Hex Editor - Binary File Editing Software for Windows
Download Hex Editor Neo Hide this button

Process Window

Process Window displays information about the running process.

Process Window

The following information is displayed:

  1. Process icon, name, full executable path, command line, architecture and user account name.
  2. The list of process snapshots.
  3. Selected snapshot's memory layout, either in forms of allocated memory blocks, or as mapped files and executable modules/libraries.
  4. Selected snapshot's memory layout in form of a “memory map”.

Process Exit Code

If the opened process exits, process window is updated: process icon goes gray, “Status: Running” message is replaced with a process's exit code and “Running” snapshot is replaced with an “Exited” snapshot.

Once process exits, you are no longer able to view and use the “Running” snapshot, but may still use any created process snapshots.

Snapshots List

Hex Editor Neo allows you to create any number of light-weight process memory snapshots. A process snapshot is a “view” into the process memory in a given point of time. There is always a virtual “Running” snapshot that references a live state of the running process's memory. If process exits, it is replaced with an empty “Exited” snapshot.

Use the Create Snapshot command to create new memory snapshots. Use the Delete Snapshot command to delete selected snapshots and Clear Snapshots command to delete all process snapshots.

If the process window is closed (or Hex Editor Neo exits), all process snapshots are automatically deleted.

Select a snapshot and use the Debug Snapshot command to launch an external debugger or Save Dump command to save a process snapshot as a memory dump file.

Select two snapshots and execute the Compare Snapshots command to compare the contents of snapshots memory. You cannot compare a snapshot with the “Running” snapshot.

Memory Layout

This list shows the process memory layout. It supports two modes of operation: Blocks and Modules. Use the switch on the toolbar to select the display mode.

When a memory block or blocks are selected in either of the lists, the starting address of the selection and its size is displayed at the bottom the of the process window. Use the Open (Read-Only) and Open (Read/Write) commands to open the document for viewing or editing of the selected process memory block(s).

Blocks

The following information is displayed for each memory block in the process address space:

Address
Block starting address.
Size
Size of the block.
Type
Type of block: Unknown, Private or Image.
State
Block allocation state: Free, Reserved or Committed.
Flags
Memory protection and access flags.
Module
If the block is part of a mapped module, contains the module's name.

The list may be sorted on any column in either ascending or descending order. If the list is sorted on the Address column, multiple blocks may be selected, otherwise, only single block may be selected.

Modules

The following information is displayed for each module mapped into the process's address space:

Name
Module name.
Address
Module starting address.
Size
Module mapping size.
Path
Full path to the mapped module.

The list may be sorted on any column in either ascending or descending order. If the list is sorted on the Address column, multiple modules may be selected, otherwise, only single module may be selected.

Integration with Disassembler

When single module is selected, the Run Disassembler command may be used to disassemble the selected mapped module.

The built-in Hex Editor Neo's Disassembler component is used to disassemble the in-memory representation of a selected module. Please note that a module mapped into the process's address space may be different from its disk image, for example, if it was modified in memory.

Memory Map

When the snapshot is selected, its “memory map” is displayed on the right of the process window. It displays the relative location and size of each allocated memory block.

When 64-bit version of Hex Editor Neo is running on Windows x64 or Windows ARM64 computer, a special logarithmic representation of the process address space is shown. Otherwise, nearly empty map of 128 TB address space of a running process would be impossible to use. Please note, however, that in this case relative size of displayed blocks does not directly correlate to relative size of real memory blocks.

Scripting

Each process window is represented by a process window object in running scripts. Script may use the openProcess method to open a process and get a reference to an object. A process window object supports methods and properties to carry any task that is available in the process window user interface.