x64dbg-skills

Claude Code plugin providing skills for x64dbg debugger automation.

Skills

`/state-snapshot`

Captures a full debuggee state snapshot to disk for offline analysis:

All committed memory regions as raw binary files
Complete processor state (registers) as JSON

`/state-diff`

Compares two state snapshots to identify what changed between two points in time:

Register changes (instruction pointer advancement, stack movement, flags, etc.)
Memory region modifications (stack writes, heap mutations, code changes)
Synthesized narrative explaining what the program did between snapshots

`/decompile`

Decompiles a function to C-like pseudocode using angr:

Decompiles the function at the current instruction pointer if no address is specified
Accepts a specific address or symbol as an argument
Tries multiple decompiler strategies for best results
Suggests nearby functions if the specified address isn't a function entry

`/yara-sigs`

Scans snapshot memory dumps with YARA signatures from the x64dbg yarasigs database:

Automatically clones the yarasigs repo (including Yara-Rules and citizenlab submodules) on first use
Scan categories: packers & compilers, crypto constants, anti-debug / anti-VM, or all signatures
Builds on /state-snapshot — uses an existing snapshot or takes a fresh one
Reports matches grouped by rule with memory region addresses and metadata

`/tracealyzer`

Traces execution (into or over calls) for N steps or until a condition is met, then analyzes the recorded instruction log:

Configurable trace mode: step into calls or step over calls
Stop on a max instruction count, an x64dbg expression (e.g. cip == 0x401000), or both
Captures a full instruction log to traces/ with addresses, disassembly, labels, and comments
Summarizes execution flow, hot spots, API calls, loops, and notable patterns
Follow-up actions: annotate key addresses in x64dbg, deeper sub-region analysis, deobfuscation

`/shellcode-analyzer`

Loads, unpacks, and analyzes raw shellcode blobs in x64dbg:

Launches x64dbg with timeout.exe as a sacrificial process (supports 32-bit and 64-bit)
Allocates memory, writes shellcode, and redirects execution with optional NOP sled
Unpacking — identifies and executes decoder stubs (XOR loops, decompression routines, self-modifying code)
Static analysis — disassembly, YARA scanning (/yara-sigs), annotates key addresses with comments and labels
Dynamic analysis — steps through import resolvers, inspects decoded payloads/strings/C2 configs
Produces annotated shellcode in x64dbg and optional markdown reports

`/find-oep`

Smart trace-based OEP finder for packed/protected PE executables:

Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic detection (section transitions, stack restoration, compiler entry patterns, IAT population)
Handles common packers (UPX, ASPack, MPRESS, PECompact, Themida, VMProtect, Enigma) and unknown/custom packers
Detects and evades anti-debug techniques: PEB flags, timing checks, hardware BP detection, exception tricks, self-checksums
Leverages /yara-sigs for packer identification and /state-snapshot for memory capture at OEP
Leaves the debugger paused at the OEP with a state snapshot for downstream analysis or PE reconstruction

`/vuln-hunter`

Hunts for vulnerabilities in a running debuggee through systematic analysis:

Reconnaissance — enumerates imports/exports, categorizes I/O functions by attack context (network, file, registry, etc.), and finds cross-references to dangerous sinks
Triage — ranks code paths by attacker reachability and sink severity, presents a prioritized attack surface map
Bug hunting — iteratively analyzes target functions for buffer overflows, integer wraps, format strings, logic flaws; generates test inputs and observes behavior under the debugger
PoC development — builds proof-of-concept Python scripts that demonstrate impact (crash, info leak, code execution)
Leverages /decompile for complex functions and /tracealyzer for execution tracing
Produces annotated targets in x64dbg and optional markdown vulnerability reports

Prerequisites

x64dbg and x64dbg Automate installed
x64dbg MCP server configured in Claude Code
Python 3 with the x64dbg_automate pip package installed:
```
pip install x64dbg_automate[mcp] --upgrade
```
For the /decompile skill: angr (Python >= 3.10):
```
pip install angr
```
For the /yara-sigs skill: yara-python and Git:
```
pip install yara-python
```
For the /vuln-hunter skill: LIEF for static PE analysis:
```
pip install lief
```

Installation

Add the marketplace and install the plugin:

/plugin marketplace add dariushoule/x64dbg-skills
/plugin install x64dbg-skills

Updating

To update to the latest version:

/plugin install x64dbg-skills

Usage

A decent guide that gives good ideas on how to use these skills: Cooking with x64dbg and MCP

License

MIT

x64dbg-skills

Claude Code plugin providing skills for x64dbg debugger automation.

