x64dbg-skills

x64dbg-skills

Claude Code plugin providing skills for x64dbg debugger automation.

Skills

/state-snapshot

Captures a full debuggee state snapshot to disk for offline analysis:

• All committed memory regions as raw binary files
• Complete processor state (registers) as JSON

/state-diff

Compares two state snapshots to identify what changed between two points in time:

• Register changes (instruction pointer advancement, stack movement, flags, etc.)
• Memory region modifications (stack writes, heap mutations, code changes)
• Synthesized narrative explaining what the program did between snapshots

/decompile

Decompiles a function to C-like pseudocode using angr:

• Decompiles the function at the current instruction pointer if no address is specified
• Accepts a specific address or symbol as an argument
• Tries multiple decompiler strategies for best results
• Suggests nearby functions if the specified address isn't a function entry

/yara-sigs

Scans snapshot memory dumps with YARA signatures from the x64dbg yarasigs database:

• Automatically clones the yarasigs repo (including Yara-Rules and citizenlab submodules) on first use
• Scan categories: packers & compilers, crypto constants, anti-debug / anti-VM, or all signatures
• Builds on /state-snapshot — uses an existing snapshot or takes a fresh one
• Reports matches grouped by rule with memory region addresses and metadata

/tracealyzer

Traces execution (into or over calls) for N steps or until a condition is met, then analyzes the recorded instruction log:

• Configurable trace mode: step into calls or step over calls
• Stop on a max instruction count, an x64dbg expression (e.g. cip == 0x401000), or both
• Captures a full instruction log to traces/ with addresses, disassembly, labels, and comments
• Summarizes execution flow, hot spots, API calls, loops, and notable patterns
• Follow-up actions: annotate key addresses in x64dbg, deeper sub-region analysis, deobfuscation

/shellcode-analyzer

Loads, unpacks, and analyzes raw shellcode blobs in x64dbg:

• Launches x64dbg with timeout.exe as a sacrificial process (supports 32-bit and 64-bit)
• Allocates memory, writes shellcode, and redirects execution with optional NOP sled
• Unpacking — identifies and executes decoder stubs (XOR loops, decompression routines, self-modifying code)
• Static analysis — disassembly, YARA scanning (/yara-sigs), annotates key addresses with comments and labels
• Dynamic analysis — steps through import resolvers, inspects decoded payloads/strings/C2 configs
• Produces annotated shellcode in x64dbg and optional markdown reports

/find-oep

Smart trace-based OEP finder for packed/protected PE executables:

• Traces through packer stubs using intelligent stepping, anti-debug evasion, and heuristic detection (section transitions, stack restoration, compiler entry patterns, IAT population)
• Handles common packers (UPX, ASPack, MPRESS, PECompact, Themida, VMProtect, Enigma) and unknown/custom packers
• Detects and evades anti-debug techniques: PEB flags, timing checks, hardware BP detection, exception tricks, self-checksums
• Leverages /yara-sigs for packer identification and /state-snapshot for memory capture at OEP
• Leaves the debugger paused at the OEP with a state snapshot for downstream analysis or PE reconstruction

/vuln-hunter

Hunts for vulnerabilities in a running debuggee through systematic analysis:

• Reconnaissance — enumerates imports/exports, categorizes I/O functions by attack context (network, file, registry, etc.), and finds cross-references to dangerous sinks
• Triage — ranks code paths by attacker reachability and sink severity, presents a prioritized attack surface map
• Bug hunting — iteratively analyzes target functions for buffer overflows, integer wraps, format strings, logic flaws; generates test inputs and observes behavior under the debugger
• PoC development — builds proof-of-concept Python scripts that demonstrate impact (crash, info leak, code execution)
• Leverages /decompile for complex functions and /tracealyzer for execution tracing
• Produces annotated targets in x64dbg and optional markdown vulnerability reports

Prerequisites