36 repositorios
Libraries and utilities for inspecting, disassembling, and extracting information from compiled binary files.
Distinguishing note: This category focuses on low-level binary inspection and code extraction, distinct from general-purpose system administration or security auditing.
Explore 36 awesome GitHub repositories matching operating systems & systems programming · Binary Analysis Tools. Refine with filters or upvote what's useful.
Jadx is a comprehensive Java decompilation suite designed to transform compiled binary application files into readable source code. It functions as a static analysis workbench, providing a graphical interface for navigating, searching, and inspecting the internal logic of complex software packages. By utilizing a bytecode-to-Java pipeline, the project reconstructs high-level logical structures from low-level binary instructions, making it a primary tool for Android application reverse engineering. The project distinguishes itself through a sophisticated control flow reconstruction engine and
Provides core components for embedding automated binary-to-source extraction into custom software.
This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory
Provides a comprehensive environment for reverse engineering by monitoring memory and registers.
This project is a comprehensive technical knowledge base designed to support developers in mastering systems programming and preparing for technical assessments. It provides a structured collection of fundamental computer science concepts, mapping high-level language constructs to low-level hardware memory layouts, runtime object lifecycles, and system-level operations. The repository distinguishes itself through a hierarchical approach that bridges the gap between theoretical principles and practical implementation. It offers detailed guidance on C++ language mechanisms, standard library usa
Documents cross-language interoperability and library linking mechanisms to ensure consistent communication between compiled modules.
RevokeMsgPatcher is a binary patching utility designed to modify the execution logic of desktop messaging applications. By applying low-level changes to compiled executable files and libraries, the tool enables functionality not natively supported by the original software, specifically focusing on message persistence and process management. The utility distinguishes itself through targeted binary instrumentation and control flow redirection. It identifies specific function patterns and memory offsets within proprietary software to inject custom assembly instructions. These modifications allow
Identifies specific memory offsets and function patterns within software to locate target code blocks.
dnSpy is a specialized toolset for the reverse engineering, analysis, and modification of compiled .NET binaries. It functions as a decompiler that converts assemblies back into readable high-level source code, an assembly editor for modifying bytecode and metadata, and a debugger for inspecting compiled binaries. The project integrates a hex editor specifically for inspecting and modifying raw bytes and Common Intermediate Language structures. It allows for the direct modification of binary contents to change application behavior without requiring the original project source files. The tool
Inspects compiled binaries to understand application logic and execution flow when original source code is missing.
dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, s
Provides a comprehensive toolkit for exploring internal organization of compiled software.
radare2 is a reverse engineering framework and binary analysis toolset. It functions as a multi-architecture disassembler, low-level binary debugger, and hexadecimal editor for inspecting executable structures and interpreting machine code when original source files are unavailable. The framework provides capabilities for decompiling machine instructions, performing symbolic analysis, and diffing binary files to identify structural changes across versions. It also includes a digital forensic analyzer and disk analyzer for browsing filesystem formats in userland. The toolset supports binary p
Ships a comprehensive toolset for inspecting, disassembling, and extracting information from compiled binary files.
Radare2 is a comprehensive framework for reverse engineering and analyzing compiled software. It provides a command-line environment designed for disassembling, debugging, and patching binary executables across a wide range of processor architectures and operating systems. The system distinguishes itself through a modular, plugin-based architecture that supports cross-platform analysis and automated workflows. It utilizes memory-mapped file access to enable efficient structural inspection and modification of binaries without requiring full file loads. By lifting machine instructions into a un
Examines file formats to identify symbols, strings, and function entry points for mapping internal binary layouts.
BCC is an eBPF development toolkit and tracing framework used for monitoring and analyzing the Linux kernel. It functions as a performance analysis tool and debugging utility to capture system events, measure kernel latency, and provide network observability. The project distinguishes itself by providing a build system that integrates with LLVM to compile C-like code into BPF bytecode at runtime. It utilizes BPF Type Format data for relocations to maintain cross-kernel compatibility and extracts kernel headers to ensure the generated programs match the specific kernel version. The toolkit co
Implements runtime relocation logic using BPF Type Format data to ensure cross-kernel compatibility.
Frida is a dynamic binary instrumentation toolkit that provides a framework for deep process introspection and live application state manipulation. It enables the injection of custom scripts into running processes to trace function calls, modify memory, and analyze application behavior in real-time across diverse operating systems and processor architectures. The project distinguishes itself by embedding a high-performance JavaScript engine directly within the target process, allowing for the execution of user-defined logic for real-time inspection. It utilizes instruction-level hooking to re
Provides mechanisms for dynamically adjusting memory addresses and registers to ensure stability during cross-architecture binary injection.
