frida-mem-scan 1.0.0

package/README.md

@@ -0,0 +1,110 @@
+# frida-mem-scan
+
+Fast SIMD-accelerated memory scanner for Frida. Targets either the
+current process or any other process by PID, with the same API.
+
+The scanner core is a self-contained, relocation-free assembly blob
+(SSE4.1 on x86_64, NEON on arm64) that's copied into a JIT page at
+load time. On modern hardware it saturates memory bandwidth on the
+parallel path; see `src/README.md` for measurements on a specific
+machine. The cross-process path uses the platform's native VM API
+(mach\_vm\_\* on macOS, with Windows and Linux backends stubbed for
+future contributions).
+
+## Install
+
+```sh
+frida-pm install frida-mem-scan
+```
+
+## Usage
+
+```ts
+import { Target } from "frida-mem-scan";
+
+// In-process scan: find every Hv::Vm vtable pointer.
+const me = Target.self();
+const hits = me.find(["Hypervisor!_ZTVN2Hv2VmE+16"]);
+for (const h of hits) {
+    console.log(h.addr);
+}
+
+// Cross-process scan, restricted to readable regions <= 100 MB:
+const t = Target.pid(9549);
+const hits = t.find(["Hypervisor!_ZTVN2Hv2VmE+16"], {
+    filter: { readable: true, maxBytes: 100 * 1024 * 1024 },
+});
+
+// Raw memory read (works for both self and cross-process):
+const bytes = t.read(ptr("0x104dbd560"), 128);
+```
+
+Targets are either raw addresses (`NativePointer`, `UInt64`, or
+`number`) or `<module>!<symbol>[+<offset>]` strings that resolve
+against the loaded image set. The `+16` convention matches the
+Itanium C++ ABI vtable address-point so you can scan for object
+instances by their class name.
+
+By default a mask of `0x00007ffffffffff8` is applied to each candidate
+slot before equality comparison; that strips arm64e PAC and the
+non-pointer-isa flag bits in one go. Pass your own `mask` to opt out
+or scan for something else (e.g. `~0` for raw equality).
+
+## API
+
+```ts
+class Target {
+    static self(): Target
+    static pid(pid: number): Target
+
+    find(targets: TargetSpec[], opts?: FindOpts): ScanHit[]
+    read(addr: NativePointer, size: number): ArrayBuffer
+    regions(filter?: RegionFilter): Iterable<Region>
+}
+
+interface FindOpts {
+    mask?: UInt64
+    filter?: RegionFilter
+    capPerThread?: number
+}
+
+interface RegionFilter {
+    readable?: boolean
+    writable?: boolean
+    executable?: boolean
+    tags?: number[] | Set<number>
+    minBytes?: number
+    maxBytes?: number
+}
+```
+
+The lower-level `Scanner` class is also exported for callers that
+want to feed in already-prepared buffers without going through the
+`Target` abstraction.
+
+## Building
+
+The published package ships pre-built JavaScript and TypeScript
+typings; you only need this section if you're modifying the assembly
+core.
+
+```sh
+cd src
+make            # builds scan_<arch>.dylib, regenerates ../lib/scanner/bytes-*.ts
+make test       # native + Rosetta tests with perf numbers
+```
+
+The assembly sources, build scripts, and test harness live in `src/`
+and are excluded from the npm package (only `dist/` ships).
+
+## Platform support
+
+| platform                     | status                                                  |
+| ---------------------------- | ------------------------------------------------------- |
+| Windows                      | stub (planned: `ReadProcessMemory` + `VirtualQueryEx`)  |
+| macOS x86_64 (incl. Rosetta) | full — Mach backend                                     |
+| macOS arm64 (incl. arm64e)   | full — Mach backend                                     |
+| Linux                        | stub (planned: `process_vm_readv` + `/proc/<pid>/maps`) |
+
+The scanner SIMD blob itself is platform-neutral; only the
+cross-process VM access needs per-OS implementation.

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { DEFAULT_ISA_MASK, Hit, Scanner } from "./scanner/index.js";
+export { ProcessMemory, Region, RegionFilter } from "./process/types.js";
+export { resolveTarget } from "./symbols.js";
+export { FindOpts, ScanHit, Target, TargetSpec } from "./target.js";

package/dist/index.js

@@ -0,0 +1,3 @@
+export { DEFAULT_ISA_MASK, Scanner } from "./scanner/index.js";
+export { resolveTarget } from "./symbols.js";
+export { Target } from "./target.js";

package/dist/process/darwin.d.ts

@@ -0,0 +1,10 @@
+import { ProcessMemory, Region, RegionFilter } from "./types.js";
+export declare class DarwinProcessMemory implements ProcessMemory {
+    #private;
+    readonly pid: number;
+    readonly isSelf: boolean;
+    constructor(pid: number);
+    regions(filter?: RegionFilter): Iterable<Region>;
+    read(addr: NativePointer, size: number): ArrayBuffer | null;
+    readInto(addr: NativePointer, dst: NativePointer, size: number): boolean;
+}

package/dist/process/darwin.js

@@ -0,0 +1,126 @@
+const KERN_SUCCESS = 0;
+const VM_PROT_EXEC = 0x04;
+const VM_PROT_READ = 0x01;
+const VM_PROT_WRITE = 0x02;
+const VM_REGION_INFO_COUNT = 19;
+export class DarwinProcessMemory {
+    pid;
+    isSelf;
+    #task;
+    constructor(pid) {
+        resolveNatives();
+        this.pid = pid;
+        this.isSelf = pid === Process.id;
+        this.#task = openTask(pid);
+    }
+    *regions(filter) {
+        const wantReadable = filter?.readable === true;
+        const wantWritable = filter?.writable === true;
+        const wantExecutable = filter?.executable === true;
+        const tagSet = makeTagSet(filter?.tags);
+        const minBytes = filter?.minBytes;
+        const maxBytes = filter?.maxBytes;
+        let cursor = NULL;
+        while (true) {
+            const r = nextRegion(this.#task, cursor);
+            if (r === null) {
+                break;
+            }
+            cursor = r.base.add(r.size);
+            if (wantReadable && !r.readable) {
+                continue;
+            }
+            if (wantWritable && !r.writable) {
+                continue;
+            }
+            if (wantExecutable && !r.executable) {
+                continue;
+            }
+            if (tagSet !== null && !tagSet.has(r.tag)) {
+                continue;
+            }
+            const sz = r.size.toNumber();
+            if (minBytes !== undefined && sz < minBytes) {
+                continue;
+            }
+            if (maxBytes !== undefined && sz > maxBytes) {
+                continue;
+            }
+            yield r;
+        }
+    }
+    read(addr, size) {
+        const buf = Memory.alloc(size);
+        if (!this.readInto(addr, buf, size)) {
+            return null;
+        }
+        const view = new Uint8Array(buf.readByteArray(size));
+        return view.slice().buffer;
+    }
+    readInto(addr, dst, size) {
+        const outsize = Memory.alloc(8);
+        const kr = machVmReadOverwrite(this.#task, addr, uint64(size), dst, outsize);
+        return kr === KERN_SUCCESS;
+    }
+}
+function makeTagSet(tags) {
+    if (tags === undefined) {
+        return null;
+    }
+    return tags instanceof Set ? tags : new Set(tags);
+}
+function openTask(pid) {
+    if (pid === Process.id) {
+        return machTaskSelf;
+    }
+    const out = Memory.alloc(4);
+    const kr = taskForPid(machTaskSelf, pid, out);
+    if (kr !== KERN_SUCCESS) {
+        throw new Error(`task_for_pid(${pid}) failed: kr=${kr}`);
+    }
+    return out.readU32();
+}
+function nextRegion(task, startAddr) {
+    const ADDR_OFF = 0;
+    const SIZE_OFF = 8;
+    const DEPTH_OFF = 16;
+    const INFO_OFF = 24;
+    const COUNT_OFF = 152;
+    const TOTAL = 156;
+    const scratch = Memory.alloc(TOTAL);
+    const addrPtr = scratch.add(ADDR_OFF);
+    const sizePtr = scratch.add(SIZE_OFF);
+    const depthPtr = scratch.add(DEPTH_OFF);
+    const info = scratch.add(INFO_OFF);
+    const countPtr = scratch.add(COUNT_OFF);
+    addrPtr.writePointer(startAddr);
+    depthPtr.writeU32(2048);
+    countPtr.writeU32(VM_REGION_INFO_COUNT);
+    const kr = machVmRegionRecurse(task, addrPtr, sizePtr, depthPtr, info, countPtr);
+    if (kr !== KERN_SUCCESS) {
+        return null;
+    }
+    const prot = info.readS32();
+    return {
+        base: addrPtr.readPointer(),
+        size: sizePtr.readU64(),
+        readable: (prot & VM_PROT_READ) !== 0,
+        writable: (prot & VM_PROT_WRITE) !== 0,
+        executable: (prot & VM_PROT_EXEC) !== 0,
+        tag: info.add(24).readU32(),
+    };
+}
+let machTaskSelf = 0;
+let machVmReadOverwrite = null;
+let machVmRegionRecurse = null;
+let taskForPid = null;
+function resolveNatives() {
+    if (taskForPid !== null) {
+        return;
+    }
+    const libSystem = Process.getModuleByName("libSystem.B.dylib");
+    machTaskSelf = libSystem.getExportByName("mach_task_self_").readU32();
+    taskForPid = new NativeFunction(libSystem.getExportByName("task_for_pid"), "int", ["uint", "int", "pointer"]);
+    machVmRegionRecurse = new NativeFunction(libSystem.getExportByName("mach_vm_region_recurse"), "int", ["uint", "pointer", "pointer", "pointer", "pointer", "pointer"]);
+    machVmReadOverwrite = new NativeFunction(libSystem.getExportByName("mach_vm_read_overwrite"), "int", ["uint", "pointer", "uint64", "pointer", "pointer"]);
+}

