Skip to content

seifreed/r2inspect

Repository files navigation

r2inspect

r2inspect

Advanced malware analysis tool powered by radare2 and r2pipe

PyPI Version Python Versions License CI Status Coverage

GitHub Stars GitHub Issues Buy Me a Coffee


Overview

r2inspect is a professional malware analysis framework that automates deep static inspection for PE, ELF, and Mach-O binaries using the radare2 ecosystem. It combines format parsing, detection heuristics, and rich reporting to support reverse engineers, incident responders, and threat analysts.

Key Features

Feature Description
Multi-format Support PE, ELF, Mach-O format detection and analysis
String Analysis ASCII/Unicode extraction with filtering and decoding
Packer Detection Evidence-based scoring with entropy and signature checks
Crypto Detection API and constant analysis with confidence scoring
Anti-Analysis Anti-debug/VM/sandbox indicators with evidence
Hashing Suite MD5/SHA, SSDeep, TLSH, MACHOC, RichPE, Telfhash, SimHash
Metadata Analysis Sections, imports, exports, resources, overlays
YARA Integration Built-in and custom rule scanning
Rich Output Console tables, JSON, and CSV exports

Supported Formats

Windows  PE32 / PE32+ / DLL
Linux    ELF32 / ELF64
macOS    Mach-O / Universal

Installation

From PyPI (Recommended)

pip install r2inspect

From Source

git clone https://github.com/seifreed/r2inspect.git
cd r2inspect
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .

Requirements

  • Python 3.13+
  • radare2 installed and in PATH
  • libmagic (for file type detection)

Quick Start

# Basic analysis with rich console output
r2inspect samples/fixtures/hello_pe.exe

# JSON output
r2inspect -j samples/fixtures/hello_pe.exe

# CSV output
r2inspect -c samples/fixtures/hello_pe.exe

Usage

Command Line Interface

# Full analysis
r2inspect malware.exe

# Save output to file
r2inspect -j malware.exe -o analysis.json

# Analyze a directory (batch mode)
r2inspect --batch ./samples -j -o ./out

# Custom YARA rules
r2inspect --yara /path/to/rules malware.exe

Available Options

Option Description
-i, --interactive Interactive analysis shell
-j, --json Output in JSON format
-c, --csv Output in CSV format
-o, --output Output file or directory
--batch Batch mode for directories
--extensions Filter batch by extensions
--yara Custom YARA rules directory
-x, --xor XOR search string
-v, --verbose Verbose output
--quiet Suppress non-critical output
--threads Parallel threads for batch mode

Python Library

from r2inspect import create_inspector
from r2inspect.config import Config

config = Config()
with create_inspector("malware.exe", config=config) as inspector:
    results = inspector.analyze()
    pe_info = inspector.get_pe_info()
    imports = inspector.get_imports()

Architecture (high level)

Use create_inspector to build a ready-to-run inspector with adapter, registry, and pipeline wiring. The core depends on interfaces; adapters provide r2pipe-backed data access, while analyzers focus on analysis and domain helpers.

CLI -> create_inspector -> R2Inspector -> AnalysisPipeline -> analyzers
                                      -> Adapter (r2pipe) -> radare2

See docs/architecture.md for a short overview of the layers and extension points.


Examples

Analyze Multiple Samples

r2inspect --batch ./samples --extensions "exe,dll" -j -o ./out

Interactive Mode

r2inspect> analyze
r2inspect> strings
r2inspect> imports
r2inspect> quit

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

Support the Project

If you find r2inspect useful, consider supporting its development:

Buy Me A Coffee

License

GNU General Public License v3.0

Attribution Required:


Made with dedication for the reverse engineering and threat intelligence community

About

r2inspect is a professional malware analysis framework that automates deep static inspection for PE, ELF, and Mach-O binaries using the radare2 ecosystem. It combines format parsing, detection heuristics, and rich reporting to support reverse engineers, incident responders, and threat analysts.

Topics

Resources

License

Stars

51 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages