r2inspect 2.0.0__tar.gz

r2inspect-2.0.0/Dockerfile

@@ -0,0 +1,163 @@
+# Unified Dockerfile for r2inspect malware analysis tool
+# Supports both development and production builds via build args
+
+# Build arguments
+ARG BUILD_TYPE=production
+ARG BASE_IMAGE=python:3.11-slim
+ARG RADARE2_VERSION=master
+
+# Multi-stage build
+FROM ${BASE_IMAGE} AS base
+
+# Build argument available in all stages
+ARG BUILD_TYPE
+ARG RADARE2_VERSION
+
+# Install system dependencies based on build type
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    # Core dependencies (always needed)
+    gcc \
+    g++ \
+    make \
+    git \
+    wget \
+    curl \
+    pkg-config \
+    libssl-dev \
+    libmagic-dev \
+    file \
+    patch \
+    libfuzzy-dev \
+    python3-dev \
+    ssdeep \
+    # Development tools (only for dev builds)
+    $(if [ "$BUILD_TYPE" = "development" ]; then echo "\
+        vim \
+        nano \
+        less \
+        gdb \
+        strace \
+        ltrace \
+        procps \
+        net-tools \
+        iputils-ping \
+        tree \
+        htop"; fi) \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install radare2 using proper make install method
+RUN echo "Installing radare2 (${RADARE2_VERSION})..." && \
+    git clone --depth 1 --branch ${RADARE2_VERSION} https://github.com/radareorg/radare2.git /tmp/radare2 && \
+    cd /tmp/radare2 && \
+    # Configure and build radare2 properly
+    ./configure --prefix=/usr/local --with-rpath && \
+    make -j$(nproc) && \
+    make install && \
+    # Update library path
+    echo "/usr/local/lib" > /etc/ld.so.conf.d/radare2.conf && \
+    ldconfig && \
+    # Create additional symlinks for broader accessibility
+    ln -sf /usr/local/bin/r2 /usr/bin/r2 && \
+    ln -sf /usr/local/bin/radare2 /usr/bin/radare2 && \
+    ln -sf /usr/local/bin/r2 /bin/r2 && \
+    ln -sf /usr/local/bin/radare2 /bin/radare2 && \
+    # Clean up source
+    rm -rf /tmp/radare2 && \
+    # Verify installation works
+    echo "=== Radare2 Installation Verification ===" && \
+    r2 -version && \
+    which r2 && \
+    ls -la /usr/local/bin/r2*
+
+# Note: TLSH will be installed via Python package (python-tlsh)
+
+# Create virtual environment
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+
+# Install Python packages based on build type
+COPY requirements-docker.txt /tmp/
+RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
+    pip install --no-cache-dir -r /tmp/requirements-docker.txt && \
+    # Try to install optional packages (may fail, that's OK)
+    pip install --no-cache-dir python-tlsh>=4.5.0 || echo "python-tlsh installation failed, will use fallback" && \
+    pip install --no-cache-dir ssdeep>=3.4 || echo "ssdeep installation failed, will use system binary" && \
+    # Development packages (only for dev builds)
+    if [ "$BUILD_TYPE" = "development" ]; then \
+        pip install --no-cache-dir \
+            ipython \
+            ipdb \
+            pytest \
+            pytest-cov \
+            black \
+            ruff \
+            bandit \
+            mypy \
+            pre-commit \
+            jupyterlab; \
+    fi
+
+# Create non-root user for security
+RUN useradd -m -u 1000 -s /bin/bash analyst && \
+    mkdir -p /app /samples /output /config /workspace && \
+    chown -R analyst:analyst /app /samples /output /config /workspace
+
+# Set working directory
+WORKDIR /app
+
+# Copy application code
+COPY --chown=analyst:analyst . /app/
+
+# Install r2inspect package
+# Use editable install for development, regular install for production
+RUN if [ "$BUILD_TYPE" = "development" ]; then \
+        pip install -e .; \
+    else \
+        pip install .; \
+    fi
+
+# Switch to non-root user
+USER analyst
+
+# Create user directories
+RUN mkdir -p /home/analyst/{samples,output,config,workspace,.r2}
+
+# Set environment variables for radare2 and r2pipe
+ENV PYTHONUNBUFFERED=1
+ENV R2_NOPLUGINS=1
+ENV R2PIPE_SPAWN=1
+ENV PATH="/usr/local/bin:/usr/bin:/bin:$PATH"
+ENV LD_LIBRARY_PATH="/usr/local/lib:/usr/lib"
+ENV R2_HOME="/usr/local"
+ENV RADARE2_RCFILE=""
+
+# Development-specific environment
+RUN if [ "$BUILD_TYPE" = "development" ]; then \
+        echo 'export PYTHONDONTWRITEBYTECODE=1' >> /home/analyst/.bashrc && \
+        echo 'export PS1="[r2inspect-dev] \u@\h:\w$ "' >> /home/analyst/.bashrc && \
+        echo 'alias ll="ls -la"' >> /home/analyst/.bashrc && \
+        echo 'alias r2="r2 -A"' >> /home/analyst/.bashrc; \
+    fi && \
+    # Add radare2 environment to bashrc for all builds
+    echo 'export PATH="/usr/local/bin:/usr/bin:/bin:$PATH"' >> /home/analyst/.bashrc && \
+    echo 'export LD_LIBRARY_PATH="/usr/local/lib:/usr/lib:$LD_LIBRARY_PATH"' >> /home/analyst/.bashrc && \
+    echo 'export R2_HOME="/usr/local"' >> /home/analyst/.bashrc && \
+    echo 'export RADARE2_RCFILE=""' >> /home/analyst/.bashrc
+
+# Expose port for development web interface (if needed in future)
+EXPOSE 5000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD r2 -v && python -c "import r2pipe; print('OK')" || exit 1
+
+# Set entrypoint and command based on build type
+RUN if [ "$BUILD_TYPE" = "development" ]; then \
+        echo '#!/bin/bash\nexport PATH="/usr/local/bin:/usr/bin:/bin:$PATH"\nexport LD_LIBRARY_PATH="/usr/local/lib:/usr/lib:$LD_LIBRARY_PATH"\nexport R2_HOME="/usr/local"\nexport RADARE2_RCFILE=""\nif [ "$#" -eq 0 ]; then exec /bin/bash; else exec r2inspect "$@"; fi' > /home/analyst/entrypoint.sh; \
+    else \
+        echo '#!/bin/bash\nexport PATH="/usr/local/bin:/usr/bin:/bin:$PATH"\nexport LD_LIBRARY_PATH="/usr/local/lib:/usr/lib:$LD_LIBRARY_PATH"\nexport R2_HOME="/usr/local"\nexport RADARE2_RCFILE=""\nexec r2inspect "$@"' > /home/analyst/entrypoint.sh; \
+    fi && \
+    chmod +x /home/analyst/entrypoint.sh
+
+ENTRYPOINT ["/home/analyst/entrypoint.sh"]
+CMD ["--help"]

