Skill

analyze-module

Analyzes loaded modules in target processes: exports via PE headers, RTTI C++ classes, strings, key functions, and cross-references. For reverse engineering DLLs.

developer-tools

npx claudepluginhub vzco/arc-probe --plugin arc-probe

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Deep analysis of a loaded module in the target process.

SKILL.md

Similar Skills

map-module

Analyzes loaded modules to discover functions from exports, RTTI, and .pdata; scans strings, traces references to key functions, and builds labeled GUI function maps. For reverse engineering DLLs/EXEs like client.dll.

arc-probe

binary-triage

Performs initial binary triage surveying memory layout, strings, imports/exports, and functions to understand behavior and flag suspicious activity like unusual sections or malicious APIs.

asi

analysis

Triages and audits IDA binaries to detect suspicious behavior, crypto/network activity, review decompiled code against source, and run multi-table queries.

4 files4 tools

idasql

Stats

Parent Repo Stars10

Parent Repo Forks3

Last CommitMar 7, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/probe:analyze

Deep analysis of a loaded module in the target process.

Arguments

module (required): Module name (e.g., "target.dll", "engine.dll")

Steps

Get module info -- Call probe_modules to list all loaded modules. Find the target module and note its base address and size. If the module is not found, report available modules and stop.

Module overview -- Report:

Base address
Size
Full path (if available)

Export table -- Call probe_pattern_scan with the module name to locate the PE export directory. Alternatively, use probe_dump at the module base to read the PE headers:

Read DOS header at base (MZ signature at offset 0)
Read PE signature offset at base + 0x3C
Navigate to the Optional Header to find the Export Directory RVA
Dump the export directory to enumerate exported functions

RTTI scan -- Scan for RTTI type descriptors to identify C++ classes:

Pattern scan for .?AV (RTTI type info string prefix) within the module
For each match, read the class name string
Group by namespace if possible
This reveals the class hierarchy implemented in the module

String references -- Scan for interesting strings:

Pattern scan for common string patterns (error messages, debug prints, format strings)
Use probe_find_value for specific strings if looking for something particular
Strings near code often indicate function purpose

Key function identification -- For each interesting string or export:

Find cross-references (LEA instructions pointing to the string)
Disassemble the referencing function
Note the function address and purpose

Report -- Present a structured analysis:

Module: target.dll
Base: 0x7FF612340000
Size: 0x1A0000

Exports: (list)
Classes (RTTI): (list with vtable addresses)
Key Functions: (list with addresses and descriptions)
Notable Strings: (list with addresses)

Tips

Start broad (modules, exports, RTTI) then narrow down to specific functions

RTTI class names are the fastest way to understand what a module does

Export names often follow naming conventions that reveal the module's API

String references are the most reliable way to find specific functionality

/probe:analyze

Deep analysis of a loaded module in the target process.

Arguments

module (required): Module name (e.g., "target.dll", "engine.dll")

Steps

Get module info -- Call probe_modules to list all loaded modules. Find the target module and note its base address and size. If the module is not found, report available modules and stop.

Module overview -- Report:

Base address
Size
Full path (if available)

Export table -- Call probe_pattern_scan with the module name to locate the PE export directory. Alternatively, use probe_dump at the module base to read the PE headers:

Read DOS header at base (MZ signature at offset 0)
Read PE signature offset at base + 0x3C
Navigate to the Optional Header to find the Export Directory RVA
Dump the export directory to enumerate exported functions

RTTI scan -- Scan for RTTI type descriptors to identify C++ classes:

Pattern scan for .?AV (RTTI type info string prefix) within the module
For each match, read the class name string
Group by namespace if possible
This reveals the class hierarchy implemented in the module

String references -- Scan for interesting strings:

Pattern scan for common string patterns (error messages, debug prints, format strings)
Use probe_find_value for specific strings if looking for something particular
Strings near code often indicate function purpose

Key function identification -- For each interesting string or export:

Find cross-references (LEA instructions pointing to the string)
Disassemble the referencing function
Note the function address and purpose

Report -- Present a structured analysis:

Module: target.dll
Base: 0x7FF612340000
Size: 0x1A0000

Exports: (list)
Classes (RTTI): (list with vtable addresses)
Key Functions: (list with addresses and descriptions)
Notable Strings: (list with addresses)

Tips

Start broad (modules, exports, RTTI) then narrow down to specific functions

RTTI class names are the fastest way to understand what a module does

Export names often follow naming conventions that reveal the module's API

String references are the most reliable way to find specific functionality