Rogue Binary

Rust-native graph and posture

Run these before r2 or Ghidra when you need bounded evidence from static parsing. They do not replace decompiler work; they help choose where to spend it.

binary_security_properties reports loader and hardening posture for PE, ELF, and Mach-O.
static_callgraph builds a bounded x86/x64 call graph from executable sections and static seeds.
binary_capabilities ranks behavior families from imports, symbols, and static-callgraph external calls.
fuzzable_functions suggests parser, decoder, unpacking, and input-handling functions. Treat results as triage hints, not vulnerability claims.
binary_component_profile splits high-confidence components from imported libraries and low-confidence runtime/package hints.

Tool	Looks for	Output signal	Use next
`binary_security_properties`	Loader and hardening properties for PE, ELF, and Mach-O.	Evidence for NX/DEP, PIE/ASLR, RELRO, CFG, SafeSEH, signatures, and related properties.	`static_callgraph` or packer checks.
`static_callgraph`	Direct calls, tailcalls, import/API fanout, top connected functions, and edge confidence.	Paged nodes and edges with call targets. Static import thunks and stubs are resolved when evidence is available.	`binary_capabilities`, then `r2_function_view` on a selected address.
`binary_capabilities`	Behavior families from imports, symbols, and external calls.	Ranked families with evidence and source functions.	`ghidra_callsite_facts` for exact arguments.
`fuzzable_functions`	Parser, decoder, unpacking, and input-handling candidates.	Candidate ranking, evidence, penalties, and suggested r2/Ghidra calls.	`r2_function_view` before writing a harness.
`binary_component_profile`	Go build info, Rust cargo-auditable `.dep-v0`, imported libraries, and .NET runtime hints.	High-confidence components split from imported libraries and low-confidence hints.	`strings_extract` only when weak hints need manual confirmation.

Static posture and call graph

{
  "tool": "binary_security_properties",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_evidence_per_property": 3
  }
}

{
  "tool": "static_callgraph",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_nodes": 100,
    "max_edges": 200
  }
}

Capabilities and fuzzing-interest candidates

{
  "tool": "binary_capabilities",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_evidence_per_capability": 12,
    "max_functions_per_capability": 12
  }
}

{
  "tool": "fuzzable_functions",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_candidates": 20
  }
}

Component inventory

{
  "tool": "binary_component_profile",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_identified_components": 100,
    "max_imported_libraries": 100,
    "max_low_confidence_hints": 50
  }
}

Binary heuristics

These tools are useful when a first-pass triage result points toward packing, staging, plugin behavior, or crypto material.

entropy_profile scores section entropy and packer likelihood.
compiler_packer_detect identifies compiler, runtime, packer, and protector hints.
crypto_detect scans bytes for common crypto constants.
dll_export_profile analyzes exports, dispatch shape, lifecycle hints, and plugin or host indicators.

Tool	Looks for	Output signal	Use next
`entropy_profile`	Section entropy and distribution.	Packed, encrypted, compressed, code, or data classifications.	`binwalk_scan` and section review.
`compiler_packer_detect`	Compiler, runtime, protector, packer hints.	Ranked findings with evidence.	`static_view sections` or unpacking workflow.
`crypto_detect`	Known crypto constants.	Offsets, lengths, matched algorithms.	`r2_function_view constants` or Ghidra path work.
`dll_export_profile`	DLL exports, dispatch model, lifecycle hints.	COM, service, plugin, command, callback, entry model guesses.	`ghidra_inventory exports` or call analysis.

Packer and crypto check

{
  "tool": "entropy_profile",
  "arguments": {
    "binary_path": "/samples/payload.exe"
  }
}

{
  "tool": "crypto_detect",
  "arguments": {
    "binary_path": "/samples/payload.exe"
  }
}

Packed or staged flow

Use the cheap heuristics first, then pivot into path digest or dispatch-table views.

binary_security_properties
static_callgraph
binary_capabilities
entropy_profile
binwalk_scan
compiler_packer_detect
r2_path_digest or ghidra_path_digest
ghidra_dynamic_dispatch_table when a hash or API dispatcher is suspected.

Signal	Use	What to capture	Next
Missing hardening or executable stack	`binary_security_properties`.	Property status and evidence row.	`static_callgraph` to choose code targets.
High external API fanout	`static_callgraph` then `binary_capabilities`.	Source function, imported API family, and edge confidence.	`r2_function_view` or `ghidra_decompiler_calls`.
High entropy at entry section	`entropy_profile`.	Section name, entropy, permissions, size.	`r2_metadata mode=entry_points`.
Embedded payload signature	`binwalk_scan`.	Offset, size, confidence.	`r2_get_bytes` or extraction outside MCP.
Resolver loop or hash constants	`ghidra_dynamic_dispatch_table`.	Table shape, inserts, lookups, unresolved hashes.	`export_hash_resolve`.
Computed jumps or staged handoff	`ghidra_path_digest`.	Flow blocks, computed jumps, stop address.	`ghidra_indirect_jump_slices`.
Input-facing parser or decoder names	`fuzzable_functions`.	Candidate score, evidence, and penalties.	`r2_function_view` before treating it as harness material.

Dispatcher recovery pass

{
  "tool": "ghidra_dynamic_dispatch_table",
  "arguments": {
    "binary_name": "payload.exe",
    "builder_start": "0x401000",
    "builder_end": "0x401380",
    "hash_function": "0x401900",
    "lookup_hashes": "0x727d636c 0x37294ff2"
  }
}