Memory Dump Detection
Protection Module: MemoryDumpDetection
Detects attempts to dump or scan application memory to extract sensitive data.
Available for:
- Desktop Applications
- Mobile Applications (limited)
- Gaming Applications
How It Works
Memory Dump Detection monitors for tools and techniques used to dump, scan, or manipulate application memory.
Detection Methods:
- Known Tool Detection - Identifies running memory dump/scan tools
- Process Enumeration - Detects suspicious process names
- Memory Access Patterns - Identifies unusual memory read patterns
- Handle Analysis - Detects external process handles
- DLL Injection Detection - Identifies injected libraries
Common Tools Detected:
- Cheat Engine
- Process Hacker
- Process Explorer (in scan mode)
- x64dbg / x32dbg (memory view)
- ArtMoney
- GameConqueror (Linux)
- scanmem (Linux)
Configuration
JSON Configuration
JSON
{
  "protections": {
    "MemoryDumpDetection": {
      "enabled": true,
      "action": "erase"
    }
  }
}
Code-Based Configuration
C#
await Payload.ConfigureAsync(config =>
{
    config.AddProtection(ProtectionModuleType.MemoryDumpDetection, ActionType.Erase);
});
Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Erase | Securely delete sensitive data then close | Financial apps, encryption keys |
| Close | Terminate immediately | Gaming, general protection |
| Log | Record and continue | Development, analytics |
| Custom | Execute custom handler | Advanced security responses |
When to Use
Strongly Recommended for:
- Applications storing encryption keys in memory
- Financial applications with sensitive data
- Gaming applications (anti-cheat)
- Password managers
- Cryptocurrency wallets
- Applications with proprietary algorithms
Code Example - Gaming Anti-Cheat:
C#
config.RegisterCustomAction("gaming-memory-protection", async (threat) =>
{
    // Name of the detected tool, as reported in the threat metadata (may be null)
    var toolName = threat.Metadata["toolName"]?.ToString();

    // Report the violation to the anti-cheat backend before exiting
    await AntiCheatService.ReportViolation(new
    {
        Type = "MemoryDump",
        Tool = toolName,
        PlayerId = CurrentPlayer.Id
    });

    await ShowBanMessageAsync($"Memory manipulation tool detected: {toolName}");

    // Terminate the process with a non-zero exit code
    Environment.Exit(-1);
});
Platform Compatibility
| Platform | Support | Detection Methods |
|---|---|---|
| Windows | ✔ | Process enumeration, handle analysis |
| Linux | ✔ | /proc inspection, ptrace detection |
| macOS | ✔ | Process listing, library injection detection |
| Android | ⚠️ | Limited (requires root for full detection) |
| iOS | ⚠️ | Very limited (sandboxing restrictions) |
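The Linux row lists /proc inspection and ptrace detection. The following is an added example, not the module's own code, of how those two checks can be written in C#: it reads `TracerPid` from a process status file and scans `/proc/<pid>/comm` for the Linux tools named on this page. The class and method names are hypothetical, and the `comm` values used for the tools are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added illustration, not the protection module's implementation. Linux only.
public static class ProcMemoryToolCheck
{
    // Linux tools from the "Common Tools Detected" list; exact comm values are assumptions.
    static readonly HashSet<string> KnownTools =
        new(StringComparer.OrdinalIgnoreCase) { "scanmem", "gameconqueror" };

    // Parses the text of /proc/<pid>/status and returns TracerPid (0 = no tracer attached).
    public static int ParseTracerPid(string statusText)
    {
        foreach (var line in statusText.Split('\n'))
            if (line.StartsWith("TracerPid:", StringComparison.Ordinal) &&
                int.TryParse(line.Substring("TracerPid:".Length).Trim(), out var pid))
                return pid;
        return 0;
    }

    // Returns (pid, name) for each process whose /proc/<pid>/comm matches a known tool.
    // comm is truncated by the kernel to 15 characters, so longer names need a prefix match.
    public static List<(int Pid, string Name)> FindKnownTools(string procRoot = "/proc")
    {
        var hits = new List<(int Pid, string Name)>();
        if (!Directory.Exists(procRoot)) return hits;   // not a Linux host
        foreach (var dir in Directory.EnumerateDirectories(procRoot))
        {
            if (!int.TryParse(Path.GetFileName(dir), out var pid)) continue; // skip non-PID entries
            try
            {
                var name = File.ReadAllText(Path.Combine(dir, "comm")).Trim();
                if (KnownTools.Contains(name)) hits.Add((pid, name));
            }
            // Process exited mid-scan, or the entry is not readable by this user.
            catch (Exception e) when (e is IOException or UnauthorizedAccessException) { }
        }
        return hits;
    }

    public static void Main()
    {
        const string sample = "Name:\tgame\nState:\tS (sleeping)\nTracerPid:\t4242\n"; // constructed
        Console.WriteLine($"sample TracerPid = {ParseTracerPid(sample)}");
        if (File.Exists("/proc/self/status"))
            Console.WriteLine($"own TracerPid = {ParseTracerPid(File.ReadAllText("/proc/self/status"))}");
        foreach (var (pid, name) in FindKnownTools())
            Console.WriteLine($"known tool running: {name} (pid {pid})");
    }
}
```

A non-zero `TracerPid` also appears under a legitimate debugger, and name matching only catches tools running under their default names, so both results are signals to combine with other checks rather than proof on their own.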