89 repositories
Advanced frameworks for automated binary code analysis and symbolic execution.
Explore 89 awesome GitHub repositories matching part of an awesome list · Binary Analysis.
ImHex is a professional-grade hex editor and binary data analysis platform designed for inspecting, modifying, and reverse engineering raw file contents. It functions as a schema-driven engine that interprets complex binary structures by applying custom definitions to map and visualize byte-level data. The platform distinguishes itself through a dedicated domain-specific language that allows users to define structural schemas for automated file parsing. This capability is supported by a dynamic plugin architecture and an event-driven registry, which enable the integration of external modules
Provides a hex editor tailored for reverse engineering.
dnSpy is a specialized toolset for the reverse engineering, analysis, and modification of compiled .NET binaries. It functions as a decompiler that converts assemblies back into readable high-level source code, an assembly editor for modifying bytecode and metadata, and a debugger for inspecting compiled binaries. The project integrates a hex editor specifically for inspecting and modifying raw bytes and Common Intermediate Language structures. It allows for the direct modification of binary contents to change application behavior without requiring the original project source files. The tool
Inspects assembly metadata tables to resolve class hierarchies, method signatures, and cross-references within the binary.
ILSpy is a .NET decompiler and binary analyzer designed to convert compiled .NET assemblies back into readable C# source code. It functions as a metadata explorer and a common intermediate language viewer, enabling the analysis of compiled code and the execution of reverse engineering workflows. The project distinguishes itself through specialized translation capabilities, such as converting compiled binary XML (BAML) back into human-readable XAML for user interface analysis. It also provides tools for inspecting native machine code and extracting metadata from program database (PDB) files.
Converts raw metadata entries into readable source code to understand the underlying structure of compiled elements.
radare2 is a reverse engineering framework and binary analysis toolset. It functions as a multi-architecture disassembler, low-level binary debugger, and hexadecimal editor for inspecting executable structures and interpreting machine code when original source files are unavailable. The framework provides capabilities for decompiling machine instructions, performing symbolic analysis, and diffing binary files to identify structural changes across versions. It also includes a digital forensic analyzer and disk analyzer for browsing filesystem formats in userland. The toolset supports binary p
Processes raw bytes through successive stages of format parsing, disassembly, and high-level structural analysis.
Pics is a comprehensive reference library providing visual documentation for binary file structures, character encodings, processor instruction sets, and hardware architecture maps. It serves as a centralized resource for the dissection and analysis of diverse binary formats, including executables, images, and archives. The project specializes in mapping complex specifications into visual layouts. This includes the creation of schematic diagrams to explain the physical and logical organization of hardware components and the maintenance of a catalog for processor opcodes across multiple hardwa
Visualizes the internal layout and structural dissections of binary files such as images and archives.
fq is a command-line binary data processor used for decoding, transforming, and analyzing raw byte streams and bit-level data into structured formats. It functions as a functional binary query engine that allows for filtering and mapping binary structures, as well as a converter that translates complex binary blobs and proprietary file formats into standard JSON, YAML, or XML. The tool distinguishes itself as a low-level bit manipulator capable of performing bit-level slicing, bitwise operations, and cryptographic hashing on raw files. It also serves as a network protocol analyzer with the ab
Inspects and decodes binary data formats.
pwndbg is a GDB plugin and binary analysis framework designed for reverse engineering, exploit development, and low-level program analysis. It extends the core functionality of the debugger to provide advanced memory inspection and automation tools. The project distinguishes itself with specialized capabilities for heap analysis across glibc, jemalloc, and musl, as well as a comprehensive kernel debugging toolkit for inspecting Linux kernel tasks and slab allocators. It includes an integrated ROP gadget searcher for constructing exploit chains and an LLM-powered debugging assistant that provi
Extracts detailed information about heap memory groups through metadata analysis.
Angr is a binary analysis framework and static analysis tool used for reverse engineering compiled binaries. It serves as a binary decompiler and a lifting platform that translates machine code into a common intermediate representation to enable cross-architecture analysis. The framework integrates a symbolic execution engine and constraint solvers to determine the inputs required to reach specific program states. It also employs untrusted code sandboxing to isolate guest code from the host environment during analysis. Its capabilities cover control flow and data flow analysis, including the
Framework for binary analysis and symbolic execution.
Retdec is an LLVM-based machine code decompiler and static binary analysis tool designed for binary reverse engineering. It translates binary executable code into high-level representations to facilitate the reconstruction of program logic from compiled machine code. The system utilizes a retargetable frontend architecture and a multi-stage lifting pipeline to convert raw bytes into a common intermediate language. It differentiates custom program logic from known library code through signature-based identification and provides utilities for binary symbol demangling to restore human-readable n
Decompiles machine code into C-like output using LLVM.
