// ANALYST GUIDE
The same guide that ships inside the TUI (the Guide tab), expanded. Six sections — from the global risk score down to individual string heuristics.
The global score (0–100) estimates the probability that a file is malicious. It is the sum of five weighted axes:
Override rule: any YARA match forces the score to 100 / Critical, regardless of the heuristics. A named signature beats a probability.
Shannon entropy measures data randomness on a 0–8 scale. Compiled code is structured; encrypted or packed code is not.
Tip: if an executable section (.text) shows entropy of 7.9+, the malware is trying to hide.
Overlay: data appended past the end of the declared sections. Droppers and installers commonly stash payloads there — Hacksguard scans overlays for embedded PE files automatically.
A packer compresses or encrypts the executable to defeat static analysis. Not all packing is malicious — but it always deserves a look.
Hacksguard's YARA layer runs Elastic protections-artifacts and Neo23x0 signature-base to identify specific malware families, packers, and evasion techniques by signature.
The Import Address Table reveals which system libraries a binary talks to. Hacksguard groups the dangerous ones:
The inverse also matters: a binary with zero imports is hiding its IAT — expect PEB walking, API hashing, or manual syscalls. Hacksguard raises IAT Spoofing / Hidden IAT and Selective API Obfuscation checks for exactly this.
Indicators that the file was manually manipulated or forged:
Modern EDR evasion bypasses hooked user-mode APIs by invoking the kernel directly. Hacksguard statically detects both flavors with iced-x86:
syscall / sysenter opcodes inside executable sections — the binary carries its own kernel gate.mov eax, SSN followed by jmp/call reg — jumping through ntdll to look legitimate.Detected System Service Numbers are resolved to likely NT API names (e.g. possibly NtProtectVirtualMemory) — marked "possibly" because SSN mappings vary by Windows build. Either detection triggers a Critical alert.