package/dist/process/index.d.ts

@@ -0,0 +1,2 @@
+import { ProcessMemory } from "./types.js";
+export declare function openProcessMemory(pid: number): ProcessMemory;

package/dist/process/index.js

@@ -0,0 +1,12 @@
+import { DarwinProcessMemory } from "./darwin.js";
+import { LinuxProcessMemory } from "./linux.js";
+import { WindowsProcessMemory } from "./windows.js";
+export function openProcessMemory(pid) {
+    switch (Process.platform) {
+        case "windows": return new WindowsProcessMemory(pid);
+        case "darwin": return new DarwinProcessMemory(pid);
+        case "linux": return new LinuxProcessMemory(pid);
+        default:
+            throw new Error(`frida-mem-scan: no backend for platform ${Process.platform}`);
+    }
+}

package/dist/process/linux.d.ts

@@ -0,0 +1,9 @@
+import { ProcessMemory, Region, RegionFilter } from "./types.js";
+export declare class LinuxProcessMemory implements ProcessMemory {
+    readonly pid: number;
+    readonly isSelf: boolean;
+    constructor(pid: number);
+    regions(_filter?: RegionFilter): Iterable<Region>;
+    read(_addr: NativePointer, _size: number): ArrayBuffer | null;
+    readInto(_addr: NativePointer, _dst: NativePointer, _size: number): boolean;
+}

package/dist/process/linux.js

@@ -0,0 +1,19 @@
+const UNIMPLEMENTED = "frida-mem-scan: Linux backend not yet implemented";
+export class LinuxProcessMemory {
+    pid;
+    isSelf;
+    constructor(pid) {
+        this.pid = pid;
+        this.isSelf = pid === Process.id;
+        throw new Error(UNIMPLEMENTED);
+    }
+    *regions(_filter) {
+        throw new Error(UNIMPLEMENTED);
+    }
+    read(_addr, _size) {
+        throw new Error(UNIMPLEMENTED);
+    }
+    readInto(_addr, _dst, _size) {
+        throw new Error(UNIMPLEMENTED);
+    }
+}

package/dist/process/types.d.ts

@@ -0,0 +1,23 @@
+export interface Region {
+    base: NativePointer;
+    size: UInt64;
+    readable: boolean;
+    writable: boolean;
+    executable: boolean;
+    tag: number;
+}
+export interface RegionFilter {
+    readable?: boolean;
+    writable?: boolean;
+    executable?: boolean;
+    tags?: number[] | Set<number>;
+    minBytes?: number;
+    maxBytes?: number;
+}
+export interface ProcessMemory {
+    readonly pid: number;
+    readonly isSelf: boolean;
+    regions(filter?: RegionFilter): Iterable<Region>;
+    read(addr: NativePointer, size: number): ArrayBuffer | null;
+    readInto(addr: NativePointer, dst: NativePointer, size: number): boolean;
+}

package/dist/process/types.js

@@ -0,0 +1 @@
+export {};

package/dist/process/windows.d.ts

@@ -0,0 +1,9 @@
+import { ProcessMemory, Region, RegionFilter } from "./types.js";
+export declare class WindowsProcessMemory implements ProcessMemory {
+    readonly pid: number;
+    readonly isSelf: boolean;
+    constructor(pid: number);
+    regions(_filter?: RegionFilter): Iterable<Region>;
+    read(_addr: NativePointer, _size: number): ArrayBuffer | null;
+    readInto(_addr: NativePointer, _dst: NativePointer, _size: number): boolean;
+}

package/dist/process/windows.js

@@ -0,0 +1,19 @@
+const UNIMPLEMENTED = "frida-mem-scan: Windows backend not yet implemented";
+export class WindowsProcessMemory {
+    pid;
+    isSelf;
+    constructor(pid) {
+        this.pid = pid;
+        this.isSelf = pid === Process.id;
+        throw new Error(UNIMPLEMENTED);
+    }
+    *regions(_filter) {
+        throw new Error(UNIMPLEMENTED);
+    }
+    read(_addr, _size) {
+        throw new Error(UNIMPLEMENTED);
+    }
+    readInto(_addr, _dst, _size) {
+        throw new Error(UNIMPLEMENTED);
+    }
+}

package/dist/scanner/bytes-arm64.d.ts

@@ -0,0 +1,2 @@
+export declare const SCAN_ARM64_BYTES: Uint8Array<ArrayBuffer>;
+export declare const SYMBOLS: Record<string, number>;

