
HexCore Binary Analysis

Skill for binary analysis with HexCore tools integrated into the editor

Install

mkdir -p .claude/skills/hexcore-binary-analysis-diegosouzapw && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16049" && unzip -o skill.zip -d .claude/skills/hexcore-binary-analysis-diegosouzapw && rm skill.zip

Installs to .claude/skills/hexcore-binary-analysis-diegosouzapw

About this skill

HexCore Binary Analysis Skill — v3.5.4

Overview

HexCore is a VS Code fork for reverse engineering and binary analysis (HikariSystem HexCore). It includes 20 extensions with 5 native engines (Capstone, Unicorn, Remill, LLVM MC, better-sqlite3) and a full automation pipeline.

Current version: v3.5.4 "Stability & Isolation" (2026-02-19)
Engine versions: capstone 1.3.2 | unicorn 1.2.1 | llvm-mc 1.0.0 | better-sqlite3 2.0.0 | remill 0.1.2


Extensions

Native Engines (no VS Code commands — pure API)

| Engine | Version | Purpose | Architectures |
|---|---|---|---|
| hexcore-capstone | 1.3.2 | Disassembly | x86, x64, ARM, ARM64, MIPS, PPC, SPARC, M68K, RISC-V |
| hexcore-unicorn | 1.2.1 | CPU emulation | x86, x64, ARM, ARM64, MIPS, SPARC, PPC, RISC-V |
| hexcore-remill | 0.1.2 | LLVM IR lifting | x86, x64, ARM64 only |
| hexcore-llvm-mc | 1.0.0 | Assembly/encoding | x86, x64, ARM, ARM64, MIPS, RISC-V, PPC, SPARC |
| hexcore-better-sqlite3 | 2.0.0 | SQLite database | N/A |

Disassembler (hexcore-disassembler v1.3.0)

Professional disassembler with Capstone engine, ELF/PE parsing, CFG, xrefs, patching, and the pipeline runner.

Headless commands (pipeline-safe):

  • hexcore.disasm.analyzeAll — Deep analysis (prolog scan + xrefs)
  • hexcore.disasm.buildFormula — Symbolic expression extraction (x86/x64 only)
  • hexcore.disasm.checkConstants — Validate numeric annotations
  • hexcore.disasm.searchStringHeadless — Search string references
  • hexcore.disasm.exportASMHeadless — Export assembly to file
  • hexcore.pipeline.runJob — Run automation job
  • hexcore.pipeline.listCapabilities — Export capability map
  • hexcore.pipeline.validateJob — Preflight validation
  • hexcore.pipeline.validateWorkspace — Batch validation
  • hexcore.pipeline.createPresetJob — Generate job from preset
  • hexcore.pipeline.saveJobAsProfile — Save job as profile
  • hexcore.pipeline.doctor — Diagnose health

Interactive commands (need UI):

  • hexcore.disasm.openFile, analyzeFile, goToAddress, findXrefs, addComment, renameFunction, showCFG, searchString, exportASM, patchInstruction, nopInstruction, assemble, assembleMultiple, savePatchedFile, setSyntax, showLlvmVersion, nativeStatus

Experimental:

  • hexcore.disasm.liftToIR — Lift to LLVM IR (requires Remill, x86/x64/ARM64 only)

Architecture auto-detection: Reads ELF e_machine / PE Machine headers. Supports x86, x64, ARM, ARM64, MIPS. Defaults to x64 for raw files.
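The header check described above, written out as an added example in JavaScript (not HexCore's own code). The function name detectArch, the return shape, and the choice to return a null arch for an unknown or malformed header instead of guessing are assumptions of this example; the machine constants come from the ELF and PE/COFF specifications.

```javascript
// Added example, not HexCore source. Machine constants: ELF and PE/COFF specs.
const ELF_MACHINE = { 3: 'x86', 8: 'mips', 40: 'arm', 62: 'x64', 183: 'arm64' };
const PE_MACHINE = { 0x014c: 'x86', 0x8664: 'x64', 0x01c0: 'arm', 0x01c4: 'arm',
                     0xaa64: 'arm64', 0x0166: 'mips' };

// Returns { format, arch, machine }. arch is null when a header is present but
// unusable; refusing rather than guessing is this example's assumption.
function detectArch(buf) {
  if (buf.length >= 20 && buf.readUInt32BE(0) === 0x7f454c46) {   // "\x7fELF"
    // e_machine is stored in the file's own byte order (EI_DATA, offset 5).
    const machine = buf[5] === 2 ? buf.readUInt16BE(18) : buf.readUInt16LE(18);
    return { format: 'elf', arch: ELF_MACHINE[machine] || null, machine };
  }
  if (buf.length >= 0x40 && buf.readUInt16LE(0) === 0x5a4d) {     // "MZ"
    const peOff = buf.readUInt32LE(0x3c);                         // e_lfanew
    // e_lfanew is untrusted input: bounds-check it before reading through it.
    if (peOff > buf.length - 6 || buf.readUInt32LE(peOff) !== 0x00004550) {
      return { format: 'pe', arch: null, machine: null };
    }
    const machine = buf.readUInt16LE(peOff + 4);                  // COFF Machine
    return { format: 'pe', arch: PE_MACHINE[machine] || null, machine };
  }
  // No recognised header: raw blob, so apply the x64 default the page describes.
  return { format: 'raw', arch: 'x64', machine: null };
}

// Constructed sample headers (not real binaries) so the example runs offline.
function sampleElf(machine, bigEndian = false) {
  const b = Buffer.alloc(64);
  b.write('\x7fELF', 0, 'latin1');
  b[4] = 2; b[5] = bigEndian ? 2 : 1;        // ELFCLASS64, EI_DATA
  if (bigEndian) b.writeUInt16BE(machine, 18); else b.writeUInt16LE(machine, 18);
  return b;
}

function samplePe(machine, lfanew = 0x80) {
  const b = Buffer.alloc(0x100);
  b.write('MZ', 0, 'latin1');
  b.writeUInt32LE(lfanew, 0x3c);
  if (lfanew + 6 <= b.length) {              // only place a PE header if it fits
    b.write('PE\0\0', lfanew, 'latin1');
    b.writeUInt16LE(machine, lfanew + 4);
  }
  return b;
}

console.log(detectArch(sampleElf(8, true)));            // big-endian MIPS ELF
console.log(detectArch(samplePe(0x8664, 0xfffffff0)));  // e_lfanew out of bounds
```

Reading e_machine in the wrong byte order turns a big-endian MIPS header into an unknown machine value, and an unchecked e_lfanew is a classic out-of-bounds read in PE parsers, which is why both cases are handled explicitly.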

Debugger (hexcore-debugger v2.0.1)

Emulation-based debugger using Unicorn engine with PE/ELF loading, API hooking, syscall handling, and API call tracing.

Process isolation & Smart Sync: x64 ELF and ARM64 ELF emulation runs in dedicated child processes (x64ElfWorker.js, arm64Worker.js) so that Unicorn heap corruption cannot crash the VS Code extension host. Each worker communicates with the host via JSON-RPC over IPC. Smart Sync synchronizes heap memory (e.g. dynamically allocated strings) from the worker to the host before any API hook (such as __printf_chk, getline, or puts) is evaluated, so hooks see current heap contents when validating complex obfuscated VMs (such as those in active advanced HTB CTFs). PE emulation and other architectures run in-process.

Headless commands (pipeline-safe):

  • hexcore.debug.emulateFullHeadless: Unified single-shot emulation (load → configure → run → collect → dispose). Recommended for pipeline jobs. Args: { file, arch?, stdin?, maxInstructions?, breakpoints?, keepAlive?, output?, quiet? }. Aliases: hexcore.debug.emulate.full, hexcore.debug.run
  • hexcore.debug.writeMemoryHeadless — Write data to emulation memory. Args: { address, data, output?, quiet? }. Data accepts base64 or 0x-prefixed hex.
  • hexcore.debug.setRegisterHeadless — Set CPU register value. Args: { name, value, output?, quiet? }. Value accepts hex string or decimal.
  • hexcore.debug.setStdinHeadless — Set STDIN buffer for emulation. Args: { input, output?, quiet? }. Supports escape sequences (\n, \t, \r, \\).
  • hexcore.debug.disposeHeadless — Dispose emulation session (idempotent, safe to call without active session). Args: { output?, quiet? }
  • hexcore.debug.snapshotHeadless — Save emulation snapshot
  • hexcore.debug.restoreSnapshotHeadless — Restore emulation snapshot
  • hexcore.debug.exportTraceHeadless — Export API/libc call trace as JSON

Interactive commands (need UI):

  • hexcore.debug.emulate — Start emulation (auto-detect arch)
  • hexcore.debug.emulateWithArch — Start with manual arch selection
  • hexcore.debug.emulationStep — Step one instruction
  • hexcore.debug.emulationContinue — Continue to breakpoint/end
  • hexcore.debug.emulationBreakpoint — Set breakpoint
  • hexcore.debug.emulationReadMemory — Read memory region
  • hexcore.debug.setStdin — Set STDIN buffer for ELF emulation
  • hexcore.debug.saveSnapshot — Save emulation snapshot
  • hexcore.debug.restoreSnapshot — Restore snapshot
  • hexcore.debug.unicornStatus — Show Unicorn status

Internal engine capabilities (programmatic, not exposed as headless commands):

  • PE loading with import resolution and Windows API hooks
  • ELF loading with PLT stubs and Linux API hooks (libc emulation)
  • Linux syscall handler (x86/x64: int 0x80, syscall instruction; ARM64: SVC #0)
  • Architecture auto-detection from ELF/PE headers
  • Deterministic ELF continue (250K instruction budget)
  • STDIN buffer injection for scanf/read emulation
  • Snapshot save/restore via Unicorn context
  • x64 ELF worker process isolation with Smart Sync (prevents host heap corruption & guarantees dynamic string visibility)
  • ARM64 ELF worker process isolation (same pattern)

Architecture support in debugger:

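| Feature | x86 | x64 | ARM64 | ARM | MIPS |
|---|---|---|---|---|---|
| Unicorn init | Yes | Yes | Yes | Yes | Yes |
| Register read/write | Yes | Yes | Yes | No | No |
| ELF loading | Yes | Yes | Yes | No | No |
| PE loading | Yes | Yes | No | No | No |
| Stack initialization | Yes | Yes | Yes | No | No |
| Syscall handler | Yes | Yes | Yes | No | No |
| API hooks (Linux) | Yes | Yes | Yes | No | No |
| API hooks (Windows) | Yes | Yes | No | No | No |
| Worker process isolation | No | Yes (ELF) | Yes | No | No |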

Other Extensions

| Extension | Version | Headless | Commands |
|---|---|---|---|
| hexcore-peanalyzer | | Yes | peanalyzer.analyze, peanalyzer.analyzeActive |
| hexcore-elfanalyzer | 1.0.0 | Yes | elfanalyzer.analyze, elfanalyzer.analyzeActive |
| hexcore-hexviewer | | Yes | hexview.dumpHeadless, hexview.searchHeadless, openHexView, goToOffset, searchHex, copyAsHex, copyAsC, copyAsPython, addBookmark, applyTemplate, toggleEdit |
| hexcore-strings | | Yes | strings.extract, strings.extractAdvanced (now with multi-byte XOR, rolling XOR, increment XOR) |
| hexcore-entropy | | Yes | entropy.analyze |
| hexcore-filetype | | Yes | filetype.detect |
| hexcore-hashcalc | | Yes | hashcalc.calculate, hashcalc.quick, hashcalc.verify |
| hexcore-base64 | | Yes | base64.decodeHeadless, base64.decode |
| hexcore-yara | | Partial | yara.scan (headless), yara.updateRules (headless), rest interactive |
| hexcore-ioc | | Yes | ioc.extract, ioc.extractActive |
| hexcore-minidump | | Yes | minidump.parse, minidump.threads, minidump.modules, minidump.memory |
| hexcore-report-composer | 1.0.0 | Yes | pipeline.composeReport — aggregates reports into unified Markdown |
| hexcore-common | | N/A | Utility library (formatBytes, loadNativeModule, etc.) |

Pipeline Automation

Creating Jobs

  1. From preset: Run hexcore.pipeline.createPresetJob — choose quick-triage, full-static, or ctf-reverse
  2. Manual: Create .hexcore_job.json in workspace root (see docs/HEXCORE_JOB_TEMPLATES.md)
  3. Save profile: Run hexcore.pipeline.saveJobAsProfile to store in .hexcore_profiles.json

Running Jobs

  • Auto: HexCore watches .hexcore_job.json and runs on create/change
  • Manual: Run hexcore.pipeline.runJob
  • Validate first: Run hexcore.pipeline.validateJob for preflight check

Job Contract

Every headless command receives:

  • file — path to target binary
  • quiet — suppress UI notifications
  • output: { path, format } for writing results

Output

Jobs produce in outDir:

  • hexcore-pipeline.log — execution log with timestamps
  • hexcore-pipeline.status.json — structured status per step (ok/failed/timed-out)
  • Per-step output files (JSON or MD)

Architecture Support Matrix

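| Component | x86 | x64 | ARM | ARM64 | MIPS |
|---|---|---|---|---|---|
| Disassembly (Capstone) | Yes | Yes | Yes | Yes | Yes |
| Emulation (Unicorn) | Yes | Yes | Yes | Yes | Yes |
| IR Lifting (Remill) | Yes | Yes | No | Yes | No |
| Assembly (LLVM MC) | Yes | Yes | Yes | Yes | Yes |
| Debugger (full) | Yes | Yes | No | Yes | No |
| PE Analysis | Yes | Yes | No | No | No |
| Minidump | Yes | Yes | No | No | No |
| buildFormula | Yes | Yes | No | No | No |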

Known Gaps (Critical for Agents)

  1. Debugger interactive commands still need UI. MOSTLY RESOLVED: emulateFullHeadless provides full headless emulation (load → run → collect → dispose) without UI. writeMemoryHeadless, setRegisterHeadless, setStdinHeadless, and disposeHeadless fill remaining gaps. Only emulateWithArch (manual arch picker) remains interactive.
  2. Debugger ARM64 ELF is incomplete. RESOLVED in v3.5.1: Full ARM64 DebugEngine with stack initialization, process stack layout (argc/argv via X0/X1/X2), SVC syscall handler, register state mapping, and 20+ Linux syscalls.
  3. Debugger + static ELF — statically-linked binaries have no PLT stubs, so L

Content truncated.