LOLBAS is a curated database and knowledge base of signed Windows binaries that can be misused to bypass security restrictions and execute unauthorized code. It serves as a technical registry that maps trusted system files to their functional capabilities and the offensive tactics they enable. The project distinguishes itself by providing a capability-driven indexing system and a tactics registry that relates legitimate binary functionality to known security evasion techniques. It includes an association layer that links specific system binaries to attack patterns and tactical objectives, pro
Provides detection rules to identify when signed binaries are used for security evasion.
This project is an Android RPA framework designed for automating user interfaces and system tasks on rooted Android devices using Python and ADB. It provides a suite of tools for rooted device management, allowing for programmatic control of system settings, application lifecycles, and shell command execution via a remote API. The framework distinguishes itself through a combination of dynamic instrumentation and AI integration. It can inject scripts into running processes to hook Java interfaces and modifies application behavior in real time. Additionally, it supports large language model in
Analyzes application behavior and interactions with the operating system to identify security vulnerabilities.
GhidraMCP is a Model Context Protocol server that exposes Ghidra binary analysis and decompilation functions to external intelligence models. It acts as a bridge that connects the Ghidra reverse engineering suite to external tools through a standardized communication protocol, facilitating automated reverse engineering and software auditing. The project enables the extraction of decompiled code and program structural data to populate the context windows of language models. It features a binary symbol management tool capable of dynamic symbol resolution, allowing method and data names to be up
Extracts decompiled code and detailed analysis data from binaries to support automated reverse engineering.
Blink is a JIT-based instruction emulator and x86-64 Linux emulator designed to run Linux binaries and ELF files across different host operating systems and architectures. It functions as a binary execution sandbox and system call simulator, providing a controlled environment for running programs. The project distinguishes itself with a terminal user interface for monitoring execution, managing breakpoints, and visualizing JIT compilation paths. It supports self-modifying code through a cache-invalidating memory model and provides execution environment isolation using restricted directory ove
Traces system calls and logs execution flow to analyze how programs interact with the operating system.
de4dot is a .NET deobfuscator, unpacker, and assembly analysis tool. It is designed to remove obfuscation layers, restore metadata, and simplify bytecode control flow to transform protected binaries back into human-readable code. The project features specialized systems for decrypting strings and constants using both static and dynamic analysis. It identifies specific protection tools through pattern-based detection and strips anti-analysis protections, such as tamper detection and anti-debugging code. The tool provides a suite of reverse engineering capabilities, including binary wrapper un
Fixes verifiable code and preserves assembly metadata to ensure compatibility with decompilers.
Trail of Bits lifts machine code to an intermediate representation and performs dynamic symbolic execution, taint analysis, and constraint solving on native binaries.
capa is a binary capability scanner that identifies high-level behaviors and actions an executable can perform, such as network communication or file manipulation. It functions as a malware behavior analysis tool and a MITRE ATT&CK mapping framework, scanning PE, ELF, .NET, and shellcode files through both static analysis and dynamic sandbox report processing. The tool distinguishes itself through a YAML-based detection rule engine that defines detection logic in human-readable files, with conditions expressed as feature combinations and logical operators. It integrates with IDA Pro, Ghidra,
Compiles system calls, file operations, and network activity from malware execution into structured reports.
capa is a static analysis tool that scans executable files to identify what a program can do, detecting capabilities such as API calls, byte sequences, and structural patterns without executing the code. It supports multiple file formats including PE, ELF, .NET, and shellcode, and can also process runtime behavior traces from sandbox reports generated by CAPE, DRAKVUF, or VMRay. The tool integrates directly with reverse engineering environments through plugins for IDA Pro and Ghidra, allowing analysts to view capability matches and author detection rules within their disassembler of choice. C
Detects capabilities in executable files and shellcode.
A True Instrumentable Binary Emulation Framework
Provides an advanced framework for binary emulation.
Cuckoo is an open-source automated malware analysis system that executes suspicious files inside isolated virtual machines and produces structured behavioral reports. The platform captures system calls, file operations, and network activity during execution, compiling them into comprehensive analysis documents for programmatic consumption. The system operates through a modular analysis pipeline that processes behavioral data, applying YARA signature patterns against captured artifacts to identify known malware families. Each analysis run starts from a clean virtual machine snapshot to ensure
Collects system calls, file operations, and network activity from malware execution into structured reports.
Blackbone is a collection of specialized tools for memory scanning, process injection, and kernel driver interfaces used to manipulate the Windows execution environment. It provides a framework for executing remote code, mapping portable executable (PE) images, and managing threads across process boundaries. The project includes a kernel memory driver for accessing kernel memory and modifying handle rights in order to hide allocations from user-mode detection. It also has a library for intercepting function calls in remote processes using software interrupts and hardware breakpoints. The toolkit covers broader virtual memory manipulation capabilities, such as reading, writing, and allocating memory in local or remote processes. It further provides utilities for memory pattern searching to locate specific byte sequences and module management for injecting or ejecting binaries.
Offers a library for Windows memory hacking.