Detects banned/insecure functions in binary files using radare2 decompilers.
Project description
BannedFuncDetector
Detect banned/insecure functions in binary files using radare2 decompilers
Overview
BannedFuncDetector is a Python tool that scans binary files to detect banned or insecure functions. It supports traditional radare2 decompilers and AI-assisted decompilation to provide readable output and highlight risky calls.
Key Features
| Feature | Description |
|---|---|
| Binary Analysis | Analyze PE/ELF/Mach-O binaries for banned functions |
| Multiple Decompilers | r2ghidra, r2dec, default, and decai (AI assistant) |
| Directory Scans | Analyze one file or whole directories |
| Parallel Processing | Speed up directory scans |
| JSON Reports | Results saved per target with structured output |
| Library Mode | Use via CLI or import as a Python package |
Supported Decompilers
Default (pdc) r2ghidra (pdg) r2dec (pdd) decai (AI assistant)
Installation
From PyPI (Recommended)
pip install bannedfuncdetector
From Source
git clone https://github.com/seifreed/BannedFuncDetector.git
cd BannedFuncDetector
python3 -m venv venv
source venv/bin/activate # Windows: venv\Scripts\activate
pip install -e .
Quick Start
# Analyze a single binary
bannedfunc -f /path/to/binary
# Analyze a directory
bannedfunc -d /path/to/binaries --parallel
# Use r2dec
bannedfunc -f /path/to/binary --decompiler r2dec
Usage
Command Line Interface
# Basic analysis
bannedfunc -f /path/to/binary
# Analyze a directory with parallel workers
bannedfunc -d /path/to/binaries --parallel
# Save output to a custom directory
bannedfunc -f /path/to/binary -o output
# Force a decompiler
bannedfunc -f /path/to/binary --decompiler r2ghidra --force-decompiler
# Skip decompilation analysis (names only)
bannedfunc -f /path/to/binary --skip-analysis
Available Options
| Option | Description |
|---|---|
-f, --file |
Executable file to analyze |
-d, --directory |
Directory with executables to analyze |
-o, --output |
Output directory for results |
--decompiler |
Decompiler to use (default, r2ghidra, r2dec, decai) |
--force-decompiler |
Force the specified decompiler |
--parallel |
Process files in parallel (directory only) |
--skip-banned |
Skip banned function name checks |
--skip-analysis |
Skip decompilation analysis |
--check-requirements |
Check system requirements before running |
-v, --verbose |
Show detailed information |
AI decompilation (decai)
The decai decompiler uses an AI backend through the radare2 decai plugin.
The backend is driven entirely by the decompiler.options.decai section of
config.json, so you can switch providers without touching code.
Default backend: OpenCode Zen — free big-pickle model. Zen exposes free
models (big-pickle, deepseek-v4-flash-free, …) over an OpenAI-compatible
endpoint, so decai reaches them with api=openai. The models are free of
charge but Zen still requires a free key (there is no anonymous access):
# 1. Sign up and copy your key at https://opencode.ai/auth
# 2. Store it in decai's "openai" slot (Zen is OpenAI-compatible):
r2 -qc 'decai -K' /bin/ls # add a line: openai=<your-zen-key>
# or export it: export OPENAI_API_KEY=<your-zen-key>
⚠️ Privacy note for malware analysis. Any cloud backend uploads the disassembly of the analyzed sample to a third party. For sensitive or classified samples, use the local Ollama backend (below) so nothing leaves the host — it is the only key-free, fully private option.
Switch backend by editing config.json → decompiler.options.decai:
// Local / offline (private, no key) — requires Ollama + a local model:
"decai": { "api": "ollama", "model": "qwen2.5-coder:7b",
"host": "http://localhost", "port": 11434 }
// OpenCode Zen (default) — free models, free key:
"decai": { "api": "openai", "model": "big-pickle", "host": "https://opencode.ai/zen" }
api, model and the host(+port)-derived base URL are applied to the
plugin automatically when --decompiler decai runs (decai builds the request
URL as host + /v1/chat/completions). Providers supported by decai:
openai (incl. OpenCode Zen), ollama, ollamacloud, gemini, anthropic,
claude, mistral, xai, deepseek, lmstudio.