package/dist/scanner/bytes-arm64.js

@@ -0,0 +1,106 @@
+// Generated by extract_text.sh + emit_ts.sh from build/scan_arm64.bin
+// Do not edit by hand; rerun `make` after editing the .S source.
+export const SCAN_ARM64_BYTES = new Uint8Array([
+    0xff, 0x83, 0x01, 0xd1, 0xfd, 0x7b, 0x05, 0xa9, 0xfd, 0x43, 0x01, 0x91,
+    0xe9, 0x33, 0x40, 0xf9, 0xea, 0x37, 0x40, 0xf9, 0xeb, 0x3b, 0x40, 0xf9,
+    0xec, 0x3f, 0x40, 0xf9, 0x8d, 0x05, 0x00, 0xd1, 0x6d, 0x00, 0x0d, 0x8b,
+    0xad, 0x09, 0xcc, 0x9a, 0xe2, 0x37, 0x00, 0xa9, 0xe3, 0x13, 0x01, 0xa9,
+    0xe5, 0x1b, 0x02, 0xa9, 0xe7, 0x27, 0x03, 0xa9, 0xea, 0x2f, 0x04, 0xa9,
+    0xf0, 0x03, 0x00, 0xaa, 0xe0, 0x03, 0x0c, 0xaa, 0xe2, 0x03, 0x00, 0x91,
+    0xc3, 0x00, 0x00, 0x10, 0x00, 0x02, 0x3f, 0xd6, 0xfd, 0x7b, 0x45, 0xa9,
+    0xff, 0x83, 0x01, 0x91, 0xc0, 0x03, 0x5f, 0xd6, 0x1f, 0x20, 0x03, 0xd5,
+    0xfd, 0x7b, 0xbe, 0xa9, 0xfd, 0x03, 0x00, 0x91, 0xe0, 0x07, 0x01, 0xa9,
+    0x0a, 0x2c, 0x40, 0xa9, 0x0c, 0x34, 0x41, 0xa9, 0x0e, 0x3c, 0x42, 0xa9,
+    0x10, 0x44, 0x43, 0xa9, 0x09, 0x24, 0x40, 0xf9, 0x22, 0x7c, 0x0b, 0x9b,
+    0x22, 0x79, 0x21, 0xf8, 0x5f, 0x00, 0x0c, 0xeb, 0x83, 0x00, 0x00, 0x54,
+    0x09, 0x20, 0x40, 0xf9, 0x3f, 0x79, 0x21, 0xf8, 0x12, 0x00, 0x00, 0x14,
+    0x83, 0x01, 0x02, 0xcb, 0x7f, 0x00, 0x0b, 0xeb, 0x63, 0x30, 0x8b, 0x9a,
+    0x4a, 0x0d, 0x02, 0x8b, 0x24, 0x7c, 0x11, 0x9b, 0x10, 0x0a, 0x04, 0x8b,
+    0xe0, 0x03, 0x0a, 0xaa, 0xe1, 0x03, 0x03, 0xaa, 0xe2, 0x03, 0x0d, 0xaa,
+    0xe3, 0x03, 0x0e, 0xaa, 0xe4, 0x03, 0x0f, 0xaa, 0xe5, 0x03, 0x10, 0xaa,
+    0xe6, 0x03, 0x11, 0xaa, 0x44, 0x00, 0x00, 0x94, 0xe9, 0x2b, 0x41, 0xa9,
+    0x2b, 0x21, 0x40, 0xf9, 0x60, 0x79, 0x2a, 0xf8, 0xfd, 0x7b, 0xc2, 0xa8,
+    0xc0, 0x03, 0x5f, 0xd6, 0x1f, 0x20, 0x03, 0xd5, 0x1f, 0x20, 0x03, 0xd5,
+    0xff, 0x83, 0x01, 0xd1, 0xfd, 0x7b, 0x05, 0xa9, 0xfd, 0x43, 0x01, 0x91,
+    0xe9, 0x33, 0x40, 0xf9, 0xea, 0x37, 0x40, 0xf9, 0xeb, 0x3b, 0x40, 0xf9,
+    0x6c, 0x05, 0x00, 0xd1, 0x6c, 0x00, 0x0c, 0x8b, 0x8c, 0x09, 0xcb, 0x9a,
+    0xe2, 0x33, 0x00, 0xa9, 0xe3, 0x13, 0x01, 0xa9, 0xe5, 0x13, 0x00, 0xf9,
+    0xe6, 0x1f, 0x03, 0xa9, 0xe9, 0x2b, 0x04, 0xa9, 0xf0, 0x03, 0x00, 0xaa,
+    0xe0, 0x03, 0x0b, 0xaa, 0xe2, 0x03, 0x00, 0x91, 0xe3, 0x00, 0x00, 0x10,
+    0x00, 0x02, 0x3f, 0xd6, 0xfd, 0x7b, 0x45, 0xa9, 0xff, 0x83, 0x01, 0x91,
+    0xc0, 0x03, 0x5f, 0xd6, 0x1f, 0x20, 0x03, 0xd5, 0x1f, 0x20, 0x03, 0xd5,
+    0xfd, 0x7b, 0xbe, 0xa9, 0xfd, 0x03, 0x00, 0x91, 0xe0, 0x07, 0x01, 0xa9,
+    0x0a, 0x2c, 0x40, 0xa9, 0x0c, 0x34, 0x41, 0xa9, 0x0e, 0x10, 0x40, 0xf9,
+    0x0f, 0x40, 0x43, 0xa9, 0x09, 0x24, 0x40, 0xf9, 0x22, 0x7c, 0x0b, 0x9b,
+    0x22, 0x79, 0x21, 0xf8, 0x5f, 0x00, 0x0c, 0xeb, 0x83, 0x00, 0x00, 0x54,
+    0x09, 0x20, 0x40, 0xf9, 0x3f, 0x79, 0x21, 0xf8, 0x11, 0x00, 0x00, 0x14,
+    0x83, 0x01, 0x02, 0xcb, 0x7f, 0x00, 0x0b, 0xeb, 0x63, 0x30, 0x8b, 0x9a,
+    0x4a, 0x0d, 0x02, 0x8b, 0x24, 0x7c, 0x10, 0x9b, 0xef, 0x09, 0x04, 0x8b,
+    0xe0, 0x03, 0x0a, 0xaa, 0xe1, 0x03, 0x03, 0xaa, 0xe2, 0x03, 0x0d, 0xaa,
+    0xe3, 0x03, 0x0e, 0xaa, 0xe4, 0x03, 0x0f, 0xaa, 0xe5, 0x03, 0x10, 0xaa,
+    0x75, 0x00, 0x00, 0x94, 0xe9, 0x2b, 0x41, 0xa9, 0x2b, 0x21, 0x40, 0xf9,
+    0x60, 0x79, 0x2a, 0xf8, 0xfd, 0x7b, 0xc2, 0xa8, 0xc0, 0x03, 0x5f, 0xd6,
+    0x1f, 0x20, 0x03, 0xd5, 0x1f, 0x20, 0x03, 0xd5, 0x1f, 0x20, 0x03, 0xd5,
+    0xfd, 0x7b, 0xbf, 0xa9, 0xfd, 0x03, 0x00, 0x91, 0xe7, 0x03, 0x1f, 0xaa,
+    0xa1, 0x0c, 0x00, 0xb4, 0x40, 0x0c, 0x08, 0x4e, 0x9f, 0x10, 0x00, 0xf1,
+    0x4c, 0x09, 0x00, 0x54, 0x62, 0x00, 0x40, 0xfd, 0x9f, 0x04, 0x00, 0xf1,
+    0x20, 0x01, 0x00, 0x54, 0x63, 0x04, 0x40, 0xfd, 0x9f, 0x08, 0x00, 0xf1,
+    0x60, 0x01, 0x00, 0x54, 0x64, 0x08, 0x40, 0xfd, 0x9f, 0x0c, 0x00, 0xf1,
+    0xa0, 0x01, 0x00, 0x54, 0x65, 0x0c, 0x40, 0xfd, 0x10, 0x00, 0x00, 0x14,
+    0x42, 0x04, 0x08, 0x4e, 0x43, 0x1c, 0xa2, 0x4e, 0x44, 0x1c, 0xa2, 0x4e,
