High-risk tools in x64dbg MCP Server
11 of the 39 tools in x64dbg MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
attach_to_processExecuteAttach to a running process by PID and create a debugging session.
-
collect_bp_argsExecuteLoop: continue execution → hit breakpoint → read a memory expression → repeat N times.
-
continue_executionExecuteResume a paused debuggee. Runs until the next breakpoint, exception, manual pause, or process exit.
-
detach_sessionExecuteDetach the debugger from the process without killing it — the target process continues running.
-
execute_commandExecuteExecute a raw x64dbg script command synchronously and return its console output.
-
load_executableExecuteSTART HERE. Load a PE executable (.exe or .dll) and create a debugging session.
-
pause_executionExecuteInterrupt a running debuggee. No-op if already paused — returns current state immediately.
-
step_intoExecuteSingle-step N instructions, following CALL instructions into callees.
-
step_outExecuteRun until the current function returns (executes to its matching RET instruction).
-
step_overExecuteSingle-step N instructions, treating each CALL as a single step (does not enter callees).
-
write_memoryExecutePatch bytes in the debuggee
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.