HexCore Binary Analysis
Skill for binary analysis with HexCore tools integrated into the editor
Install
mkdir -p .claude/skills/hexcore-binary-analysis && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/14853" && unzip -o skill.zip -d .claude/skills/hexcore-binary-analysis && rm skill.zip
Installs to .claude/skills/hexcore-binary-analysis
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Skill for binary analysis with HexCore tools integrated into the editor
About this skill
HexCore Binary Analysis Skill — v3.7.1
Overview
HexCore is a VS Code fork for reverse engineering and binary analysis (HikariSystem HexCore). It includes 20+ extensions with 6 native engines (Capstone, Unicorn, Remill, LLVM MC, better-sqlite3, Helix) and a full automation pipeline with conditional branching.
Current version: v3.7.1 "Dynamic Intelligence + Pipeline Branching" (2026-03-14)
Engine versions: capstone 1.3.2 | unicorn 1.2.1 | llvm-mc 1.0.0 | better-sqlite3 2.0.0 | remill 0.1.2 | helix 0.5.0
Deprecated: hexcore-rellic (superseded by Helix MLIR; removal planned for v3.8.0)
Extensions
Native Engines (no VS Code commands — pure API)
| Engine | Version | Purpose | Architectures |
|---|---|---|---|
| hexcore-capstone | 1.3.2 | Disassembly | x86, x64, ARM, ARM64, MIPS, PPC, SPARC, M68K, RISC-V |
| hexcore-unicorn | 1.2.1 | CPU emulation | x86, x64, ARM, ARM64, MIPS, SPARC, PPC, RISC-V |
| hexcore-remill | 0.1.2 | LLVM IR lifting | x86, x64, ARM64 only |
| hexcore-llvm-mc | 1.0.0 | Assembly/encoding | x86, x64, ARM, ARM64, MIPS, RISC-V, PPC, SPARC |
| hexcore-better-sqlite3 | 2.0.0 | SQLite database | N/A |
| hexcore-helix | 0.5.0 | MLIR decompiler (IR → pseudo-C) | x86, x64 |
| hexcore-rellic | — | Deprecated (superseded by hexcore-helix) | x86, x64 |
Disassembler (hexcore-disassembler v1.5.0)
Professional disassembler with Capstone engine, ELF/PE parsing, CFG, xrefs, patching, the pipeline runner, and advanced analysis (junk filtering, VM detection, PRNG detection).
Headless commands (pipeline-safe):
- `hexcore.disasm.analyzeAll` — Deep analysis (prolog scan + xrefs). New args: `filterJunk`, `detectVM`, `detectPRNG`
- `hexcore.disasm.buildFormula` — Symbolic expression extraction (x86/x64 only)
- `hexcore.disasm.checkConstants` — Validate numeric annotations
- `hexcore.disasm.searchStringHeadless` — Search string references
- `hexcore.disasm.exportASMHeadless` — Export assembly to file
- `hexcore.disasm.disassembleAtHeadless` — Disassemble N instructions at address. New args: `filterJunk`
- `hexcore.disasm.liftToIR` — Lift to LLVM IR (Remill, x86/x64/ARM64)
- `hexcore.disasm.dumpAndDisassemble` — Dump emulation memory + disassemble in one step (v3.7.1)
- `hexcore.pipeline.runJob` — Run automation job (now with `onResult` conditional branching)
- `hexcore.pipeline.listCapabilities` — Export capability map
- `hexcore.pipeline.validateJob` — Preflight validation
- `hexcore.pipeline.validateWorkspace` — Batch validation
- `hexcore.pipeline.createPresetJob` — Generate job from preset
- `hexcore.pipeline.saveJobAsProfile` — Save job as profile
- `hexcore.pipeline.doctor` — Diagnose health
Analysis features (v3.7.1):
- `filterJunkInstructions()` — Detect and remove 7 junk patterns (callfuscation, nop sleds, identity ops)
- `detectVM()` — VM obfuscation heuristics (dispatcher, handler tables, operand stacks)
- `detectPRNG()` — Static PRNG pattern detection (srand/rand call sites, seed extraction)
- `loadBuffer()` — Accept a raw buffer for disassembly without a file on disk (runtime memory)
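The junk-filter idea above (strip nop sleds, identity ops and callfuscation from a listing before analysis) is easier to reason about with a concrete pass. The following is an added example and not HexCore's `filterJunkInstructions()`: the pattern set, the function names (`junkSingle`, `junkPair`, `filterJunk`) and the x64 sample listing are constructed for this example, and HexCore's own seven patterns are not documented on this page. It takes Capstone-style records (`address`, `size`, `mnemonic`, `opStr`) and also handles the x64 edge case that a self-move of a 32-bit register is not an identity op because it zero-extends.

```javascript
// Added example (not HexCore's code): a junk-instruction filter over a Capstone-style
// listing, covering the three families the page names (nop sleds, identity ops,
// callfuscation) plus a push/pop no-op pair. Pattern set, names and the sample listing
// are this example's own.

const MODE64 = true; // assumption: the listing was disassembled in 64-bit mode

// In 64-bit mode a write to a 32-bit register zero-extends into the 64-bit register,
// so "mov eax, eax" or "xor eax, 0" is NOT an identity op there and must be kept.
const REG32 = /^(e(ax|bx|cx|dx|si|di|bp|sp)|r(8|9|1[0-5])d)$/;
const identityDest = (reg) => !(MODE64 && REG32.test(reg));

// Operands as Capstone prints them, e.g. "rbp, rsp" -> ["rbp", "rsp"].
const ops = (insn) => insn.opStr.split(",").map((s) => s.trim()).filter(Boolean);

// Single-instruction patterns. Returns the pattern name or null.
function junkSingle(insn) {
  const m = insn.mnemonic, o = ops(insn);
  if (m === "nop") return "nop";                                   // any-width nop (sled member)
  if (o.length !== 2 || !identityDest(o[0])) return null;
  if ((m === "mov" || m === "xchg") && o[0] === o[1]) return "identity-" + m;
  if (m === "lea" && o[1] === `[${o[0]}]`) return "identity-lea";
  // add/sub/or/xor with 0 leave the value untouched; the flag write is accepted as noise.
  if (["add", "sub", "or", "xor"].includes(m) && /^0(x0+)?$/.test(o[1])) return "identity-" + m;
  return null;
}

// Two-instruction patterns. Returns the pattern name or null.
function junkPair(a, b) {
  const oa = ops(a), ob = ops(b);
  if (a.mnemonic === "push" && b.mnemonic === "pop" && oa.length === 1 && oa[0] === ob[0] && !oa[0].startsWith("["))
    return "push-pop";
  // Callfuscation: call to the very next instruction, return address immediately discarded.
  const fallthrough = "0x" + (a.address + a.size).toString(16);
  if (a.mnemonic === "call" && oa[0] === fallthrough && b.mnemonic === "add" &&
      ((ob[0] === "rsp" && ob[1] === "8") || (ob[0] === "esp" && ob[1] === "4")))
    return "callfuscation";
  return null;
}

// Splits a listing into kept instructions and a log of what was removed and why.
function filterJunk(insns) {
  const kept = [], removed = [];
  for (let i = 0; i < insns.length; i++) {
    const cur = insns[i], nxt = insns[i + 1];
    const pair = nxt ? junkPair(cur, nxt) : null;
    if (pair) { removed.push({ pattern: pair, addresses: [cur.address, nxt.address] }); i++; continue; }
    const single = junkSingle(cur);
    if (single) { removed.push({ pattern: single, addresses: [cur.address] }); continue; }
    kept.push(cur);
  }
  return { kept, removed };
}

// Constructed x64 listing (addresses and sizes chosen for this example).
const SAMPLE_LISTING = [
  { address: 0x401000, size: 1, mnemonic: "push", opStr: "rbp" },
  { address: 0x401001, size: 3, mnemonic: "mov",  opStr: "rbp, rsp" },
  { address: 0x401004, size: 3, mnemonic: "mov",  opStr: "rax, rax" },               // identity
  { address: 0x401007, size: 2, mnemonic: "mov",  opStr: "eax, eax" },               // kept: zero-extends
  { address: 0x401009, size: 1, mnemonic: "nop",  opStr: "" },
  { address: 0x40100a, size: 4, mnemonic: "nop",  opStr: "dword ptr [rax + rax]" },
  { address: 0x40100e, size: 5, mnemonic: "call", opStr: "0x401013" },               // callfuscation
  { address: 0x401013, size: 4, mnemonic: "add",  opStr: "rsp, 8" },
  { address: 0x401017, size: 1, mnemonic: "push", opStr: "rcx" },                    // push/pop pair
  { address: 0x401018, size: 1, mnemonic: "pop",  opStr: "rcx" },
  { address: 0x401019, size: 3, mnemonic: "lea",  opStr: "rbx, [rbx]" },             // identity
  { address: 0x40101c, size: 4, mnemonic: "sub",  opStr: "rdx, 0" },                 // identity
  { address: 0x401020, size: 5, mnemonic: "mov",  opStr: "edi, 0x2a" },
  { address: 0x401025, size: 5, mnemonic: "call", opStr: "0x401100" },               // real call
  { address: 0x40102a, size: 1, mnemonic: "pop",  opStr: "rbp" },
  { address: 0x40102b, size: 1, mnemonic: "ret",  opStr: "" },
];

const result = filterJunk(SAMPLE_LISTING);
for (const insn of result.kept) console.log(insn.address.toString(16), insn.mnemonic, insn.opStr);
console.log("removed:", result.removed.map((r) => r.pattern).join(", "));
```

The filter keeps a removal log rather than silently dropping instructions, so a reviewer can check each decision against the original bytes; pair patterns are matched before single patterns so that the `add rsp, 8` of a callfuscation pair is not misread as a standalone instruction.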
Interactive commands (need UI):
hexcore.disasm.openFile, analyzeFile, goToAddress, findXrefs, addComment, renameFunction, showCFG, searchString, exportASM, patchInstruction, nopInstruction, assemble, assembleMultiple, savePatchedFile, setSyntax, showLlvmVersion, nativeStatus
Experimental:
`hexcore.disasm.liftToIR` — Lift to LLVM IR (requires Remill, x86/x64/ARM64 only)
Architecture auto-detection: Reads ELF e_machine / PE Machine headers. Supports x86, x64, ARM, ARM64, MIPS. Defaults to x64 for raw files.
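The detection rule just stated (ELF `e_machine`, PE `Machine`, raw defaults to x64) is short enough to show end to end. The code below is an added example, not HexCore's implementation: `detectArch`, `makeElf` and `makePe` are names chosen here, and the sample headers are constructed buffers containing only the fields the function reads. The machine constants are the standard ELF and PE/COFF values.

```javascript
// Added example (not HexCore's code): header-based architecture detection in the
// style the disassembler section describes. Function and table names are this
// example's own; the machine constants come from the ELF and PE/COFF specifications.

// ELF e_machine values.
const ELF_MACHINES = { 3: "x86", 62: "x64", 40: "ARM", 183: "ARM64", 8: "MIPS" };
// PE IMAGE_FILE_HEADER.Machine values (ARM and ARMNT both map to ARM here).
const PE_MACHINES = { 0x14c: "x86", 0x8664: "x64", 0x1c0: "ARM", 0x1c4: "ARM", 0xaa64: "ARM64", 0x166: "MIPS" };

// Returns { format, arch, machine } for a Buffer holding the start of a file.
function detectArch(buf) {
  // ELF: magic 7f 45 4c 46; EI_DATA (offset 5) selects endianness; e_machine is a
  // 16-bit field at offset 0x12 in both the ELF32 and the ELF64 header.
  if (buf.length >= 0x14 && buf[0] === 0x7f && buf[1] === 0x45 && buf[2] === 0x4c && buf[3] === 0x46) {
    const machine = buf[5] === 2 ? buf.readUInt16BE(0x12) : buf.readUInt16LE(0x12);
    return { format: "ELF", arch: ELF_MACHINES[machine] || "unknown", machine };
  }
  // PE: "MZ" DOS header, e_lfanew (u32 at 0x3c) points at the "PE\0\0" signature,
  // and Machine is the u16 that follows it. Offsets are bounds-checked so a
  // truncated or hostile header cannot read past the buffer.
  if (buf.length >= 0x40 && buf[0] === 0x4d && buf[1] === 0x5a) {
    const peOff = buf.readUInt32LE(0x3c);
    if (peOff + 6 <= buf.length && buf.readUInt32LE(peOff) === 0x00004550) {
      const machine = buf.readUInt16LE(peOff + 4);
      return { format: "PE", arch: PE_MACHINES[machine] || "unknown", machine };
    }
  }
  // Anything else is treated as a raw code blob and defaults to x64.
  return { format: "raw", arch: "x64", machine: null };
}

// Constructed minimal headers (only the fields detectArch reads are populated).
function makeElf(machine, bigEndian = false) {
  const b = Buffer.alloc(64);
  b.set([0x7f, 0x45, 0x4c, 0x46, 2, bigEndian ? 2 : 1], 0); // magic, EI_CLASS=64-bit, EI_DATA
  if (bigEndian) b.writeUInt16BE(machine, 0x12); else b.writeUInt16LE(machine, 0x12);
  return b;
}
function makePe(machine) {
  const b = Buffer.alloc(0x100);
  b.set([0x4d, 0x5a], 0);                  // "MZ"
  b.writeUInt32LE(0x80, 0x3c);             // e_lfanew
  b.set([0x50, 0x45, 0, 0], 0x80);         // "PE\0\0"
  b.writeUInt16LE(machine, 0x84);          // IMAGE_FILE_HEADER.Machine
  return b;
}

// A PE whose e_lfanew points far outside the buffer: must fall back to raw, not crash.
const badPe = makePe(0x8664);
badPe.writeUInt32LE(0xfffff000, 0x3c);

// Demo: big-endian MIPS ELF, ARM64 PE, corrupt PE, and a raw x64 prologue blob.
for (const sample of [makeElf(8, true), makePe(0xaa64), badPe, Buffer.from([0x55, 0x48, 0x89, 0xe5])]) {
  console.log(detectArch(sample));
}
```

Because the raw-file fallback is x64, a corrupt or truncated PE/ELF header silently lands on x64 as well; when triaging, check `format` alongside `arch` so a parsing failure is not mistaken for a genuine raw x64 blob.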
Debugger (hexcore-debugger v2.2.0)
Emulation-based debugger using Unicorn engine with PE/ELF loading, API hooking, syscall handling, API call tracing, faithful PRNG emulation, side-channel analysis, and breakpoint auto-snapshots.
Process isolation & Smart Sync: x64 ELF and ARM64 ELF emulation run in dedicated child processes (x64ElfWorker.js, arm64Worker.js) so that Unicorn heap corruption cannot crash the VS Code extension host. The worker communicates with the host via JSON-RPC over IPC. Smart Sync synchronizes heap memory (e.g. dynamically allocated strings) from the worker to the host before any API hook (such as __printf_chk, getline, or puts) is evaluated, so the hook sees the current heap contents when validating complex obfuscated VMs (such as active advanced HTB CTF challenges). PE emulation and other architectures run in-process.
Headless commands (pipeline-safe):
- `hexcore.debug.emulateFullHeadless` — Unified single-shot emulation (load → configure → run → collect → dispose). New v3.7.1 args: `permissiveMemoryMapping`, `prngMode`, `prngSeed`, `collectSideChannels`, `memoryDumps`, `breakpointConfigs` (with `autoSnapshot`). Aliases: `hexcore.debug.emulate.full`, `hexcore.debug.run`
- `hexcore.debug.writeMemoryHeadless` — Write data to emulation memory
- `hexcore.debug.setRegisterHeadless` — Set CPU register value
- `hexcore.debug.setStdinHeadless` — Set STDIN buffer for emulation
- `hexcore.debug.disposeHeadless` — Dispose emulation session (idempotent)
- `hexcore.debug.snapshotHeadless` — Save emulation snapshot
- `hexcore.debug.restoreSnapshotHeadless` — Restore emulation snapshot
- `hexcore.debug.exportTraceHeadless` — Export API/libc call trace as JSON
v3.7.1 Emulation Features:
- Permissive Memory Mapping — `permissiveMemoryMapping: true` maps all segments with RWX permissions, allowing self-modifying VMs to jump to .rodata/.data without UC_ERR_FETCH_PROT
- PRNG Modes — `prngMode: 'glibc'` (344-state TYPE_3 algorithm), `'msvcrt'` (LCG: seed * 214013 + 2531011), `'stub'` (returns 0, default). Faithful implementations that match native rand() sequences for any seed.
- Memory Dumps — `memoryDumps: [{ address, size, trigger: 'breakpoint'|'end' }]` captures arbitrary memory ranges during emulation
- Breakpoint Auto-Snapshots — `breakpointConfigs: [{ address, autoSnapshot: true, dumpRanges? }]` automatically captures registers, stack, and optional memory ranges at breakpoints, then continues execution
- Side-Channel Analysis — `collectSideChannels: true` installs instrumentation hooks to collect instruction counts per basic block, memory access patterns, and branch statistics
- Runtime Memory Disassembly — `dumpAndDisassemble(address, size)` combines memory reading and Capstone disassembly in one operation for analyzing runtime-decrypted code
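The PRNG modes listed above matter because a binary that derives keys or check values from `rand()` only behaves correctly under emulation if the emulated generator reproduces the native sequence for the seed it used. The following is an added example, not HexCore's PRNG code: `EmulatedPrng` and `randSequence` are names chosen here, and the block models the three documented modes (glibc TYPE_3 with its 344 discarded words, the MSVCRT LCG with constants 214013 and 2531011, and the stub that returns 0) so that an emulation run can be diffed against a native `srand`/`rand` run.

```javascript
// Added example (not HexCore's code): reference models of the three prngMode values
// the debugger lists, so emulated rand() output can be compared with a native run for
// a given seed. The class and function names are this example's own.

class EmulatedPrng {
  constructor(mode, seed = 1) {
    this.mode = mode;
    if (mode === "glibc") this._initGlibc(seed >>> 0);
    else if (mode === "msvcrt") this.holdrand = seed >>> 0;
    else if (mode !== "stub") throw new Error(`unknown prngMode: ${mode}`);
  }

  // glibc TYPE_3 (the default for rand()/random()): 31-word additive feedback
  // generator r[i] = r[i-31] + r[i-3] mod 2^32, seeded with 30 Park-Miller steps in
  // Schrage form. glibc discards the first 344 words, so output k is r[k+344] >> 1.
  _initGlibc(seed) {
    const r = new Array(34);
    r[0] = (seed === 0 ? 1 : seed) | 0;             // glibc maps seed 0 to 1; state is int32_t
    for (let i = 1; i < 31; i++) {
      const hi = Math.trunc(r[i - 1] / 127773);      // C integer division and remainder
      const lo = r[i - 1] % 127773;                  // (both truncate toward zero, like JS)
      let word = 16807 * lo - 2836 * hi;             // 16807 * r[i-1] mod (2^31 - 1) without overflow
      if (word < 0) word += 2147483647;
      r[i] = word;
    }
    for (let i = 31; i < 34; i++) r[i] = r[i - 31];
    this.r = r;                                       // ring buffer: only the last 34 words matter
    this.i = 34;
    for (let k = 34; k < 344; k++) this._glibcStep(); // warm-up words that glibc throws away
  }

  _glibcStep() {
    const v = (this.r[(this.i - 31) % 34] + this.r[(this.i - 3) % 34]) >>> 0;
    this.r[this.i % 34] = v;
    this.i++;
    return v;
  }

  // Returns the next value rand() would produce in the selected mode.
  next() {
    if (this.mode === "stub") return 0;               // default mode: always 0
    if (this.mode === "msvcrt") {
      // MSVCRT LCG: holdrand = holdrand * 214013 + 2531011 (mod 2^32); result is bits 16..30.
      this.holdrand = (Math.imul(this.holdrand, 214013) + 2531011) >>> 0;
      return (this.holdrand >>> 16) & 0x7fff;
    }
    return this._glibcStep() >>> 1;
  }
}

// First n outputs for a mode/seed: the shape one would diff against a native srand/rand run.
function randSequence(mode, seed, n) {
  const g = new EmulatedPrng(mode, seed);
  return Array.from({ length: n }, () => g.next());
}

for (const mode of ["glibc", "msvcrt", "stub"]) {
  console.log(mode.padEnd(6), "seed=1:", randSequence(mode, 1, 5).join(" "));
}
```

The practical check is to seed both this model and a native build with the value the target passes to `srand` and confirm the first few outputs agree before trusting any key or checksum the emulation derives from them; a mismatch (for example a glibc binary run in `'stub'` mode, where every `rand()` is 0) shows up as a plausible-looking but wrong result rather than as an error.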
Interactive commands (need UI):
- `hexcore.debug.emulate` — Start emulation (auto-detect arch)
- `hexcore.debug.emulateWithArch` — Start with manual arch selection
- `hexcore.debug.emulationStep` — Step one instruction
- `hexcore.debug.emulationContinue` — Continue to breakpoint/end
- `hexcore.debug.emulationBreakpoint` — Set breakpoint
- `hexcore.debug.emulationReadMemory` — Read memory region
- `hexcore.debug.setStdin` — Set STDIN buffer for ELF emulation
- `hexcore.debug.saveSnapshot` — Save emulation snapshot
- `hexcore.debug.restoreSnapshot` — Restore snapshot
- `hexcore.debug.unicornStatus` — Show Unicorn status
Internal engine capabilities (programmatic, not exposed as headless commands):
- PE loading with import resolution and Windows API hooks
- ELF loading with PLT stubs and Linux API hooks (libc emulation)
- Linux syscall handler (x86/x64: int 0x80, syscall instruction; ARM64: SVC #0)
- Architecture auto-detection from ELF/PE headers
- Deterministic ELF continue (250K instruction budget)
- STDIN buffer injection for scanf/read emulation
- Snapshot save/restore via Unicorn context
- x64 ELF worker process isolation with Smart Sync (prevents host heap corruption & guarantees dynamic string visibility)
- ARM64 ELF worker process isolation (same pattern)
Architecture support in debugger:
| Feature | x86 | x64 | ARM64 | ARM | MIPS |
|---|---|---|---|---|---|
| Unicorn init | Yes | Yes | Yes | Yes | Yes |
| Register read/write | Yes | Yes | Yes | No | No |
| ELF loading | Yes | Yes | Yes | No | No |
| PE loading | Yes | Yes | No | No | No |
| Stack initialization | Yes | Yes | Yes | No | No |
| Syscall handler | Yes | Yes | Yes | No | No |
| API hooks (Linux) | Yes | Yes | Yes | No | No |
| API hooks (Windows) | Yes | Yes | No | No | No |
| Worker process isolation | No | Yes (ELF) | Yes | No | No |
Other Extensions
| Extension | Version | Headless | Commands |
|---|---|---|---|
| hexcore-peanalyzer | — | Yes | peanalyzer.analyze, peanalyzer.analyzeActive |
| hexcore-elfanalyzer | 1.0.0 | Yes | elfanalyzer.analyze, elfanalyzer.analyzeActive |
| hexcore-hexviewer | — | Yes | hexview.dumpHeadless, hexview.searchHeadless, openHexView, goToOffset, searchHex, copyAsHex, copyAsC, copyAsPython, addBookmark, applyTemplate, toggleEdit |
| hexcore-strings | — | Yes | strings.extract, strings.extractAdvanced (now with multi-byte XOR, rolling XOR, increment XOR) |
| hexcore-entropy | — | Yes | entropy.analyze |
| hexcore-filetype | — | Yes | filetype.detect |
| hexcore-hashcalc | — | Yes | hashcalc.calculate, hashcalc.quick, hashcalc.verify |
| hexcore-base64 | — | Yes | base64.decodeHeadless, base64.decode |
| hexcore-yara | — | Partial | yara.scan (headless), yara.updateRules (headless), rest interactive |
| hexcore-ioc | — | Yes | ioc.extract, ioc.extractActive |
| hexcore-minidump | — | Yes | minidump.parse, minidump.threads, minidump.modules, minidump.memory |
| hexcore-report-composer | 1.0.0 | Yes | pipeline.composeReport — aggregates reports into unified Markdown |
| hexcore-common | — | N/A | Utility library (formatBytes, loadNativeModule, etc.) |
Pipeline Automation
Creating Jobs
- From preset: Run hexcore.pipeline.createPresetJob — c