+    0x45, 0x1c, 0xa2, 0x4e, 0x0f, 0x00, 0x00, 0x14, 0x42, 0x04, 0x08, 0x4e,
+    0x63, 0x04, 0x08, 0x4e, 0x44, 0x1c, 0xa2, 0x4e, 0x45, 0x1c, 0xa2, 0x4e,
+    0x0a, 0x00, 0x00, 0x14, 0x42, 0x04, 0x08, 0x4e, 0x63, 0x04, 0x08, 0x4e,
+    0x84, 0x04, 0x08, 0x4e, 0x45, 0x1c, 0xa2, 0x4e, 0x05, 0x00, 0x00, 0x14,
+    0x42, 0x04, 0x08, 0x4e, 0x63, 0x04, 0x08, 0x4e, 0x84, 0x04, 0x08, 0x4e,
+    0xa5, 0x04, 0x08, 0x4e, 0xe8, 0x03, 0x1f, 0xaa, 0x29, 0xf8, 0x7f, 0x92,
+    0x1f, 0x01, 0x09, 0xeb, 0x2a, 0x03, 0x00, 0x54, 0x0a, 0x0c, 0x08, 0x8b,
+    0x41, 0x01, 0xc0, 0x3d, 0x21, 0x1c, 0x20, 0x4e, 0x30, 0x8c, 0xe2, 0x6e,
+    0x31, 0x8c, 0xe3, 0x6e, 0x32, 0x8c, 0xe4, 0x6e, 0x33, 0x8c, 0xe5, 0x6e,
+    0x10, 0x1e, 0xb1, 0x4e, 0x52, 0x1e, 0xb3, 0x4e, 0x10, 0x1e, 0xb2, 0x4e,
+    0x0b, 0x3e, 0x08, 0x4e, 0x0c, 0x3e, 0x18, 0x4e, 0x6d, 0x01, 0x0c, 0xaa,
+    0x2d, 0x01, 0x00, 0xb4, 0x4b, 0x00, 0x00, 0xb4, 0x2a, 0x00, 0x00, 0x94,
+    0xcc, 0x00, 0x00, 0xb4, 0x0e, 0x05, 0x00, 0x91, 0xef, 0x03, 0x08, 0xaa,
+    0xe8, 0x03, 0x0e, 0xaa, 0x25, 0x00, 0x00, 0x94, 0xe8, 0x03, 0x0f, 0xaa,
+    0x08, 0x09, 0x00, 0x91, 0xe7, 0xff, 0xff, 0x17, 0x1f, 0x01, 0x01, 0xeb,
+    0xca, 0x04, 0x00, 0x54, 0x0a, 0x0c, 0x08, 0x8b, 0x4b, 0x01, 0x40, 0xf9,
+    0x6b, 0x01, 0x02, 0x8a, 0xec, 0x03, 0x1f, 0xaa, 0x9f, 0x01, 0x04, 0xeb,
+    0x0a, 0x04, 0x00, 0x54, 0x6d, 0x78, 0x6c, 0xf8, 0x7f, 0x01, 0x0d, 0xeb,
+    0x61, 0x00, 0x00, 0x54, 0x16, 0x00, 0x00, 0x94, 0x1b, 0x00, 0x00, 0x14,
+    0x8c, 0x05, 0x00, 0x91, 0xf8, 0xff, 0xff, 0x17, 0xe8, 0x03, 0x1f, 0xaa,
+    0x1f, 0x01, 0x01, 0xeb, 0xca, 0x02, 0x00, 0x54, 0x0a, 0x0c, 0x08, 0x8b,
+    0x4b, 0x01, 0x40, 0xf9, 0x6b, 0x01, 0x02, 0x8a, 0xec, 0x03, 0x1f, 0xaa,
+    0x9f, 0x01, 0x04, 0xeb, 0x0a, 0x01, 0x00, 0x54, 0x6d, 0x78, 0x6c, 0xf8,
+    0x7f, 0x01, 0x0d, 0xeb, 0x61, 0x00, 0x00, 0x54, 0x06, 0x00, 0x00, 0x94,
+    0x03, 0x00, 0x00, 0x14, 0x8c, 0x05, 0x00, 0x91, 0xf8, 0xff, 0xff, 0x17,
+    0x08, 0x05, 0x00, 0x91, 0xf0, 0xff, 0xff, 0x17, 0xe7, 0x04, 0x00, 0x91,
+    0xff, 0x00, 0x06, 0xeb, 0x68, 0x00, 0x00, 0x54, 0xf0, 0x04, 0x00, 0xd1,
+    0xa8, 0x78, 0x30, 0xb8, 0xc0, 0x03, 0x5f, 0xd6, 0xe0, 0x03, 0x07, 0xaa,
+    0xfd, 0x7b, 0xc1, 0xa8, 0xc0, 0x03, 0x5f, 0xd6, 0x1f, 0x20, 0x03, 0xd5,
+    0xfd, 0x7b, 0xbf, 0xa9, 0xfd, 0x03, 0x00, 0x91, 0xe6, 0x03, 0x1f, 0xaa,
+    0xc1, 0x06, 0x00, 0xb4, 0x40, 0x0c, 0x08, 0x4e, 0x62, 0x0c, 0x08, 0x4e,
+    0xe8, 0x03, 0x1f, 0xaa, 0x29, 0xf4, 0x7e, 0x92, 0x1f, 0x01, 0x09, 0xeb,
+    0x0a, 0x04, 0x00, 0x54, 0x0a, 0x0c, 0x08, 0x8b, 0x41, 0x0d, 0x40, 0xad,
+    0x21, 0x1c, 0x20, 0x4e, 0x63, 0x1c, 0x20, 0x4e, 0x21, 0x8c, 0xe2, 0x6e,
+    0x63, 0x8c, 0xe2, 0x6e, 0x24, 0x1c, 0xa3, 0x4e, 0x8b, 0x3c, 0x08, 0x4e,
+    0x8c, 0x3c, 0x18, 0x4e, 0x6d, 0x01, 0x0c, 0xaa, 0x6d, 0x02, 0x00, 0xb4,
+    0x2b, 0x3c, 0x08, 0x4e, 0x4b, 0x00, 0x00, 0xb4, 0x1c, 0x00, 0x00, 0x94,
+    0x2b, 0x3c, 0x18, 0x4e, 0x8b, 0x00, 0x00, 0xb4, 0x08, 0x05, 0x00, 0x91,
+    0x18, 0x00, 0x00, 0x94, 0x08, 0x05, 0x00, 0xd1, 0x6b, 0x3c, 0x08, 0x4e,
+    0x8b, 0x00, 0x00, 0xb4, 0x08, 0x09, 0x00, 0x91, 0x13, 0x00, 0x00, 0x94,
+    0x08, 0x09, 0x00, 0xd1, 0x6b, 0x3c, 0x18, 0x4e, 0x8b, 0x00, 0x00, 0xb4,
+    0x08, 0x0d, 0x00, 0x91, 0x0e, 0x00, 0x00, 0x94, 0x08, 0x0d, 0x00, 0xd1,
+    0x08, 0x11, 0x00, 0x91, 0xe0, 0xff, 0xff, 0x17, 0x1f, 0x01, 0x01, 0xeb,
+    0xea, 0x01, 0x00, 0x54, 0x0a, 0x0c, 0x08, 0x8b, 0x4b, 0x01, 0x40, 0xf9,
+    0x6b, 0x01, 0x02, 0x8a, 0x7f, 0x01, 0x03, 0xeb, 0x41, 0x00, 0x00, 0x54,
+    0x03, 0x00, 0x00, 0x94, 0x08, 0x05, 0x00, 0x91, 0xf7, 0xff, 0xff, 0x17,
+    0xc6, 0x04, 0x00, 0x91, 0xdf, 0x00, 0x05, 0xeb, 0x68, 0x00, 0x00, 0x54,
+    0xce, 0x04, 0x00, 0xd1, 0x88, 0x78, 0x2e, 0xb8, 0xc0, 0x03, 0x5f, 0xd6,
+    0xe0, 0x03, 0x06, 0xaa, 0xfd, 0x7b, 0xc1, 0xa8, 0xc0, 0x03, 0x5f, 0xd6
+]);
+export const SYMBOLS = {
+    scan: 0x1e0,
+    scan1: 0x390,
+    scan1_parallel: 0xf0,
+    scan_parallel: 0x0,
+};