Skills

`/state-snapshot`

Captures a full debuggee state snapshot to disk for offline analysis:

All committed memory regions as raw binary files
Complete processor state (registers) as JSON

`/state-diff`

Compares two state snapshots to identify what changed between two points in time:

Register changes (instruction pointer advancement, stack movement, flags, etc.)
Memory region modifications (stack writes, heap mutations, code changes)
Synthesized narrative explaining what the program did between snapshots

`/decompile`

Decompiles a function to C-like pseudocode using angr:

Decompiles the function at the current instruction pointer if no address is specified
Accepts a specific address or symbol as an argument
Tries multiple decompiler strategies for best results
Suggests nearby functions if the specified address isn't a function entry

`/yara-sigs`

Scans snapshot memory dumps with YARA signatures from the x64dbg yarasigs database:

Automatically clones the yarasigs repo (including Yara-Rules and citizenlab submodules) on first use
Scan categories: packers & compilers, crypto constants, anti-debug / anti-VM, or all signatures
Builds on /state-snapshot — uses an existing snapshot or takes a fresh one
Reports matches grouped by rule with memory region addresses and metadata

`/tracealyzer`

Traces execution (into or over calls) for N steps or until a condition is met, then analyzes the recorded instruction log:

Configurable trace mode: step into calls or step over calls
Stop on a max instruction count, an x64dbg expression (e.g. cip == 0x401000), or both
Captures a full instruction log to traces/ with addresses, disassembly, labels, and comments
Summarizes execution flow, hot spots, API calls, loops, and notable patterns
Follow-up actions: annotate key addresses in x64dbg, deeper sub-region analysis, deobfuscation

`/shellcode-analyzer`

Loads, unpacks, and analyzes raw shellcode blobs in x64dbg:

Launches x64dbg with timeout.exe as a sacrificial process (supports 32-bit and 64-bit)
Allocates memory, writes shellcode, and redirects execution with optional NOP sled
Unpacking — identifies and executes decoder stubs (XOR loops, decompression routines, self-modifying code)
Static analysis — disassembly, YARA scanning (/yara-sigs), annotates key addresses with comments and labels
Dynamic analysis — steps through import resolvers, inspects decoded payloads/strings/C2 configs
Produces annotated shellcode in x64dbg and optional markdown reports

`/find-oep`

Smart trace-based OEP finder for packed/protected PE executables:

Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic detection (section transitions, stack restoration, compiler entry patterns, IAT population)
Handles common packers (UPX, ASPack, MPRESS, PECompact, Themida, VMProtect, Enigma) and unknown/custom packers
Detects and evades anti-debug techniques: PEB flags, timing checks, hardware BP detection, exception tricks, self-checksums
Leverages /yara-sigs for packer identification and /state-snapshot for memory capture at OEP
Leaves the debugger paused at the OEP with a state snapshot for downstream analysis or PE reconstruction

`/vuln-hunter`

Hunts for vulnerabilities in a running debuggee through systematic analysis:

Reconnaissance — enumerates imports/exports, categorizes I/O functions by attack context (network, file, registry, etc.), and finds cross-references to dangerous sinks
Triage — ranks code paths by attacker reachability and sink severity, presents a prioritized attack surface map
Bug hunting — iteratively analyzes target functions for buffer overflows, integer wraps, format strings, logic flaws; generates test inputs and observes behavior under the debugger
PoC development — builds proof-of-concept Python scripts that demonstrate impact (crash, info leak, code execution)
Leverages /decompile for complex functions and /tracealyzer for execution tracing
Produces annotated targets in x64dbg and optional markdown vulnerability reports

Prerequisites

x64dbg and x64dbg Automate installed
x64dbg MCP server configured in Claude Code
Python 3 with the x64dbg_automate pip package installed:
```
pip install x64dbg_automate[mcp] --upgrade
```
For the /decompile skill: angr (Python >= 3.10):
```
pip install angr
```
For the /yara-sigs skill: yara-python and Git:
```
pip install yara-python
```
For the /vuln-hunter skill: LIEF for static PE analysis:
```
pip install lief
```

Installation

Add the marketplace and install the plugin:

/plugin marketplace add dariushoule/x64dbg-skills
/plugin install x64dbg-skills

Updating

To update to the latest version:

/plugin install x64dbg-skills

Usage

A decent guide that gives good ideas on how to use these skills: Cooking with x64dbg and MCP

License

MIT

x64dbg-skills

x64dbg-skills

Skills

`/state-snapshot`

`/state-diff`

`/decompile`

`/yara-sigs`

`/tracealyzer`

`/shellcode-analyzer`

`/find-oep`

`/vuln-hunter`

Prerequisites

Installation

Updating

Usage

License

Related Skills

x64dbg-skills

x64dbg-skills

Skills

`/state-snapshot`

`/state-diff`

`/decompile`

`/yara-sigs`

`/tracealyzer`

`/shellcode-analyzer`

`/find-oep`

`/vuln-hunter`

Prerequisites

Installation

Updating

Usage

License

Related Skills