Memory Profiling
Capture heap snapshots, trace allocations, and isolate leaks in your Nimbus-protected process without destabilizing the target.
Heap Snapshot
Walk the default process heap via Heap32ListFirst and enumerate blocks. Correlate sizes with allocation backtraces captured through a lightweight detour on RtlAllocateHeap.
VAD Tree Walk
Use NtQueryVirtualMemory with MemoryBasicInformation to enumerate committed regions. Flag suspicious MEM_PRIVATE pages with RWX protection.
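The flagging rule from the VAD walk above, written out as an added example (not part of this page's tooling). It uses the real PAGE_* and MEM_* constants from winnt.h, but the Region struct and the region list are constructed stand-ins for what NtQueryVirtualMemory returns in MEMORY_BASIC_INFORMATION, so the check runs anywhere. The one detail worth showing is that protection modifier bits such as PAGE_GUARD sit above 0xFF and have to be masked off before comparing, otherwise a guarded RWX page is missed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Real values from winnt.h. */
#define MEM_COMMIT               0x1000
#define MEM_PRIVATE              0x20000
#define MEM_MAPPED               0x40000
#define MEM_IMAGE                0x1000000
#define PAGE_READWRITE           0x04
#define PAGE_EXECUTE_READ        0x20
#define PAGE_EXECUTE_READWRITE   0x40
#define PAGE_EXECUTE_WRITECOPY   0x80
#define PAGE_GUARD               0x100

/* Constructed stand-in for the fields of MEMORY_BASIC_INFORMATION we need. */
typedef struct {
    uintptr_t base;
    size_t    size;
    uint32_t  state;    /* MEM_COMMIT / MEM_RESERVE / MEM_FREE */
    uint32_t  protect;  /* PAGE_* value, possibly OR'd with modifier bits */
    uint32_t  type;     /* MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE */
} Region;

/* Flag a region that is committed, private (no image or file backing) and
   both writable and executable. Modifier bits (PAGE_GUARD etc.) are masked
   off so that a guarded RWX page is still caught. */
int is_private_rwx(const Region *r)
{
    if (r->state != MEM_COMMIT || r->type != MEM_PRIVATE)
        return 0;
    uint32_t base_prot = r->protect & 0xFF;
    return base_prot == PAGE_EXECUTE_READWRITE ||
           base_prot == PAGE_EXECUTE_WRITECOPY;
}

/* Walk a region list and collect the base addresses that trip the rule.
   Returns how many were flagged. */
size_t flag_regions(const Region *regions, size_t n,
                    uintptr_t *flagged, size_t max_flagged)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_private_rwx(&regions[i]))
            continue;
        if (count < max_flagged)
            flagged[count] = regions[i].base;
        count++;
    }
    return count;
}

/* Constructed sample walk: only two of these should be flagged. */
static const Region g_regions[] = {
    { 0x00400000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ,                   MEM_IMAGE   },
    { 0x00600000, 0x2000, MEM_COMMIT, PAGE_READWRITE,                      MEM_PRIVATE },
    { 0x00700000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE,              MEM_PRIVATE },
    { 0x00800000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE | PAGE_GUARD, MEM_PRIVATE },
    { 0x00900000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE,              MEM_MAPPED  },
    { 0x00a00000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ,                   MEM_PRIVATE },
};

static uintptr_t g_flagged[8];

size_t demo_flag_count(void)
{
    return flag_regions(g_regions, sizeof g_regions / sizeof *g_regions,
                        g_flagged, 8);
}
uintptr_t demo_flagged_base(size_t i) { return g_flagged[i]; }

int main(void)
{
    size_t n = demo_flag_count();
    for (size_t i = 0; i < n; i++)
        printf("private RWX region at 0x%llx\n", (unsigned long long)g_flagged[i]);
    return 0;
}
```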
ETW Allocation Tracing
Subscribe to the Microsoft-Windows-Kernel-Memory provider. Parse MemInfoWS events for working-set deltas across your instrumentation window.
Leak Isolation
Diff two snapshots taken 30 seconds apart under steady load. Group unfreed blocks by allocation size and call-site hash. The top 3 buckets are your candidates.
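The snapshot diff and bucketing described in the Heap Snapshot and Leak Isolation steps, as an added example rather than code from this page. The HeapBlock records are constructed by hand: on Windows the address and size would come from the heap walk and the callsite field from the backtrace hash recorded by the RtlAllocateHeap detour. A block present in the second snapshot but absent from the first was allocated inside the window and is still live; those are grouped by (size, callsite) and sorted by total bytes so the first three buckets are the candidates.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* One heap block as captured by a snapshot (constructed stand-in). */
typedef struct {
    uintptr_t address;
    size_t    size;
    uint32_t  callsite;   /* hash of the allocation backtrace */
} HeapBlock;

/* Blocks allocated during the window and still live at the second snapshot,
   grouped by (size, callsite). */
typedef struct {
    size_t   size;
    uint32_t callsite;
    size_t   count;
    size_t   bytes;
} Bucket;

#define MAX_BUCKETS 64

static int block_present(const HeapBlock *snap, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (snap[i].address == addr)
            return 1;
    return 0;
}

/* Largest total byte count first; ties broken by block count. */
static int bucket_cmp(const void *a, const void *b)
{
    const Bucket *x = a, *y = b;
    if (x->bytes != y->bytes) return x->bytes < y->bytes ? 1 : -1;
    if (x->count != y->count) return x->count < y->count ? 1 : -1;
    return 0;
}

/* Diff two snapshots and group the survivors. Returns the number of buckets
   written to `out`, sorted so that out[0..2] are the top 3 candidates. */
size_t leak_buckets(const HeapBlock *before, size_t nb,
                    const HeapBlock *after, size_t na,
                    Bucket *out, size_t max_out)
{
    size_t nbk = 0;
    for (size_t i = 0; i < na; i++) {
        if (block_present(before, nb, after[i].address))
            continue;               /* lived across the whole window: not new */
        size_t j;
        for (j = 0; j < nbk; j++)
            if (out[j].size == after[i].size && out[j].callsite == after[i].callsite)
                break;
        if (j == nbk) {
            if (nbk == max_out)
                continue;           /* bucket table full; drop the straggler */
            out[nbk] = (Bucket){ after[i].size, after[i].callsite, 0, 0 };
            nbk++;
        }
        out[j].count++;
        out[j].bytes += after[i].size;
    }
    qsort(out, nbk, sizeof *out, bucket_cmp);
    return nbk;
}

/* Constructed snapshots standing in for two heap walks 30 seconds apart. */
static const HeapBlock g_before[] = {
    { 0x1000, 64,  0xAAAA },
    { 0x2000, 128, 0xBBBB },   /* freed before the second snapshot */
};
static const HeapBlock g_after[] = {
    { 0x1000, 64,   0xAAAA },  /* in both snapshots: ignored by the diff */
    { 0x3000, 256,  0xCCCC },
    { 0x3100, 256,  0xCCCC },
    { 0x3200, 256,  0xCCCC },
    { 0x4000, 64,   0xAAAA },
    { 0x4100, 64,   0xAAAA },
    { 0x5000, 1024, 0xDDDD },
};

static Bucket g_buckets[MAX_BUCKETS];

/* Run the diff over the constructed snapshots; results stay in g_buckets. */
size_t demo_run(void)
{
    return leak_buckets(g_before, sizeof g_before / sizeof *g_before,
                        g_after,  sizeof g_after  / sizeof *g_after,
                        g_buckets, MAX_BUCKETS);
}
uint32_t demo_callsite(size_t i) { return g_buckets[i].callsite; }
size_t   demo_count(size_t i)    { return g_buckets[i].count; }
size_t   demo_bytes(size_t i)    { return g_buckets[i].bytes; }

int main(void)
{
    size_t n = demo_run();
    for (size_t i = 0; i < n && i < 3; i++)
        printf("#%zu size=%zu callsite=%08x count=%zu bytes=%zu\n",
               i + 1, g_buckets[i].size, (unsigned)g_buckets[i].callsite,
               g_buckets[i].count, g_buckets[i].bytes);
    return 0;
}
```

Sorting by total bytes rather than block count keeps a single large survivor visible next to many small ones; flip the comparator if the workload leaks fixed-size objects and you care about count instead.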
Pro tip
Always run profiling on a debug build first. Themida's virtualized sections will distort heap-walk results on retail payloads. Use the unpacked dump from dumps/oreo_payload_unpacked/ for accurate call-site resolution.