package/dist/scanner/bytes-x86_64.d.ts

@@ -0,0 +1,2 @@
+export declare const SCAN_X86_64_BYTES: Uint8Array<ArrayBuffer>;
+export declare const SYMBOLS: Record<string, number>;

package/dist/scanner/bytes-x86_64.js

@@ -0,0 +1,104 @@
+// Generated by extract_text.sh + emit_ts.sh from build/scan_x86_64.bin
+// Do not edit by hand; rerun `make` after editing the .S source.
+export const SCAN_X86_64_BYTES = new Uint8Array([
+    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x60, 0x48, 0x89, 0x14, 0x24,
+    0x48, 0x89, 0x4c, 0x24, 0x10, 0x4c, 0x89, 0x44, 0x24, 0x18, 0x4c, 0x89,
+    0x4c, 0x24, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x44, 0x24, 0x28,
+    0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8b, 0x45,
+    0x20, 0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89,
+    0x44, 0x24, 0x40, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x44, 0x24, 0x48,
+    0x48, 0x89, 0xc8, 0x4c, 0x8b, 0x55, 0x38, 0x4c, 0x01, 0xd0, 0x48, 0xff,
+    0xc8, 0x31, 0xd2, 0x49, 0xf7, 0xf2, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48,
+    0x89, 0x7c, 0x24, 0x58, 0x4c, 0x89, 0xd7, 0x48, 0x89, 0xe2, 0x48, 0x8d,
+    0x0d, 0x0f, 0x00, 0x00, 0x00, 0xff, 0x54, 0x24, 0x58, 0x48, 0x83, 0xc4,
+    0x60, 0x5d, 0xc3, 0x0f, 0x1f, 0x44, 0x00, 0x00, 0x55, 0x48, 0x89, 0xe5,
+    0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x7d, 0xf8, 0x48, 0x89, 0x75, 0xf0,
+    0x4c, 0x8b, 0x57, 0x08, 0x4c, 0x8b, 0x5f, 0x10, 0x48, 0x89, 0xf0, 0x49,
+    0x0f, 0xaf, 0xc2, 0x48, 0x8b, 0x4f, 0x48, 0x48, 0x89, 0x04, 0xf1, 0x4c,
+    0x39, 0xd8, 0x72, 0x0e, 0x48, 0x8b, 0x4f, 0x40, 0x48, 0xc7, 0x04, 0xf1,
+    0x00, 0x00, 0x00, 0x00, 0xeb, 0x4f, 0x49, 0x29, 0xc3, 0x4d, 0x39, 0xd3,
+    0x4d, 0x0f, 0x43, 0xda, 0x48, 0x8b, 0x57, 0x38, 0x48, 0x89, 0xf1, 0x48,
+    0x0f, 0xaf, 0xca, 0x48, 0xc1, 0xe1, 0x02, 0x48, 0x03, 0x4f, 0x30, 0x48,
+    0x89, 0x14, 0x24, 0x49, 0x89, 0xc9, 0x4c, 0x8b, 0x47, 0x28, 0x48, 0x8b,
+    0x57, 0x18, 0x48, 0x8b, 0x4f, 0x20, 0x4c, 0x89, 0xde, 0x4c, 0x8b, 0x17,
+    0x49, 0x8d, 0x3c, 0xc2, 0xe8, 0x27, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x4d,
+    0xf8, 0x48, 0x8b, 0x75, 0xf0, 0x4c, 0x8b, 0x59, 0x40, 0x49, 0x89, 0x04,
+    0xf3, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x90, 0x55, 0x48, 0x89, 0xe5,
+    0x48, 0x83, 0xec, 0x60, 0x48, 0x89, 0x14, 0x24, 0x48, 0x89, 0x4c, 0x24,
+    0x10, 0x4c, 0x89, 0x44, 0x24, 0x18, 0x4c, 0x89, 0x4c, 0x24, 0x20, 0x48,
+    0x8b, 0x45, 0x10, 0x48, 0x89, 0x44, 0x24, 0x30, 0x48, 0x8b, 0x45, 0x18,
+    0x48, 0x89, 0x44, 0x24, 0x38, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x44,
+    0x24, 0x40, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x44, 0x24, 0x48, 0x48,
+    0x89, 0xc8, 0x4c, 0x8b, 0x55, 0x30, 0x4c, 0x01, 0xd0, 0x48, 0xff, 0xc8,
+    0x31, 0xd2, 0x49, 0xf7, 0xf2, 0x48, 0x89, 0x44, 0x24, 0x08, 0x48, 0x89,
+    0x7c, 0x24, 0x58, 0x4c, 0x89, 0xd7, 0x48, 0x89, 0xe2, 0x48, 0x8d, 0x0d,
+    0x18, 0x00, 0x00, 0x00, 0xff, 0x54, 0x24, 0x58, 0x48, 0x83, 0xc4, 0x60,
+    0x5d, 0xc3, 0x66, 0x2e, 0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x0f, 0x1f, 0x40, 0x00, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
+    0x48, 0x89, 0x7d, 0xf8, 0x48, 0x89, 0x75, 0xf0, 0x4c, 0x8b, 0x57, 0x08,
+    0x4c, 0x8b, 0x5f, 0x10, 0x48, 0x89, 0xf0, 0x49, 0x0f, 0xaf, 0xc2, 0x48,
+    0x8b, 0x4f, 0x48, 0x48, 0x89, 0x04, 0xf1, 0x4c, 0x39, 0xd8, 0x72, 0x0e,
+    0x48, 0x8b, 0x4f, 0x40, 0x48, 0xc7, 0x04, 0xf1, 0x00, 0x00, 0x00, 0x00,
+    0xeb, 0x4a, 0x49, 0x29, 0xc3, 0x4d, 0x39, 0xd3, 0x4d, 0x0f, 0x43, 0xda,
+    0x48, 0x8b, 0x57, 0x38, 0x48, 0x89, 0xf1, 0x48, 0x0f, 0xaf, 0xca, 0x48,
+    0xc1, 0xe1, 0x02, 0x48, 0x03, 0x4f, 0x30, 0x49, 0x89, 0xc8, 0x49, 0x89,
+    0xd1, 0x48, 0x8b, 0x4f, 0x20, 0x48, 0x8b, 0x57, 0x18, 0x4c, 0x89, 0xde,
+    0x4c, 0x8b, 0x17, 0x49, 0x8d, 0x3c, 0xc2, 0xe8, 0x7c, 0x01, 0x00, 0x00,
+    0x48, 0x8b, 0x4d, 0xf8, 0x48, 0x8b, 0x75, 0xf0, 0x4c, 0x8b, 0x59, 0x40,
