OpenSkillIndex← back to search
claude-code

Awesome-omni-skill HexCore Binary Analysis

Skill para analise de binarios com ferramentas HexCore integradas ao editor

install
source · Clone the upstream repo
git clone https://github.com/diegosouzapw/awesome-omni-skill
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/tools/hexcore-binary-analysis" ~/.claude/skills/diegosouzapw-awesome-omni-skill-hexcore-binary-analysis && rm -rf "$T"
manifest: skills/tools/hexcore-binary-analysis/SKILL.md
source content

HexCore Binary Analysis Skill — v3.5.4

Overview

HexCore is a VS Code fork for reverse engineering and binary analysis (HikariSystem HexCore). It includes 20 extensions with 5 native engines (Capstone, Unicorn, Remill, LLVM MC, better-sqlite3) and a full automation pipeline.

Current version: v3.5.4 "Stability & Isolation" (2026-02-19) Engine versions: capstone 1.3.2 | unicorn 1.2.1 | llvm-mc 1.0.0 | better-sqlite3 2.0.0 | remill 0.1.2

Extensions

Native Engines (no VS Code commands — pure API)

EngineVersionPurposeArchitectures
hexcore-capstone1.3.2Disassemblyx86, x64, ARM, ARM64, MIPS, PPC, SPARC, M68K, RISC-V
hexcore-unicorn1.2.1CPU emulationx86, x64, ARM, ARM64, MIPS, SPARC, PPC, RISC-V
hexcore-remill0.1.2LLVM IR liftingx86, x64, ARM64 only
hexcore-llvm-mc1.0.0Assembly/encodingx86, x64, ARM, ARM64, MIPS, RISC-V, PPC, SPARC
hexcore-better-sqlite32.0.0SQLite databaseN/A

Disassembler (
hexcore-disassembler
v1.3.0)

Professional disassembler with Capstone engine, ELF/PE parsing, CFG, xrefs, patching, and the pipeline runner.

Headless commands (pipeline-safe):

  • hexcore.disasm.analyzeAll
    — Deep analysis (prolog scan + xrefs)
  • hexcore.disasm.buildFormula
    — Symbolic expression extraction (x86/x64 only)
  • hexcore.disasm.checkConstants
    — Validate numeric annotations
  • hexcore.disasm.searchStringHeadless
    — Search string references
  • hexcore.disasm.exportASMHeadless
    — Export assembly to file
  • hexcore.pipeline.runJob
    — Run automation job
  • hexcore.pipeline.listCapabilities
    — Export capability map
  • hexcore.pipeline.validateJob
    — Preflight validation
  • hexcore.pipeline.validateWorkspace
    — Batch validation
  • hexcore.pipeline.createPresetJob
    — Generate job from preset
  • hexcore.pipeline.saveJobAsProfile
    — Save job as profile
  • hexcore.pipeline.doctor
    — Diagnose health

Interactive commands (need UI):

  • hexcore.disasm.openFile
    , 
    analyzeFile
    , 
    goToAddress
    , 
    findXrefs
    , 
    addComment
    , 
    renameFunction
    , 
    showCFG
    , 
    searchString
    , 
    exportASM
    , 
    patchInstruction
    , 
    nopInstruction
    , 
    assemble
    , 
    assembleMultiple
    , 
    savePatchedFile
    , 
    setSyntax
    , 
    showLlvmVersion
    , 
    nativeStatus

Experimental:

  • hexcore.disasm.liftToIR
    — Lift to LLVM IR (requires Remill, x86/x64/ARM64 only)

Architecture auto-detection: Reads ELF 

e_machine
/ PE 
Machine
headers. Supports x86, x64, ARM, ARM64, MIPS. Defaults to x64 for raw files.

Debugger (
hexcore-debugger
v2.0.1)

Emulation-based debugger using Unicorn engine with PE/ELF loading, API hooking, syscall handling, and API call tracing.

Process isolation & Smart Sync: x64 ELF and ARM64 ELF emulation run in dedicated child processes (

x64ElfWorker.js
, 
arm64Worker.js
) to prevent Unicorn heap corruption from crashing the VS Code extension host. The worker communicates via JSON-RPC over IPC. A unique Smart Sync architecture instantly synchronizes heap memory (e.g. dynamically allocated strings) from the Worker to the Host before evaluating any API hook (such as 
__printf_chk
, 
getline
, or 
puts
), guaranteeing flawless validation of complex obfuscated VMs (like active advanced HTB CTFs). PE emulation and other architectures run in-process.

