Metadata-Version: 2.4
Name: r2inspect
Version: 2.0.0
Summary: Advanced malware analysis tool using radare2 and r2pipe
Home-page: https://github.com/seifreed/r2inspect
Author: Marc Rivero
Author-email: Marc Rivero <mriverolopez@gmail.com>
Maintainer-email: Marc Rivero <mriverolopez@gmail.com>
License: GPL-3.0
Project-URL: Homepage, https://github.com/seifreed/r2inspect
Project-URL: Documentation, https://github.com/seifreed/r2inspect/blob/main/README.md
Project-URL: Repository, https://github.com/seifreed/r2inspect
Project-URL: Issues, https://github.com/seifreed/r2inspect/issues
Project-URL: Changelog, https://github.com/seifreed/r2inspect/releases
Keywords: malware,analysis,radare2,r2pipe,reverse-engineering,security,forensics
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: Science/Research
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: r2pipe>=1.8.0
Requires-Dist: click>=8.0.0
Requires-Dist: rich>=13.0.0
Requires-Dist: colorlog>=6.8.0
Requires-Dist: pefile>=2023.2.7
Requires-Dist: yara-python>=4.5.0
Requires-Dist: python-magic>=0.4.27
Requires-Dist: pycryptodome>=3.19.0
Requires-Dist: cryptography>=41.0.0
Requires-Dist: psutil>=5.9.0
Requires-Dist: pydantic>=2.5.0
Requires-Dist: pybloom-live>=4.0.0
Requires-Dist: simhash>=2.1.0
Requires-Dist: colorama>=0.4.6
Requires-Dist: tabulate>=0.9.0
Requires-Dist: pyfiglet>=0.8.post1
Requires-Dist: pandas>=1.3.0; python_version < "3.9"
Requires-Dist: pandas>=1.5.0; python_version >= "3.9" and python_version < "3.11"
Requires-Dist: pandas>=2.0.0; python_version >= "3.11"
Requires-Dist: requests>=2.31.0
Provides-Extra: dev
Requires-Dist: black>=23.0.0; extra == "dev"
Requires-Dist: ruff>=0.1.0; extra == "dev"
Requires-Dist: mypy>=1.0.0; extra == "dev"
Requires-Dist: pytest>=7.0.0; extra == "dev"
Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
Requires-Dist: pre-commit>=3.0.0; extra == "dev"
Requires-Dist: bandit>=1.7.0; extra == "dev"
Requires-Dist: mutmut>=2.4.0; extra == "dev"
Provides-Extra: docker
Requires-Dist: pycparser>=2.21; extra == "docker"
Requires-Dist: pyimpfuzzy>=0.1.1; extra == "docker"
Requires-Dist: python-tlsh>=4.5.0; extra == "docker"
Requires-Dist: ssdeep>=3.4; extra == "docker"
Dynamic: author
Dynamic: home-page
Dynamic: license-file
Dynamic: requires-python

<p align="center">
  <img src="https://img.shields.io/badge/r2inspect-Malware%20Analysis-blue?style=for-the-badge" alt="r2inspect">
</p>

<h1 align="center">r2inspect</h1>

<p align="center">
  <strong>Advanced malware analysis tool powered by radare2 and r2pipe</strong>
</p>

<p align="center">
  <a href="https://pypi.org/project/r2inspect/"><img src="https://img.shields.io/pypi/v/r2inspect?style=flat-square&logo=pypi&logoColor=white" alt="PyPI Version"></a>
  <a href="https://pypi.org/project/r2inspect/"><img src="https://img.shields.io/pypi/pyversions/r2inspect?style=flat-square&logo=python&logoColor=white" alt="Python Versions"></a>
  <a href="https://github.com/seifreed/r2inspect/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-GPL--3.0-green?style=flat-square" alt="License"></a>
  <a href="https://github.com/seifreed/r2inspect/actions"><img src="https://img.shields.io/github/actions/workflow/status/seifreed/r2inspect/test.yml?style=flat-square&logo=github&label=CI" alt="CI Status"></a>
  <a href="https://codecov.io/gh/seifreed/r2inspect"><img src="https://img.shields.io/codecov/c/github/seifreed/r2inspect?style=flat-square" alt="Coverage"></a>
</p>