+    0x49, 0x89, 0x04, 0xf3, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x66, 0x0f,
+    0x1f, 0x44, 0x00, 0x00, 0x55, 0x48, 0x89, 0xe5, 0x53, 0x41, 0x54, 0x31,
+    0xdb, 0x48, 0x85, 0xf6, 0x0f, 0x84, 0x3d, 0x01, 0x00, 0x00, 0x4c, 0x8b,
+    0x5d, 0x10, 0x49, 0x89, 0xcc, 0x66, 0x48, 0x0f, 0x6e, 0xc2, 0x66, 0x0f,
+    0x6c, 0xc0, 0x49, 0x83, 0xf8, 0x04, 0x0f, 0x87, 0xe9, 0x00, 0x00, 0x00,
+    0xf3, 0x0f, 0x7e, 0x11, 0x66, 0x0f, 0x6c, 0xd2, 0x49, 0x83, 0xf8, 0x01,
+    0x74, 0x29, 0xf3, 0x0f, 0x7e, 0x59, 0x08, 0x66, 0x0f, 0x6c, 0xdb, 0x49,
+    0x83, 0xf8, 0x02, 0x74, 0x28, 0xf3, 0x0f, 0x7e, 0x61, 0x10, 0x66, 0x0f,
+    0x6c, 0xe4, 0x49, 0x83, 0xf8, 0x03, 0x74, 0x23, 0xf3, 0x0f, 0x7e, 0x69,
+    0x18, 0x66, 0x0f, 0x6c, 0xed, 0xeb, 0x1c, 0x66, 0x0f, 0x6f, 0xda, 0x66,
+    0x0f, 0x6f, 0xe2, 0x66, 0x0f, 0x6f, 0xea, 0xeb, 0x0e, 0x66, 0x0f, 0x6f,
+    0xe2, 0x66, 0x0f, 0x6f, 0xea, 0xeb, 0x04, 0x66, 0x0f, 0x6f, 0xea, 0x4d,
+    0x31, 0xd2, 0x48, 0x89, 0xf0, 0x48, 0x83, 0xe0, 0xfe, 0x49, 0x39, 0xc2,
+    0x73, 0x62, 0xf3, 0x42, 0x0f, 0x6f, 0x0c, 0xd7, 0x66, 0x0f, 0xdb, 0xc8,
+    0x66, 0x0f, 0x6f, 0xf1, 0x66, 0x0f, 0x38, 0x29, 0xf2, 0x66, 0x0f, 0x6f,
+    0xf9, 0x66, 0x0f, 0x38, 0x29, 0xfb, 0x66, 0x0f, 0xeb, 0xf7, 0x66, 0x0f,
+    0x6f, 0xf9, 0x66, 0x0f, 0x38, 0x29, 0xfc, 0x66, 0x0f, 0xeb, 0xf7, 0x66,
+    0x0f, 0x6f, 0xf9, 0x66, 0x0f, 0x38, 0x29, 0xfd, 0x66, 0x0f, 0xeb, 0xf7,
+    0x66, 0x0f, 0x50, 0xce, 0x84, 0xc9, 0x74, 0x1a, 0xf6, 0xc1, 0x01, 0x74,
+    0x05, 0xe8, 0x68, 0x00, 0x00, 0x00, 0xf6, 0xc1, 0x02, 0x74, 0x0b, 0x49,
+    0xff, 0xc2, 0xe8, 0x5b, 0x00, 0x00, 0x00, 0x49, 0xff, 0xca, 0x49, 0x83,
+    0xc2, 0x02, 0xeb, 0x99, 0x49, 0x39, 0xf2, 0x73, 0x5a, 0x4a, 0x8b, 0x04,
+    0xd7, 0x48, 0x21, 0xd0, 0x31, 0xc9, 0x4c, 0x39, 0xc1, 0x73, 0x4c, 0x49,
+    0x3b, 0x04, 0xcc, 0x75, 0x07, 0xe8, 0x34, 0x00, 0x00, 0x00, 0xeb, 0x3f,
+    0x48, 0xff, 0xc1, 0xeb, 0xe9, 0x4d, 0x31, 0xd2, 0x49, 0x39, 0xf2, 0x73,
+    0x32, 0x4a, 0x8b, 0x04, 0xd7, 0x48, 0x21, 0xd0, 0x31, 0xc9, 0x4c, 0x39,
+    0xc1, 0x73, 0x12, 0x49, 0x3b, 0x04, 0xcc, 0x75, 0x07, 0xe8, 0x0c, 0x00,
+    0x00, 0x00, 0xeb, 0x05, 0x48, 0xff, 0xc1, 0xeb, 0xe9, 0x49, 0xff, 0xc2,
+    0xeb, 0xd6, 0x4c, 0x39, 0xdb, 0x73, 0x04, 0x45, 0x89, 0x14, 0x99, 0x48,
+    0xff, 0xc3, 0xc3, 0x48, 0x89, 0xd8, 0x41, 0x5c, 0x5b, 0x5d, 0xc3, 0x66,
+    0x0f, 0x1f, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0x48, 0x89, 0xe5,
+    0x53, 0x41, 0x54, 0x31, 0xdb, 0x48, 0x85, 0xf6, 0x0f, 0x84, 0xc3, 0x00,
+    0x00, 0x00, 0x49, 0x89, 0xcc, 0x66, 0x48, 0x0f, 0x6e, 0xc2, 0x66, 0x0f,
+    0x6c, 0xc0, 0x66, 0x48, 0x0f, 0x6e, 0xd1, 0x66, 0x0f, 0x6c, 0xd2, 0x4d,
+    0x31, 0xd2, 0x49, 0x89, 0xf3, 0x49, 0x83, 0xe3, 0xfc, 0x4d, 0x39, 0xda,
+    0x73, 0x77, 0xf3, 0x42, 0x0f, 0x6f, 0x0c, 0xd7, 0xf3, 0x42, 0x0f, 0x6f,
+    0x5c, 0xd7, 0x10, 0x66, 0x0f, 0xdb, 0xc8, 0x66, 0x0f, 0xdb, 0xd8, 0x66,
+    0x0f, 0x38, 0x29, 0xca, 0x66, 0x0f, 0x38, 0x29, 0xda, 0x66, 0x0f, 0x6f,
+    0xe1, 0x66, 0x0f, 0xeb, 0xe3, 0x66, 0x0f, 0x50, 0xc4, 0x85, 0xc0, 0x74,
+    0x42, 0x66, 0x0f, 0x50, 0xc1, 0xa8, 0x01, 0x74, 0x05, 0xe8, 0x56, 0x00,
+    0x00, 0x00, 0xa8, 0x02, 0x74, 0x0b, 0x49, 0xff, 0xc2, 0xe8, 0x4a, 0x00,
+    0x00, 0x00, 0x49, 0xff, 0xca, 0x66, 0x0f, 0x50, 0xc3, 0xa8, 0x01, 0x74,
+    0x0d, 0x49, 0x83, 0xc2, 0x02, 0xe8, 0x36, 0x00, 0x00, 0x00, 0x49, 0x83,
+    0xea, 0x02, 0xa8, 0x02, 0x74, 0x0d, 0x49, 0x83, 0xc2, 0x03, 0xe8, 0x25,
+    0x00, 0x00, 0x00, 0x49, 0x83, 0xea, 0x03, 0x49, 0x83, 0xc2, 0x04, 0xeb,
+    0x84, 0x49, 0x39, 0xf2, 0x73, 0x23, 0x4a, 0x8b, 0x04, 0xd7, 0x48, 0x21,
+    0xd0, 0x4c, 0x39, 0xe0, 0x75, 0x05, 0xe8, 0x05, 0x00, 0x00, 0x00, 0x49,
+    0xff, 0xc2, 0xeb, 0xe5, 0x4c, 0x39, 0xcb, 0x73, 0x04, 0x45, 0x89, 0x14,
+    0x98, 0x48, 0xff, 0xc3, 0xc3, 0x48, 0x89, 0xd8, 0x41, 0x5c, 0x5b, 0x5d,
+    0xc3
+]);
+export const SYMBOLS = {
+    scan: 0x220,
+    scan1: 0x380,
+    scan1_parallel: 0x110,
+    scan_parallel: 0x0,
+};