r2inspect-2.0.0/LICENSE

@@ -0,0 +1,30 @@
+GNU GENERAL PUBLIC LICENSE
+Version 3, 29 June 2007
+
+Copyright (C) 2024 Marc Rivero <mriverolopez@gmail.com>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+--------------------------------------------------------------------------------
+
+r2inspect - Advanced Malware Analysis Tool using radare2 and r2pipe
+
+Copyright (C) 2024 Marc Rivero (@seifreed)
+
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions; see LICENSE file for details.
+
+For the complete GPL-3.0 license text, visit:
+https://www.gnu.org/licenses/gpl-3.0.html

r2inspect-2.0.0/MANIFEST.in

@@ -0,0 +1,33 @@
+include README.md
+include LICENSE
+include requirements.txt
+include requirements-docker.txt
+include pyproject.toml
+
+# Include all YARA rules
+recursive-include r2inspect/rules *.yar *.yara
+
+# Include Docker files for reference
+include Dockerfile
+include docker-compose.yml
+include DOCKER.md
+include docker-run.sh
+include docker-run.bat
+include test-docker.sh
+
+# Include Makefile
+include Makefile
+
+# Exclude unnecessary files
+global-exclude *.pyc
+global-exclude *.pyo
+global-exclude *.swp
+global-exclude .DS_Store
+global-exclude __pycache__
+recursive-exclude tests *
+recursive-exclude venv *
+recursive-exclude .git *
+recursive-exclude .qlty *
+recursive-exclude samples *
+recursive-exclude output *
+recursive-exclude config *