Headless commands (pipeline-safe):

  • hexcore.debug.emulateFullHeadless
    Unified single-shot emulation (load → configure → run → collect → dispose). Recommended for pipeline jobs. Args: 
    { file, arch?, stdin?, maxInstructions?, breakpoints?, keepAlive?, output?, quiet? }
    . Aliases: 
    hexcore.debug.emulate.full
    , 
    hexcore.debug.run
  • hexcore.debug.writeMemoryHeadless
    — Write data to emulation memory. Args: 
    { address, data, output?, quiet? }
    . Data accepts base64 or 
    0x
    -prefixed hex.
  • hexcore.debug.setRegisterHeadless
    — Set CPU register value. Args: 
    { name, value, output?, quiet? }
    . Value accepts hex string or decimal.
  • hexcore.debug.setStdinHeadless
    — Set STDIN buffer for emulation. Args: 
    { input, output?, quiet? }
    . Supports escape sequences (
    \n
    , 
    \t
    , 
    \r
    , 
    \\
    ).
  • hexcore.debug.disposeHeadless
    — Dispose emulation session (idempotent, safe to call without active session). Args: 
    { output?, quiet? }
  • hexcore.debug.snapshotHeadless
    — Save emulation snapshot
  • hexcore.debug.restoreSnapshotHeadless
    — Restore emulation snapshot
  • hexcore.debug.exportTraceHeadless
    — Export API/libc call trace as JSON

Interactive commands (need UI):

  • hexcore.debug.emulate
    — Start emulation (auto-detect arch)
  • hexcore.debug.emulateWithArch
    — Start with manual arch selection
  • hexcore.debug.emulationStep
    — Step one instruction
  • hexcore.debug.emulationContinue
    — Continue to breakpoint/end
  • hexcore.debug.emulationBreakpoint
    — Set breakpoint
  • hexcore.debug.emulationReadMemory
    — Read memory region
  • hexcore.debug.setStdin
    — Set STDIN buffer for ELF emulation
  • hexcore.debug.saveSnapshot
    — Save emulation snapshot
  • hexcore.debug.restoreSnapshot
    — Restore snapshot
  • hexcore.debug.unicornStatus
    — Show Unicorn status

Internal engine capabilities (programmatic, not exposed as headless commands):

  • PE loading with import resolution and Windows API hooks
  • ELF loading with PLT stubs and Linux API hooks (libc emulation)
  • Linux syscall handler (x86/x64: int 0x80, syscall instruction; ARM64: SVC #0)
  • Architecture auto-detection from ELF/PE headers
  • Deterministic ELF continue (250K instruction budget)
  • STDIN buffer injection for scanf/read emulation
  • Snapshot save/restore via Unicorn context
  • x64 ELF worker process isolation with Smart Sync (prevents host heap corruption & guarantees dynamic string visibility)
  • ARM64 ELF worker process isolation (same pattern)

Architecture support in debugger:

Featurex86x64ARM64ARMMIPS
Unicorn initYesYesYesYesYes
Register read/writeYesYesYesNoNo
ELF loadingYesYesYesNoNo
PE loadingYesYesNoNoNo
Stack initializationYesYesYesNoNo
Syscall handlerYesYesYesNoNo
API hooks (Linux)YesYesYesNoNo
API hooks (Windows)YesYesNoNoNo
Worker process isolationNoYes (ELF)YesNoNo

Other Extensions

ExtensionVersionHeadlessCommands
hexcore-peanalyzerYes
peanalyzer.analyze
, 
peanalyzer.analyzeActive
hexcore-elfanalyzer1.0.0Yes
elfanalyzer.analyze
, 
elfanalyzer.analyzeActive
hexcore-hexviewerYes
hexview.dumpHeadless
, 
hexview.searchHeadless
, 
openHexView
, 
goToOffset
, 
searchHex
, 
copyAsHex
, 
copyAsC
, 
copyAsPython
, 
addBookmark
, 
applyTemplate
, 
toggleEdit
hexcore-stringsYes
strings.extract
, 
strings.extractAdvanced
(now with multi-byte XOR, rolling XOR, increment XOR)
hexcore-entropyYes
entropy.analyze
hexcore-filetypeYes
filetype.detect
hexcore-hashcalcYes
hashcalc.calculate
, 
hashcalc.quick
, 
hashcalc.verify
hexcore-base64Yes
base64.decodeHeadless
, 
base64.decode
hexcore-yaraPartial
yara.scan
(headless), 
yara.updateRules
(headless), rest interactive
hexcore-iocYes
ioc.extract
, 
ioc.extractActive
hexcore-minidumpYes
minidump.parse
, 
minidump.threads
, 
minidump.modules
, 
minidump.memory
hexcore-report-composer1.0.0Yes
pipeline.composeReport
— aggregates reports into unified Markdown
hexcore-commonN/AUtility library (formatBytes, loadNativeModule, etc.)

