π BinSleuth
A fast, zero-dependency CLI tool for static binary security analysis. Inspect ELF & PE binaries for hardening flags and detect packed/encrypted sections β in milliseconds.
Language / θ¨θͺ / θ―θ¨: English Β· ζ₯ζ¬θͺ Β· δΈζ
What is BinSleuth?
BinSleuth is a security-focused static binary analyzer written in Rust. It acts as a quick health-check for compiled executables β answering:
- "Does this binary have modern security protections enabled?"
- "Could this section be packed or encrypted malware?"
- "Does this binary import dangerous OS-level functions?"
It is designed for security engineers, malware researchers, and developers who need instant answers without launching a full reverse-engineering suite.
Features
1. Security Hardening Checks
| Flag | Description | ELF | PE |
|---|---|---|---|
| NX | Non-executable stack/data β prevents code injection | PT_GNU_STACK |
NX_COMPAT |
| PIE | Position-Independent Executable β enables ASLR | ET_DYN |
DYNAMIC_BASE |
| RELRO | Read-Only Relocations β prevents GOT overwrite | PT_GNU_RELRO + BIND_NOW |
N/A |
| Stack Canary | Buffer-overflow tripwire symbol present | __stack_chk_fail |
__security_cookie |
| FORTIFY_SOURCE | Fortified libc wrappers (__*_chk) β compile-time bounds checks on unsafe string/memory calls |
__memcpy_chk, β¦ |
__memcpy_chk, β¦ |
| No RPATH/RUNPATH | Absence of embedded library search paths β prevents library-injection via writable/relative RPATH | DT_RPATH / DT_RUNPATH |
N/A |
| Stripped | Debug symbols / DWARF info absent β limits reverse-engineering | .debug_* sections |
Debug directory |
Each check reports one of: Enabled / Partial / Disabled / N/A
2. Section Entropy Analysis
BinSleuth computes the Shannon entropy of every section:
H = -Ξ£ P(x) Β· logβ(P(x)) range: [0.0 β 8.0]
| Entropy Range | Interpretation |
|---|---|
| 0.0 β 4.0 | Normal code / data |
| 4.0 β 7.0 | Compressed resources (normal) |
| > 7.0 | β Packed / Encrypted β investigate |
3. Dangerous Symbol Detection
BinSleuth flags symbols that commonly appear in malicious or insecure binaries:
| Category | Examples |
|---|---|
| Code execution | system, execve, popen, WinExec, CreateProcess |
| Network | connect, socket, gethostbyname, WinHttpOpen |
| Memory manipulation | mprotect, mmap, VirtualAlloc, VirtualProtect |
Installation
From crates.io (recommended)
From source
# Binary output: ./target/release/binsleuth
Requirements
- Rust 1.85 or later
- No system libraries required β pure Rust
Usage
binsleuth [OPTIONS] <FILE>
Arguments:
<FILE> Path to the ELF or PE binary to analyze
Options:
-v, --verbose Show all sections, even those with normal entropy
--json Output results as JSON instead of the colored terminal report
--strict Exit with code 2 if any hardening protection is missing or
dangerous symbols are found (useful in CI pipelines)
-h, --help Print help
-V, --version Print version
Basic analysis
Show all sections (including low-entropy ones)
JSON output (for scripting / CI integration)
|
CI pipeline β fail if hardening issues are found
&& ||
# Exit 0 = all good, Exit 2 = hardening issues found, Exit 1 = parse error
Example output β hardened binary
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β BinSleuth β Binary Analyzer β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
File: /usr/bin/ls
Format: ELF
Arch: X86_64
ββ Security Hardening ββββββββββββββββββββββββββββββββββ
[ ENABLED ] NX (Non-Executable Stack)
[ ENABLED ] PIE (ASLR-compatible)
[ ENABLED ] RELRO (Read-Only Relocations)
[ ENABLED ] Stack Canary
[ ENABLED ] FORTIFY_SOURCE
[ ENABLED ] No RPATH/RUNPATH
[ ENABLED ] Debug Symbols Stripped
ββ Section Entropy βββββββββββββββββββββββββββββββββββββ
Section Size (B) Entropy Status
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
All sections within normal entropy range.
(run with --verbose to show all sections)
ββ Dangerous Symbol Usage ββββββββββββββββββββββββββββββ
No dangerous symbols detected.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Analysis complete.
