state-diff
// Compare two state snapshots to identify register and memory changes between two points in time
| field | value |
| --- | --- |
| name | state-diff |
| description | Compare two state snapshots to identify register and memory changes between two points in time |
| allowed-tools | Bash, Read |
Compare two debuggee state snapshots and produce a detailed change analysis — which registers changed, which memory regions were modified, and what the changes mean.
Follow these steps exactly:

1. List the available snapshots:

   ```
   dir "${CLAUDE_PLUGIN_ROOT}\snapshots"
   ```

   If there are fewer than two snapshots, tell the user they need at least two snapshots (captured via /state-snapshot) and stop.

2. If the user specified two snapshot paths, use those directly. Otherwise, present the available snapshots and ask the user to pick the before (earlier) and after (later) snapshots.

3. Execute the diff engine:

   ```
   python "${CLAUDE_PLUGIN_ROOT}\skills\state-diff\state_diff.py" --before <before_snapshot_dir> --after <after_snapshot_dir>
   ```

   The script writes diff_report.json into the after-snapshot directory by default. If the user specified a custom output path, pass --output <path>.

4. Use Read to load the generated diff_report.json.

5. Interpret the diff report for the user:
   - Register changes: explain what each changed register suggests. For example:
   - Memory changes: explain what modified regions likely represent:
   - Synthesize a narrative: combine register and memory observations into a coherent explanation of what the program did between the two snapshots. For example: "The program called function X, which allocated Y bytes on the stack and wrote a string to a heap buffer."

6. Present the analysis in a clear, structured format with the raw evidence (hex values, addresses) supporting each conclusion.
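The diff engine invoked above is the plugin's own state_diff.py, which is not reproduced on this page. The following is an added example, not code from the plugin, showing the kind of comparison such a script performs: it diffs the two register sets, collapses differing bytes of matching memory regions into contiguous ranges with old and new contents, lists regions that appeared or vanished between the snapshots, and attaches simple RSP/RIP hints of the kind the interpretation step asks for. The snapshot layout (a dict of register values plus a list of base/data regions), the sample values, and the report keys are all assumptions constructed for this example; the real diff_report.json format may differ.

```python
import json
from typing import Dict, List

# Constructed sample snapshots (not real plugin output). The layout, a dict of
# 64-bit register values plus a list of memory regions keyed by base address,
# is an assumption made for this example.
SNAP_BEFORE = {
    "registers": {"rip": 0x7FF600001000, "rsp": 0x14FFE0, "rax": 0x0},
    "regions": [
        {"base": 0x14FF00, "data": bytes(64)},   # stack page, all zero
        {"base": 0x20000, "data": bytes(16)},    # heap chunk, unchanged later
    ],
}
SNAP_AFTER = {
    "registers": {"rip": 0x7FF6000010A0, "rsp": 0x14FFC0, "rax": 0x1A},
    "regions": [
        {"base": 0x14FF00, "data": bytes(32) + b"hello" + bytes(27)},  # string written at +0x20
        {"base": 0x20000, "data": bytes(16)},
        {"base": 0x30000, "data": b"\x90" * 8},  # region that did not exist before
    ],
}


def diff_registers(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, dict]:
    """Return {reg: {"before": hex, "after": hex, "delta": int}} for every changed register."""
    changes = {}
    for reg in sorted(set(before) | set(after)):
        b, a = before.get(reg), after.get(reg)
        if b != a:
            entry = {
                "before": None if b is None else f"{b:#018x}",
                "after": None if a is None else f"{a:#018x}",
            }
            if b is not None and a is not None:
                entry["delta"] = a - b  # signed difference, useful for stack pointer moves
            changes[reg] = entry
    return changes


def changed_ranges(before: bytes, after: bytes, base: int) -> List[dict]:
    """Collapse differing bytes into contiguous [start, end) ranges with old/new hex."""
    ranges = []
    start = None
    n = max(len(before), len(after))
    for i in range(n + 1):  # one extra iteration flushes a run that reaches the end
        differs = i < n and before[i:i + 1] != after[i:i + 1]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append({
                "start": f"{base + start:#x}",
                "end": f"{base + i:#x}",
                "size": i - start,
                "old": before[start:i].hex(),
                "new": after[start:i].hex(),
            })
            start = None
    return ranges


def diff_memory(before_regions: List[dict], after_regions: List[dict]) -> dict:
    """Match regions by base address; report added, removed and modified regions."""
    before = {r["base"]: r["data"] for r in before_regions}
    after = {r["base"]: r["data"] for r in after_regions}
    modified = []
    for base in sorted(before.keys() & after.keys()):
        ranges = changed_ranges(before[base], after[base], base)
        if ranges:
            modified.append({"base": f"{base:#x}", "ranges": ranges})
    return {
        "added": [f"{b:#x}" for b in sorted(after.keys() - before.keys())],
        "removed": [f"{b:#x}" for b in sorted(before.keys() - after.keys())],
        "modified": modified,
    }


def narrative_hints(reg_changes: Dict[str, dict]) -> List[str]:
    """Small heuristic layer for the interpretation step; real analysis needs more context."""
    hints = []
    rsp = reg_changes.get("rsp", {})
    if "delta" in rsp:
        if rsp["delta"] < 0:
            hints.append(f"RSP decreased by {-rsp['delta']} bytes: stack grew, consistent with calls, pushes or a prologue")
        else:
            hints.append(f"RSP increased by {rsp['delta']} bytes: frames were popped, consistent with returns")
    rip = reg_changes.get("rip", {})
    if "delta" in rip:
        direction = "forward" if rip["delta"] > 0 else "backward"
        hints.append(f"RIP moved {direction} by {abs(rip['delta']):#x} bytes")
    return hints


def build_report(before: dict, after: dict) -> dict:
    """Assemble the full diff report (assumed structure, not the plugin's schema)."""
    regs = diff_registers(before["registers"], after["registers"])
    return {
        "registers": regs,
        "memory": diff_memory(before["regions"], after["regions"]),
        "hints": narrative_hints(regs),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SNAP_BEFORE, SNAP_AFTER), indent=2))
```

Running the script prints the report for the constructed snapshots: rax, rip and rsp changed (rsp by -32, i.e. the stack grew by 32 bytes), the stack region at 0x14ff00 has one modified range at 0x14ff20 where five zero bytes became "hello", the region at 0x20000 is silent because nothing in it changed, and 0x30000 is listed as added. The raw hex values in each entry are the evidence the presentation step asks you to keep alongside every conclusion.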