state-snapshot
Capture a complete debuggee state snapshot, including all committed memory regions and processor registers, for offline analysis and forensic investigation.
Introduction
The state-snapshot skill provides a robust mechanism for capturing the volatile runtime environment of a process being analyzed within the x64dbg debugger. By serializing the entire process memory space and the full processor context, this tool enables security researchers, reverse engineers, and malware analysts to persist the exact state of an application to disk. This functionality is essential for cases where active debugging must be suspended, or where deep, non-intrusive offline inspection is required, such as during complex exploit development, unpacking protected binaries, or analyzing multi-stage payloads. The skill is designed to interact directly with the x64dbg automation engine, ensuring that memory integrity is maintained and providing a structured output format suitable for downstream automated analysis tools, such as memory forensics frameworks or differential analysis scripts.
- Performs a full memory dump of all committed regions within the target process.
- Captures the complete processor register state, including general-purpose, floating-point, and system registers, serialized as structured JSON.
- Integrates with the x64dbg-automate framework to ensure safe detachment and re-attachment of the debugger session without losing process context.
- Generates raw binary files for memory regions, facilitating compatibility with standard hex editors and binary analysis toolsets.
- Automatically manages output directory structures using timestamp-based naming for efficient versioning and historical tracking.
- Users must ensure that the target process is actively loaded in x64dbg before initiating the snapshot sequence.
- The skill requires a clean disconnect from the MCP client to gain exclusive ZMQ control over the debugger process, and will automatically restore the connection after the operation completes.
- Expected inputs include an x64dbg-path and session-pid, typically managed by the plugin's internal orchestration.
- Memory snapshots can grow large depending on the target process footprint; ensure sufficient disk space is available for large binary dumps.
- This skill serves as a foundational prerequisite for other advanced diagnostic plugins like state-diff and yara-sigs, which rely on the persistence of these state files for comparison and signature-based threat detection.
Repository Stats
- Stars: 143
- Forks: 12
- Open Issues: 0
- Language: Python
- Default Branch: main
- Sync Status: Idle
- Last Synced: May 3, 2026, 03:12 PM