  }
}
```