Example output β suspicious / packed binary
ββ Section Entropy βββββββββββββββββββββββββββββββββββββ
Section Size (B) Entropy Status
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
UPX0 491520 7.9981 β Packed/Encrypted suspected
UPX1 32768 7.9912 β Packed/Encrypted suspected
2 section(s) with entropy > 7.0 detected!
ββ Dangerous Symbol Usage ββββββββββββββββββββββββββββββ
3 dangerous symbol(s) found:
βΆ execve
βΆ mprotect
βΆ socket
Library Usage
binsleuth can be used as a Rust library crate in addition to the CLI.
Add to your Cargo.toml:
[]
= "0.3"
Then use the public API:
use HardeningInfo;
use SectionEntropy;
let data = read?;
let hardening = analyze?;
println!;
let entropies = analyze?;
for sec in &entropies
See the API documentation on docs.rs and examples/basic.rs for a complete runnable example.
Project Structure
BinSleuth/
βββ Cargo.toml
βββ README.md β English (default)
βββ README.ja.md β Japanese
βββ README.zh.md β Chinese (Simplified)
βββ CHANGELOG.md
βββ LICENSE
βββ examples/
β βββ basic.rs # Library usage example
βββ src/
βββ lib.rs # Library crate root (public API)
βββ main.rs # CLI entry point (clap)
βββ analyzer/
β βββ mod.rs
β βββ entropy.rs # Shannon entropy + SectionEntropy
β βββ hardening.rs # NX / PIE / RELRO / Canary / symbols
βββ report/
βββ mod.rs
βββ terminal.rs # Colored terminal renderer
βββ json.rs # JSON output serializer
Key types
| Type | Location | Role |
|---|---|---|
HardeningInfo |
analyzer/hardening.rs |
Aggregated hardening check results |
CheckResult |
analyzer/hardening.rs |
Enabled / Partial(msg) / Disabled / N/A |
SectionEntropy |
analyzer/entropy.rs |
Section name + entropy value + byte size |
TerminalReporter |
report/terminal.rs |
Colored terminal output renderer |
Supported Formats
| Format | Architectures | NX | PIE | RELRO | Canary | FORTIFY | RPATH |
|---|---|---|---|---|---|---|---|
| ELF 32-bit | x86, ARM, MIPS, β¦ | β | β | β | β | β | β |
| ELF 64-bit | x86-64, AArch64, β¦ | β | β | β | β | β | β |
| PE 32-bit (PE32) | x86 | β | β | N/A | β | β | N/A |
| PE 64-bit (PE32+) | x86-64 | β | β | N/A | β | β | N/A |
Exit Codes
| Code | Meaning |
|---|---|
0 |
Analysis completed successfully |
1 |
File not found, parse error, or unsupported format |
2 |
--strict mode: analysis succeeded but hardening issues were found |
Testing
# All tests (unit + integration)
# Unit tests only
# Integration tests only (requires compiled binary)
# Lint
# Format check
The test suite includes 24 unit tests, 20 integration tests, and 1 doc test:
| Module | Tests | Coverage |
|---|---|---|
analyzer::entropy |
9 | Shannon formula, edge cases, monotonicity |
analyzer::hardening |
15 | PE header parsing, RELRO states, FORTIFY_SOURCE, RPATH, ELF self-analysis |
tests::cli |
20 | CLI flags, JSON output, strict mode, stripped detection, error handling |
lib.rs (doc test) |
1 | Library API smoke test |
Contributing
Contributions are welcome!
- Fork the repository
- Create a feature branch:
git checkout -b feat/your-feature - Write tests where applicable
- Run
cargo test && cargo clippy -- -D warningsbefore submitting - Open a Pull Request
Please see CONTRIBUTING.md for details (coming soon).
Roadmap
- JSON output mode (
--json) - DWARF / PDB debug-info / stripped detection
- Strict mode for CI pipelines (
--strict, exit code 2) - FORTIFY_SOURCE detection (
__*_chksymbol scan) - RPATH/RUNPATH detection (library-injection risk)
- SARIF output format
- macOS Mach-O support
- Import table diff between two binaries (
binsleuth diff a.out b.out) - Yara-rule-style byte-pattern matching
License
This project is licensed under the MIT License β see LICENSE for details.
Acknowledgements
- object β cross-platform binary parsing
- clap β CLI argument parsing
- anyhow β ergonomic error handling
- colored β terminal color output