START HERE — load a PE executable into x64dbg and create a debugging session. Returns a sessionId that ALL other tools require as their first parameter. Auto-detects 32-bit vs 64-bit PE and launches x32dbg or x64dbg accordingly. With breakOnEntry=true (default): execution stops at the entry point and the session state becomes 'paused' — you can immediately call step_into, get_registers, or disassemble. With breakOnEntry=false: the debuggee starts running; use set_breakpoint then continue_execution to pause it later. Only one session can be active at a time. Call terminate_session first if one exists.

Resume execution of a paused debuggee. Runs until the next breakpoint, exception, or program exit. REQUIRES: session state must be 'paused' (check with get_status). Returns stopReason ('breakpoint', 'paused', or 'exited') and the address where execution stopped. If stopReason is 'exited', the process has terminated.

Execute one or more instructions, stepping INTO function calls. REQUIRES: session state must be 'paused'. Returns the new address, disassembly, module, and key register values after stepping. Use step_over instead if you want to skip over CALL instructions.

Execute one or more instructions, stepping OVER function calls. REQUIRES: session state must be 'paused'. If the current instruction is a CALL, the entire called function executes and control returns to the instruction after the CALL. Use step_into if you want to trace inside the called function.

Run until the current function returns (execute until RET). REQUIRES: session state must be 'paused'. Useful for quickly leaving a called function and returning to the caller without stepping through every instruction.

Set a one-shot breakpoint at the given address and continue execution. Stops when the address is reached or another breakpoint/exception fires first.

Set a breakpoint. Supports software BPs, hardware BPs (execute/read/write), and memory BPs. Optionally supply a condition expression or log text.

Remove a previously set breakpoint at the given address.

List all breakpoints in the session, including hit counts and conditions.

Stop the debuggee process and close the debugging session. x64dbg itself stays open and ready for the next load_executable call. Call this before loading a new executable, or when analysis is complete.

Query the current state of the debugger and active session. Returns bridge connectivity, session state (idle/paused/running/stepping/terminated), current instruction pointer, active thread, and a next-step hint. Call this whenever you are unsure what state the debugger is in before issuing step/continue/breakpoint operations. This is always safe to call — it does not change any debugger state.

List all active debugging sessions with their state and metadata.

Kill the x64dbg or x32dbg process. Works even if the bridge is not connected. Use this to cleanly shut down the debugger before deploying updated plugins or when you need to restart the debugger.

Continue execution in a loop, collecting a memory expression at each breakpoint hit. Use this to trace repeated calls (e.g. AddMoudle, GetClassObject). The default expr 'ptr_utf16@[esp+4]' reads a wchar_t* arg from the x86 stack.

Execute a raw x64dbg command string. Use this for advanced operations not covered by other tools. Returns the command output.

Read raw bytes from the debuggee's virtual address space. Returns a hex+ASCII dump. Address must be in the debuggee's mapped memory (see get_memory_map for valid ranges). REQUIRES: session must be paused.

Write bytes to the debuggee's virtual memory. Use with caution — writing to wrong addresses can crash the debuggee.

Search the debuggee's memory for a byte pattern or string. Supports hex patterns with wildcards (e.g. '4D 5A ?? ??') and text strings.

Return the virtual memory map of the debuggee process: all regions with base address, size, protection, type, and associated module.

Read the current CPU register values of the active thread. Includes general-purpose registers, instruction pointer (RIP/EIP), flags, and optionally segment and debug registers. REQUIRES: session must be paused (call get_status to check). On x64: returns RAX, RBX, RCX, RDX, RSI, RDI, RSP, RBP, RIP, R8-R15. On x86: returns EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP, EIP.

Set the value of a single CPU register.

Get the call stack (backtrace) of the current thread. Shows return addresses, module names, and function names where available.

List all threads in the debuggee process with their current state.

Switch the active thread. Subsequent register/stack/step operations will apply to this thread.

Disassemble instructions starting at a given address in the loaded module. Returns address, raw bytes, mnemonic, operands, and metadata (is_call, is_jump, reference target) for each instruction. Safe to call while paused. Address may be a hex value ('0x401000') or a symbol name ('main', 'kernel32.CreateFileW'). Tip: after load_executable with breakOnEntry=true, disassemble the entry point returned in the load result to see where execution begins.

Analyse the function that contains the given address. Returns boundaries, size, call graph (callers + callees), and whether the function is a leaf.

Find all cross-references (xrefs) to or from the given address. Returns code references (calls/jumps) and data references (reads/writes).

List recognised functions in the debuggee. Can filter by module name and/or name substring.

List all modules (DLLs and the main EXE) loaded in the debuggee with base address, size, entry point, and file path.

List all imported functions for a specific module. Shows DLL name, function name, ordinal, and IAT address.

List all exported functions/symbols for a specific module.

Search for ASCII and Unicode strings in the debuggee's memory. Optionally filter by content substring or module.

Parse and return the PE header information for a module: DOS header, NT headers, section table, data directories, timestamp, subsystem, characteristics, etc.

Record an execution trace from the current position. Steps through instructions and records address + disassembly at each step. Stops after maxInstructions or a breakpoint.

Analyse the loaded executable for signs of packing or obfuscation. Checks section entropy, section name anomalies, import table size, entry-point location, and known packer signatures. Returns a confidence score and list of indicators.

Cross-reference the executable's import table against a database of Windows APIs commonly used by malware, grouped by category (process injection, network, crypto, anti-debug, etc.). Returns per-category findings and an overall risk level.

Scan the loaded executable for common anti-debugging techniques: API checks (IsDebuggerPresent, NtQueryInformationProcess), timing checks, PEB flags, int 2d / int 3, TLS callbacks, etc.

Check PE sections for anomalies that may indicate packing, code injection, or tampering: writable+executable sections, unusual names, zero raw-size with non-zero virtual-size, high entropy.

Run all security analysis tools and produce a consolidated report: packing detection, suspicious API analysis, anti-debug detection, and section anomaly checks. Useful as a first-pass triage.