CodeHawk Binary Analyzer for malware analysis and general reverse engineering

This repository contains the command-line interface (in Python) to run the CodeHawk Binary Analyzer and report its results. The command-line interface can be invoked as follows (adjust paths for actual location):

> export PYTHONPATH=$HOME/CodeHawk-Binary
> export PATH=$HOME/CodeHawk-Binary/chb/cmdline:$PATH
> chkx

This will show an overview of the commands available.

At present the analyzer supports x86 (32-bit), both ELF and PE32, mips32, and arm32 (both ARM and Thumb-2) binaries (ELF only); arm32 is still under active development and thus somewhat experimental.


The command-line interface requires python3.5 or higher. The analyzer requires a Java runtime environment.

Build instructions for the CodeHawk Binary Analyzer are available here. Upon completion copy the analyzer, chx86_analyze, from the CodeHawk/CHB/bchcmdline directory to the appropriate directory in chb/bin/binaries, or point the (or in chb/util/ to its location. You can check the configuration with

> chkx info
Analyzer configuration:
  analyzer : /home/myname/codehawk/CodeHawk/CHB/bchcmdline/chx86_analyze (found)
  summaries: /home/myname/codehawk/CodeHawk/CHB/bchsummaries/bchsummaries.jar (found)

and check whether it works correctly by running some tests:

> chkx test runall
 --ok--  arm32 elf   suite_001   test_001
 --ok--  x86   elf   suite_001   test_001
 --ok--  x86   elf   suite_001   test_002
 --ok--  x86   elf   suite_001   test_003
 --ok--  x86   elf   suite_001   test_004
 --ok--  x86   elf   suite_001   test_005
 --ok--  x86   pe    suite_001   test_001.exe
 --ok--  x86   pe    suite_001   test_002.exe
 --ok--  x86   pe    suite_001   test_003.exe
 --ok--  x86   pe    suite_001   test_004.exe
 --ok--  x86   pe    suite_001   test_005.exe
All 11 tests passed.

Quick Start

> cd
> git clone
> export PYTHONPATH=$HOME/CodeHawk-Binary
> export PATH=$HOME/CodeHawk-Binary/chb/cmdline:$PATH

To disassemble an x86, arm32, or mips32 executable:

> chkx analyze -d mybinary

This will show some statistics on the disassembly, but will not perform any analysis. It is usually a good first step, especially if the binary is large, to check whether disassembly succeeded. If this looks okay, analysis can be performed with (use --reset to remove any previous intermediate results):

> chkx analyze mybinary --reset
> chkx results stats mybinary

The following commands are available to see more detailed results:

    results stats <xname>         output a summary of results with one line per function
    results functions <xname> ... output a listing of annotated assembly functions
    results function <xname> <fn> output a listing of a single annotated assembly function
    results cfg <xname> <fn> ...  produce a control flow graph for a function (in pdf)
    results cfgpaths <xname> <fn> ... find paths through a cfg with a given target

    results appcalls <xname>      output a listing of application calls
    results dllcalls <xname>      output a listing of dll calls (PE32 only)
    results stringargs <xname>    output a listing of calls with string arguments
    results iocs <xname>          output a listing of indicators of compromise encountered

Finally, it is usually a good idea to reset the analysis results when re-analyzing a binary that was analyzed before:

> chkx analyze mybinary --reset

to avoid inconsistent intermediate results.
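
The configuration check, self-test and quick-start sequence above can be chained so that a binary is only analyzed when the toolchain is known to be working. This script is an added example, not part of the CodeHawk repository; the function names are hypothetical, and it assumes that `chkx` exits non-zero on failure and that a failing test prints some other `--status--` token where `--ok--` appears.

```sh
#!/bin/sh
# Added example (not from the CodeHawk repository): gate an analysis run on
# the configuration and self-test checks described in this README.
# Function names are hypothetical.

# config_ok: reads `chkx info` output on stdin. Succeeds only when both the
# analyzer and the summaries entries end in "(found)".
config_ok() {
    awk '
        $1 ~ /^analyzer:?$/  { a = ($NF == "(found)") }
        $1 ~ /^summaries:?$/ { s = ($NF == "(found)") }
        END { exit (a && s) ? 0 : 1 }
    '
}

# tests_ok: reads `chkx test runall` output on stdin. Succeeds only when every
# per-test line is --ok-- and the count equals the "All N tests passed." line.
# Assumption: a failing test prints some other --status-- token in column 1.
tests_ok() {
    awk '
        $1 ~ /^--[a-z]+--$/ { total++; if ($1 == "--ok--") ok++ }
        $1 == "All" && $3 == "tests" && $4 == "passed." { claimed = $2 + 0 }
        END { exit (total > 0 && ok == total && claimed == total) ? 0 : 1 }
    '
}

# triage: disassemble first, then run the full analysis from a clean state.
# Assumption: chkx exits non-zero when a step fails.
triage() {
    bin=$1
    [ -f "$bin" ] || { echo "no such file: $bin" >&2; return 2; }
    chkx info | config_ok || { echo "analyzer or summaries not found" >&2; return 3; }
    chkx test runall | tests_ok || { echo "self-tests did not all pass" >&2; return 4; }
    chkx analyze -d "$bin" || return 5          # disassembly statistics only
    chkx analyze "$bin" --reset || return 6     # discard stale intermediate results
    chkx results stats "$bin"
    chkx results iocs "$bin"
}

# Run as: sh triage.sh mybinary
if [ "$#" -gt 0 ]; then triage "$1"; fi
```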