Cutter is a binary analysis platform and graphical user interface for the Rizin reverse engineering framework. It provides an environment for analyzing the internal logic and data structures of compiled binaries through integrated disassembly and visualization. The platform supports a containerized deployment model to provide isolated environments for binary analysis, which is used to examine suspicious binaries without risking the host system. It is an extensible security tool that allows for the addition of custom analysis capabilities and visualizers via native plugins and scripts. The to
Runs analysis tools inside containers with mapped files to ensure consistent and secure execution.
Mold is a high-performance linker designed to replace standard system tools for the creation of executable binaries and shared libraries. It functions as a drop-in replacement for existing linkers, focusing on accelerating the final build phase of large software projects to improve developer productivity. The tool achieves its performance by utilizing multi-threaded processing to distribute the linking of object files across multiple CPU cores. It supports cross-architecture binary linking, allowing it to process compiled files for diverse platforms efficiently. By intercepting standard linke
Processes compiled object files into executable binaries efficiently across multiple CPU architectures to speed up development cycles.
Pwntools is a Python-based framework designed for rapid prototyping and automation in binary exploitation, reverse engineering, and security research. It serves as a comprehensive toolkit for interacting with local and remote processes, providing the primitives necessary to manage complex exploit workflows and streamline security analysis tasks. The framework distinguishes itself through its specialized capabilities for binary manipulation and automated exploit construction. It includes dedicated utilities for parsing executable file formats, assembling and disassembling machine code, and gen
Offers a suite of tools for parsing, inspecting, and extracting information from compiled binary files.
Detect-It-Easy is a binary file identifier and analysis toolkit designed to determine file formats, compilers, and packers. It functions as a binary file identifier that utilizes signature matching and heuristic analysis to identify executable and archive formats. The project includes a custom file signature engine and a scriptable rule system for defining and applying detection logic to identify specific binary patterns. It features specialized detectors for Android packages, such as APK and DEX files, and a malware packer detector to identify protections, obfuscators, and virus families. T
Offers a comprehensive set of utilities for opcode calculation, debug symbol extraction, and system structure inspection.
YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries. The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence. The engine utilizes Aho-Corasick s
Provides a utility for inspecting the contents of binaries to find indicators of compromise.
Capstone is a multi-architecture disassembly framework and binary analysis engine. It translates raw machine code from various CPU architectures, such as x86, ARM, and RISC-V, into human-readable assembly instructions. The engine distinguishes itself by providing instruction semantic decomposition, which lists implicit registers read and written, and the ability to customize instruction mnemonics to meet specific technical analysis standards. It also features resilient stream disassembly, allowing the process to resynchronize and continue after encountering invalid instructions or embedded da
Decomposes machine instructions into granular semantics and extracts detailed operand and register access information.
Capstone is a multi-architecture disassembly framework and binary translation system. It converts binary machine code into human-readable assembly instructions for a wide variety of hardware instruction set architectures and virtual machines. The framework supports a diverse range of targets, including x86, ARM, RISC-V, and MIPS, as well as virtual machine environments like WebAssembly and the Ethereum Virtual Machine. It functions as an instruction analysis tool capable of extracting granular decomposition data and semantic information from disassembled code. The engine is designed for low-
Provides a lightweight binary analysis engine designed for use in firmware or operating system kernels.
GEF is a Python-based extension for GDB that serves as a framework for binary analysis, exploit development, and low-level debugging. It functions as a dynamic analysis extension designed to assist in reverse engineering workflows and malware analysis by enhancing the debugger's ability to inspect process state and memory. The project is distinguished by its specialized heap analysis tools, which allow for the inspection of glibc heap arenas, bins, and chunks to detect memory corruption. It also provides a dedicated toolkit for exploit development, including cyclic pattern generation for offs
Executes analysis tasks across various CPU architectures using a unified and extensible interface.
N64Recomp is a static recompiler and binary-to-C translator designed to convert Nintendo 64 machine code and MIPS architecture binaries into C source code. This system functions as a game console decompiler that enables the native execution of legacy binaries on modern platforms by eliminating the need for runtime interpreters. The project distinguishes itself by translating specialized RSP microcode into executable source code to replace traditional microcode emulation. It employs a system of relocation macros and lookup tables to resolve relocatable memory overlays and dynamic program secti
Uses relocation macros and lookup tables to resolve dynamic memory addresses for relocatable program overlays.
Android Classyshark is a binary analysis toolset designed to extract structural data from Android executable files. It functions as a bytecode viewer and binary XML parser to analyze compiled Java and Android binaries. The project converts binary XML files into readable formats for the inspection of application manifests, layouts, and resource files. It also provides the ability to analyze class interfaces, members, and dependency counts without requiring access to the original source code. The toolset supports static analysis and the export of binary information into plain text formats for
Provides a suite for extracting structural data from Android executable files for external tools and CI pipelines.