Skill

inject

Injects ARC Probe into a running Windows process by name or PID, verifies TCP connection, and enables commands for memory dumps, disassembly, and pattern scans.

cli-tools

developer-tools

npx claudepluginhub vzco/arc-probe --plugin arc-probe

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Inject ARC Probe into a running process and verify the connection.

SKILL.md

Similar Skills

re-handbook

Provides reverse engineering reference for ARC Probe: safe memory read/write, address validation heuristics, instruction patching (NOP/INT3/RET), and binary identification. For process probing sessions.

arc-probe

detecting-process-injection-techniques

Detects and analyzes malware process injection techniques like DLL injection, process hollowing, APC injection, thread hijacking using Volatility memory forensics, Sysmon events, and API monitoring.

3 files

cybersecurity-skills-zh

detecting-process-injection-techniques

Detects and analyzes malware process injection techniques like DLL injection, process hollowing, APC injection, thread hijacking via memory forensics (Volatility), Sysmon, and API monitoring. For EDR alerts and in-memory threats.

asi

Stats

Parent Repo Stars10

Parent Repo Forks3

Last CommitMar 8, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

/probe:inject

Inject ARC Probe into a running process and verify the connection.

Arguments

target (required): Process name (e.g., "notepad.exe") or PID (e.g., "12345")

Steps

Verify the target process is running:

tasklist /FI "IMAGENAME eq <process_name>" /NH

Or for PID:

tasklist /FI "PID eq <pid>" /NH

Run the injector with the target:
```
probe-inject.exe <target>
```
The injector is located in the ARC Probe build output directory. If the path is not in PATH, use the full path.
Wait 2 seconds for the DLL to initialize and start the TCP server.
Verify the probe is connected:
```
probe.exe "status"
```
Or via MCP: probe_status. This should return process info including PID, module bases, and driver status.
If probe_status fails:
- Check that the target process is still running
- Check that port 9998 is not in use by another instance: netstat -ano | findstr :9998
- The DLL may have failed to initialize -- check the probe log file in %TEMP%
Report the initial status to the user, including:
- Target process name and PID
- Number of loaded modules
- Available memory regions
- Probe version

Error Handling

If the process is not found, suggest the user start it first
If injection fails with access denied, remind the user to run as Administrator
If the TCP connection fails, the DLL may not have loaded -- suggest checking Event Viewer or probe logs
If port 9998 is already in use, suggest setting PROBE_PORT to a different value

What to do next

After successful injection, you can send commands via:

CLI: probe.exe "<command>" — returns JSON
TCP: connect to 127.0.0.1:9998, send command\n
HTTP Bridge: POST http://localhost:9996 (requires GUI running)

Good first commands:

probe.exe "status"           # Process info, PID, modules
probe.exe "modules list"     # All loaded DLLs with base addresses
probe.exe "ping"             # Health check

Then explore with:

dump <addr> <size> — hex dump unknown memory
read_int <addr> / read_float <addr> / read_ptr <addr> — read typed values
write_int <addr> <value> / write_float <addr> <value> — modify values
disasm <addr> [count] — disassemble code
rtti scan <module> — discover C++ classes
pattern <bytes> [module] — search for byte patterns