state-snapshot
// Capture a full debuggee state snapshot (all committed memory regions + processor state) to disk for offline analysis
| name | state-snapshot |
| description | Capture a full debuggee state snapshot (all committed memory regions + processor state) to disk for offline analysis |
| allowed-tools | mcp__x64dbg__get_debugger_status, mcp__x64dbg__pause, mcp__x64dbg__disconnect, mcp__x64dbg__connect_to_session, mcp__x64dbg__go, Bash |
Capture a full debuggee state snapshot — all committed memory regions as raw binary files plus the complete processor state as JSON.
Follow these steps exactly:
1. Call mcp__x64dbg__get_debugger_status to confirm the debugger is connected and a debuggee is loaded. Note the session PID and x64dbg path from the current MCP connection; you will need these to reconnect later.
2. If no debuggee is loaded, tell the user and stop.
3. If the debugger status shows the debuggee is running (not paused), call mcp__x64dbg__pause to pause it. Remember that you auto-paused so you can resume later.
4. Call mcp__x64dbg__disconnect to release the ZMQ connection. This is required because only one client can be connected to an x64dbg session at a time, and the Python script needs its own connection.
5. Execute the snapshot script:

   ```
   python "${CLAUDE_PLUGIN_ROOT}\skills\state-snapshot\state_snapshot.py" --x64dbg-path "<x64dbg_path>" --pid <session_pid>
   ```

   Where:
   - `<x64dbg_path>` is the path to the x64dbg executable noted in step 1
   - `<session_pid>` is the debugger process PID noted in step 1

   The script defaults output to `./snapshots/<timestamp>/`. If the user specified a custom output directory, pass `--output-dir <path>`.
6. Call mcp__x64dbg__connect_to_session with the x64dbg path and session PID saved from step 1 to restore the MCP connection.
7. Summarize what was captured:
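To make the "raw region dumps plus processor-state JSON" layout concrete, here is an added Python example; it is not the plugin's state_snapshot.py, whose actual on-disk format is not given on this page. It writes constructed sample regions as `<base>.bin` files next to a `state.json` carrying the registers and a per-dump manifest (size and SHA-256), reloads the snapshot while re-verifying every dump, and resolves a virtual address into the dumped bytes; the file names, JSON keys, region contents and register values are all assumptions made for the example.

```python
import hashlib, json, os, tempfile
# Constructed sample regions and registers (hypothetical values, not from any real process).
SAMPLE_REGIONS = [
    {"base": 0x00400000, "protect": "PAGE_EXECUTE_READ", "data": b"MZ\x90\x00" + b"\x00" * 60},
    {"base": 0x7FFE0000, "protect": "PAGE_READWRITE", "data": bytes(range(32))},
]
SAMPLE_STATE = {"rip": 0x401000, "rsp": 0x14FF00, "rflags": 0x246}
def write_snapshot(out_dir, regions, state):
    """Dump each region to <base>.bin; state.json holds the registers plus a per-dump manifest."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = []
    for r in regions:
        name = f"{r['base']:016x}.bin"
        with open(os.path.join(out_dir, name), "wb") as f:
            f.write(r["data"])
        manifest.append({"file": name, "base": r["base"], "size": len(r["data"]),
                         "protect": r["protect"], "sha256": hashlib.sha256(r["data"]).hexdigest()})
    with open(os.path.join(out_dir, "state.json"), "w") as f:
        json.dump({"registers": state, "regions": manifest}, f, indent=2)
    return manifest
def load_snapshot(snap_dir):
    """Reload a snapshot, rejecting any dump whose size or SHA-256 no longer matches the manifest."""
    with open(os.path.join(snap_dir, "state.json")) as f:
        meta = json.load(f)
    regions = []
    for m in meta["regions"]:
        with open(os.path.join(snap_dir, m["file"]), "rb") as f:
            data = f.read()
        if len(data) != m["size"] or hashlib.sha256(data).hexdigest() != m["sha256"]:
            raise ValueError(f"region {m['file']} does not match manifest")
        regions.append({"base": m["base"], "protect": m["protect"], "data": data})
    return meta["registers"], regions
def read_va(regions, va, length):
    """Read `length` bytes at virtual address `va` from whichever dumped region backs it."""
    for r in regions:
        if r["base"] <= va < r["base"] + len(r["data"]):
            return r["data"][va - r["base"]:va - r["base"] + length]
    return None  # not backed by any committed region in the snapshot
def demo():
    d = tempfile.mkdtemp()
    write_snapshot(d, SAMPLE_REGIONS, SAMPLE_STATE)
    regs, regions = load_snapshot(d)
    with open(os.path.join(d, "000000007ffe0000.bin"), "ab") as f:
        f.write(b"\x00")  # corrupt one dump: the manifest check must now reject the snapshot
    try:
        load_snapshot(d)
        rejected = False
    except ValueError:
        rejected = True
    return regs["rip"], read_va(regions, 0x00400000, 2), read_va(regions, 0x7FFE0010, 4), rejected
```

The manifest is what makes the dumps trustworthy for offline work: a region file that was truncated or edited after capture fails the size/hash check instead of silently feeding wrong bytes to later analysis.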