Advanced malware analysis tool powered by radare2 and r2pipe
r2inspect is a professional malware analysis framework that automates deep static inspection for PE, ELF, and Mach-O binaries using the radare2 ecosystem. It combines format parsing, detection heuristics, and rich reporting to support reverse engineers, incident responders, and threat analysts.
| Feature | Description |
|---|---|
| Multi-format Support | PE, ELF, Mach-O format detection and analysis |
| String Analysis | ASCII/Unicode extraction with filtering and decoding |
| Packer Detection | Evidence-based scoring with entropy and signature checks |
| Crypto Detection | API and constant analysis with confidence scoring |
| Anti-Analysis | Anti-debug/VM/sandbox indicators with evidence |
| Hashing Suite | MD5/SHA, SSDeep, TLSH, MACHOC, RichPE, Telfhash, SimHash |
| Metadata Analysis | Sections, imports, exports, resources, overlays |
| YARA Integration | Built-in and custom rule scanning |
| Rich Output | Console tables, JSON, and CSV exports |
- Windows: PE32 / PE32+ / DLL
- Linux: ELF32 / ELF64
- macOS: Mach-O / Universal
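The Packer Detection row in the feature table above describes evidence-based scoring from entropy and signature checks. As an added illustration that is not r2inspect's own code (the section names, marker bytes, weights and thresholds below are assumptions for this example; the tool's real rule set differs), the following Python scores a constructed section table the way such a heuristic works:

```python
import math
import random
from collections import Counter

# Illustrative signatures, constructed here; r2inspect's own rule set and weights differ.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}
PACKER_MARKERS = [b"UPX!"]   # byte pattern the UPX stub leaves in the image
HIGH_ENTROPY = 7.0           # bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def packer_evidence(sections: list[dict], import_count: int) -> dict:
    """Weighted packer evidence over a section table; every finding carries its weight."""
    # sections: [{"name": str, "data": bytes, "virtual_size": int}, ...]
    findings = []
    for s in sections:
        ent = shannon_entropy(s["data"])
        if ent > HIGH_ENTROPY:
            findings.append((f"{s['name']}: entropy {ent:.2f}", 3))
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append((f"{s['name']}: known packer section name", 3))
        # An (almost) empty section with a large virtual size is the unpack target.
        if s["virtual_size"] >= 0x1000 and s["virtual_size"] > 4 * max(len(s["data"]), 1):
            findings.append((f"{s['name']}: virtual size far exceeds raw size", 2))
        for marker in PACKER_MARKERS:
            if marker in s["data"]:
                findings.append((f"{s['name']}: marker {marker!r} present", 2))
    if import_count < 10:   # packers keep a stub IAT and resolve the rest at run time
        findings.append((f"only {import_count} imports", 2))
    score = sum(w for _, w in findings)
    return {"score": score, "packed": score >= 6, "evidence": [f for f, _ in findings]}

def sample_sections() -> tuple[list, list]:
    """Constructed section tables: a UPX-like layout and a plain build."""
    rng = random.Random(1)   # deterministic stand-in for compressed bytes
    packed = [
        {"name": "UPX0", "data": b"", "virtual_size": 0x20000},
        {"name": "UPX1", "data": b"UPX!" + bytes(rng.randrange(256) for _ in range(4096)),
         "virtual_size": 0x1000},
    ]
    code = b"\x55\x8b\xec\x83\xec\x10" * 300 + b"Hello from a plain build\x00" * 20
    plain = [{"name": ".text", "data": code, "virtual_size": len(code)}]
    return packed, plain
```

Keeping each finding with its weight is what makes the verdict reviewable: an analyst can see whether a high score came from one strong signal or several weak ones.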
Install with pip:

```bash
pip install r2inspect
```

Or install from source:

```bash
git clone https://github.com/seifreed/r2inspect.git
cd r2inspect
python -m venv venv
source venv/bin/activate   # Windows: venv\Scripts\activate
pip install -e .
```

Requirements:

- Python 3.13+
- radare2 installed and in PATH
- libmagic (for file type detection)
```bash
# Basic analysis with rich console output
r2inspect samples/fixtures/hello_pe.exe

# JSON output
r2inspect -j samples/fixtures/hello_pe.exe

# CSV output
r2inspect -c samples/fixtures/hello_pe.exe
```

```bash
# Full analysis
r2inspect malware.exe

# Save output to file
r2inspect -j malware.exe -o analysis.json

# Analyze a directory (batch mode)
r2inspect --batch ./samples -j -o ./out

# Custom YARA rules
r2inspect --yara /path/to/rules malware.exe
```

| Option | Description |
|---|---|
| -i, --interactive | Interactive analysis shell |
| -j, --json | Output in JSON format |
| -c, --csv | Output in CSV format |
| -o, --output | Output file or directory |
| --batch | Batch mode for directories |
| --extensions | Filter batch by extensions |
| --yara | Custom YARA rules directory |
| -x, --xor | XOR search string |
| -v, --verbose | Verbose output |
| --quiet | Suppress non-critical output |
| --threads | Parallel threads for batch mode |
```python
from r2inspect import create_inspector
from r2inspect.config import Config

config = Config()
with create_inspector("malware.exe", config=config) as inspector:
    results = inspector.analyze()
    pe_info = inspector.get_pe_info()
    imports = inspector.get_imports()
```

Use create_inspector to build a ready-to-run inspector with adapter, registry, and pipeline wiring. The core depends on interfaces; adapters provide r2pipe-backed data access, while analyzers focus on analysis and domain helpers.

```text
CLI -> create_inspector -> R2Inspector -> AnalysisPipeline -> analyzers
                                       -> Adapter (r2pipe) -> radare2
```

See docs/architecture.md for a short overview of the layers and extension points.
```bash
r2inspect --batch ./samples --extensions "exe,dll" -j -o ./out
```

```text
r2inspect> analyze
r2inspect> strings
r2inspect> imports
r2inspect> quit
```
Contributions are welcome! Please feel free to submit a Pull Request.

- Fork the repository
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
If you find r2inspect useful, consider supporting its development:
GNU General Public License v3.0
Attribution Required:
- Author: Marc Rivero | @seifreed
- Repository: github.com/seifreed/r2inspect
Made with dedication for the reverse engineering and threat intelligence community