package/dist/scanner/index.d.ts

@@ -0,0 +1,11 @@
+export interface Hit {
+    value: NativePointer;
+    index: number;
+}
+export declare const DEFAULT_ISA_MASK: UInt64;
+export declare class Scanner {
+    #private;
+    constructor(nthreads?: number);
+    scanRemoteRegion(remoteBase: NativePointer, localBuf: NativePointer, byteLen: number, mask: UInt64, targets: (UInt64 | number)[], capPerThread?: number): Hit[];
+    scanLocal(buf: NativePointer, qcount: number | UInt64, mask: UInt64, targets: (UInt64 | number)[], capPerThread?: number): Hit[];
+}

package/dist/scanner/index.js

@@ -0,0 +1,140 @@
+import { SCAN_ARM64_BYTES, SYMBOLS as SYMBOLS_ARM64 } from "./bytes-arm64.js";
+import { SCAN_X86_64_BYTES, SYMBOLS as SYMBOLS_X86_64 } from "./bytes-x86_64.js";
+// arm64e PAC + non-pointer-isa bits masked off; leaves bits 3..47.
+export const DEFAULT_ISA_MASK = uint64("0x00007ffffffffff8");
+const PARALLEL_THRESHOLD_BYTES = 4 * 1024 * 1024;
+const QOS_CLASS_USER_INITIATED = 0x21;
+export class Scanner {
+    #scan;
+    #scan1;
+    #scanParallel;
+    #scan1Parallel;
+    #dispatchApplyF;
+    #queue;
+    #nthreads;
+    // Pin the JIT page so the runtime doesn't reclaim it while the
+    // NativeFunction descriptors below still hold raw pointers into it.
+    #code;
+    constructor(nthreads) {
+        const blob = selectBlob();
+        this.#code = Memory.alloc(Math.max(blob.bytes.byteLength, Process.pageSize));
+        Memory.patchCode(this.#code, blob.bytes.byteLength, (dst) => {
+            dst.writeByteArray(blob.bytes.buffer);
+        });
+        this.#scan = new NativeFunction(this.#code.add(blob.symbols.scan), "uint64", ["pointer", "uint64", "uint64", "pointer", "uint64", "pointer", "uint64"]);
+        this.#scan1 = new NativeFunction(this.#code.add(blob.symbols.scan1), "uint64", ["pointer", "uint64", "uint64", "uint64", "pointer", "uint64"]);
+        this.#scanParallel = new NativeFunction(this.#code.add(blob.symbols.scan_parallel), "void", ["pointer", "pointer", "pointer", "uint64", "uint64", "pointer", "uint64", "pointer", "uint64",
+            "pointer", "pointer", "uint64"]);
+        this.#scan1Parallel = new NativeFunction(this.#code.add(blob.symbols.scan1_parallel), "void", ["pointer", "pointer", "pointer", "uint64", "uint64", "uint64", "pointer", "uint64",
+            "pointer", "pointer", "uint64"]);
+        const libSystem = Process.getModuleByName("libSystem.B.dylib");
+        this.#dispatchApplyF = libSystem.getExportByName("dispatch_apply_f");
+        const getQueue = new NativeFunction(libSystem.getExportByName("dispatch_get_global_queue"), "pointer", ["long", "ulong"]);
+        this.#queue = getQueue(QOS_CLASS_USER_INITIATED, 0);
+        this.#nthreads = hwThreadCount(libSystem, nthreads);
+    }
+    scanRemoteRegion(remoteBase, localBuf, byteLen, mask, targets, capPerThread = 1024) {
+        const qcount = Math.floor(byteLen / 8);
+        const localHits = this.scanLocal(localBuf, qcount, mask, targets, capPerThread);
+        return localHits.map(h => ({
+            value: remoteBase.add(h.index * 8),
+            index: h.index,
+        }));
+    }
+    scanLocal(buf, qcount, mask, targets, capPerThread = 1024) {
+        const qc = uint64(qcount);
+        const small = qc.toNumber() * 8 < PARALLEL_THRESHOLD_BYTES;
+        if (targets.length === 1) {
+            const target = uint64(targets[0]).and(mask);
+            if (small) {
+                return this.#runScan1Single(buf, qc, mask, target, capPerThread);
+            }
+            return this.#runScan1Parallel(buf, qc, mask, target, capPerThread);
+        }
+        const targetsMem = packTargets(targets, mask);
+        if (small) {
+            return this.#runScanSingle(buf, qc, mask, targetsMem, targets.length, capPerThread);
+        }
+        return this.#runScanParallel(buf, qc, mask, targetsMem, targets.length, capPerThread);
+    }
+    #runScan1Single(buf, qc, mask, target, cap) {
+        const out = Memory.alloc(cap * 4);
+        const hits = this.#scan1(buf, qc, mask, target, out, uint64(cap)).toNumber();
+        return readHits(buf, out, Math.min(hits, cap), 0);
+    }
+    #runScan1Parallel(buf, qc, mask, target, capPerThread) {
+        const nthreads = this.#nthreads;
+        const scratch = allocScratch(nthreads, capPerThread);
+        this.#scan1Parallel(this.#dispatchApplyF, this.#queue, buf, qc, mask, target, scratch.outFlat, uint64(capPerThread), scratch.counts, scratch.offs, uint64(nthreads));
+        return collectHits(buf, scratch.outFlat, scratch.counts, scratch.offs, nthreads, capPerThread);
+    }
+    #runScanSingle(buf, qc, mask, targetsMem, ntargets, cap) {
+        const out = Memory.alloc(cap * 4);
+        const hits = this.#scan(buf, qc, mask, targetsMem, uint64(ntargets), out, uint64(cap)).toNumber();
+        return readHits(buf, out, Math.min(hits, cap), 0);
+    }
+    #runScanParallel(buf, qc, mask, targetsMem, ntargets, capPerThread) {
+        const nthreads = this.#nthreads;
+        const scratch = allocScratch(nthreads, capPerThread);
+        this.#scanParallel(this.#dispatchApplyF, this.#queue, buf, qc, mask, targetsMem, uint64(ntargets), scratch.outFlat, uint64(capPerThread), scratch.counts, scratch.offs, uint64(nthreads));
+        return collectHits(buf, scratch.outFlat, scratch.counts, scratch.offs, nthreads, capPerThread);
+    }
+}
+function allocScratch(nthreads, capPerThread) {
+    const outFlatBytes = nthreads * capPerThread * 4;
+    const countsBytes = nthreads * 8;
+    const offsBytes = nthreads * 8;
+    const scratch = Memory.alloc(outFlatBytes + countsBytes + offsBytes);
+    return {
+        outFlat: scratch,
+        counts: scratch.add(outFlatBytes),
+        offs: scratch.add(outFlatBytes + countsBytes),
+    };
+}
+function packTargets(targets, mask) {
+    const mem = Memory.alloc(Math.max(1, targets.length) * 8);
+    for (let i = 0; i !== targets.length; i++) {
+        const masked = uint64(targets[i]).and(mask);
+        mem.add(i * 8).writeU64(masked);
+    }
+    return mem;
+}
+function collectHits(buf, outFlat, counts, offs, nthreads, capPerThread) {
+    const hits = [];
+    for (let i = 0; i !== nthreads; i++) {
+        const count = counts.add(i * 8).readU64().toNumber();
+        const chunkOff = offs.add(i * 8).readU64().toNumber();
+        const base = outFlat.add(i * capPerThread * 4);
+        hits.push(...readHits(buf, base, Math.min(count, capPerThread), chunkOff));
+    }
+    return hits;
+}
+function readHits(buf, out, n, chunkOff) {
+    const hits = [];
+    for (let j = 0; j !== n; j++) {
+        const index = chunkOff + out.add(j * 4).readU32();
+        hits.push({ value: buf.add(index * 8), index });
+    }
+    return hits;
+}
+function selectBlob() {
+    if (Process.arch === "x64") {
+        return { bytes: SCAN_X86_64_BYTES, symbols: SYMBOLS_X86_64 };
+    }
+    if (Process.arch === "arm64") {
+        return { bytes: SCAN_ARM64_BYTES, symbols: SYMBOLS_ARM64 };
+    }
+    throw new Error(`frida-mem-scan: unsupported arch ${Process.arch}`);
+}
+function hwThreadCount(libSystem, override) {
+    if (override !== undefined) {
+        return override;
+    }
+    const sysctlbyname = new NativeFunction(libSystem.getExportByName("sysctlbyname"), "int", ["pointer", "pointer", "pointer", "pointer", "size_t"]);
+    const name = Memory.allocUtf8String("hw.logicalcpu");
+    const out = Memory.alloc(4);
+    const len = Memory.alloc(8);
+    len.writeU64(4);
+    sysctlbyname(name, out, len, NULL, 0);
+    return out.readU32();
+}