<p align="center">
  <a href="https://github.com/seifreed/r2inspect/stargazers"><img src="https://img.shields.io/github/stars/seifreed/r2inspect?style=flat-square" alt="GitHub Stars"></a>
  <a href="https://github.com/seifreed/r2inspect/issues"><img src="https://img.shields.io/github/issues/seifreed/r2inspect?style=flat-square" alt="GitHub Issues"></a>
  <a href="https://buymeacoffee.com/seifreed"><img src="https://img.shields.io/badge/Buy%20Me%20a%20Coffee-support-yellow?style=flat-square&logo=buy-me-a-coffee&logoColor=white" alt="Buy Me a Coffee"></a>
</p>

---

## Overview

**r2inspect** is a professional malware analysis framework that automates deep static inspection for PE, ELF, and Mach-O binaries using the radare2 ecosystem. It combines format parsing, detection heuristics, and rich reporting to support reverse engineers, incident responders, and threat analysts.

### Key Features

| Feature | Description |
|---------|-------------|
| **Multi-format Support** | PE, ELF, Mach-O format detection and analysis |
| **String Analysis** | ASCII/Unicode extraction with filtering and decoding |
| **Packer Detection** | Evidence-based scoring with entropy and signature checks |
| **Crypto Detection** | API and constant analysis with confidence scoring |
| **Anti-Analysis** | Anti-debug/VM/sandbox indicators with evidence |
| **Hashing Suite** | MD5/SHA, SSDeep, TLSH, MACHOC, RichPE, Telfhash, SimHash |
| **Metadata Analysis** | Sections, imports, exports, resources, overlays |
| **YARA Integration** | Built-in and custom rule scanning |
| **Rich Output** | Console tables, JSON, and CSV exports |

### Supported Formats

```
Windows  PE32 / PE32+ / DLL
Linux    ELF32 / ELF64
macOS    Mach-O / Universal
```

---

## Installation

### From PyPI (Recommended)

```bash
pip install r2inspect
```

### From Source

```bash
git clone https://github.com/seifreed/r2inspect.git
cd r2inspect
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .
```

### Requirements

- Python 3.8+
- radare2 installed and in PATH
- libmagic (for file type detection)

---

## Quick Start

```bash
# Basic analysis with rich console output
r2inspect samples/fixtures/hello_pe.exe

# JSON output
r2inspect -j samples/fixtures/hello_pe.exe

# CSV output
r2inspect -c samples/fixtures/hello_pe.exe
```

---

## Usage

### Command Line Interface

```bash
# Full analysis
r2inspect malware.exe

# Save output to file
r2inspect -j malware.exe -o analysis.json

# Analyze a directory (batch mode)
r2inspect --batch ./samples -j -o ./out

# Custom YARA rules
r2inspect --yara /path/to/rules malware.exe
```

### Available Options

| Option | Description |
|--------|-------------|
| `-i, --interactive` | Interactive analysis shell |
| `-j, --json` | Output in JSON format |
| `-c, --csv` | Output in CSV format |
| `-o, --output` | Output file or directory |
| `--batch` | Batch mode for directories |
| `--extensions` | Filter batch by extensions |
| `--yara` | Custom YARA rules directory |
| `-x, --xor` | XOR search string |
| `-v, --verbose` | Verbose output |
| `--quiet` | Suppress non-critical output |
| `--threads` | Parallel threads for batch mode |

---

## Python Library

```python
from r2inspect import R2Inspector
from r2inspect.config import Config

config = Config()
with R2Inspector("malware.exe", config=config) as inspector:
    results = inspector.analyze()
    pe_info = inspector.get_pe_info()
    imports = inspector.get_imports()
```

---

## Examples

### Analyze Multiple Samples

```bash
r2inspect --batch ./samples --extensions "exe,dll" -j -o ./out
```

### Interactive Mode

```
r2inspect> analyze
r2inspect> strings
r2inspect> imports
r2inspect> quit
```

---

## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

---

## Support the Project

If you find r2inspect useful, consider supporting its development:

<a href="https://buymeacoffee.com/seifreed" target="_blank">
  <img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" height="50">
</a>

---

## License

GNU General Public License v3.0

**Attribution Required:**
- Author: **Marc Rivero** | [@seifreed](https://github.com/seifreed)
- Repository: [github.com/seifreed/r2inspect](https://github.com/seifreed/r2inspect)

---

<p align="center">
  <sub>Made with dedication for the reverse engineering and threat intelligence community</sub>
</p>
