
Brovan Usage

Ezz Aldeen Bayoumi edited this page May 31, 2026 · 3 revisions

Commands and General Usage

This page covers the command-line interface and the interactive shell exposed by the current build. The exact command set can vary slightly between builds, and this page may not be updated every time a command is added or changed, so the help command is the most reliable way to discover what is available in your copy.

Basic syntax

Brovan [options] <path-to-binary> [program arguments...]

Everything before the binary path is treated as a Brovan option. Everything after the binary path is passed to the emulated program as-is.

CLI options

Option            Meaning
-q, --quick       Run in quick mode. Recommended for large binaries and lower memory usage; currently always enabled.
-h, --help        Show the built-in help text.
-s, --silent      Only show standard output coming from the emulated program.
-c, --command     Run commands directly, separated by ;.
--net=<mode>      Set host networking policy: none, loopback (default), or full.
--net-allow=<ip>  Allow a specific IPv4 or IPv6 address in addition to the selected policy.
--no-hooks        Run without hooks except for some essential ones. Useful when you want maximum performance.

Examples

Brovan sample.exe
Brovan --quick sample.exe
Brovan --quick -c "start;showinstrs;run" sample.exe
Brovan --net=none sample.elf
Brovan --silent sample.exe

Interactive shell overview

After the emulator starts, Brovan exposes an interactive command shell. A practical workflow is:

  1. start to initialize the emulator.
  2. modules, regions, or bininfo to inspect the loaded program.
  3. hexdump, disasm, or findstr to inspect memory.
  4. bp and watch to control execution.
  5. step, stepover, run, and continue to drive execution.
  6. dumpregs, threads, handles, syscall, and calltrace to inspect runtime state.

Core shell commands (not all)

Command                                                      Aliases           What it does
help [command]                                               ?, commands       Show available commands or details for one command.
start                                                        -                 Initialize the emulator instance.
run                                                          -                 Run the current thread using the scheduler.
continue                                                     c, cont           Resume emulation from the current instruction pointer.
step                                                         -                 Execute a single instruction.
stepover                                                     -                 Step over a call instruction.
clear                                                        cls               Clear the console output.
exit                                                         quit              Exit the emulator.
showinstrs [module_name|start-end]                           -                 Enable instruction tracing, optionally filtered.
hideinstrs                                                   -                 Disable instruction tracing.
dumpconsole                                                  -                 Dump the current console output.
dumpregs                                                     -                 Print register state.
debug                                                        -                 Toggle debug mode.
set <register> <value>                                       -                 Set a register value.
get <register>                                               -                 Read a register value.
modules                                                      -                 List loaded modules.
regions                                                      -                 List mapped memory regions.
hexdump <address> <size>                                     -                 Dump memory as hex and ASCII.
disasm <address> <size>                                      -                 Disassemble memory at the given address.
findstr <text> [ascii|utf16] [max-results]                   -                 Find ASCII/UTF-16 strings in mapped memory.
map <address> <size>                                         -                 Map memory at an address. Use 0 for auto.
memwrite <addr> <hex-bytes|file_path>                        -                 Write bytes or assembled instruction bytes.
gpatch <addr> <hex-bytes|file_path>                          -                 Apply a ghost patch.
parse_struct <address> <struct_name>                         -                 Parse and display a Windows structure.
write_struct [address] <struct_name> <field=value&...>       -                 Write a Windows structure to memory.
bininfo [summary|functions|exports|imports|sections|dotnet]  binaryinfo        Show parsed binary metadata.
checkprot <address>                                          -                 Show memory protection for an address.
ldrplog <address>|off|once                                   -                 Decode internal ntdll loader log calls.
snap                                                         -                 Take an emulator snapshot.
restore                                                      -                 Restore the last snapshot.
funcmon <address|symbol> [cc] [arg_types...]                 -                 Monitor function enter/leave with parameters.
pcap <on|off|status> [path]                                  netdump, capture  Dump emulated network traffic to a pcap file.

Command families

Breakpoints

bp <add|del|list|clear>

Common forms:

bp add <address> [condition]
bp del <address>
bp list
bp clear

Alias: break

Watchpoints

watch <add|del|list|clear>

Common forms:

watch add <read|write|fetch|access> <address> [size]
watch del <id>
watch list
watch clear

Alias: wp

Threads

threads <list|info|switch|suspend|resume|kill|priority|rename|regs>

Alias: thread, t

Common forms:

threads info <tid|current>
threads regs <tid|current>
threads switch <tid>
threads suspend <tid|current|all>
threads resume <tid|current|all>
threads kill <tid|current|all> [exit_code]
threads priority <tid|current> <0-31>
threads rename <tid|current> <name>

Handles and file descriptors

handles <list|info|refs|inspect|close|flags|access|target|dup|set|setraw>

Aliases: handle, fds, fd

Common forms:

handles info <handle|fd>
handles refs <handle|fd>
handles inspect <handle|fd>
handles close <handle|fd> [force]
handles flags <handle|fd> <inherit|protect|cloexec|nonblock> <on|off>
handles access <windows_handle> <mask|AccessMaskName[|...]>
handles target <target_handle|fd> <source_handle|fd> [copyattrs]
handles dup <source_handle|fd> [minimum_fd] [copyattrs]
handles path <handle|fd> <new_path>
handles offset <handle|fd> <offset>
handles setraw <handle|fd> <field_or_property> <value>
handles set <handle|fd> <field> <value>

Syscalls

syscall <list|last|failed|tid|name|contains|export|clear|trace|rule|rules>

Alias: syscalls

Common forms:

syscall trace [on|off]
syscall tid <id> [count]
syscall name <text> [count]
syscall number <nr> [count]
syscall rip <address> [count]
syscall contains <text> [count]
syscall info <sequence>
syscall export <path> [json|csv|txt]
syscall rule add <name|number> <allow|deny|modify> [options]
syscall rule remove <id|name>

Call tracing and stack inspection

calltrace <on|off|clear|list|depth>
callstack [thread_id] [max_frames]

Aliases: ct (calltrace), bt (callstack)

Function monitoring

funcmon <address|symbol> [cc] [arg_types...]

Useful companion forms:

funcmon del <address|symbol>
funcmon clear
funcmon help

Pcap capture

pcap <on|off|status> [path]

Examples:

pcap on out.pcap
pcap status
pcap off

Address and symbol syntax

Brovan uses the same address parser across most commands that accept addresses, including breakpoints, watches, function monitors, and memory tools.

Numeric input

  • 123456 → parsed as decimal
  • 0x1E240 → parsed as hexadecimal

Bare hex without the 0x prefix is not treated as hex, so use 0x when you want to enter an address in hex.

Symbol and module syntax

Brovan can also resolve several symbol-style forms:

  • module!export
    Resolves an exported function inside a loaded PE module.
  • module!export+0x20
    Resolves an export and adds an offset.
  • module+0x1234
    Resolves a module base plus an offset.
  • module#Sections!.text
    Resolves the virtual address of a section.
  • module#OptionalHeader!ImageBase
    Resolves a field inside the module’s optional header.
  • module#DataDirectory!Import
    Resolves a data directory entry by name.
  • module#DataDirectory!12
    Resolves a data directory entry by index.

Symbol lookups are case-insensitive.

Built-in base names

These names can also be used as address bases:

  • PEB / _PEB
  • TEB / _TEB
  • ProcessParams / RTL_USER_PROCESS_PARAMETERS / _RTL_USER_PROCESS_PARAMETERS
  • KUSER_SHARED_DATA / KUSER

Examples:

hexdump PEB 0x100
disasm ntdll.dll!RtlAllocateHeap 0x80
bp add kernel32.dll!CreateFileW
funcmon ntdll.dll!NtOpenFile
watch add write 0x401000 0x10

Notes

  • Use help first when you are unsure about a command.
  • Brovan options must come before the target binary path.
  • Everything after the binary path is passed to the emulated program unchanged.
  • Network behavior is controlled by policy. --net=none is the safest choice for unknown samples.
  • --command/-c is useful for scripting repeatable sessions, especially when you want to combine startup, tracing, and execution into one run.
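
A small wrapper makes the ordering and networking notes above hard to get wrong in repeatable sessions. This is an added example, not part of Brovan; build_argv, split_argv and render are hypothetical helpers, and split_argv assumes -c/--command is the only option that takes its value as a separate argument, as in the example on this page.

```python
import ipaddress
import shlex

NET_MODES = {"none", "loopback", "full"}   # values of --net listed on this page

def build_argv(binary, commands, program_args=(), net="none", net_allow=(), silent=False):
    """Build a Brovan argv: options first, then the binary, then program arguments."""
    if net not in NET_MODES:
        raise ValueError(f"unknown --net mode: {net!r}")
    argv = ["Brovan", f"--net={net}"]
    for addr in net_allow:
        # The page documents a single IPv4 or IPv6 address per --net-allow;
        # ip_address() raises ValueError for hostnames and CIDR ranges.
        argv.append(f"--net-allow={ipaddress.ip_address(addr)}")
    if silent:
        argv.append("--silent")
    if commands:
        for cmd in commands:
            # ';' separates commands for -c, so it cannot appear inside one command.
            if ";" in cmd or not cmd.strip():
                raise ValueError(f"invalid shell command: {cmd!r}")
        argv += ["-c", ";".join(c.strip() for c in commands)]
    # Everything after the binary path goes to the emulated program unchanged.
    return argv + [binary, *program_args]

def split_argv(argv):
    """Split a Brovan argv into (options, binary, program_args) for review or logging."""
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        # Assumption: only -c/--command consumes the following token as its value.
        i += 2 if argv[i] in ("-c", "--command") else 1
    if i >= len(argv):
        raise ValueError("no binary path found")
    return argv[1:i], argv[i], argv[i + 1:]

def render(argv):
    """Quote the argv for a POSIX shell so the exact session can be recorded."""
    return shlex.join(argv)

# Constructed sample: a flag placed after the binary is a program argument,
# so the networking policy of this session stays at --net=none.
SAMPLE = build_argv("sample.exe", ["start", "showinstrs", "run"],
                    program_args=["--net=full"])
```

Splitting SAMPLE with split_argv shows --net=full among the program arguments rather than the Brovan options, which is the case to look for when reviewing someone else's command line.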