binsleuth 0.1.0

ELF/PE binary security hardening checker and section-level entropy analyzer
binsleuth-0.1.0 is not a library.
Visit the last successful build: binsleuth-0.4.0

πŸ” BinSleuth

A fast, zero-dependency CLI tool for static binary security analysis. Inspect ELF & PE binaries for hardening flags and detect packed/encrypted sections β€” in milliseconds.

Crates.io docs.rs CI Release License: MIT MSRV Tests

Language / 言θͺž / 语言: English Β· ζ—₯本θͺž Β· δΈ­ζ–‡

What is BinSleuth?

BinSleuth is a security-focused static binary analyzer written in Rust. It acts as a quick health-check for compiled executables β€” answering:

  • "Does this binary have modern security protections enabled?"
  • "Could this section be packed or encrypted malware?"
  • "Does this binary import dangerous OS-level functions?"

It is designed for security engineers, malware researchers, and developers who need instant answers without launching a full reverse-engineering suite.

Features

1. Security Hardening Checks

Flag Description ELF PE
NX Non-executable stack/data β€” prevents code injection PT_GNU_STACK NX_COMPAT
PIE Position-Independent Executable β€” enables ASLR ET_DYN DYNAMIC_BASE
RELRO Read-Only Relocations β€” prevents GOT overwrite PT_GNU_RELRO + BIND_NOW N/A
Stack Canary Buffer-overflow tripwire symbol present __stack_chk_fail __security_cookie

Each check reports one of: Enabled / Partial / Disabled / N/A

2. Section Entropy Analysis

BinSleuth computes the Shannon entropy of every section:

H = -Ξ£ P(x) Β· logβ‚‚(P(x))       range: [0.0 – 8.0]
Entropy Range Interpretation
0.0 – 4.0 Normal code / data
4.0 – 7.0 Compressed resources (normal)
> 7.0 ⚠ Packed / Encrypted β€” investigate

3. Dangerous Symbol Detection

BinSleuth flags symbols that commonly appear in malicious or insecure binaries:

Category Examples
Code execution system, execve, popen, WinExec, CreateProcess
Network connect, socket, gethostbyname, WinHttpOpen
Memory manipulation mprotect, mmap, VirtualAlloc, VirtualProtect

Installation

From crates.io (recommended)

cargo install binsleuth

From source

git clone https://github.com/long-910/BinSleuth.git
cd BinSleuth
cargo build --release
# Binary output: ./target/release/binsleuth

Requirements

  • Rust 1.85 or later
  • No system libraries required β€” pure Rust

Usage

binsleuth [OPTIONS] <FILE>

Arguments:
  <FILE>  Path to the ELF or PE binary to analyze

Options:
  -v, --verbose  Show all sections, even those with normal entropy
  -h, --help     Print help
  -V, --version  Print version

Basic analysis

binsleuth /usr/bin/ls
binsleuth ./myapp.exe
binsleuth ./suspicious_binary

Show all sections (including low-entropy ones)

binsleuth --verbose /usr/bin/python3

Example output β€” hardened binary

╔══════════════════════════════════════════════════════╗
β•‘              BinSleuth β€” Binary Analyzer             β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

  File:    /usr/bin/ls
  Format:  ELF
  Arch:    X86_64

  ── Security Hardening ──────────────────────────────────

  [ ENABLED  ]  NX (Non-Executable Stack)
  [ ENABLED  ]  PIE (ASLR-compatible)
  [ ENABLED  ]  RELRO (Read-Only Relocations)
  [ ENABLED  ]  Stack Canary

  ── Section Entropy ─────────────────────────────────────

  Section                      Size (B)     Entropy  Status
  ──────────────────────────────────────────────────────────────────────
  All sections within normal entropy range.
  (run with --verbose to show all sections)

  ── Dangerous Symbol Usage ──────────────────────────────

  No dangerous symbols detected.

  ────────────────────────────────────────────────────────
  Analysis complete.

Example output β€” suspicious / packed binary

  ── Section Entropy ─────────────────────────────────────

  Section                      Size (B)     Entropy  Status
  ──────────────────────────────────────────────────────────────────────
  UPX0                           491520       7.9981  ⚠  Packed/Encrypted suspected
  UPX1                            32768       7.9912  ⚠  Packed/Encrypted suspected

  2 section(s) with entropy > 7.0 detected!

  ── Dangerous Symbol Usage ──────────────────────────────

  3 dangerous symbol(s) found:
    β–Ά  execve
    β–Ά  mprotect
    β–Ά  socket

Project Structure

BinSleuth/
β”œβ”€β”€ Cargo.toml
β”œβ”€β”€ README.md           ← English (default)
β”œβ”€β”€ README.ja.md        ← Japanese
β”œβ”€β”€ README.zh.md        ← Chinese (Simplified)
β”œβ”€β”€ LICENSE
└── src/
    β”œβ”€β”€ main.rs                  # CLI entry point (clap)
    β”œβ”€β”€ analyzer/
    β”‚   β”œβ”€β”€ mod.rs
    β”‚   β”œβ”€β”€ entropy.rs           # Shannon entropy + SectionEntropy
    β”‚   └── hardening.rs         # NX / PIE / RELRO / Canary / symbols
    └── report/
        β”œβ”€β”€ mod.rs
        └── terminal.rs          # Colored terminal renderer

Key types

Type Location Role
HardeningInfo analyzer/hardening.rs Aggregated hardening check results
CheckResult analyzer/hardening.rs Enabled / Partial(msg) / Disabled / N/A
SectionEntropy analyzer/entropy.rs Section name + entropy value + byte size
TerminalReporter report/terminal.rs Colored terminal output renderer

Supported Formats

Format Architectures NX PIE RELRO Canary
ELF 32-bit x86, ARM, MIPS, … βœ… βœ… βœ… βœ…
ELF 64-bit x86-64, AArch64, … βœ… βœ… βœ… βœ…
PE 32-bit (PE32) x86 βœ… βœ… N/A βœ…
PE 64-bit (PE32+) x86-64 βœ… βœ… N/A βœ…

Exit Codes

Code Meaning
0 Analysis completed successfully
1 File not found, parse error, or unsupported format

Testing

# All tests (unit + integration)
cargo test

# Unit tests only
cargo test --lib

# Integration tests only (requires compiled binary)
cargo test --test cli

# Lint
cargo clippy -- -D warnings

# Format check
cargo fmt --check

The test suite includes 22 unit tests and 10 integration tests:

Module Tests Coverage
analyzer::entropy 9 Shannon formula, edge cases, monotonicity
analyzer::hardening 13 PE header parsing, RELRO states, ELF self-analysis
tests::cli 10 CLI flags, error handling, self-analysis, verbose mode

Contributing

Contributions are welcome!

  1. Fork the repository
  2. Create a feature branch: git checkout -b feat/your-feature
  3. Write tests where applicable
  4. Run cargo test && cargo clippy -- -D warnings before submitting
  5. Open a Pull Request

Please see CONTRIBUTING.md for details (coming soon).

Roadmap

  • JSON / SARIF output mode (--output json)
  • macOS Mach-O support
  • Import table diff between two binaries (binsleuth diff a.out b.out)
  • DWARF / PDB debug-info presence detection
  • Yara-rule-style byte-pattern matching
  • GitHub Actions CI badge & automated crates.io release

License

This project is licensed under the MIT License β€” see LICENSE for details.

Acknowledgements

  • object β€” cross-platform binary parsing
  • clap β€” CLI argument parsing
  • anyhow β€” ergonomic error handling
  • colored β€” terminal color output