package/dist/symbols.d.ts

@@ -0,0 +1 @@
+export declare function resolveTarget(t: string): UInt64;

package/dist/symbols.js

@@ -0,0 +1,16 @@
+export function resolveTarget(t) {
+    if (!t.includes("!")) {
+        return uint64(t);
+    }
+    const m = t.match(/^([^!]+)!([^+]+)(?:\+(0x[0-9a-fA-F]+|\d+))?$/);
+    if (m === null) {
+        throw new Error(`bad target spec: ${t}`);
+    }
+    const [, modName, symName, offStr] = m;
+    let addr = Process.getModuleByName(modName).getSymbolByName(symName);
+    if (offStr !== undefined) {
+        const off = offStr.startsWith("0x") ? parseInt(offStr, 16) : parseInt(offStr, 10);
+        addr = addr.add(off);
+    }
+    return uint64(addr.toString());
+}

package/dist/target.d.ts

@@ -0,0 +1,26 @@
+import { ProcessMemory, Region, RegionFilter } from "./process/types.js";
+export type TargetSpec = string | NativePointer | UInt64 | number;
+export interface FindOpts {
+    mask?: UInt64;
+    filter?: RegionFilter;
+    capPerThread?: number;
+}
+export interface ScanHit {
+    addr: NativePointer;
+    target: UInt64;
+    region: {
+        base: NativePointer;
+        size: number;
+        tag: number;
+    };
+}
+export declare class Target {
+    #private;
+    readonly memory: ProcessMemory;
+    static self(): Target;
+    static pid(pid: number): Target;
+    constructor(memory: ProcessMemory);
+    find(targets: TargetSpec[], opts?: FindOpts): ScanHit[];
+    read(addr: NativePointer, size: number): ArrayBuffer;
+    regions(filter?: RegionFilter): Iterable<Region>;
+}

package/dist/target.js

@@ -0,0 +1,78 @@
+import { openProcessMemory } from "./process/index.js";
+import { DEFAULT_ISA_MASK, Scanner } from "./scanner/index.js";
+import { resolveTarget } from "./symbols.js";
+export class Target {
+    memory;
+    #scanner = null;
+    static self() {
+        return new Target(openProcessMemory(Process.id));
+    }
+    static pid(pid) {
+        return new Target(openProcessMemory(pid));
+    }
+    constructor(memory) {
+        this.memory = memory;
+    }
+    find(targets, opts = {}) {
+        const mask = opts.mask ?? DEFAULT_ISA_MASK;
+        const cap = opts.capPerThread ?? 1024;
+        const filter = opts.filter ?? { readable: true };
+        const targetVals = targets.map(normalizeTarget);
+        const maskedTargets = targetVals.map(v => v.and(mask));
+        const sc = this.#getScanner();
+        const hits = [];
+        for (const region of this.memory.regions(filter)) {
+            const sz = region.size.toNumber();
+            const buf = Memory.alloc(sz);
+            if (!this.memory.readInto(region.base, buf, sz)) {
+                continue;
+            }
+            const regionHits = sc.scanRemoteRegion(region.base, buf, sz, mask, targetVals, cap);
+            const regionInfo = { base: region.base, size: sz, tag: region.tag };
+            for (const h of regionHits) {
+                hits.push({
+                    addr: h.value,
+                    target: pickMatchingTarget(maskedTargets, h.value.readU64().and(mask)),
+                    region: regionInfo,
+                });
+            }
+        }
+        return hits;
+    }
+    read(addr, size) {
+        const buf = this.memory.read(addr, size);
+        if (buf === null) {
+            throw new Error(`read(${addr}, ${size}) failed`);
+        }
+        return buf;
+    }
+    regions(filter) {
+        return this.memory.regions(filter);
+    }
+    #getScanner() {
+        if (this.#scanner === null) {
+            this.#scanner = new Scanner();
+        }
+        return this.#scanner;
+    }
+}
+function normalizeTarget(t) {
+    if (typeof t === "string") {
+        return resolveTarget(t);
+    }
+    if (typeof t === "number") {
+        return uint64(t);
+    }
+    if (t instanceof NativePointer) {
+        return uint64(t.toString());
+    }
+    return t;
+}
+function pickMatchingTarget(maskedTargets, slot) {
+    for (const t of maskedTargets) {
+        if (t.compare(slot) === 0) {
+            return t;
+        }
+    }
+    return slot;
+}

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "frida-mem-scan",
+  "version": "1.0.0",
+  "description": "Fast SIMD-accelerated memory scanner for Frida — in-process and cross-process (PID).",
+  "author": "Ole André Vadla Ravnås <oleavr@frida.re>",
+  "license": "MIT",
+  "repository": "github:oleavr/frida-mem-scan",
+  "keywords": [
+    "cross-process",
+    "frida",
+    "frida-gum",
+    "mach",
+    "memory",
+    "neon",
+    "scanner",
+    "simd",
+    "sse"
+  ],
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "/dist/**/*.js",
+    "/dist/**/*.d.ts"
+  ],
+  "type": "module",
+  "scripts": {
+    "prepare": "npm run build",
+    "build": "tsc",
+    "watch": "tsc -w"
+  },
+  "devDependencies": {
+    "@types/frida-gum": "^19.1.0",
+    "@types/node": "^18.19.130",
+    "typescript": "^6.0.3"
+  }
+}