Static parsing
`static_view` reads PE, ELF, and Mach-O metadata through `goblin`. Use it for fast format facts when you do not need a backend session.

- Supported modes include format info, sections, imports, exports, relocations, libraries, and entry points.
- Universal/fat Mach-O files are projected through a selected architecture slice, so `static_view` can inspect real sections, imports, libraries, and entry points without preprocessing.

`export_hash_resolve` resolves API or export hashes against local PE/DLL export corpora and optional candidate names.
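The matching step behind `export_hash_resolve`, written out as an added example rather than the project's own code. It implements standard 32-bit FNV-1a (the `fnv1a32` algorithm named on this page), hashes every corpus export under the requested name variants and encodings, and maps each target hash back to the exports that produce it. The exact meaning of `as_is`/`nt_to_zw`/`zw_to_nt`, the `utf16le` encoding name, and the `parse_hashes` input forms are assumptions; `CORPUS` is a constructed handful of real export names, not a full export table.

```python
FNV1A32_OFFSET = 0x811C9DC5
FNV1A32_PRIME = 0x01000193


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: xor each byte in, then multiply by the prime."""
    h = FNV1A32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV1A32_PRIME) & 0xFFFFFFFF
    return h


def name_variants(name: str, variants):
    """Yield (variant, candidate_name). The variant names mirror the page's
    as_is / nt_to_zw / zw_to_nt options; their exact semantics are assumed here."""
    for v in variants:
        if v == "as_is":
            yield v, name
        elif v == "nt_to_zw" and name.startswith("Nt"):
            yield v, "Zw" + name[2:]
        elif v == "zw_to_nt" and name.startswith("Zw"):
            yield v, "Nt" + name[2:]


def encode_name(name: str, encoding: str) -> bytes:
    """Shellcode may hash the narrow or the wide form of a name (encoding names assumed)."""
    if encoding == "ascii":
        return name.encode("ascii")
    if encoding == "utf16le":
        return name.encode("utf-16-le")
    raise ValueError(f"unsupported encoding: {encoding}")


def parse_hashes(spec) -> list:
    """Accept '0x727d636c 0x37294ff2', a comma-separated string, or an int list."""
    if isinstance(spec, str):
        spec = spec.replace(",", " ").split()
    return [int(s, 0) if isinstance(s, str) else int(s) for s in spec]


def resolve_hashes(target_hashes, corpus, variants=("as_is",),
                   encodings=("ascii",), algorithm="fnv1a32"):
    """Map each target hash to the corpus exports that hash to it.

    corpus: {module_name: [export_name, ...]}. Returns {hex(hash): [matches]};
    an empty list means nothing in the corpus produced that hash."""
    if algorithm != "fnv1a32":
        raise ValueError("this example implements fnv1a32 only")
    table = {}
    for module, names in corpus.items():
        for export in names:
            for variant, hashed_name in name_variants(export, variants):
                for enc in encodings:
                    h = fnv1a32(encode_name(hashed_name, enc))
                    table.setdefault(h, []).append({
                        "module": module, "export": export,
                        "hashed_name": hashed_name, "variant": variant,
                        "encoding": enc,
                    })
    return {hex(t): table.get(t, []) for t in parse_hashes(target_hashes)}


# Constructed corpus: a few real export names, not a complete export table.
CORPUS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
    "ntdll.dll": ["NtClose", "NtOpenProcess", "ZwQueryInformationProcess"],
}

if __name__ == "__main__":
    # Hash known names, then show the resolver recovering them, including ZwClose
    # via the Nt->Zw alias even though the corpus only lists NtClose.
    wanted = [fnv1a32(b"LoadLibraryA"), fnv1a32(b"ZwClose"), 0xDEADBEEF]
    for h, matches in resolve_hashes(wanted, CORPUS, variants=("as_is", "nt_to_zw")).items():
        print(h, [(m["module"], m["hashed_name"], m["variant"]) for m in matches] or "no match")
```

Two points the tool's output would carry and this sketch makes visible: a 32-bit hash over a large corpus can collide, so a match is a candidate to confirm in the disassembly, not proof of the API; and an unresolved hash usually means the wrong corpus (different DLL or Windows build) or the wrong variant/encoding, not that the hash is garbage.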
| Mode | Returns | Use when | Next step |
|---|---|---|---|
| `info` | Format, arch, bits, entry, and flags. | You need the file shape fast. | `sections` or `imports`. |
| `sections` | Section layout and metadata. | Checking packing, permissions, or weird layout. | `entropy_profile`. |
| `imports` | Static imports. | Looking for obvious behavior APIs. | `r2_imports_grouped` or Ghidra calls. |
| `exports` | Exported symbols. | DLL triage or plugin behavior. | `dll_export_profile`. |
| `relocations` | Relocation entries. | Loader behavior or raw blob checks. | Ghidra import with loader hints. |
| `libraries` | Linked libraries. | Quick dependency read. | `imports`. |
| `entry_points` | Entry addresses. | Finding where execution starts. | `r2_function_view`. |
| `all` | Every static view in one object. | You need one cheap static snapshot. | Narrow to a specific mode after. |
```json
{
  "tool": "static_view",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "mode": "all"
  }
}
```

```json
{
  "tool": "export_hash_resolve",
  "arguments": {
    "binary_paths": ["/windows/System32/kernel32.dll"],
    "target_hashes": "0x727d636c 0x37294ff2",
    "algorithm": "fnv1a32",
    "name_variants": ["as_is", "nt_to_zw", "zw_to_nt"],
    "encodings": ["ascii"]
  }
}
```

Rust-native static analysis

These tools stay in the static path. Use them after `static_view` when you need call structure, hardening posture, behavior families, fuzzing-interest candidates, or component evidence before opening r2 or Ghidra.

- `binary_security_properties` reports loader and hardening posture for PE, ELF, and Mach-O.
- `static_callgraph` builds a bounded x86/x64 call graph from executable sections and static seeds.
- `binary_capabilities` ranks behavior families from imports, symbols, and static-callgraph external calls.
- `fuzzable_functions` suggests parser, decoder, unpacking, and input-handling functions. Treat results as triage hints, not vulnerability claims.
- `binary_component_profile` separates high-confidence components (embedded build info and imported libraries) from low-confidence runtime/package hints.
| Tool | Key params | Returns | Use when |
|---|---|---|---|
| `binary_security_properties` | `binary_path`, `max_evidence_per_property`. | Present, absent, or unknown hardening properties with bounded evidence. | Checking NX/DEP, PIE/ASLR, RELRO, CFG, SafeSEH, signatures, RPATH/RUNPATH, or executable stack. |
| `static_callgraph` | `binary_path`, `node_offset`, `max_nodes`, `edge_offset`, `max_edges`. | Paged nodes, edges, direct calls, tail calls, external fanout, top connected functions, and edge confidence. | Choosing a function before r2 or Ghidra. Import thunks and stubs are resolved when static evidence is available. |
| `binary_capabilities` | `binary_path`, evidence/function caps, internal callgraph caps. | Ranked network, file I/O, process, registry, crypto, compression, anti-debug, dynamic loading, and memory-protection families. | Pivoting from a behavior family to its source functions. |
| `fuzzable_functions` | `binary_path`, `max_candidates`, internal callgraph caps. | Ranked fuzzing-interest candidates with evidence, penalties, and suggested follow-up calls. | Finding parser, decoder, unpacking, or input-handling functions to inspect before harness work. |
| `binary_component_profile` | `binary_path`, component/library/hint caps. | Go build info, Rust `cargo-auditable` `.dep-v0`, imported libraries, and .NET runtime hints. | Collecting component evidence without external scanners. |
```json
{
  "tool": "binary_security_properties",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_evidence_per_property": 3
  }
}
```
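What `binary_security_properties` is looking at for some of those properties, as an added example that is not the tool's own code: the PE `DllCharacteristics` bits behind NX/DEP, ASLR, high-entropy VA and CFG, and the ELF `PT_GNU_STACK`/`PT_GNU_RELRO` program headers plus `ET_DYN` behind executable stack, RELRO and PIE. Mach-O, SafeSEH, signatures and RPATH/RUNPATH are left out. The `make_pe` and `make_elf64` helpers build constructed header-only inputs so the check runs without a sample on disk; the field names in the returned dicts are this example's, not the tool's.

```python
import struct

# PE IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification).
PE_HIGH_ENTROPY_VA = 0x0020
PE_DYNAMIC_BASE = 0x0040
PE_NX_COMPAT = 0x0100
PE_GUARD_CF = 0x4000
# ELF constants (elf.h).
ET_DYN = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def pe_properties(data: bytes) -> dict:
    """Decode DllCharacteristics from a PE32 or PE32+ optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "format": "PE32+" if magic == 0x20B else "PE32",
        "nx": bool(dllchar & PE_NX_COMPAT),
        "aslr": bool(dllchar & PE_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchar & PE_HIGH_ENTROPY_VA),
        "cfg": bool(dllchar & PE_GUARD_CF),
    }


def elf_properties(data: bytes) -> dict:
    """Read PIE, executable-stack and RELRO evidence from the ELF header and program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    exec_stack = "unknown"  # no PT_GNU_STACK: the kernel/arch default decides, so report unknown
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags sits at +4 in Elf64_Phdr but at +24 in Elf32_Phdr.
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # Caveats: ET_DYN also covers shared objects, and full RELRO additionally needs
    # BIND_NOW in the dynamic section; neither refinement is checked here.
    return {"format": "ELF64" if is64 else "ELF32", "pie": e_type == ET_DYN,
            "exec_stack": exec_stack, "relro": relro}


def security_properties(data: bytes) -> dict:
    """Dispatch on magic bytes; Mach-O is left out of this example."""
    if data[:2] == b"MZ":
        return pe_properties(data)
    if data[:4] == b"\x7fELF":
        return elf_properties(data)
    raise ValueError("unsupported format")


def make_pe(dllchar: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE: DOS header, signature, COFF header, optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


def make_elf64(e_type: int, stack_flags=None, relro: bool = False) -> bytes:
    """Constructed little-endian ELF64 carrying only GNU_STACK/GNU_RELRO program headers."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, EV_CURRENT
    hdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ident + hdr + b"".join(phdrs)


if __name__ == "__main__":
    print(security_properties(make_pe(PE_NX_COMPAT | PE_DYNAMIC_BASE | PE_HIGH_ENTROPY_VA)))
    print(security_properties(make_elf64(ET_DYN, stack_flags=6, relro=True)))
```

The "unknown" result for a missing `PT_GNU_STACK` is deliberate: absence of the header is not absence of the protection, which is the same present/absent/unknown split the tool's table promises, and it is why a tri-state beats a boolean for loader posture.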
```json
{
  "tool": "static_callgraph",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_nodes": 100,
    "max_edges": 200
  }
}
```

```json
{
  "tool": "binary_capabilities",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_evidence_per_capability": 12,
    "max_functions_per_capability": 12
  }
}
```
```json
{
  "tool": "fuzzable_functions",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_candidates": 20
  }
}
```

Native wrappers

These tools expose common local binaries with structured limits and output guardrails.
- `file_identify` wraps `file(1)` for file type and MIME output.
- `strings_extract` wraps `strings(1)` with limits and offsets.
- `objdump_view` exposes headers, disassembly, section dumps, and archive-member views.
- `objdump_search_disasm` searches objdump disassembly with surrounding context.
- `binary_diff` wraps `radiff2` for code, graph, and byte-oriented diffs.
- `binwalk_scan` uses the Rust `binwalk` crate for embedded signature scans.
| Tool | Key params | Returns | Use when |
|---|---|---|---|
| `strings_extract` | `min_length`, `encoding`, `offset_format`, `max_strings`. | Strings with offsets and a truncation flag. | Looking for IOCs or decoded names. |
| `objdump_view` | `mode` (one of `headers`, `disassemble`, `section_dump`, `archive_members`). | Raw objdump output. | You need compiler/linker-level output. |
| `objdump_search_disasm` | `query`, optional `function_filter`, `syntax`, `max_hits`. | Instruction hits with function context. | You know an operand fragment. |
| `binary_diff` | `binary_a`, `binary_b`, `mode` (one of `code`, `graph`, `bytes`). | Function, graph, or byte diff. | Comparing versions or patched samples. |
| `binwalk_scan` | `binary_path`. | Embedded signature offsets and confidence. | Packed or staged payload checks. |
```json
{
  "tool": "strings_extract",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "min_length": 6,
    "encoding": "all",
    "offset_format": "hex",
    "max_strings": 2000
  }
}
```

```json
{
  "tool": "objdump_search_disasm",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "query": "[esi + 0xc4]",
    "syntax": "intel",
    "max_hits": 100
  }
}
```
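The behaviour `strings_extract` wraps (ASCII and UTF-16LE runs of at least `min_length` characters, offsets in hex or decimal, a `max_strings` cap that sets a truncation flag) as an added example in plain Python, not the project's code and not `strings(1)` itself. The `encoding` values `ascii`/`utf16le`/`all`, the `dec` offset format, and the IOC pass over the results are assumptions; `SAMPLE` is constructed bytes, not a real sample.

```python
import re

PRINTABLE = rb"[\x20-\x7e]"
# URL and IPv4 literals only; a hostname pattern would flag every "name.exe" as well.
IOC_RE = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.IGNORECASE)


def extract_strings(data: bytes, min_length: int = 4, encoding: str = "all",
                    offset_format: str = "hex", max_strings: int = 1000):
    """Return (hits, truncated). Each hit has offset, encoding and value, sorted by offset."""
    patterns = []
    if encoding in ("ascii", "all"):
        patterns.append(("ascii", re.compile(PRINTABLE + rb"{%d,}" % min_length)))
    if encoding in ("utf16le", "all"):
        # Wide strings from Windows binaries: printable byte followed by NUL, repeated.
        patterns.append(("utf16le", re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_length)))
    if not patterns:
        raise ValueError(f"unsupported encoding: {encoding}")
    hits = []
    for name, pat in patterns:
        for m in pat.finditer(data):
            raw = m.group(0)
            text = raw.decode("ascii") if name == "ascii" else raw.decode("utf-16-le")
            hits.append((m.start(), name, text))
    hits.sort()
    truncated = len(hits) > max_strings  # caller learns the cap bit, as the tool's flag does
    fmt = hex if offset_format == "hex" else int
    out = [{"offset": fmt(off), "encoding": enc, "value": val} for off, enc, val in hits[:max_strings]]
    return out, truncated


def ioc_candidates(hits):
    """Pull URL and IPv4 substrings out of extracted strings, keeping their file offsets."""
    found = []
    for h in hits:
        for m in IOC_RE.finditer(h["value"]):
            found.append({"offset": h["offset"], "encoding": h["encoding"], "ioc": m.group(0)})
    return found


# Constructed sample: junk, a DOS magic, an ASCII URL, then a UTF-16LE API name.
SAMPLE = (b"\x00\x01MZ\x90\x00" + b"http://example.invalid/stage2" + b"\x00\x00\x00"
          + "CreateRemoteThread".encode("utf-16-le") + b"\x00\xff" + b"ab\x00")

if __name__ == "__main__":
    hits, truncated = extract_strings(SAMPLE, min_length=4)
    for h in hits:
        print(h["offset"], h["encoding"], h["value"])
    print("truncated:", truncated, "iocs:", [i["ioc"] for i in ioc_candidates(hits)])
```

Keeping the offset on every hit is what makes a string actionable: it is the address you hand to `objdump_search_disasm` or an r2 cross-reference to find the code that touches it, and it separates a URL in a packed stub from one in an unrelated overlay.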