A specialized IDE for malware analysis, reverse engineering, and binary emulation
Features | Extensions | Debugger | Automation | Installation | Usage | License
binary analysis · reverse engineering · malware analysis · CPU emulation · PE/ELF · CTF tools · disassembler · debugger
HikariSystem HexCore is a comprehensive binary analysis IDE built on VS Code. It provides security researchers with a unified environment for malware analysis, reverse engineering, and threat hunting — from static analysis to full CPU emulation.
Latest stability update (2026-02-10): v3.2.2 pipeline hotfix release.
What makes HexCore different:
- Full PE and ELF emulation with 65+ API hooks (Windows + Linux)
- Native Capstone/Unicorn/LLVM MC engines via N-API (no external installs)
- Headless automation pipeline for batch analysis
- Tested against real CTF binaries (HackTheBox)
- Disassembly — Native multi-architecture disassembler (x86, x64, ARM, ARM64, MIPS, RISC-V)
- Emulation — CPU emulation via Unicorn Engine with PE and ELF loading, API hooking, stdin emulation
- Assembly Patching — Inline patching with LLVM MC backend, NOP sleds, multi-arch support
- PE/ELF Analysis — Import/export parsing, section analysis, packer detection, PIE support
- Hex Viewer — Virtual scrolling, data inspector, bookmarks, structure templates
- Hash Calculator — MD5, SHA-1, SHA-256, SHA-512 with VirusTotal integration
- String Extraction — ASCII/UTF-16, auto-categorization, cross-reference tracking
- Entropy Analysis — Block-by-block entropy with packer/encryption detection
- YARA Scanning — Rule loading, match highlighting, custom rules
- Automation — Headless pipeline system for batch binary analysis
| Extension | Version | Description |
|---|---|---|
| Debugger | 2.0.1 | PE/ELF emulation with Unicorn Engine, 65+ API hooks, stdin emulation |
| Disassembler | 1.3.0 | Multi-arch disassembler with inline PE/ELF parsing, function detection, string xrefs |
| Hex Viewer | 1.2.1 | Professional binary file viewer with virtual scrolling |
| PE Analyzer | 1.1.0 | Comprehensive PE executable analysis with headless mode |
| Strings Extractor | 1.1.0 | Memory-efficient string extraction with cross-references |
| Hash Calculator | 1.1.0 | Fast file hashing with VirusTotal integration |
| Entropy Analyzer | 1.1.0 | Streaming entropy analysis with adaptive block sizing and modular report pipeline |
| File Type Detector | 1.0.0 | Magic bytes signature detection |
| Base64 Decoder | 1.0.0 | Detect and decode Base64 strings |
| YARA Scanner | 2.1.0 | YARA scanning with DefenderYara integration and headless pipeline support |
These engines ship with HexCore and can also be used independently in Node.js projects.
| Package | Version | Description |
|---|---|---|
| hexcore-capstone | 1.3.0 | Capstone v5 N-API binding — async disassembly, detail mode, all architectures |
| hexcore-unicorn | 1.0.0 | Unicorn N-API binding — CPU emulation, hooks, context save/restore |
| hexcore-llvm-mc | 1.0.0 | LLVM 18.1.8 MC N-API binding — multi-arch assembly and patching |
| hexcore-keystone | 1.0.0 | Legacy assembler binding (superseded by LLVM MC) |
The HexCore Debugger provides full CPU emulation for PE (Windows) and ELF (Linux) binaries via Unicorn Engine. No native debugger or target OS required — everything runs in-process.
- PE (x86/x64) — Automatic section loading, import resolution via IAT, 25+ Windows API hooks
- ELF (x86_64) — PIE support, PLT/GOT resolution (
.rela.plt+.rela.dyn), 40+ Linux API hooks - Raw binaries — Direct memory mapping for shellcode and firmware
- Step / Continue / Breakpoints — Standard debugger controls with register and memory inspection
- API Hooking — Transparent interception of library calls (no real DLLs/SOs needed)
- stdin Emulation — Configurable input buffer for
scanf,read(0),getchar,fgets - TLS/FS_BASE — Automatic Thread Local Storage with stack canary for
-fstack-protectorbinaries - Syscall Handler — Linux syscall interception (read, write, mmap, brk, arch_prctl, exit)
__libc_start_mainredirect — Skip CRT init, jump directly tomain()with argc/argv/envp- Snapshot save/restore — Save and restore full emulation state
I/O, string, memory, heap, conversion, process, time, file stubs, and security functions — all using System V AMD64 ABI argument passing.
Kernel32, user32, msvcrt emulation for common PE analysis scenarios.
Powered by hexcore-unicorn and hexcore-capstone.
Native multi-architecture disassembler powered by Capstone Engine v5.0 with assembly patching via LLVM MC.
- Architectures: x86, x64, ARM, ARM64, MIPS, RISC-V
- Inline PE/ELF parsing — Imports, exports, sections without external dependencies
- Function detection — Prolog scanning, call target analysis, up to 1000 functions
- String cross-references — Track which instructions reference which strings
- Graph View — IDA-style control flow graph visualization
- Patching — Assemble, patch instructions, NOP sleds (LLVM MC)
- Headless mode —
hexcore.disasm.analyzeAllfor automation with JSON/MD output
Powered by hexcore-capstone and hexcore-llvm-mc.
