RESX

Windows Binary Analysis & Reverse Engineering Toolkit

RESX is a Windows binary analysis toolkit for PE inspection, export/import analysis, PDB-backed symbols, targeted disassembly, pseudo-C reconstruction, CFG recovery, startup-flow reconstruction, triage, structural diffing, corpus indexing, sample hunting, YARA scanning, and native DLL/FFI integration.

It ships as:

• A Rust CLI (resx.exe) for terminal and automation workflows.
• A VS Code binary viewer for .exe, .dll, and .sys files.
• A native DLL/FFI surface for host applications that want RESX analysis in-process.

Documentation

• CLI documentation
• VS Code extension documentation
• DLL / FFI integration
• Analysis surfaces
• JSON schemas

What RESX Does

• PE metadata, section, data directory, debug, CLR, TLS, load config, signer/version, and anomaly inspection.
• Export Address Table and Import Address Table browsing.
• Export and PDB symbol loading, type browsing, and symbol-backed navigation.
• Targeted disassembly by name, RVA, or ordinal.
• C-like reconstruction for selected functions.
• Basic CFG rendering for selected targets.
• Startup flow reconstruction from entry point, TLS callbacks, thread/workpool callbacks, import calls, indirect edges, and x64 unwind/exception-handler evidence.
• Static triage with hook/thunk indicators, string references, API call maps, and suspicious control-flow hints.
• Hostile-mode tracing for packed or deliberately confusing binaries.
• Reverse caller tracing across priority modules and custom scan scopes.
• Structural diffing, CFG diff views, code/control heatmaps, corpus indexing, and sample hunting.
• Folder scanning with fuzz target candidate ranking.
• YARA scanning.
• Versioned JSON output for automation.

Build The CLI

cargo build --release

Run:

.\target\release\resx.exe help
.\target\release\resx.exe version

Common commands:

resx dump <image> <function>
resx dump <image> --at <rva>
resx cfg <image> <function>
resx reconstruct-cfg <image>
resx intelli <image> [function]
resx peinfo <image>
resx sections <image>
resx eat <image>
resx iat <image>
resx syms <image>
resx types <image> [query]
resx callers <image> <function>
resx locate <name>
resx locate-sym <name>
resx scan <path>
resx diff <old-image> <new-image>
resx index <dir-or-image> --db <file>
resx hunt <sample> --db <file>
resx yara <image> <rule.yar>

See docs/cli.md for the full command and option reference.

Install The VS Code Extension

cd resx-vscode
npm install
npm run compile
npm run package

Install the generated .vsix with:

Extensions: Install from VSIX...

The extension contributes a custom editor for Windows binaries and command-palette workflows:

• RESX: Refresh Binary Analysis
• RESX: Locate
• RESX: Locate Symbol
• RESX: Dump
• RESX: Reconstruct CFG
• RESX: Scan Folder

The viewer includes Overview, Entry, Triage, Sections, Exports, Imports, Symbols, Types, Flow, Scan, Dump, and Dev tabs.

See docs/vscode-extension.md for build, packaging, settings, trust model, and workflow details.

Use The DLL / FFI

Build the DLL:

cargo build -p resx --release

Use the public header:

resx/include/resx.h

Example C call:

#include "resx.h"

char *json = NULL;
int status = RsxPeInfo(
    "C:\\Windows\\System32\\kernel32.dll",
    "{\"no_pdb\":true}",
    &json
);

if (json) {
    /* parse or print json */
    RsxFreeString(json);
}

See docs/dll.md for exported functions, status codes, option JSON, output envelopes, memory ownership, and smoke-test instructions.

Screenshots

VS Code Binary Viewer

Command Palette Workflows

JSON Automation

Use --json for machine-readable output:

resx peinfo .\sample.dll --json
resx dump .\sample.dll DllMain --json
resx reconstruct-cfg .\sample.dll --json
resx scan .\samples --json
resx diff .\old.dll .\new.dll --json

Where possible, RESX emits versioned JSON envelopes. Consumers should tolerate additional fields across releases.

Development Checks

Before pushing Rust changes:

cargo fmt -p resx -- --check
cargo clippy -p resx --all-targets -- -D warnings
cargo test -p resx

Before pushing VS Code extension changes:

cd resx-vscode
npx tsc -p ./ --noEmit
npx tsc -p ./tsconfig.webview.json --noEmit
node --experimental-default-type=module ./test/run-tests.mjs

Before packaging the extension:

cd resx-vscode
npm run compile
npm run package

resx-vscode/bin/, target/, target-codex/, generated packages, and local signing/build artifacts are ignored by git.

Repository Layout

resx/                 Rust CLI, library, FFI, analyzers, and tests
resx/include/         Public C header for DLL/FFI users
resx-vscode/          VS Code extension source and webview assets
docs/                 CLI, VS Code, DLL, schema, and analysis docs
examples/             FFI smoke-test examples
resx-palace/          Test/sample binaries used by RESX integration tests
media/                README screenshots

Notes

RESX analysis is static best-effort evidence. Runtime dispatch, obfuscation, dynamically generated code, packed images, and data-dependent control flow can make static results incomplete. Use hostile-mode and startup-flow reconstruction as investigation aids, not as proof of runtime behaviour.