If you see
ABI mismatchwarnings forr2ai.dylib, rebuild the backend plugin for your radare2 version:r2pm -ci r2ai.
Python Library
Both helpers return a Result: Ok(outcome) on success or Err(failure) on
error — check with .is_ok() and read the value with .unwrap().
Basic Usage
from bannedfuncdetector.bannedfunc import analyze_file
result = analyze_file(
"/path/to/binary",
decompiler_type="r2ghidra",
output_dir="output",
)
if result.is_ok():
outcome = result.unwrap()
for finding in outcome.report.detected_functions:
print(finding.name, finding.banned_calls)
else:
print("Analysis failed:", result.error)
Directory Analysis
from bannedfuncdetector.bannedfunc import analyze_directory
result = analyze_directory(
"/path/to/binaries",
output_dir="output",
decompiler_type="r2dec",
parallel=True,
)
if result.is_ok():
summary = result.unwrap().summary
print(f"{summary.analyzed_files}/{summary.total_files} files analyzed")
Requirements
- Python 3.13+ (tested on 3.13 y 3.14)
- radare2 (required)
- r2ghidra/r2dec (optional decompilers)
- decai plugin (optional, for AI-assisted decompilation — see "AI decompilation" above)
- See
pyproject.tomlfor Python dependencies
Support the Project
If you find BannedFuncDetector useful, consider supporting its development:
Made with dedication for the reverse engineering community
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file bannedfuncdetector-3.1.0.tar.gz.
File metadata
- Download URL: bannedfuncdetector-3.1.0.tar.gz
- Upload date:
- Size: 234.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
675bc640efd582440634035f4b826d514a0f8631a134b7745e01c1a0bf114103
|
|
| MD5 |
b0c3f5b7fc551d49a64af3e00f800bd1
|
|
| BLAKE2b-256 |
6b0df8b3c79a6e9862983219a45ac6dc83ce9ccf45952d8f348ea92deef41f3a
|
Provenance
The following attestation bundles were made for bannedfuncdetector-3.1.0.tar.gz:
Publisher:
release.yml on seifreed/BannedFuncDetector
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
bannedfuncdetector-3.1.0.tar.gz -
Subject digest:
675bc640efd582440634035f4b826d514a0f8631a134b7745e01c1a0bf114103 - Sigstore transparency entry: 2018661587
- Sigstore integration time:
-
Permalink:
seifreed/BannedFuncDetector@f61294231af7fc256aeab1cc4817116aeed226d9 -
Branch / Tag:
refs/tags/v3.1.0 - Owner: https://github.com/seifreed
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@f61294231af7fc256aeab1cc4817116aeed226d9 -
Trigger Event:
push
-
Statement type:
File details
Details for the file bannedfuncdetector-3.1.0-py3-none-any.whl.
File metadata
- Download URL: bannedfuncdetector-3.1.0-py3-none-any.whl
- Upload date:
- Size: 125.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
54ceaedb8d774fa7e600a2485452ed3b523aedad3b81075671b854ac564f9a96
|
|
| MD5 |
3142bdf71a47005c0bd90963c1f13bfa
|
|
| BLAKE2b-256 |
a3d0d494d0e46a092031b4dd06c00b4a04f1ae45603a65d1f1a8f649923e31bf
|
Provenance
The following attestation bundles were made for bannedfuncdetector-3.1.0-py3-none-any.whl:
Publisher:
release.yml on seifreed/BannedFuncDetector
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
bannedfuncdetector-3.1.0-py3-none-any.whl -
Subject digest:
54ceaedb8d774fa7e600a2485452ed3b523aedad3b81075671b854ac564f9a96 - Sigstore transparency entry: 2018661695
- Sigstore integration time:
-
Permalink:
seifreed/BannedFuncDetector@f61294231af7fc256aeab1cc4817116aeed226d9 -
Branch / Tag:
refs/tags/v3.1.0 - Owner: https://github.com/seifreed
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@f61294231af7fc256aeab1cc4817116aeed226d9 -
Trigger Event:
push
-
Statement type: