HORUS โ€” The All-Seeing Eye
๐“‚€ the all-seeing eye ยท Windows ยท C++17

Point it at anything. Get a verdict.

One self-contained .exe for Windows malware triage โ€” PE static analysis + live threat-intel enrichment. No Python, no installers, zero dependencies.

Windows x64 C++17 Zero deps MIT License
What is Horus

Hand it anything โ€” it figures out what to do

No flags to memorize. horus <thing> auto-detects what you gave it and runs the right analysis.

a file path
Hashes it (MD5/SHA-1/SHA-256), parses the PE, scores risk, pivots on embedded indicators
a hash
Queries VirusTotal and reports engine detections โ€” MD5, SHA-1 or SHA-256 auto-detected
an IP address
Queries VirusTotal and AbuseIPDB in parallel for reputation & abuse reports
a domain / URL
Queries VirusTotal, reports category, reputation and per-engine verdicts
an email
Queries VirusTotal for associated reputation
Under the hood

Real static analysis, not just a hash lookup

๐Ÿงฎ

Hashing

MD5, SHA-1 and SHA-256 computed via Windows BCrypt/CNG โ€” plus a Mandiant-compatible imphash for family pivoting.

๐Ÿงท

PE parser

PE32 / PE32+ headers, sections and imports โ€” every offset and length bounds-checked, so malformed samples are safe to feed it.

๐ŸŒก๏ธ

Entropy & packing

Per-section Shannon entropy flags packed/encrypted regions and known packers (UPX, Themida, VMProtectโ€ฆ).

๐Ÿง 

Capability scoring

~110 Windows APIs mapped to the capabilities they imply โ€” injection, keylogging, persistence, evasion โ€” and the dangerous combinations.

๐Ÿ›ฐ๏ธ

Intel enrichment

VirusTotal v3 + AbuseIPDB v2 over Windows WinHTTP, fanned out in parallel. Extensible IntelSource interface.

๐Ÿงฉ

JSON + exit codes

--json for SIEM/automation; exit code 1 when a target is suspicious or malicious, so it drops straight into pipelines.

The scoring engine

It interprets imports โ€” it doesn't just list them

Common dual-use APIs (LoadLibrary, CreateProcess) are shown but don't move the score alone. Only rare primitives and dangerous combinations do.

Individual capabilities

Process injection+22
Input capture (keylogger)+20
RWX section+18 ea
Known packer name+16
Persistence+14
Privilege escalation+14
High-entropy section (โ‰ฅ7.2)+12 ea
Screen capture ยท defense evasion+12

Combination bonuses โ€” the important part

Injection + dynamic API resolution+15
Keylogger + networking+15
Crypto + networking (ransomware / C2)+12
โ€ฆcombined with VirusTotal consensus for the final verdictโ†’
0 โ€“ 9
CLEAN

Nothing concerning found.

10 โ€“ 29
LOW RISK

Suspicious imports, no strong signals.

30 โ€“ 59
SUSPICIOUS

Multiple concerning capabilities or combos.

60 โ€“ 100
LIKELY MALICIOUS

Strong evidence of malicious intent.

Get started

No install. Download and run.

Download horus.exe from the Releases page
One file. Put it on your PATH, or just run it from any folder.
.\horus.exe suspicious.exe
Full static PE analysis + hashing โ€” works with no API keys at all.
$env:VT_API_KEY = "โ€ฆ" ; $env:ABUSEIPDB_API_KEY = "โ€ฆ"
Optional: free keys unlock live VirusTotal & AbuseIPDB lookups.
horus 185.220.101.5 --json | jq .verdict
Point it at a hash, IP, domain, URL or email โ€” JSON for automation.
Safety & limitations

Read-only by design

It never runs the sample. Horus only reads bytes โ€” it never executes, modifies, or generates anything.
Malformed samples are safe. The PE parser bounds-checks every offset and length before reading.
A triage aid, not a final verdict. Pair the static score with VirusTotal consensus and, for anything that matters, a sandbox detonation.
Static analysis has limits. Heavily obfuscated samples that resolve imports at runtime score low โ€” that's expected; entropy heuristics only partly compensate.