nevercheese-pcileech-memprocfs-mcp
Allows extraction of IL2CPP metadata from Unity games, dumping C# class definitions with fields, methods, and offsets automatically.
Provides tools for dumping UE4/UE5 GNames table, UObject list, and generating C++ SDK headers with field offsets from Unreal Engine games via reflection.
A Linux-native Model Context Protocol server that gives AI assistants direct access to DMA-based memory operations through PCILeech / MemProcFS.
34 tools for memory inspection, process analysis, reverse engineering, and game engine SDK extraction — all through natural language.
Why this exists
DMA hardware lets you read and write the memory of a target system from an external machine over PCIe. This project turns that capability into an MCP server so AI assistants can operate it directly — no manual CLI interaction, no copy-pasting hex dumps.
What you can do with it:
Inspect live memory — read, write, search, dump, and diff memory regions on a target system
Analyze processes — enumerate processes, modules, exports, imports, PE sections, memory regions
Reverse engineer binaries — scan for byte patterns, resolve code signatures, discover RTTI class hierarchies
Discover pointer chains — find stable paths from module bases to dynamic addresses
Find cross-references — locate all code and data references to any address in a module
Dump game engine SDKs — extract full C++ SDKs from Unreal Engine 4/5 games via reflection
Extract Unity metadata — dump IL2CPP class definitions from Unity games automatically
Control FPGA hardware — benchmark DMA speed, send raw PCIe TLPs, read/write config space
Key features
Native Linux implementation
Built on the memprocfs and leechcorepyc Python packages directly — no subprocess wrapping, no text parsing, no Windows dependency.
 | | This project |
Platform | Windows only | Linux native |
Backend | Subprocess → | Native Python API |
Read size | 256-byte chunks | Up to 1MB direct |
Connection | New process per op | Persistent handle |
Tools | 9 | 34 |
Game reverse engineering
Go from "I have a DMA device connected to a game" to a full SDK without touching a disassembler:
1. "List processes" → find the game PID
2. "List modules for game.exe" → find module bases
3. "Scan for RTTI classes in game.exe" → discover class names + vtables
4. "Find the GNames signature in game.exe" → locate UE globals
5. "Dump the UE5 SDK with GNames and GObjects" → generate C++ headers
Pointer chain discovery
Found a dynamic address that changes every restart? Find the static chain:
"Find pointer chains from module bases to 0x1a2b3c4d in game.exe"
→ [[game.exe+0x1234]+0x10]+0x48 (depth 2)
→ [[game.exe+0x5678]+0x20]+0x100 (depth 2)
Cross-reference scanning
Find every instruction and data pointer that references an address:
"Find all xrefs to 0x7ff6a013580 in game.exe"
→ Code: 0x7ff6a012345 [rip_rel_7] 48 8b 05 35 12 00 00 (.text)
→ Data: 0x7ff6a101000 (.rdata)
Engine-specific tools
Engine | Tools | What you get |
Unreal Engine 4/5 | | FName table, UObject list, C++ SDK headers with field offsets |
Unity (IL2CPP) | | C# class definitions with fields, methods, and offsets — fully automatic |
Tools (34)
Category | Count | Tools |
Core Memory | 4 | |
System | 6 | |
Address Translation | 2 | |
Modules | 5 | |
Game / RE | 4 | |
Advanced RE | 4 | |
Pointer / XRef | 2 | |
Engine Tools | 4 | |
FPGA | 3 | |
* memory_patch is stubbed — .sig files are a CLI-only feature. Use memory_search + memory_write instead.
Full parameter reference: docs/tools.md
UE signature reference: docs/ue_signatures.md
Requirements
Linux (x86_64)
Python 3.10+
PCILeech-compatible FPGA hardware (Screamer, ZDMA, etc.)
USB drivers configured (MemProcFS Linux setup)
Installation
git clone https://github.com/Neverdecel/nevercheese-pcileech-memprocfs-mcp.git
cd nevercheese-pcileech-memprocfs-mcp
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
System dependencies (if needed):
sudo apt install libusb-1.0-0-dev libfuse-dev openssl libssl-dev liblz4-dev
Configuration
Edit config.json:
{
  "device": {
    "type": "fpga",
    "remote": "",
    "extra_args": []
  }
}
Field | Description | Examples |
type | Device type | |
remote | Remote LeechAgent | |
extra_args | Extra memprocfs args | |
Adding to Claude Code
claude mcp add -s user nevercheese-pcileech-memprocfs-mcp -- \
/path/to/nevercheese-pcileech-memprocfs-mcp/.venv/bin/python \
/path/to/nevercheese-pcileech-memprocfs-mcp/main.py
Or add to your MCP config manually:
{
  "mcpServers": {
    "nevercheese-pcileech-memprocfs-mcp": {
      "command": "/path/to/.venv/bin/python",
      "args": ["/path/to/main.py"]
    }
  }
}
Usage examples
Once connected, use natural language:
Memory operations
Read 256 bytes from physical address 0x1000
Write 90909090 (NOPs) to 0x7ff7f3a90000 in PID 1234
Search for the MZ header in the first 16MB of memory
Take a snapshot of 256 bytes at 0x1a000000, then diff after taking damage
Process analysis
List all processes on the target system
Show me modules loaded by explorer.exe
Show the exports of engine2.dll in cs2.exe
List PE sections of game.exe with protection flags
Reverse engineering
Scan for AOB pattern "48 8B 05 ?? ?? ?? ?? 48 85 C0" in game.exe
Resolve the signature "48 8D 05 ?? ?? ?? ?? EB 27" to find GNames
Scan for RTTI classes in client.dll
Analyze the struct at address 0x1a000000 — identify field types
Pointer & xref scanning
Find pointer chains from module bases to address 0x1a2b3c4d in PID 1234
Find all code and data references to 0x7ff6a013580 in game.exe
Follow the pointer chain [[game.exe+0x1A8B230]+0x50]+0x100 and read 4 bytes
Engine SDK extraction
Dump the UE5 GNames table at 0x7ff6a500000 from the game process
Generate a C++ SDK from the UE game with GObjects at 0x... and GNames at 0x...
Dump IL2CPP metadata from the Unity game process to /tmp/dump.cs
Testing
source .venv/bin/activate
python test_server.py
161 tests — all use mocks, no hardware needed. Covers tool registration, handler output formatting, and algorithm correctness (pointer scanning, xref scanning with crafted PE binaries).
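The scanning logic can be exercised the same way, offline and against crafted bytes. The following is an added example, not code from this project: it matches the two AOB patterns quoted in the usage examples against a constructed buffer and resolves the RIP-relative operand of each hit. The names `parse_aob`, `scan`, `resolve_rip_rel`, `BASE` and `SAMPLE` are hypothetical, and the 7-byte instruction length with the 32-bit displacement at byte 3 is an assumption that fits the `48 8B 05` / `48 8D 05` forms.

```python
import struct

def parse_aob(pattern):
    """'48 8B 05 ?? ?? ?? ??' -> list of byte values, None for a wildcard."""
    out = []
    for tok in pattern.split():
        if tok == "??":
            out.append(None)
        elif len(tok) == 2:
            out.append(bytes.fromhex(tok)[0])  # ValueError on non-hex tokens
        else:
            raise ValueError(f"bad pattern token: {tok!r}")
    if not out:
        raise ValueError("empty pattern")
    return out

def scan(buf, pattern):
    """Return every offset in buf where the pattern matches in full."""
    pat = parse_aob(pattern)
    return [i for i in range(len(buf) - len(pat) + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pat))]

def resolve_rip_rel(buf, base, off, disp_off=3, instr_len=7):
    """Operand target = address of the next instruction + signed disp32."""
    if off < 0 or off + disp_off + 4 > len(buf):
        raise ValueError("displacement lies outside the buffer")
    (disp,) = struct.unpack_from("<i", buf, off + disp_off)  # little-endian, signed
    return base + off + instr_len + disp

# Constructed sample: a made-up load address and hand-assembled bytes.
BASE = 0x140001000
SAMPLE = bytes.fromhex(
    "CC" * 16
    + "488B05E90F0000" + "4885C0"   # mov rax,[rip+0xFE9] ; test rax,rax
    + "CC" * 6
    + "488D05F9FFFFFF" + "EB27"     # lea rax,[rip-7]     ; jmp short
    + "CC" * 4
)

if __name__ == "__main__":
    for pat in ("48 8B 05 ?? ?? ?? ?? 48 85 C0", "48 8D 05 ?? ?? ?? ?? EB 27"):
        for off in scan(SAMPLE, pat):
            target = resolve_rip_rel(SAMPLE, BASE, off)
            print(f"{pat} @ {BASE + off:#x} -> {target:#x}")
```

The second instruction carries a negative displacement, which is why the displacement is unpacked as a signed value.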
Architecture
Claude Code / MCP Client
    |
    | (MCP stdio transport)
    |
main.py                     ← 34 tool schemas + async handlers + output formatting
    |
vmm_wrapper.py              ← Device init, memory ops, process/module enumeration
    |
    ├── pointer_scanner.py  ← Pointer chain discovery + cross-reference scanning
    ├── engine_tools.py     ← UE4/UE5 SDK dump + Unity IL2CPP extraction
    |
    ├── memprocfs           ← High-level API: processes, virtual memory, modules
    |   └── vmmpyc.so → libvmm.so → libleechcore.so
    |
    └── leechcorepyc        ← Low-level API: physical memory, FPGA, TLP
        └── leechcore.so
Credits
PCILeech / MemProcFS / LeechCore: Ulf Frisk
Original MCP concept: evan7198/mcp_server_pcileech
Model Context Protocol: Anthropic
License
This project wraps PCILeech/MemProcFS which are licensed under AGPL-3.0 / GPL-3.0. See MemProcFS License and LeechCore License.
Disclaimer
This tool is intended for authorized security research, debugging, and educational purposes only. Do not use it for unauthorized access. You are responsible for complying with all applicable laws.