explaingit

diabloidyobane/blindspot

Analysis updated 2026-05-18

Stars · 6 · Language · Python · Audience · researcher · Complexity · 4/5 · License · MIT · Setup · hard

TLDR

A security research project that reverse-engineered a manually mapped cheat DLL in The Division 2 using only read-only Windows APIs, documenting the pe-sieve blind spot it exploited and providing all scripts, a reconstructed PE, and an IDA database.

Mindmap

mindmap
  root((BlindSpot))
    What it documents
      Manual-mapped cheat DLL
      pe-sieve blind spot
      Hook table discovery
    Technique explained
      MEM_PRIVATE loading
      PE header wiping
      IAT runtime resolution
    Included files
      Python analysis scripts
      Reconstructed PE32+
      IDA database
    Safety
      Read-only Windows APIs
      No debugger no injection
      Anti-cheat safe


What do people build with it?

USE CASE 1

Study how a manually mapped, header-wiped DLL evades memory scanners such as pe-sieve, and turn the artifacts it leaves (a private executable region with no PE header, imports resolved at runtime, a table of pointers into the host EXE) into detection heuristics.

USE CASE 2

Use the included Python scripts as a starting point for your own memory forensics workflow on Windows processes.

USE CASE 3

Open the IDA database to explore the reconstructed cheat DLL and understand how runtime hooks connect to a game's code.

What is it built with?

Python · Windows · IDA Pro

How does it compare?

                   diabloidyobane/blindspot   ashishdevasia/ha-proton-drive-backup   bro77xp/beginner-friendly-ai-vtuber
Stars              6                          6                                      6
Language           Python                     Python                                 Python
Setup difficulty   hard                       moderate                               hard
Complexity         4/5                        2/5                                    3/5
Audience           researcher                 ops / devops                           general

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires IDA Pro to open the included database, and a Windows machine with Python for the analysis scripts. The scripts inspect a live process from outside, so the target process must be running when you invoke them.

Use, modify, and distribute freely for any purpose, including commercial use, as long as you keep the copyright notice (MIT).

In plain English

BlindSpot is a security research project documenting how a commercial cheat for The Division 2 was reverse-engineered inside the running game. The cheat had evaded pe-sieve, a widely used scanner that looks for injected and tampered code in a process. BlindSpot explains why pe-sieve missed it and provides the Python scripts, a reconstructed copy of the cheat code, an IDA database, and a written walkthrough of the whole analysis.

The cheat was loaded by manual mapping: its code was copied into a private allocation inside the game process (a region VirtualQueryEx reports as MEM_PRIVATE) rather than mapped by the Windows loader, so it never appears in the loader's module lists that LoadLibrary would populate. After loading, it wiped its own PE header and resolved its imports at runtime, leaving a region with neither the MZ/PE signature nor an import table that a scanner could recognize. The project's explanation of the blind spot is that pe-sieve's scan is driven by that module list, so a region loaded this way is never visited, and with the header gone there is nothing PE-shaped left for a raw memory sweep to key on. A practitioner should check that claim against pe-sieve's optional modes (for example the /shellc and /data scan settings, which do look at unlisted memory) before assuming the gap applies to every configuration; the repo's write-up is where to see what was actually tested.

The analysis was done without kernel-level tools, a debugger, or code injection. Every script inspects the process from outside through read-only Windows APIs: querying the layout and protection of memory regions, reading their contents, and reconstructing the code from the dump. Nothing is written into the game process. The whole workflow runs in about 90 seconds on a standard workstation, and the author reports no bans from running it live with the game's anti-cheat active. Treat that as one author's observation rather than a guarantee: opening a read-capable handle to a protected game process is itself visible to kernel-mode anti-cheat drivers, so the risk is low, not zero.

The repository includes seven Python scripts covering: scanning for private executable memory regions, dumping those regions to disk, rebuilding a valid PE header so IDA can open the dump, and locating the hook table that connects the cheat to the game's internals. An IDA database with recovered imports and named functions is included, so you can open the analysis without starting from scratch. The project is MIT licensed and intended for defensive security research and education in memory forensics and Windows internals.
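The following is an added example, not code from the blindspot repository, showing the triage logic behind the scan step described above: enumerate regions with VirtualQueryEx, keep only committed MEM_PRIVATE executable ones, flag those with no MZ at their base, and count 8-byte absolute pointers into the host EXE's address range (the signal a hook table produces). The Region record, the triage function, the HOST_LO/HOST_HI range and the sample regions are this example's own assumptions; the Windows enumerator is the only part that touches the OS and runs on Windows alone, while the pure functions run on the constructed sample anywhere.

```python
"""Added example, not code from the blindspot repository: the triage logic
behind a private-executable-region scan done from outside a process with
read-only Windows APIs (VirtualQueryEx + ReadProcessMemory).
Region, triage(), HOST_LO/HOST_HI and demo_regions() are this example's
assumptions; enumerate_regions_win32() is Windows-only, the rest runs anywhere."""
import struct
from dataclasses import dataclass

# winnt.h constants
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_NOACCESS, PAGE_READWRITE, PAGE_GUARD = 0x01, 0x04, 0x100
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}   # the PAGE_EXECUTE* family

@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    type: int
    data: bytes = b""

def is_private_exec(r: Region) -> bool:
    """Committed, MEM_PRIVATE (never on the loader's module lists, unlike
    MEM_IMAGE), executable, and safe to read (no PAGE_GUARD / NOACCESS)."""
    if r.state != MEM_COMMIT or r.type != MEM_PRIVATE:
        return False
    if r.protect & (PAGE_GUARD | PAGE_NOACCESS):
        return False
    return (r.protect & 0xFF) in EXEC_PROTECTIONS

def looks_headerless(data: bytes) -> bool:
    """Image-sized region with no 'MZ' at its base whose first page is not all zeros."""
    return len(data) >= 0x1000 and data[:2] != b"MZ" and any(data[:0x1000])

def find_abs_pointers(data: bytes, region_base: int, lo: int, hi: int):
    """(address, target) for each 8-byte-aligned QWORD pointing into [lo, hi),
    e.g. the host EXE's image; a dense run of these is a hook or thunk table."""
    hits = []
    for off in range(0, len(data) - 7, 8):
        val = struct.unpack_from("<Q", data, off)[0]
        if lo <= val < hi:
            hits.append((region_base + off, val))
    return hits

def triage(regions, host_lo: int, host_hi: int):
    """Keep only private executable regions and attach the evidence for each."""
    out = []
    for r in sorted(regions, key=lambda r: r.base):
        if is_private_exec(r):
            out.append({"base": r.base, "size": r.size,
                        "headerless": looks_headerless(r.data),
                        "host_xrefs": len(find_abs_pointers(r.data, r.base, host_lo, host_hi))})
    return out

def enumerate_regions_win32(pid: int):
    """Windows only: walk the address space with VirtualQueryEx and read just the
    candidate regions with ReadProcessMemory, using query/read rights only."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class MBI(ctypes.Structure):          # MEMORY_BASIC_INFORMATION, 64-bit layout
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("PartitionId", wintypes.WORD),
                    ("RegionSize", ctypes.c_size_t), ("State", wintypes.DWORD),
                    ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]

    k32.OpenProcess.restype = wintypes.HANDLE
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    h = k32.OpenProcess(0x0400 | 0x0010, False, pid)   # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MBI()
    while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        r = Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type)
        if is_private_exec(r):
            buf, n = ctypes.create_string_buffer(r.size), ctypes.c_size_t()
            if k32.ReadProcessMemory(h, r.base, buf, r.size, ctypes.byref(n)):
                r.data = buf.raw[:n.value]
        regions.append(r)
        addr = r.base + r.size
    k32.CloseHandle(h)
    return regions

HOST_LO, HOST_HI = 0x7FF600000000, 0x7FF600400000   # constructed host EXE range

def demo_regions():
    """Constructed sample: a loader-mapped image, a hidden private image with a
    two-entry pointer table at +0x200, and three regions that must be skipped."""
    hidden = bytearray(0x3000)
    hidden[0:5] = b"\x48\x89\x5c\x24\x08"              # x64 prologue bytes, so not all zeros
    struct.pack_into("<QQ", hidden, 0x200, HOST_LO + 0x123456, HOST_LO + 0x200000)
    return [
        Region(HOST_LO, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, b"MZ" + bytes(0xFFE)),
        Region(0x1A2B0000, 0x3000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, bytes(hidden)),
        Region(0x20000000, 0x1000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, bytes(0x1000)),
        Region(0x30000000, 0x1000, MEM_RESERVE, PAGE_NOACCESS, MEM_PRIVATE),
        Region(0x40000000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READ | PAGE_GUARD, MEM_PRIVATE),
    ]

if __name__ == "__main__":   # on Windows: triage(enumerate_regions_win32(pid), lo, hi)
    for c in triage(demo_regions(), HOST_LO, HOST_HI):
        print(f"{c['base']:#x} size={c['size']:#x} headerless={c['headerless']} host_xrefs={c['host_xrefs']}")
```

Two design points matter for a live run. The handle asks for PROCESS_QUERY_INFORMATION and PROCESS_VM_READ only, never PROCESS_VM_WRITE or PROCESS_CREATE_THREAD, which is what keeps the workflow read-only. PAGE_GUARD and PAGE_NOACCESS pages are skipped rather than read, because reading them is the kind of fault a target can observe; a JIT or unpacker stub would also show up as a private executable region, which is why the result carries evidence (headerless, host_xrefs) instead of a verdict.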

Copy-paste prompts

Prompt 1
I'm analyzing a Windows process in which pe-sieve reports nothing suspicious. Using the BlindSpot scan_exec_private.py approach, help me adapt the script to scan a different target process for MEM_PRIVATE executable regions.
Prompt 2
Walk me through the BlindSpot method for rebuilding a headerless memory dump into an IDA-loadable PE32+ file using rebuild_headerless.py.
Prompt 3
I want to extend the BlindSpot cross-reference scan to find absolute pointers from an injected region into a different host EXE. What changes do I need to make to the xref scanning script?
Prompt 4
Explain how the MEM_PRIVATE plus header-wiping technique creates a blind spot in pe-sieve's enumeration logic and what detection approaches would catch it.
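As an added example of the rebuild step that Prompt 2 refers to (this is not the repository's rebuild_headerless.py), the block below wraps a raw memory-layout dump of a header-wiped 64-bit image in a minimal PE32+ file and then parses the result back with an independent reader as the sanity check you would run before opening it in IDA. It assumes the dump starts at the region's base, that the first page held the wiped header, that the code is x64, and that the entry point is unknown (defaulted to the first byte after the header page); the function names and the constructed sample dump are this example's own.

```python
"""Added example, not the blindspot repo's rebuild_headerless.py: turn a raw
dump of a header-wiped 64-bit image into a minimal PE32+ file a loader/IDA
accepts, and verify the result. Assumptions (ours, not the project's): the
dump is a memory-layout copy starting at the region base, page 0 held the
wiped header, code is x64, entry point unknown (defaulted to RVA 0x1000)."""
import struct

PAGE = 0x1000
OPT64_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII" + "I" * 32   # IMAGE_OPTIONAL_HEADER64, 240 bytes
SECTION_FMT = "<8sIIIIIIHHI"                               # IMAGE_SECTION_HEADER, 40 bytes

def rebuild_pe64(dump: bytes, image_base: int, entry_rva: int = PAGE) -> bytes:
    """FileAlignment == SectionAlignment == 0x1000, so file offsets equal RVAs
    and every byte keeps the address it had in the target; ImageBase is the
    region base, so absolute pointers inside the code still resolve."""
    if len(dump) <= PAGE:
        raise ValueError("dump must be larger than the wiped header page")
    size_image = -(-len(dump) // PAGE) * PAGE            # round up to a whole page
    body = dump[PAGE:].ljust(size_image - PAGE, b"\0")   # everything after the wiped header
    dos = struct.pack("<2s58xI", b"MZ", 0x40)            # e_lfanew -> NT headers at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, struct.calcsize(OPT64_FMT),
                           0x2022)    # AMD64, one section, EXECUTABLE | LARGE_ADDRESS_AWARE | DLL
    opt = struct.pack(
        OPT64_FMT,
        0x20B, 0, 0,                     # PE32+ magic, linker version
        len(body), 0, 0,                 # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        entry_rva, PAGE,                 # AddressOfEntryPoint (assumed), BaseOfCode
        image_base, PAGE, PAGE,          # ImageBase, SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                # OS / image / subsystem versions
        0, size_image, PAGE, 0,          # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                            # Subsystem WINDOWS_GUI, DllCharacteristics (no dynamic base: no relocs)
        0x100000, PAGE, 0x100000, PAGE,  # stack / heap reserve and commit
        0, 16, *([0] * 32))              # LoaderFlags, 16 empty data directories (IAT is rebuilt separately)
    section = struct.pack(SECTION_FMT, b".dump", len(body), PAGE, len(body), PAGE,
                          0, 0, 0, 0, 0xE0000020)        # CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
    header = (dos + b"PE\0\0" + file_hdr + opt + section).ljust(PAGE, b"\0")
    return header + body

def parse_pe64_summary(blob: bytes) -> dict:
    """Independent reader for the fields a loader checks first; used to verify the rebuild."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    size_image = struct.unpack_from("<I", blob, opt + 56)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw": raw, "chars": chars})
    return {"machine": machine, "magic": magic, "entry": entry, "image_base": image_base,
            "size_image": size_image, "sections": sections}

def demo_headerless_dump() -> bytes:
    """Constructed sample: a zeroed first page (the wiped header) followed by
    0x1800 bytes that begin with a genuine x64 function prologue."""
    return bytes(PAGE) + b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20".ljust(0x1800, b"\xcc")

if __name__ == "__main__":
    blob = rebuild_pe64(demo_headerless_dump(), 0x1A2B0000)
    print(parse_pe64_summary(blob))
```

Write the returned bytes to a .dll file and IDA will load it as a PE with the code at the same RVAs it had in the process. The data directories are deliberately left empty: with the header wiped there is no import table to copy, so import recovery is a separate pass that resolves the runtime-filled pointer table against the host's exports. A 32-bit target needs IMAGE_OPTIONAL_HEADER32 (magic 0x10B, 96 bytes, 32-bit ImageBase) instead of this layout.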

Frequently asked questions

What is blindspot?

A documented reverse-engineering of a manually mapped cheat DLL found in The Division 2, done from outside the process with read-only Windows APIs. It explains the pe-sieve blind spot the cheat relied on and ships the analysis scripts, a reconstructed PE32+ dump, and an IDA database.

What language is blindspot written in?

Python. The scripts target Windows, since they inspect a live Windows process, and the included database requires IDA Pro.

What license does blindspot use?

MIT. You may use, modify and distribute it freely, including commercially, provided the copyright notice is kept.

How hard is blindspot to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is blindspot for?

Security researchers working on memory forensics, Windows internals, or scanner and anti-cheat evasion; the setup assumes familiarity with IDA Pro and Windows process memory.



Verify against the repo before relying on details.