explaingit

rhacknarok/hacksguard

Analysis updated 2026-05-18

22 · YARA · Audience: ops devops · Complexity: 3/5 · License: MIT · Setup: moderate

TLDR

A terminal UI malware analysis tool for Windows PE files that runs YARA scanning, entropy analysis, deep structure parsing, and heuristic risk scoring in a fast Rust implementation.

Mindmap

mindmap
  root((HacksGuard))
    What it does
      PE file static analysis
      Heuristic risk scoring
      YARA rule scanning
      Entropy visualization
      String extraction
    Views
      Radar chart risk score
      Entropy graph
      Disassembler at entry point
      Hex dump viewer
    Tech Stack
      Rust
      YARA boreal engine
      ratatui TUI
      iced-x86 disassembler
    Use Cases
      Malware triage
      Threat hunting
      CI pipeline JSON output

What do people build with it?

USE CASE 1

Quickly triage a suspicious .exe file by running HacksGuard to get a 0-100 risk score and an overview of imported APIs, entropy, and packing indicators.

USE CASE 2

Load a set of YARA rules from Elastic's protections-artifacts to scan a binary for known malware signatures and packer patterns in the terminal.

USE CASE 3

Export the full PE analysis as JSON with hacksguard --json for ingestion into a SIEM or SOAR pipeline without displaying the interactive TUI.

What is it built with?

Rust · YARA · ratatui · goblin · iced-x86

How do you get it running?

Difficulty · moderate · Time to first run · 30 min

Requires Rust and Cargo to compile from source. The optional VirusTotal integration needs a VT_API_KEY environment variable; everything else runs offline.

MIT license: use freely for any purpose, including commercial use, as long as you keep the copyright notice.

In plain English

HacksGuard is a terminal-based malware analysis tool written in Rust that lets security analysts inspect suspicious Windows executables without leaving the command line. Analysis runs concurrently across multiple threads, so the interface stays responsive while large files are processed.

Pointed at an executable, it produces a risk score from 0 to 100 by weighing five heuristic factors: how much of the file looks encrypted or compressed (entropy), whether it imports functions often associated with malicious behaviour, structural anomalies in the PE format, suspicious strings, and signs that the file has been packed to hide its contents. The score is displayed as an interactive radar chart in the terminal dashboard. It is a triage aid rather than a verdict: legitimately compressed or protected software can score high, and a low score does not clear a file.

Beyond the overall score, the tool provides several dedicated views. A YARA scanning tab loads local rule files and checks the binary against known threat signatures, packer patterns, and evasion techniques. A PE inspection tab breaks down the file's headers, sections, imported functions grouped by risk level, security mitigations such as address space layout randomization (ASLR), and a digital signature check. An entropy graph shows the distribution of randomness across sections, so encrypted or packed regions stand out visually. A built-in disassembler shows the instructions at the file's entry point, and a hex dump viewer exposes the raw bytes. The tool also extracts and categorises strings from the binary, automatically decoding Base64-encoded strings and flagging IP addresses, URLs, and registry keys. A separate check looks for data appended past the last section (an overlay), a technique some installers and droppers use to carry a hidden payload; legitimate self-extracting installers and Authenticode certificate tables also live in the overlay, so a hit there is a prompt to inspect rather than proof of anything.

For automated pipelines, a command-line mode (hacksguard --json) outputs the full analysis as JSON instead of drawing the terminal UI, which makes it usable in SIEM or SOAR integrations. Installation requires Rust and Cargo to compile from source, or Nixpkgs for NixOS users. The VirusTotal lookup feature requires a separate API key. The project is released under the MIT license.
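The three static checks described above (per-section entropy, appended-data detection, and string extraction with Base64 decoding and IOC tagging), as an added example written for this page rather than taken from HacksGuard: a standard-library Python script (Python instead of the project's Rust, for brevity) that walks the PE section table by hand, runs the checks on a constructed, non-executable sample PE, and reports what it finds. The sample's section names, the 198.51.100.7 URL, the registry key, and the 7.0 entropy threshold are assumptions made for the demo, not values from the tool, and the script does not reproduce HacksGuard's risk scoring.

```python
import base64
import math
import random
import re
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes.
    Packed or encrypted sections usually exceed ~7.0; plain x86 code is ~5.5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes):
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table;
    returns (name, raw_offset, raw_size, entropy) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                 # 40-byte IMAGE_SECTION_HEADERs follow
    out = []
    for hdr in range(table, table + 40 * num_sections, 40):
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, raw_ptr, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return out

def overlay(pe: bytes, sections) -> bytes:
    """Bytes past the last section's raw data: appended data the loader never maps."""
    end = max((ptr + size for _, ptr, size, _ in sections), default=0)
    return pe[end:]

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
IOC_PATTERNS = {                                 # triage hints, not proof: ipv4 also matches version strings
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"HK(?:LM|CU|CR|U|CC)\\[^\s\"']+|HKEY_[A-Z_]+\\[^\s\"']+"),
}

def try_base64(s: str):
    """Decode only base64-shaped strings whose plaintext is printable ASCII, so
    ordinary identifiers that happen to be valid base64 are left alone."""
    if len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def extract_iocs(data: bytes):
    """Categorised IOCs found in printable strings and in their base64 decodes."""
    found = {k: set() for k in IOC_PATTERNS}
    for m in STRING_RE.finditer(data):
        s = m.group().decode("ascii")
        for text in filter(None, (s, try_base64(s))):
            for cat, rx in IOC_PATTERNS.items():
                found[cat].update(rx.findall(text))
    return {k: sorted(v) for k, v in found.items()}

def triage(pe: bytes):
    secs = parse_sections(pe)
    extra = overlay(pe, secs)
    return {"sections": secs,
            "packed_hint": any(e > 7.0 for *_, e in secs),  # 7.0 is a rule of thumb, not HacksGuard's threshold
            "overlay_bytes": len(extra), "overlay_entropy": shannon_entropy(extra),
            "iocs": extract_iocs(pe)}

def build_sample_pe(sections, appended=b"") -> bytes:
    """Constructed, non-runnable PE32 image for the demo: DOS stub, COFF header,
    zeroed 224-byte optional header, section table, bodies, then the overlay."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first = raw_ptr = -(-hdr_len // align) * align   # first body on a FileAlignment boundary
    table, bodies = b"", b""
    for name, body in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body
        raw_ptr += len(body)
    header = (dos + b"PE\0\0" + coff + b"\0" * opt_size + table).ljust(first, b"\0")
    return header + bodies + appended

APPENDED = (b"\0" + base64.b64encode(b"http://198.51.100.7/stage2.bin")  # constructed IOCs
            + b"\0HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0")
SAMPLE = build_sample_pe([(b".text", bytes(i % 16 for i in range(0x400))),                 # entropy exactly 4.0
                          (b"UPX1", bytes(random.Random(1337).choices(range(256), k=0x400)))],  # packer-like, ~7.8
                         appended=APPENDED)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it directly to print the per-section entropies, the overlay size and the IOCs recovered from the overlay; for a real file, pass open(path, "rb").read() to triage(). The Base64 step only accepts decodes that are printable ASCII, which is the cheapest guard against "decoding" identifiers that merely look like Base64. A fuller triage pass would also read the Security data directory so that an Authenticode certificate table in the overlay is not mistaken for a dropped payload.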

Copy-paste prompts

Prompt 1
I have a suspicious Windows .exe file. Walk me through using HacksGuard to analyze it: what does each tab show and how do I interpret the risk score?
Prompt 2
How does HacksGuard's entropy graph work? What does high entropy in a PE section indicate and how does the sparkline visualization help spot packed malware?
Prompt 3
I want to load my own YARA rules into HacksGuard to detect a specific threat family. Where do I put the rule files and how does the YARA scan tab display results?
Prompt 4
Show me how to run HacksGuard in JSON output mode and explain what fields are included in the report for use in a SIEM integration.

Frequently asked questions

What is hacksguard?

A terminal UI malware analysis tool for Windows PE files that runs YARA scanning, entropy analysis, deep structure parsing, and heuristic risk scoring in a fast Rust implementation.

What language is hacksguard written in?

Rust. The stack also includes YARA (rules scanned with the boreal engine), ratatui for the terminal UI, goblin for binary parsing, and iced-x86 for disassembly.

What license does hacksguard use?

MIT license: use freely for any purpose, including commercial use, as long as you keep the copyright notice.

How hard is hacksguard to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is hacksguard for?

Ops and DevOps teams, according to the audience tag, although the use cases above (malware triage, threat hunting, JSON output for CI and SIEM/SOAR pipelines) suit SOC analysts and malware researchers just as well.


Verify against the repo before relying on details.