HexCore supports headless batch analysis via .hexcore_job.json job files.
{
"file": "C:\\bin\\sample.exe",
"outDir": "C:\\reports\\sample",
"steps": [
{ "cmd": "hexcore.filetype.detect" },
{ "cmd": "hexcore.peanalyzer.analyze" },
{ "cmd": "hexcore.hashcalc.calculate" },
{ "cmd": "hexcore.entropy.analyze" },
{ "cmd": "hexcore.strings.extract", "args": { "minLength": 5 } },
{ "cmd": "hexcore.disasm.analyzeAll" },
{ "cmd": "hexcore.yara.scan" }
]
}- Auto-trigger — Workspace watcher detects
.hexcore_job.jsonon creation - Step controls — Per-step timeout, error handling, output validation
- Extension preflight — Auto-activates required extensions before each step
- Capability audit —
hexcore.pipeline.listCapabilitiesexports headless/interactive capability map - Safety model — Interactive commands are explicitly blocked in pipeline mode with clear errors
- Output — JSON/Markdown reports +
hexcore-pipeline.status.json+hexcore-pipeline.log
All analysis extensions support headless execution with file, output, and quiet parameters.
See docs/HEXCORE_AUTOMATION.md for full documentation.
Professional binary file viewer with virtual scrolling for large files.
- Virtual Scrolling — Handles files of any size efficiently
- Data Inspector — View bytes as Int8/16/32/64, Float, Unix timestamp
- Bookmarks — Save and navigate to important offsets
- Structure Templates — Parse common binary structures
- Search — Find hex patterns (e.g.,
4D 5Afor PE headers) - Go to Offset — Jump directly to any offset
- Copy Selection — Export as Hex, C Array, or Python bytes
- Little/Big Endian toggle
# Clone the repository
git clone https://github.com/LXrdKnowkill/HikariSystem-HexCore.git
cd HikariSystem-HexCore
# Install dependencies
npm install
# Run in development mode
$env:VSCODE_SKIP_NODE_VERSION_CHECK="1"
.\scripts\code.bat- Node.js 18.x or higher
- npm 8.x or higher
- Windows 10/11
- Visual Studio Build Tools 2022 (for native modules)
- Python 3.x (for node-gyp)
HikariSystem-HexCore/
├── extensions/
│ ├── hexcore-debugger/ # Emulation-based debugger (PE/ELF)
│ ├── hexcore-disassembler/ # Multi-arch disassembler + patching
│ ├── hexcore-hexviewer/ # Binary file viewer
│ ├── hexcore-peanalyzer/ # PE file analyzer
│ ├── hexcore-capstone/ # Capstone N-API binding
│ ├── hexcore-llvm-mc/ # LLVM MC N-API binding
│ ├── hexcore-unicorn/ # Unicorn N-API binding
│ ├── hexcore-keystone/ # Legacy assembler binding
│ ├── hexcore-yara/ # YARA scanner
│ ├── hexcore-hashcalc/ # Hash calculator
│ ├── hexcore-strings/ # Strings extractor
│ ├── hexcore-entropy/ # Entropy analyzer
│ ├── hexcore-base64/ # Base64 decoder
│ └── hexcore-filetype/ # File type detector
├── .agent/
│ └── skills/hexcore/ # AI skill for agent integration
├── docs/ # Documentation
├── src/ # Core IDE source
├── resources/ # Icons and assets
├── build/ # Build scripts
└── product.json # Product configuration
HexCore includes an AI skill definition for integration with AI agents (Claude Code, etc.). The skill provides:
- Complete command reference for all HexCore extensions
- Emulator memory layout and API hook documentation
- Typical analysis workflow guides
- Automation pipeline job file generation
See .agent/skills/hexcore/SKILL.md for details.
- Open any PE or ELF binary
- Run "HexCore: Start Emulation" to begin CPU emulation
- Use Step, Continue, and Breakpoints for dynamic analysis
- Set stdin input with "HexCore: Set Stdin Buffer" for interactive binaries
- Right-click any executable file
- Select "HexCore: Disassemble File"
- Use function tree, string references, and graph view for navigation
- Right-click any file and select "HexCore: Open Hex View"
- Or use "Open With..." > "HexCore Hex Editor"
- Right-click any
.exe,.dll,.sys, or.ocxfile - Select "HexCore: Analyze PE File"
- Right-click any file
- Select "HexCore: Calculate File Hashes"
- Right-click any file
- Select "HexCore: Extract Strings"
- Create a
.hexcore_job.jsonin your workspace - HexCore auto-detects and runs it, or run manually via "Run HexCore Automation Job"
- Fork the repository
- Create a feature branch (
git checkout -b feature/your-feature) - Commit your changes (
git commit -m 'Add your feature') - Push to the branch (
git push origin feature/your-feature) - Open a Pull Request
This project is licensed under the MIT License. See the LICENSE.txt file for details.
HikariSystem — Security Tools for Professionals