Pipeline Automation

Creating Jobs

  1. From preset: Run 
    hexcore.pipeline.createPresetJob
    — choose quick-triage, full-static, or ctf-reverse
  2. Manual: Create 
    .hexcore_job.json
    in workspace root (see 
    docs/HEXCORE_JOB_TEMPLATES.md
    )
  3. Save profile: Run 
    hexcore.pipeline.saveJobAsProfile
    to store in 
    .hexcore_profiles.json

Running Jobs

  • Auto: HexCore watches 
    .hexcore_job.json
    and runs on create/change
  • Manual: Run 
    hexcore.pipeline.runJob
  • Validate first: Run 
    hexcore.pipeline.validateJob
    for preflight check

Job Contract

Every headless command receives:

  • file
    — path to target binary
  • quiet
    — suppress UI notifications
  • output
    { path, format }
    for writing results

Output

Jobs produce in 

outDir
:

  • hexcore-pipeline.log
    — execution log with timestamps
  • hexcore-pipeline.status.json
    — structured status per step (ok/failed/timed-out)
  • Per-step output files (JSON or MD)

Architecture Support Matrix

Componentx86x64ARMARM64MIPS
Disassembly (Capstone)YesYesYesYesYes
Emulation (Unicorn)YesYesYesYesYes
IR Lifting (Remill)YesYesNoYesNo
Assembly (LLVM MC)YesYesYesYesYes
Debugger (full)YesYesNoYesNo
PE AnalysisYesYesNoNoNo
MinidumpYesYesNoNoNo
buildFormulaYesYesNoNoNo

Known Gaps (Critical for Agents)

  1. Debugger interactive commands still need UIMOSTLY RESOLVED: 
    emulateFullHeadless
    provides full headless emulation (load → run → collect → dispose) without UI. 
    writeMemoryHeadless
    , 
    setRegisterHeadless
    , 
    setStdinHeadless
    , and 
    disposeHeadless
    fill remaining gaps. Only 
    emulateWithArch
    (manual arch picker) remains interactive.
  2. Debugger ARM64 ELF is incompleteRESOLVED in v3.5.1: Full ARM64 DebugEngine with stack initialization, process stack layout (argc/argv via X0/X1/X2), SVC syscall handler, register state mapping, and 20+ Linux syscalls.
  3. Debugger + static ELF — statically-linked binaries have no PLT stubs, so LinuxApiHooks cannot intercept libc calls. Only direct syscall interception works (and only for x86/x64/ARM64).
  4. buildFormula is x86/x64 only — the register regex doesn't recognize ARM64 registers (x0-x30, sp, lr). (ARM64 formulaBuilder added in v3.5.1 but limited to 15 mnemonics)
  5. No ELF analyzer extensionRESOLVED in v3.5.2: 
    hexcore-elfanalyzer
    provides full ELF analysis (sections, segments, symbols, security mitigations).
  6. Base64 decode has no headless modeRESOLVED in v3.5.2: 
    hexcore.base64.decodeHeadless
    is pipeline-safe.
  7. Hex viewer has no headless dumpRESOLVED in v3.5.2: 
    hexcore.hexview.dumpHeadless
    and 
    hexcore.hexview.searchHeadless
    are pipeline-safe.
  8. Strings XOR is 1-byte onlyRESOLVED in v3.5.2: 
    extractAdvanced
    now supports multi-byte XOR (2, 4, 8, 16 bytes), rolling XOR, and XOR with increment.
  9. Prebuilds are win32-x64 only — Linux/macOS need 
    node-gyp rebuild
    fallback.

What Agents CAN Do

  1. Create 
    .hexcore_job.json
     files and run analysis via 
    hexcore.pipeline.runJob
  2. Read pipeline output from 
    hexcore-pipeline.status.json
    and step output files
  3. Interpret results — entropy reports, string extractions, YARA matches, IOC lists
  4. Validate jobs with 
    hexcore.pipeline.validateJob
    before execution
  5. Use presets via 
    hexcore.pipeline.createPresetJob
    for quick setup
  6. Search strings headlessly via 
    hexcore.disasm.searchStringHeadless
  7. Export assembly headlessly via 
    hexcore.disasm.exportASMHeadless
  8. Analyze ELF binaries via 
    hexcore.elfanalyzer.analyze
    (sections, segments, symbols, security)
  9. Decode Base64 via 
    hexcore.base64.decodeHeadless
  10. Dump hex ranges via 
    hexcore.hexview.dumpHeadless
  11. Search hex patterns via 
    hexcore.hexview.searchHeadless
  12. Run full emulation headlessly via 
    hexcore.debug.emulateFullHeadless
    (single-shot: load → configure → run → collect → dispose)
  13. Write emulation memory via 
    hexcore.debug.writeMemoryHeadless
  14. Set CPU registers via 
    hexcore.debug.setRegisterHeadless
  15. Set STDIN buffer via 
    hexcore.debug.setStdinHeadless
  16. Dispose emulation sessions via 
    hexcore.debug.disposeHeadless
  17. Save/restore emulation snapshots via 
    hexcore.debug.snapshotHeadless
    / 
    restoreSnapshotHeadless
  18. Export API call traces via 
    hexcore.debug.exportTraceHeadless
  19. Compose unified reports via 
    hexcore.pipeline.composeReport

