Analysis updated 2026-05-18
Study how manual-mapped DLLs evade memory scanners like pe-sieve to build better detection heuristics.
Use the included Python scripts as a starting point for your own memory forensics workflow on Windows processes.
Open the IDA database to explore the reconstructed cheat DLL and understand how runtime hooks connect to a game's code.
| | diabloidyobane/blindspot | ashishdevasia/ha-proton-drive-backup | bro77xp/beginner-friendly-ai-vtuber |
|---|---|---|---|
| Stars | 6 | 6 | 6 |
| Language | Python | Python | Python |
| Setup difficulty | hard | moderate | hard |
| Complexity | 4/5 | 2/5 | 3/5 |
| Audience | researcher | ops devops | general |
Figures from each repo's GitHub metadata at analysis time.
Requires IDA Pro to open the database and a Windows machine with Python for the analysis scripts; the target process must be running while the scripts execute.
BlindSpot is a security research project documenting how a commercial cheat was reverse-engineered inside the game The Division 2. The cheat had evaded pe-sieve, a widely used tool that scans game processes for injected code. BlindSpot explains why pe-sieve missed it and provides all the Python scripts, a reconstructed copy of the cheat code, an IDA database, and a written walkthrough of the entire analysis.

The cheat used a technique called manual mapping, in which code is loaded into a running process without being registered in the process's standard list of loaded modules. It also wiped the PE header of that code after loading. Together these two steps create a blind spot in pe-sieve's scanning logic: pe-sieve only examines memory backed by modules in that standard list, so a region loaded this way is invisible to it.

The analysis was done without any kernel-level tools, debugger attachment, or code injection. Every Python script in the repo uses read-only Windows APIs to inspect the running process from outside: querying memory regions, reading their contents, and reconstructing the code without touching the game process in a way that anti-cheat systems would flag. The entire workflow runs in about 90 seconds on a standard workstation. No bans resulted from the analysis, which was performed live with the game's anti-cheat software active.

The repository includes seven Python scripts covering tasks such as scanning for private executable memory regions, dumping those regions to disk, rebuilding a valid PE header so IDA can open the dump, and locating the hook table that connects the cheat to the game's internals. An IDA database with recovered imports and named functions is included so you can open the analysis without starting from scratch. The project is licensed under MIT and is intended for defensive security research and education in memory forensics and Windows internals.
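The detection heuristic the walkthrough describes, as an added example that is not code from the BlindSpot repo: it flags committed, private, executable regions that no listed module covers, and notes whether the region's first bytes still carry an MZ header. The region and module records here are constructed so the example runs offline; on a real Windows process the same records would come from VirtualQueryEx, ReadProcessMemory and the loaded-module list.

```python
from dataclasses import dataclass

# Documented Win32 MEMORY_BASIC_INFORMATION values used by the heuristic.
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    type: int
    protect: int
    first_bytes: bytes  # first bytes of the region as read from the process


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int


def covered_by_module(region, modules):
    """True if the region starts inside any module the loader knows about."""
    return any(m.base <= region.base < m.base + m.size for m in modules)


def find_suspicious_regions(regions, modules):
    """Return (base, size, header_wiped) for private executable regions not
    backed by a listed module; these are exactly what a module-list-only
    scanner never looks at."""
    findings = []
    for r in regions:
        if r.state != MEM_COMMIT or r.type != MEM_PRIVATE:
            continue
        if (r.protect & 0xFF) not in EXECUTABLE_PROTECTIONS:  # mask PAGE_GUARD etc.
            continue
        if covered_by_module(r, modules):
            continue
        header_wiped = r.first_bytes[:2] != b"MZ"
        findings.append((r.base, r.size, header_wiped))
    return findings


# Constructed sample: a game image, one manually mapped region with a wiped
# header, one private executable region with its header intact, and a heap.
SAMPLE_MODULES = [Module("game.exe", 0x140000000, 0x2000000)]
SAMPLE_REGIONS = [
    Region(0x140001000, 0x1000000, MEM_COMMIT, MEM_IMAGE, 0x20, b"\x48\x8b"),
    Region(0x1A0000000, 0x80000, MEM_COMMIT, MEM_PRIVATE, 0x20, b"\x00\x00"),
    Region(0x1B0000000, 0x10000, MEM_COMMIT, MEM_PRIVATE, 0x40, b"MZ\x90"),
    Region(0x1C0000000, 0x100000, MEM_COMMIT, MEM_PRIVATE, 0x04, b"\x00\x00"),
]


def sample_findings():
    return find_suspicious_regions(SAMPLE_REGIONS, SAMPLE_MODULES)
```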
A security research project that reverse-engineered a manually-mapped cheat DLL in The Division 2 using read-only Windows APIs, documenting the pe-sieve blind spot it exploited and providing all scripts, a reconstructed PE, and an IDA database.
Mainly Python. The stack also includes Windows and IDA Pro.
Use, modify, and distribute freely for any purpose, including commercial use, as long as you keep the copyright notice (MIT).
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly researcher.
Verify against the repo before relying on details.