Advanced malware analysis tool using radare2 and r2pipe

Project description

r2inspect

Advanced malware analysis tool powered by radare2 and r2pipe


Overview

r2inspect is a professional malware analysis framework that automates deep static inspection for PE, ELF, and Mach-O binaries using the radare2 ecosystem. It combines format parsing, detection heuristics, and rich reporting to support reverse engineers, incident responders, and threat analysts.

Key Features

Feature               Description
Multi-format Support  PE, ELF, Mach-O format detection and analysis
String Analysis       ASCII/Unicode extraction with filtering and decoding
Packer Detection      Evidence-based scoring with entropy and signature checks
Crypto Detection      API and constant analysis with confidence scoring
Anti-Analysis         Anti-debug/VM/sandbox indicators with evidence
Hashing Suite         MD5/SHA, SSDeep, TLSH, MACHOC, RichPE, Telfhash, SimHash
Metadata Analysis     Sections, imports, exports, resources, overlays
YARA Integration      Built-in and custom rule scanning
Rich Output           Console tables, JSON, and CSV exports

Supported Formats

Windows  PE32 / PE32+ / DLL
Linux    ELF32 / ELF64
macOS    Mach-O / Universal

Installation

From PyPI (Recommended)

pip install r2inspect

From Source

git clone https://github.com/seifreed/r2inspect.git
cd r2inspect
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -e .

Requirements

  • Python 3.13+
  • radare2 installed and in PATH
  • libmagic (for file type detection)

Quick Start

# Basic analysis with rich console output
r2inspect samples/fixtures/hello_pe.exe

# JSON output
r2inspect -j samples/fixtures/hello_pe.exe

# CSV output
r2inspect -c samples/fixtures/hello_pe.exe

Usage

Command Line Interface

# Full analysis
r2inspect malware.exe

# Save output to file
r2inspect -j malware.exe -o analysis.json

# Analyze a directory (batch mode)
r2inspect --batch ./samples -j -o ./out

# Custom YARA rules
r2inspect --yara /path/to/rules malware.exe

Available Options

Option              Description
-i, --interactive   Interactive analysis shell
-j, --json          Output in JSON format
-c, --csv           Output in CSV format
-o, --output        Output file or directory
--batch             Batch mode for directories
--extensions        Filter batch by extensions
--yara              Custom YARA rules directory
-x, --xor           XOR search string
-v, --verbose       Verbose output
--quiet             Suppress non-critical output
--threads           Parallel threads for batch mode

Python Library

from r2inspect import create_inspector
from r2inspect.config import Config

config = Config()
with create_inspector("malware.exe", config=config) as inspector:
    results = inspector.analyze()
    pe_info = inspector.get_pe_info()
    imports = inspector.get_imports()
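A small triage script built on the API above, as an added example that is not part of the r2inspect project: it pulls the import table through get_imports() and groups API names commonly seen in anti-debugging and process-injection code so an analyst can rank samples for closer review. The shape of what get_imports() returns (plain strings, or dicts with a "name" key), the watch-list itself and the sample import table are all assumptions constructed for this example.

```python
"""Triage helper built on the r2inspect Python API (added example, not project code)."""
import json
from typing import Any, Iterable

# Hypothetical watch-list of imports that usually warrant a closer look. This is an
# assumption made for the example, not a rule set shipped with r2inspect.
SUSPICIOUS_IMPORTS = {
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "dynamic-api": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}


def import_names(imports: Iterable[Any]) -> list[str]:
    """Normalise get_imports() output; its exact shape is assumed (str, or dict with 'name')."""
    names = []
    for entry in imports:
        name = entry.get("name") if isinstance(entry, dict) else entry
        if isinstance(name, str) and name:
            names.append(name)
    return names


def categorise(names: Iterable[str]) -> dict[str, list[str]]:
    """Group matched import names by watch-list category; categories with no hit are omitted."""
    hits: dict[str, list[str]] = {}
    for name in names:
        for category, watch in SUSPICIOUS_IMPORTS.items():
            if name in watch:
                hits.setdefault(category, []).append(name)
    return hits


def triage(path: str) -> dict[str, Any]:
    """Run r2inspect on one file and summarise it; needs radare2 and r2inspect installed."""
    from r2inspect import create_inspector  # imported lazily so the helpers above run offline
    from r2inspect.config import Config

    with create_inspector(path, config=Config()) as inspector:
        inspector.analyze()
        hits = categorise(import_names(inspector.get_imports()))
    return {"file": path, "categories": hits, "score": sum(len(v) for v in hits.values())}


if __name__ == "__main__":
    # Constructed sample import table standing in for inspector.get_imports() output.
    sample = ["CreateFileW", {"name": "IsDebuggerPresent"}, {"name": "WriteProcessMemory"},
              {"name": "CreateRemoteThread"}, "GetProcAddress"]
    print(json.dumps(categorise(import_names(sample)), indent=2))
```

Replace the constructed sample with triage("malware.exe") on a machine that has radare2 in PATH to run it against a real file.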

Architecture (high level)

Use create_inspector to build a ready-to-run inspector with adapter, registry, and pipeline wiring. The core depends on interfaces; adapters provide r2pipe-backed data access, while analyzers focus on analysis and domain helpers.

CLI -> create_inspector -> R2Inspector -> AnalysisPipeline -> analyzers
                                      -> Adapter (r2pipe) -> radare2

See docs/architecture.md for a short overview of the layers and extension points.


Examples

Analyze Multiple Samples

r2inspect --batch ./samples --extensions "exe,dll" -j -o ./out

Interactive Mode

r2inspect> analyze
r2inspect> strings
r2inspect> imports
r2inspect> quit

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

Support the Project

If you find r2inspect useful, consider supporting its development:

Buy Me A Coffee

License

GNU General Public License v3.0

Attribution Required:


Made with dedication for the reverse engineering and threat intelligence community

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

r2inspect-2.1.0.tar.gz (877.0 kB)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

r2inspect-2.1.0-py3-none-any.whl (1.0 MB)

Uploaded Python 3

File details

Details for the file r2inspect-2.1.0.tar.gz.

File metadata

  • Download URL: r2inspect-2.1.0.tar.gz
  • Upload date:
  • Size: 877.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for r2inspect-2.1.0.tar.gz
Algorithm Hash digest
SHA256 4d924d4c9221e284f88c5215e7153cdc710b0305746d699a76b798d2776f361d
MD5 242af295ae486c926031e86469c18a48
BLAKE2b-256 05be4f3eb25420f85622f86d136a97f645c741bf7a082a9313dd3365601b4a59

Provenance

The following attestation bundles were made for r2inspect-2.1.0.tar.gz:

Publisher: publish.yml on seifreed/r2inspect

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file r2inspect-2.1.0-py3-none-any.whl.

File metadata

  • Download URL: r2inspect-2.1.0-py3-none-any.whl
  • Upload date:
  • Size: 1.0 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for r2inspect-2.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 14e284dce259bceef91cbdf6d4ccefa6b0770c0ccedea31f2100f234feee7de9
MD5 1939b1a723bc509f9a5393628c96c402
BLAKE2b-256 4a6c27b17429c4232614ba2385a0d1d4b4073d94cdb4ffa4c3d62c41dcfdb4a2

Provenance

The following attestation bundles were made for r2inspect-2.1.0-py3-none-any.whl:

Publisher: publish.yml on seifreed/r2inspect

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
