TamperTrace is a Windows-based memory analysis and integrity inspection tool designed to detect byte-level modifications in running processes.
It scans process memory, extracts dynamically referenced regions, and highlights potentially altered or suspicious data through targeted hex dumps.
Modern applications frequently manipulate memory at runtime, making it difficult to identify unauthorized modifications or hidden behavior. TamperTrace provides a low-level view into process memory, allowing developers and security researchers to inspect how memory is structured and whether it has been altered.
Unlike simple scanners, TamperTrace does not dump memory blindly: it searches for structured references to memory regions and then inspects the regions those references point to.
Memory scanning:
- Traverses the full virtual address space of the target process
- Uses `VirtualQueryEx` to enumerate memory regions safely
- Filters to committed, readable memory only
- Splits memory scanning across multiple threads
- Reads in fixed-size chunks, so large address spaces are handled efficiently

Pattern detection:
- Views raw memory as UTF-16 text and scans it for structured references of the form `process.exe (PID) (0xSTART - 0xEND)`
- Extracts the process name, PID, and memory range from each match
Memory dumping:
- Reads each extracted memory range with `ReadProcessMemory`
- Outputs a hexadecimal byte view alongside its ASCII representation
- Limits the dump size for performance and readability
- Gives a byte-level view of regions that look unusual or modified, so they can be compared and investigated further (the comparison itself is manual; no baseline is stored)
How it works:
- Process discovery: uses the ToolHelp32 APIs to locate processes by name, scanning every instance that matches
- Memory enumeration: iterates from `lpMinimumApplicationAddress` to `lpMaximumApplicationAddress` (the bounds reported by `GetSystemInfo`), calling `VirtualQueryEx` on each region, reading it in chunks (default: 1 MB), and skipping regions that are inaccessible or protected
- Pattern extraction: treats the bytes read as UTF-16, applies regex-based pattern matching, and parses the memory ranges of every match
- Dumping: reads the bytes at each parsed range and prints them in hex
Requirements:
- Windows 10/11
- C++ compiler (MSVC or MinGW)
- Administrator privileges (recommended)

Build with MinGW:
```
g++ main.cpp -o TamperTrace.exe -static -O2
```

Build with MSVC:
- Create a new Console Application
- Add the source code
- Set the configuration to Release
- Build the solution
Run the tool as Administrator:
```
TamperTrace.exe
```

On each run the tool:
- Targets the predefined processes (e.g., `dwm.exe`, `explorer.exe`)
- Scans their memory regions
- Prints the detected references
- Dumps the referenced memory blocks
Example output:
```
Process --> dwm.exe
PID --> 3000
Memory Range --> 0x15c8785c000 - 0x15c8799a000

Address            Hex Dump                     ASCII
--------------------------------------------------------------
0x15c8785c000      48 8B 05 ...                 H...
...
```
Limitations:
- Protected processes such as `dwm.exe` cannot be read in some configurations: even with debug privileges (`SeDebugPrivilege`) enabled, access may still be denied
- Memory changes while the scan runs, so an extracted address may already be invalid by the time it is read, and some regions return partial or failed reads
- Nothing here confirms malicious behaviour by itself; interpreting the dumps requires manual analysis
Use cases:
- Reverse engineering
- Debugging runtime memory issues
- Analyzing memory structures
- Detecting runtime patches or hooks
- Security research and anti-tamper exploration
Planned (not yet implemented):
- Automatic baseline comparison (true tamper detection)
- Hash-based integrity verification
- Module-level scanning
- Hook detection (IAT/EAT/inline)
- Kernel-mode support for protected processes
TamperTrace is a research-oriented tool. It exposes raw memory data and highlights potentially interesting regions, but interpretation is left to the user.
This project is intended for educational and research purposes only.
Use responsibly.