Documentation
Everything you need to build, run, and integrate Hacksguard v0.3.0.
§ Installation
Requires Rust (stable) and Cargo. Clone with submodules to pull the YARA rulesets:
Already cloned without submodules?
The binary lands at target/release/hacksguard.
A package is available in Nixpkgs. Latest releases may only be in the unstable channel.
§ Usage
Point Hacksguard at the binary you want to triage:
A progress gauge shows while the background threads work; the dashboard opens as soon as basic analysis completes. YARA streams its verdict in live, updating the global risk score with an animated spinner.
§ Keyboard shortcuts
§ The nine tabs
When an embedded PE is extracted from an overlay, press e to toggle the dynamic tabs (Headers, Sections, Imports, Disasm) between the parent and the embedded payload.
§ Analysis pipeline
The file is memory-mapped once (memmap2, zero-copy) and analyzed by independent threads. Nothing blocks the UI.
Within basic analysis, rayon parallelizes MD5 / SHA-1 / SHA-256 / byte distribution / string extraction on the same buffer. On Linux, jemalloc is the global allocator for faster YARA heap churn.
§ YARA rules
Signatures load recursively from rules/, tracked as git submodules:
- Compiled rules are cached to
.yara_cachewith SHA-256 fingerprinting — subsequent launches skip recompilation. - Cache validation uses file metadata (size, mtime) for instant startup on large rulesets.
- Any YARA match overrides the risk score to 100 / Critical.
§ CLI / JSON mode
For CI/CD gates and SIEM/SOAR ingestion, skip the TUI entirely:
{
"file": { "name": "sf.exe", "size": 94208, "type": "PE32+ EXE (x86-64)" },
"hashes": { "md5": "9690468b…", "sha256": "aa3516dd…" },
"risk": { "score": 100, "level": "Critical" },
"yara_matches": [ "Windows_Trojan_Adaptix_b2cda978" ],
"detections": [ "indirect_syscalls", "hidden_iat", "peb_walking" ],
"entropy": { "global": 5.4801, "peak": 5.55 }
}