rbat 0.2.0

A terminal-native binary analysis tool for security researchers and reverse engineers.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

//! # RBAT Core
//!
//! `rbat-core` is the core library backend for the Rust Binary Analysis Tool (RBAT).
//! It provides a platform-independent interfaces and high-performance heuristics for static
//! binary analysis of ELF, PE, and Mach-O files.
//!
//! ## Key Features
//! - **Multi-Format Parsing**: Transparently parses ELF, PE, and Mach-O formats utilizing the `goblin` crate.
//! - **Parallel Heuristic Evaluation**: Runs static analysis modules concurrently using `rayon` thread pools.
//! - **High-Performance Memory Scanning**: Uses compiled YARA rules for memory scans, cached section mappings, and zero disk I/O.
//! - **Static Disassembly & inons analysis**: Disassembly via `capstone` to detect NOP sleds, zero-entropy padding, and anti-analysis instructions without early exit evasions.
//! - **Scoring & Reporting**: Automated risk-score classification (Safe, Suspicious, Malicious) and automated CSV/JSON/PDF generation.
//!
//! ## Architectural Overview
//! The analysis pipeline consists of three main stages:
//! 1. **Parsing and Range Caching**: The binary buffer is read and parsed into a `goblin::Object`. Section boundaries are precomputed and cached in `SectionRange` elements for $O(1)$ virtual memory offset mapping.
//! 2. **Context and Plugin Dispatch**: An `AnalysisContext` borrows all read-only binary structures. A registry of `HeuristicPlugin` trait objects executes concurrently via a Rayon thread scope.
//! 3. **Aggregation and Assessment**: Results are aggregated into an `AnalysisResult` and evaluated by a scoring engine to produce a `RiskAssessment` containing findings and recommendations.
//!
//! ## Code Example
//!
//! The following example demonstrates how to perform a batch static analysis on a binary using the crate's entry points:
//!
//! ```rust,no_run
//! use std::path::Path;
//! use rbat::core::analyzer::analyze_batch;
//!
//! fn main() -> Result<(), Box<dyn std::error::Error>> {
//!     let binary_path = Path::new("path/to/my_binary");
//!     let buffer = std::fs::read(binary_path)?;
//!     
//!     // Perform batch analysis to retrieve findings and risk score
//!     let (result, assessment) = analyze_batch(&buffer)?;
//!     
//!     println!("Binary Architecture: {}", result.metadata.architecture);
//!     println!("Calculated Risk Score: {}", assessment.score);
//!     println!("Threat Severity: {}", assessment.severity);
//!     
//!     for finding in &assessment.findings {
//!         println!("[-] Indicator: {} - {}", finding.indicator, finding.description);
//!     }
//!     
//!     Ok(())
//! }
//! ```

pub mod core;
pub mod utils;