HexCore Binary Analysis
Skill for binary analysis with HexCore tools integrated into the editor
Install
mkdir -p .claude/skills/hexcore-binary-analysis-diegosouzapw && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16049" && unzip -o skill.zip -d .claude/skills/hexcore-binary-analysis-diegosouzapw && rm skill.zip
Installs to .claude/skills/hexcore-binary-analysis-diegosouzapw
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Skill for binary analysis with HexCore tools integrated into the editor
About this skill
HexCore Binary Analysis Skill — v3.5.4
Overview
HexCore is a VS Code fork for reverse engineering and binary analysis (HikariSystem HexCore). It includes 20 extensions with 5 native engines (Capstone, Unicorn, Remill, LLVM MC, better-sqlite3) and a full automation pipeline.
Current version: v3.5.4 "Stability & Isolation" (2026-02-19)
Engine versions: capstone 1.3.2 | unicorn 1.2.1 | llvm-mc 1.0.0 | better-sqlite3 2.0.0 | remill 0.1.2
Extensions
Native Engines (no VS Code commands — pure API)
| Engine | Version | Purpose | Architectures |
|---|---|---|---|
| hexcore-capstone | 1.3.2 | Disassembly | x86, x64, ARM, ARM64, MIPS, PPC, SPARC, M68K, RISC-V |
| hexcore-unicorn | 1.2.1 | CPU emulation | x86, x64, ARM, ARM64, MIPS, SPARC, PPC, RISC-V |
| hexcore-remill | 0.1.2 | LLVM IR lifting | x86, x64, ARM64 only |
| hexcore-llvm-mc | 1.0.0 | Assembly/encoding | x86, x64, ARM, ARM64, MIPS, RISC-V, PPC, SPARC |
| hexcore-better-sqlite3 | 2.0.0 | SQLite database | N/A |
Disassembler (hexcore-disassembler v1.3.0)
Professional disassembler with Capstone engine, ELF/PE parsing, CFG, xrefs, patching, and the pipeline runner.
Headless commands (pipeline-safe):
- hexcore.disasm.analyzeAll — Deep analysis (prolog scan + xrefs)
- hexcore.disasm.buildFormula — Symbolic expression extraction (x86/x64 only)
- hexcore.disasm.checkConstants — Validate numeric annotations
- hexcore.disasm.searchStringHeadless — Search string references
- hexcore.disasm.exportASMHeadless — Export assembly to file
- hexcore.pipeline.runJob — Run automation job
- hexcore.pipeline.listCapabilities — Export capability map
- hexcore.pipeline.validateJob — Preflight validation
- hexcore.pipeline.validateWorkspace — Batch validation
- hexcore.pipeline.createPresetJob — Generate job from preset
- hexcore.pipeline.saveJobAsProfile — Save job as profile
- hexcore.pipeline.doctor — Diagnose health
Interactive commands (need UI):
hexcore.disasm.openFile, analyzeFile, goToAddress, findXrefs, addComment, renameFunction, showCFG, searchString, exportASM, patchInstruction, nopInstruction, assemble, assembleMultiple, savePatchedFile, setSyntax, showLlvmVersion, nativeStatus
Experimental:
- hexcore.disasm.liftToIR — Lift to LLVM IR (requires Remill, x86/x64/ARM64 only)
Architecture auto-detection: Reads ELF e_machine / PE Machine headers. Supports x86, x64, ARM, ARM64, MIPS. Defaults to x64 for raw files.
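The header-based detection described above, as an added example that is not HexCore's own code: it reads ELF e_machine (honouring EI_DATA for byte order) or the PE COFF Machine field, and falls back to x64 for raw files, with every read bounds-checked so a truncated file or a hostile e_lfanew cannot read past the buffer. The sample headers are constructed, not real binaries.

```javascript
'use strict';

// ELF e_machine values (EM_386, EM_X86_64, EM_ARM, EM_AARCH64, EM_MIPS)
const ELF_MACHINES = { 0x03: 'x86', 0x3e: 'x64', 0x28: 'ARM', 0xb7: 'ARM64', 0x08: 'MIPS' };
// PE COFF Machine values (I386, AMD64, ARM, ARM64)
const PE_MACHINES = { 0x014c: 'x86', 0x8664: 'x64', 0x01c0: 'ARM', 0xaa64: 'ARM64' };

function detectArch(buf) {
  // ELF: magic 7f 'E' 'L' 'F'; EI_DATA at byte 5 (1 = LE, 2 = BE) decides how
  // e_machine (u16 at offset 18) is read. Truncated headers fall through to raw.
  if (buf.length >= 20 && buf[0] === 0x7f && buf.toString('latin1', 1, 4) === 'ELF') {
    const m = buf[5] === 2 ? buf.readUInt16BE(18) : buf.readUInt16LE(18);
    const arch = ELF_MACHINES[m];
    if (arch) return { format: 'ELF', arch, detected: true };
    return { format: 'ELF', arch: 'x64', detected: false, reason: `unknown e_machine 0x${m.toString(16)}` };
  }
  // PE: 'MZ' stub, e_lfanew (u32 LE at 0x3c) -> 'PE\0\0', Machine (u16 LE) 4 bytes later.
  // Bounds are checked before every read so a hostile e_lfanew cannot read past the buffer.
  if (buf.length >= 0x40 && buf[0] === 0x4d && buf[1] === 0x5a) {
    const peOff = buf.readUInt32LE(0x3c);
    if (peOff + 6 <= buf.length && buf.readUInt32LE(peOff) === 0x00004550) {
      const m = buf.readUInt16LE(peOff + 4);
      const arch = PE_MACHINES[m];
      if (arch) return { format: 'PE', arch, detected: true };
      return { format: 'PE', arch: 'x64', detected: false, reason: `unknown Machine 0x${m.toString(16)}` };
    }
  }
  // No recognised header: treat as raw code and assume x64, as the disassembler does.
  return { format: 'raw', arch: 'x64', detected: false, reason: 'no ELF/PE header' };
}

// Constructed minimal headers for demonstration (not real binaries).
function elfHeader(machine, bigEndian = false) {
  const h = Buffer.alloc(64);
  // magic, ELFCLASS64, EI_DATA, EI_VERSION
  Buffer.from([0x7f, 0x45, 0x4c, 0x46, 2, bigEndian ? 2 : 1, 1]).copy(h, 0);
  if (bigEndian) h.writeUInt16BE(machine, 18); else h.writeUInt16LE(machine, 18);
  return h;
}
function peHeader(machine) {
  const h = Buffer.alloc(0x100);
  h[0] = 0x4d; h[1] = 0x5a;            // 'MZ'
  h.writeUInt32LE(0x80, 0x3c);         // e_lfanew
  h.writeUInt32LE(0x00004550, 0x80);   // 'PE\0\0'
  h.writeUInt16LE(machine, 0x84);      // COFF Machine
  return h;
}
```

A result with `detected: false` is the signal to pass an explicit arch (for example via emulateWithArch) rather than trust the x64 default.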
Debugger (hexcore-debugger v2.0.1)
Emulation-based debugger using Unicorn engine with PE/ELF loading, API hooking, syscall handling, and API call tracing.
Process isolation & Smart Sync: x64 ELF and ARM64 ELF emulation run in dedicated child processes (x64ElfWorker.js, arm64Worker.js) to prevent Unicorn heap corruption from crashing the VS Code extension host. The worker communicates via JSON-RPC over IPC. A unique Smart Sync architecture instantly synchronizes heap memory (e.g. dynamically allocated strings) from the Worker to the Host before evaluating any API hook (such as __printf_chk, getline, or puts), guaranteeing flawless validation of complex obfuscated VMs (like active advanced HTB CTFs). PE emulation and other architectures run in-process.
Headless commands (pipeline-safe):
- hexcore.debug.emulateFullHeadless — Unified single-shot emulation (load → configure → run → collect → dispose). Recommended for pipeline jobs. Args: { file, arch?, stdin?, maxInstructions?, breakpoints?, keepAlive?, output?, quiet? }. Aliases: hexcore.debug.emulate.full, hexcore.debug.run
- hexcore.debug.writeMemoryHeadless — Write data to emulation memory. Args: { address, data, output?, quiet? }. Data accepts base64 or 0x-prefixed hex.
- hexcore.debug.setRegisterHeadless — Set CPU register value. Args: { name, value, output?, quiet? }. Value accepts hex string or decimal.
- hexcore.debug.setStdinHeadless — Set STDIN buffer for emulation. Args: { input, output?, quiet? }. Supports escape sequences (\n, \t, \r, \\).
- hexcore.debug.disposeHeadless — Dispose emulation session (idempotent, safe to call without active session). Args: { output?, quiet? }
- hexcore.debug.snapshotHeadless — Save emulation snapshot
- hexcore.debug.restoreSnapshotHeadless — Restore emulation snapshot
- hexcore.debug.exportTraceHeadless — Export API/libc call trace as JSON
Interactive commands (need UI):
- hexcore.debug.emulate — Start emulation (auto-detect arch)
- hexcore.debug.emulateWithArch — Start with manual arch selection
- hexcore.debug.emulationStep — Step one instruction
- hexcore.debug.emulationContinue — Continue to breakpoint/end
- hexcore.debug.emulationBreakpoint — Set breakpoint
- hexcore.debug.emulationReadMemory — Read memory region
- hexcore.debug.setStdin — Set STDIN buffer for ELF emulation
- hexcore.debug.saveSnapshot — Save emulation snapshot
- hexcore.debug.restoreSnapshot — Restore snapshot
- hexcore.debug.unicornStatus — Show Unicorn status
Internal engine capabilities (programmatic, not exposed as headless commands):
- PE loading with import resolution and Windows API hooks
- ELF loading with PLT stubs and Linux API hooks (libc emulation)
- Linux syscall handler (x86/x64: int 0x80, syscall instruction; ARM64: SVC #0)
- Architecture auto-detection from ELF/PE headers
- Deterministic ELF continue (250K instruction budget)
- STDIN buffer injection for scanf/read emulation
- Snapshot save/restore via Unicorn context
- x64 ELF worker process isolation with Smart Sync (prevents host heap corruption & guarantees dynamic string visibility)
- ARM64 ELF worker process isolation (same pattern)
Architecture support in debugger:
| Feature | x86 | x64 | ARM64 | ARM | MIPS |
|---|---|---|---|---|---|
| Unicorn init | Yes | Yes | Yes | Yes | Yes |
| Register read/write | Yes | Yes | Yes | No | No |
| ELF loading | Yes | Yes | Yes | No | No |
| PE loading | Yes | Yes | No | No | No |
| Stack initialization | Yes | Yes | Yes | No | No |
| Syscall handler | Yes | Yes | Yes | No | No |
| API hooks (Linux) | Yes | Yes | Yes | No | No |
| API hooks (Windows) | Yes | Yes | No | No | No |
| Worker process isolation | No | Yes (ELF) | Yes | No | No |
Other Extensions
| Extension | Version | Headless | Commands |
|---|---|---|---|
| hexcore-peanalyzer | — | Yes | peanalyzer.analyze, peanalyzer.analyzeActive |
| hexcore-elfanalyzer | 1.0.0 | Yes | elfanalyzer.analyze, elfanalyzer.analyzeActive |
| hexcore-hexviewer | — | Yes | hexview.dumpHeadless, hexview.searchHeadless, openHexView, goToOffset, searchHex, copyAsHex, copyAsC, copyAsPython, addBookmark, applyTemplate, toggleEdit |
| hexcore-strings | — | Yes | strings.extract, strings.extractAdvanced (now with multi-byte XOR, rolling XOR, increment XOR) |
| hexcore-entropy | — | Yes | entropy.analyze |
| hexcore-filetype | — | Yes | filetype.detect |
| hexcore-hashcalc | — | Yes | hashcalc.calculate, hashcalc.quick, hashcalc.verify |
| hexcore-base64 | — | Yes | base64.decodeHeadless, base64.decode |
| hexcore-yara | — | Partial | yara.scan (headless), yara.updateRules (headless), rest interactive |
| hexcore-ioc | — | Yes | ioc.extract, ioc.extractActive |
| hexcore-minidump | — | Yes | minidump.parse, minidump.threads, minidump.modules, minidump.memory |
| hexcore-report-composer | 1.0.0 | Yes | pipeline.composeReport — aggregates reports into unified Markdown |
| hexcore-common | — | N/A | Utility library (formatBytes, loadNativeModule, etc.) |
Pipeline Automation
Creating Jobs
- From preset: Run hexcore.pipeline.createPresetJob — choose quick-triage, full-static, or ctf-reverse
- Manual: Create .hexcore_job.json in workspace root (see docs/HEXCORE_JOB_TEMPLATES.md)
- Save profile: Run hexcore.pipeline.saveJobAsProfile to store in .hexcore_profiles.json
Running Jobs
- Auto: HexCore watches .hexcore_job.json and runs on create/change
- Manual: Run hexcore.pipeline.runJob
- Validate first: Run hexcore.pipeline.validateJob for preflight check
Job Contract
Every headless command receives:
- file — path to target binary
- quiet — suppress UI notifications
- output — { path, format } for writing results
Output
Jobs produce in outDir:
- hexcore-pipeline.log — execution log with timestamps
- hexcore-pipeline.status.json — structured status per step (ok/failed/timed-out)
- Per-step output files (JSON or MD)
Architecture Support Matrix
| Component | x86 | x64 | ARM | ARM64 | MIPS |
|---|---|---|---|---|---|
| Disassembly (Capstone) | Yes | Yes | Yes | Yes | Yes |
| Emulation (Unicorn) | Yes | Yes | Yes | Yes | Yes |
| IR Lifting (Remill) | Yes | Yes | No | Yes | No |
| Assembly (LLVM MC) | Yes | Yes | Yes | Yes | Yes |
| Debugger (full) | Yes | Yes | No | Yes | No |
| PE Analysis | Yes | Yes | No | No | No |
| Minidump | Yes | Yes | No | No | No |
| buildFormula | Yes | Yes | No | No | No |
Known Gaps (Critical for Agents)
- Debugger interactive commands still need UI — MOSTLY RESOLVED: emulateFullHeadless provides full headless emulation (load → run → collect → dispose) without UI. writeMemoryHeadless, setRegisterHeadless, setStdinHeadless, and disposeHeadless fill remaining gaps. Only emulateWithArch (manual arch picker) remains interactive.
- Debugger ARM64 ELF is incomplete — RESOLVED in v3.5.1: Full ARM64 DebugEngine with stack initialization, process stack layout (argc/argv via X0/X1/X2), SVC syscall handler, register state mapping, and 20+ Linux syscalls.
- Debugger + static ELF — statically-linked binaries have no PLT stubs, so L
Content truncated.