Skip to main content

Detects banned/insecure functions in binary files using radare2 decompilers.

Project description

BannedFuncDetector

BannedFuncDetector

Detect banned/insecure functions in binary files using radare2 decompilers

PyPI Version Python Versions License CI Status Coverage

GitHub Stars GitHub Issues Buy Me a Coffee


Overview

BannedFuncDetector is a Python tool that scans binary files to detect banned or insecure functions. It supports traditional radare2 decompilers and AI-assisted decompilation to provide readable output and highlight risky calls.

Key Features

Feature Description
Binary Analysis Analyze PE/ELF/Mach-O binaries for banned functions
Multiple Decompilers r2ghidra, r2dec, default, and decai (AI assistant)
Directory Scans Analyze one file or whole directories
Parallel Processing Speed up directory scans
JSON Reports Results saved per target with structured output
Library Mode Use via CLI or import as a Python package

Supported Decompilers

Default (pdc)  r2ghidra (pdg)  r2dec (pdd)  decai (AI assistant)

Installation

From PyPI (Recommended)

pip install bannedfuncdetector

From Source

git clone https://github.com/seifreed/BannedFuncDetector.git
cd BannedFuncDetector
python3 -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .

Quick Start

# Analyze a single binary
bannedfunc -f /path/to/binary

# Analyze a directory
bannedfunc -d /path/to/binaries --parallel

# Use r2dec
bannedfunc -f /path/to/binary --decompiler r2dec

Usage

Command Line Interface

# Basic analysis
bannedfunc -f /path/to/binary

# Analyze a directory with parallel workers
bannedfunc -d /path/to/binaries --parallel

# Save output to a custom directory
bannedfunc -f /path/to/binary -o output

# Force a decompiler
bannedfunc -f /path/to/binary --decompiler r2ghidra --force-decompiler

# Skip decompilation analysis (names only)
bannedfunc -f /path/to/binary --skip-analysis

Available Options

Option Description
-f, --file Executable file to analyze
-d, --directory Directory with executables to analyze
-o, --output Output directory for results
--decompiler Decompiler to use (default, r2ghidra, r2dec, decai)
--force-decompiler Force the specified decompiler
--parallel Process files in parallel (directory only)
--skip-banned Skip banned function name checks
--skip-analysis Skip decompilation analysis
--check-requirements Check system requirements before running
-v, --verbose Show detailed information

AI decompilation (decai)

The decai decompiler uses an AI backend through the radare2 decai plugin. The backend is driven entirely by the decompiler.options.decai section of config.json, so you can switch providers without touching code.

Default backend: OpenCode Zen — free big-pickle model. Zen exposes free models (big-pickle, deepseek-v4-flash-free, …) over an OpenAI-compatible endpoint, so decai reaches them with api=openai. The models are free of charge but Zen still requires a free key (there is no anonymous access):

# 1. Sign up and copy your key at https://opencode.ai/auth
# 2. Store it in decai's "openai" slot (Zen is OpenAI-compatible):
r2 -qc 'decai -K' /bin/ls        # add a line:  openai=<your-zen-key>
#    or export it:  export OPENAI_API_KEY=<your-zen-key>

⚠️ Privacy note for malware analysis. Any cloud backend uploads the disassembly of the analyzed sample to a third party. For sensitive or classified samples, use the local Ollama backend (below) so nothing leaves the host — it is the only key-free, fully private option.

Switch backend by editing config.jsondecompiler.options.decai:

// Local / offline (private, no key) — requires Ollama + a local model:
"decai": { "api": "ollama", "model": "qwen2.5-coder:7b",
           "host": "http://localhost", "port": 11434 }

// OpenCode Zen (default) — free models, free key:
"decai": { "api": "openai", "model": "big-pickle", "host": "https://opencode.ai/zen" }

api, model and the host(+port)-derived base URL are applied to the plugin automatically when --decompiler decai runs (decai builds the request URL as host + /v1/chat/completions). Providers supported by decai: openai (incl. OpenCode Zen), ollama, ollamacloud, gemini, anthropic, claude, mistral, xai, deepseek, lmstudio.

If you see ABI mismatch warnings for r2ai.dylib, rebuild the backend plugin for your radare2 version: r2pm -ci r2ai.


Python Library

Both helpers return a Result: Ok(outcome) on success or Err(failure) on error — check with .is_ok() and read the value with .unwrap().

Basic Usage

from bannedfuncdetector.bannedfunc import analyze_file

result = analyze_file(
    "/path/to/binary",
    decompiler_type="r2ghidra",
    output_dir="output",
)

if result.is_ok():
    outcome = result.unwrap()
    for finding in outcome.report.detected_functions:
        print(finding.name, finding.banned_calls)
else:
    print("Analysis failed:", result.error)

Directory Analysis

from bannedfuncdetector.bannedfunc import analyze_directory

result = analyze_directory(
    "/path/to/binaries",
    output_dir="output",
    decompiler_type="r2dec",
    parallel=True,
)

if result.is_ok():
    summary = result.unwrap().summary
    print(f"{summary.analyzed_files}/{summary.total_files} files analyzed")

Requirements

  • Python 3.13+ (tested on 3.13 y 3.14)
  • radare2 (required)
  • r2ghidra/r2dec (optional decompilers)
  • decai plugin (optional, for AI-assisted decompilation — see "AI decompilation" above)
  • See pyproject.toml for Python dependencies

Support the Project

If you find BannedFuncDetector useful, consider supporting its development:

Buy Me A Coffee

Made with dedication for the reverse engineering community

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

bannedfuncdetector-3.1.0.tar.gz (234.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

bannedfuncdetector-3.1.0-py3-none-any.whl (125.8 kB view details)

Uploaded Python 3

File details

Details for the file bannedfuncdetector-3.1.0.tar.gz.

File metadata

  • Download URL: bannedfuncdetector-3.1.0.tar.gz
  • Upload date:
  • Size: 234.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for bannedfuncdetector-3.1.0.tar.gz
Algorithm Hash digest
SHA256 675bc640efd582440634035f4b826d514a0f8631a134b7745e01c1a0bf114103
MD5 b0c3f5b7fc551d49a64af3e00f800bd1
BLAKE2b-256 6b0df8b3c79a6e9862983219a45ac6dc83ce9ccf45952d8f348ea92deef41f3a

See more details on using hashes here.

Provenance

The following attestation bundles were made for bannedfuncdetector-3.1.0.tar.gz:

Publisher: release.yml on seifreed/BannedFuncDetector

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file bannedfuncdetector-3.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for bannedfuncdetector-3.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 54ceaedb8d774fa7e600a2485452ed3b523aedad3b81075671b854ac564f9a96
MD5 3142bdf71a47005c0bd90963c1f13bfa
BLAKE2b-256 a3d0d494d0e46a092031b4dd06c00b4a04f1ae45603a65d1f1a8f649923e31bf

See more details on using hashes here.

Provenance

The following attestation bundles were made for bannedfuncdetector-3.1.0-py3-none-any.whl:

Publisher: release.yml on seifreed/BannedFuncDetector

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page