What Agents CANNOT Do

  1. Start emulationRESOLVED: Use 
    hexcore.debug.emulateFullHeadless
    (or aliases 
    hexcore.debug.emulate.full
    / 
    hexcore.debug.run
    ) for headless emulation. Interactive 
    emulateWithArch
    still requires UI for manual arch selection.
  2. See webviews — CFG graph, hex viewer, debugger view are visual only
  3. Use interactive commands — file pickers, input boxes, quick-picks
  4. Patch binaries
    patchInstruction
    , 
    nopInstruction
    , 
    savePatchedFile
    need the disassembler UI open
  5. Run YARA quick scan — requires prior UI context

Workflow: Static Analysis

1. hexcore.filetype.detect         → Identify file type
2. hexcore.hashcalc.calculate      → Compute hashes (VT lookup)
3. hexcore.entropy.analyze         → Detect packing/encryption
4. hexcore.strings.extract         → Extract strings
5. hexcore.strings.extractAdvanced → XOR deobfuscation (1-byte + multi-byte + rolling + increment) + stack strings
6. hexcore.base64.decodeHeadless   → Detect Base64 encoded strings
7. hexcore.hexview.dumpHeadless    → Inspect file header bytes
8. hexcore.peanalyzer.analyze      → PE headers/imports (PE files only)
9. hexcore.elfanalyzer.analyze     → ELF sections/segments/symbols/security (ELF files only)
10. hexcore.disasm.analyzeAll      → Deep disassembly + xrefs
11. hexcore.yara.scan              → Threat detection
12. hexcore.ioc.extract            → IOC extraction
13. hexcore.pipeline.composeReport → Unified report

Workflow: CTF Reverse Engineering

1. hexcore.filetype.detect              → Verify binary format
2. hexcore.disasm.analyzeAll            → Function discovery + xrefs
3. hexcore.disasm.exportASMHeadless     → Full disassembly export
4. hexcore.disasm.searchStringHeadless  → Find flag patterns
5. hexcore.strings.extractAdvanced      → Find obfuscated strings (multi-byte XOR, rolling, increment)
6. hexcore.base64.decodeHeadless        → Find Base64 encoded data
7. hexcore.hexview.searchHeadless       → Search for flag byte patterns
8. hexcore.disasm.buildFormula          → Extract key computations (x86/x64 only)

Workflow: Dynamic Analysis (Emulation)

1. hexcore.debug.emulateFullHeadless    → Single-shot emulation (recommended for pipeline jobs)
   Args: { file, arch?, stdin?, maxInstructions?, breakpoints?, keepAlive?, output? }
   Returns: FullEmulationResult with registers, apiCalls, stdout, memoryRegions, crash status

For advanced multi-step emulation (keepAlive: true):
2. hexcore.debug.emulateFullHeadless    → Start with keepAlive: true
3. hexcore.debug.writeMemoryHeadless    → Patch memory (base64 or 0x hex data)
4. hexcore.debug.setRegisterHeadless    → Modify CPU registers
5. hexcore.debug.setStdinHeadless       → Inject STDIN input
6. hexcore.debug.snapshotHeadless       → Save state checkpoint
7. hexcore.debug.disposeHeadless        → Clean up session

File Format Support

FormatExtensionsPE AnalysisELF AnalysisDisassemblyEmulation
PE32.exe, .dllYesNoYes (x86)Yes
PE64.exe, .dllYesNoYes (x64)Yes
ELF32.elf, .so, .oNoYesYes (x86/ARM)Yes
ELF64.elf, .soNoYesYes (x64/ARM64/MIPS)Yes (worker isolated)
Raw.bin, .rawNoNoYes (default x64)Yes
Minidump.dmpN/AN/AN/AN/A

HexCore v3.5.4 "Stability & Isolation" — Powered by Capstone 1.3.2 / Unicorn 1.2.1 / LLVM MC 1.0.0 / Remill 0.1.2