SoftRX is a focused runtime-revelation laboratory for unpacking, observing, and extracting intent from opaque binaries without ever allowing execution to complete or cause harm.
SoftRX was born out of real-world malware research where traditional static analysis and generic sandboxes failed. Instead of trying to understand everything, SoftRX is designed to let binaries betray themselves — just long enough to expose their payloads, strings, and operational intent.
Execution is allowed only long enough to reveal intent.
Completion is never allowed.
SoftRX is not:
- a malware sandbox
- an emulator farm
- a behavioral AV engine
- an exploitation framework
SoftRX is:
- a runtime unpacking lab
- a syscall-semantic instrument
- a memory revelation engine
- a research-grade artifact extractor
SoftRX automates and instruments the exact workflow analysts often perform manually:
- Classify an unknown binary (architecture, packing signals, entropy)
- Launch it in a tightly constrained runtime
- Intercept semantic syscalls (`mprotect`, `fork`, `execve`, etc.)
- Pause execution at critical transitions (RW→RX, fork divergence)
- Dump only the memory that matters (anonymous executable regions)
- Extract strings, indicators, and artifacts
- Report findings in structured, disclosure-ready form
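As an added illustration of the first step of that workflow (example code, not SoftRX's own `classifier.py`), a small static classifier that reads the ELF header for architecture and bitness and collects packing signals; the sample image, the UPX marker check and the entropy threshold are constructed for this example.

```python
import math
import struct
# Constructed sample, not a real binary: a 64-bit little-endian x86-64 ELF header with
# e_shnum = 0 (section headers stripped), a high-entropy body, and a trailing UPX marker.
def sample_packed_elf() -> bytes:
    ehdr = struct.pack(
        "<4sBBBBB7sHHIQQQIHHHHHH",
        b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,               # e_ident: ELFCLASS64, LSB, v1
        2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0,  # ET_EXEC, EM_X86_64 ... e_shnum=0
    )
    body = bytes((i * 131 + 7) % 256 for i in range(4096))  # every byte value 16x: entropy 8.0
    return ehdr + body + b"UPX!"

MACHINES = {3: "x86", 40: "arm", 62: "x86-64", 183: "aarch64", 243: "riscv"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8.0, plain code nearer 5-6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(blob: bytes) -> dict:
    """Static recon: architecture, bitness, section-header presence, entropy, UPX marker."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = blob[4], blob[5]
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", blob, 18)
    # e_shnum sits at offset 60 in an ELF64 header and at offset 48 in an ELF32 header
    (e_shnum,) = struct.unpack_from(endian + "H", blob, 60 if ei_class == 2 else 48)
    entropy = shannon_entropy(blob)
    signals = []
    if b"UPX!" in blob:
        signals.append("upx-marker")
    if e_shnum == 0:
        signals.append("no-section-headers")
    if entropy > 7.0:  # heuristic threshold chosen for this example
        signals.append("high-entropy")
    return {
        "arch": MACHINES.get(e_machine, f"unknown({e_machine})"),
        "bits": 64 if ei_class == 2 else 32,
        "entropy": round(entropy, 2),
        "packing_signals": signals,
        "likely_packed": len(signals) >= 2,
    }
```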
At no point is the sample allowed to:
- reach the real network
- persist on disk
- delete files
- execute secondary payloads
- complete its lifecycle
Toggle different permission sets to change the runtime behavior, allowing or blocking specific syscalls and similar operations to see how the sample reacts.
After execution, examine the run in detail to see what the software did:
- Outcome sandboxing, not behavior sandboxing
- Semantic breakpoints, not instruction stepping
- Memory truth over static illusion
- User-in-the-loop analysis
- Architecture-agnostic where possible
```
SoftRX/
│
├── softrxctl.py          # CLI entrypoint
│
├── core/
│   ├── classifier.py     # Static recon & execution planning
│   ├── launcher.c        # Seccomp-based controlled launch
│   ├── sysmon.c          # Syscall semantic interception
│   ├── memdump.py        # Targeted memory dumping
│   ├── artifacts.py      # Strings & indicator extraction
│   └── report.py         # Structured output generation
│
├── debug/
│   ├── gdb_bridge.py     # Optional GDB/QEMU integration
│   └── mi_parse.py
│
├── web/
│   └── app.py            # Flask-based operator console
│
└── policies/
    ├── seccomp_policy.h
    ├── fs_policy.json
    └── net_policy.json
```
- ELF headers
- architecture detection
- packing signals (UPX, entropy, missing sections)
- seccomp-based syscall gating
- no real network access
- tightly limited filesystem interaction
- semantic syscall hooks: `mprotect` (RW→RX), `fork`/`clone`, `execve`, `/proc/self/exe` access
- execution pauses on meaning, not time
- dump anonymous RX regions
- dump executable heap
- tag dumps with triggering events
- protocol strings
- persistence attempts
- credential lists
- device fingerprints
- command templates
- JSON (machine-readable)
- Markdown (human-readable)
- VirusTotal-ready artifacts
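The memory-dumping items above (anonymous RX regions, executable heap, dumps tagged with their triggering event), shown as an added example that is not SoftRX's `memdump.py`: a `/proc/<pid>/maps` parser that selects only the regions worth dumping, names each dump after the event that triggered it, and reads the bytes out of a paused tracee. The maps excerpt is constructed; `dump_region` assumes the caller already holds ptrace access to the target.

```python
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous mappings, "[heap]" / "[stack]" for pseudo-paths

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_maps(text: str) -> list:
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions

def select_dump_targets(regions: list) -> list:
    """Only what matters: executable regions with no backing file, and an executable heap."""
    return [r for r in regions if "x" in r.perms and r.path in ("", "[heap]")]

def tag_dump(region: Region, event: str) -> str:
    """Dump file name that records the runtime event which triggered it."""
    return f"{event}_{region.start:016x}-{region.end:016x}_{region.perms}.bin"

def dump_region(pid: int, region: Region) -> bytes:
    """Copy the region out of a paused tracee via /proc/<pid>/mem (requires ptrace access)."""
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(region.start)
        return mem.read(region.size)

# Constructed /proc/<pid>/maps excerpt, not captured from a real run
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234    /tmp/sample.bin
00401000-00402000 r-xp 00001000 08:01 1234    /tmp/sample.bin
00602000-00623000 rwxp 00000000 00:00 0       [heap]
7f3a10000000-7f3a10021000 rwxp 00000000 00:00 0
7f3a10021000-7f3a14000000 ---p 00000000 00:00 0
7f3a14a00000-7f3a14bc0000 r-xp 00000000 08:01 5678    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2c5f0000-7ffd2c611000 rw-p 00000000 00:00 0       [stack]
"""
```

File-backed executable mappings such as the sample's own `.text` or libc are deliberately skipped: they can be recovered from disk, whereas the anonymous RWX mapping and the executable heap exist only in memory.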
SoftRX enforces the following invariants:
- Network syscalls are logged but never succeed
- File creation and execution are mutually exclusive
- Destructive filesystem operations are denied
- Fork/clone/vfork-based evasion is tracked and neutralized (first attempt is logged, then the sample is killed)
- Execution is forcibly halted after artifact capture
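The same invariants written out as a small policy engine over a syscall event stream, as an added example rather than SoftRX's `sysmon.c`: the syscall name sets, the argument keys, the decision to halt after the first RW->RX dump, and the `old_prot` value (assumed to be looked up from the region's current mapping by the tracer) are all assumptions of this example.

```python
from dataclasses import dataclass, field
NET = {"socket", "connect", "sendto", "sendmsg", "bind"}
FORK = {"fork", "vfork", "clone", "clone3"}
CREATE = {"creat", "mkdir", "mknod", "symlink", "link", "openat"}   # openat only with O_CREAT
DESTRUCTIVE = {"unlink", "unlinkat", "rmdir", "rename", "truncate"}
PROT_WRITE, PROT_EXEC, O_CREAT = 0x2, 0x4, 0o100

@dataclass
class Verdict:
    action: str   # allow | deny | pause | kill
    reason: str

@dataclass
class Policy:
    created: bool = False    # a file-creation attempt has been seen
    executed: bool = False   # an execve attempt has been seen
    captured: bool = False   # artifacts were dumped; nothing further may run (assumed: first dump)
    log: list = field(default_factory=list)

    def decide(self, name: str, args: dict) -> Verdict:
        v = self._rule(name, args)
        self.log.append((name, v.action, v.reason))   # every attempt is logged, allowed or not
        return v

    def _rule(self, name, args):
        if self.captured:
            return Verdict("kill", "artifacts captured: execution halted")
        if name in NET:
            return Verdict("deny", "network syscalls are logged but never succeed")
        if name in DESTRUCTIVE:
            return Verdict("deny", f"destructive fs op on {args.get('path')}")
        if name in FORK:
            return Verdict("kill", "fork/clone/vfork: first attempt logged, sample killed")
        if name in CREATE and (name != "openat" or args.get("flags", 0) & O_CREAT):
            self.created = True
            if self.executed:
                return Verdict("kill", "file creation after execve is not allowed")
            return Verdict("deny", f"file creation of {args.get('path')} logged and denied")
        if name == "execve":
            if self.created:
                return Verdict("kill", "execve after file creation is not allowed")
            self.executed = True
            return Verdict("deny", f"secondary payload {args.get('path')} not executed")
        if name == "mprotect":
            old, new = args.get("old_prot", 0), args.get("prot", 0)
            if old & PROT_WRITE and new & PROT_EXEC and not old & PROT_EXEC:
                self.captured = True
                return Verdict("pause", f"RW->RX at {args.get('addr', 0):#x}: dump region")
        return Verdict("allow", "")
```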
SoftRX is designed for:
- malware researchers
- threat intelligence analysts
- reverse engineers
- academic study
- responsible disclosure workflows
It is not intended for:
- mass automation
- exploitation
- botnet research beyond artifact extraction
- running malware at scale
Build the launcher:

```
make
```

Run a single sample:

```
python3 softrxctl.py ./sample.bin --outdir softrx_runs --timeout-ms 4000 --max-events 8
```

Batch-run a directory of samples (writes an NDJSON index alongside the run folders):

```
python3 tools/batch_orchestrator.py ./samples --outdir softrx_runs --jobs 4 --timeout-ms 4000 --max-events 8
```

Notes:
- Filesystem mutation attempts are logged with high-fidelity arguments (paths/flags) and denied.
- Fork/clone/vfork are logged and immediately neutralized.
SoftRX is an active research tool under construction.
The initial milestone focuses on:
- RW→RX detection
- memory dumping
- artifact extraction
- structured reporting
Everything else is iterative.
SoftRX exists to make opaque systems legible.
It favors:
- clarity over completeness
- evidence over speculation
- restraint over power
Copyright 2026 Cas1m1r
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
SoftRX — Reveal the payload, not the damage.