CodeHawk Binary Analyzer for malware analysis and general reverse engineering

quick start

Try it out on a smallish PE 32-bit executable, located in, say, ~/executables/p.exe:

> cd
> git clone
> export PYTHONPATH=$HOME/CodeHawk-Binary
> cd CodeHawk-Binary/chb/cmdline/pe32
> python ~/executables/p.exe

Invoking the disassembler extracts the executable content from the binary and saves it in multiple xml files, which are packaged into a .tar.gz file. Once this file exists, it is the basis for all further analysis; the original executable can be removed (much as an .idb file obviates the need for the executable when using IDA Pro).

At this point no analysis has yet been performed. To run the analyzer on the same executable:

> python ~/executables/p.exe

which performs an iterative analysis until the results stabilize or a maximum number of iterations is reached (default: 12 iterations). Analysis results are saved in xml files and can be accessed via a variety of other scripts, e.g., to see an overview of the functions and a summary of the analysis statistics:

> python ~/executables/p.exe

or, to view a list of the calls to dll library functions:

> python ~/executables/p.exe

The annotated assembly code of one or more functions can be viewed with the script:

> python ~/executables/p.exe --assembly --esp \
     --functions <address-1-in-hex>...<address-n-in-hex>

by listing the addresses of the functions in hexadecimal, separated by spaces.

A more detailed description of all of the scripts, with example output, is available here.