r2inspect-2.0.0/Makefile

@@ -0,0 +1,172 @@
+# Makefile for r2inspect Docker operations
+.PHONY: help build run shell batch clean push pull test dev prod
+
+# Variables
+IMAGE_NAME := r2inspect
+IMAGE_TAG := latest
+FULL_IMAGE := $(IMAGE_NAME):$(IMAGE_TAG)
+CONTAINER_NAME := r2inspect-analysis
+REGISTRY := docker.io
+REGISTRY_USER := your-username
+
+# Directories
+SAMPLES_DIR := ./samples
+OUTPUT_DIR := ./output
+CONFIG_DIR := ./config
+
+# Colors for output
+RED := \033[0;31m
+GREEN := \033[0;32m
+YELLOW := \033[1;33m
+NC := \033[0m
+
+help: ## Show this help message
+	@echo "$(GREEN)r2inspect Docker Management$(NC)"
+	@echo ""
+	@echo "Available targets:"
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "  $(YELLOW)%-15s$(NC) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "Examples:"
+	@echo "  make build          # Build Docker image"
+	@echo "  make run FILE=malware.exe  # Analyze a file"
+	@echo "  make batch          # Batch analyze samples directory"
+	@echo "  make shell          # Start interactive shell"
+
+build: ## Build production Docker image
+	@echo "$(YELLOW)Building production Docker image $(FULL_IMAGE)...$(NC)"
+	@docker build --build-arg BUILD_TYPE=production -t $(FULL_IMAGE) .
+	@echo "$(GREEN)Production build complete!$(NC)"
+
+build-dev: ## Build development Docker image
+	@echo "$(YELLOW)Building development Docker image $(IMAGE_NAME):dev...$(NC)"
+	@docker build --build-arg BUILD_TYPE=development -t $(IMAGE_NAME):dev .
+	@echo "$(GREEN)Development build complete!$(NC)"
+
+build-nocache: ## Build Docker image without cache
+	@echo "$(YELLOW)Building Docker image $(FULL_IMAGE) without cache...$(NC)"
+	@docker build --no-cache --build-arg BUILD_TYPE=production -t $(FULL_IMAGE) .
+	@echo "$(GREEN)Build complete!$(NC)"
+
+build-dev-nocache: ## Build development Docker image without cache
+	@echo "$(YELLOW)Building development Docker image $(IMAGE_NAME):dev without cache...$(NC)"
+	@docker build --no-cache --build-arg BUILD_TYPE=development -t $(IMAGE_NAME):dev .
+	@echo "$(GREEN)Development build complete!$(NC)"
+
+run: ## Run r2inspect on a file (use FILE=path/to/file)
+	@if [ -z "$(FILE)" ]; then \
+		echo "$(RED)Error: Please specify FILE=path/to/file$(NC)"; \
+		exit 1; \
+	fi
+	@echo "$(YELLOW)Analyzing $(FILE)...$(NC)"
+	@docker run --rm \
+		-v "$(shell pwd)/$(FILE):/tmp/analysis/$(notdir $(FILE)):ro" \
+		-v "$(shell pwd)/$(OUTPUT_DIR)":/home/analyst/output:rw \
+		--cap-drop=ALL \
+		--cap-add=SYS_PTRACE \
+		--cap-add=DAC_READ_SEARCH \
+		--security-opt=no-new-privileges:true \
+		--memory=2g \
+		--cpus=2 \
+		$(FULL_IMAGE) /tmp/analysis/$(notdir $(FILE)) $(ARGS)
+
+shell: ## Start interactive shell in container
+	@echo "$(YELLOW)Starting interactive shell...$(NC)"
+	@mkdir -p $(SAMPLES_DIR) $(OUTPUT_DIR) $(CONFIG_DIR)
+	@docker run --rm -it \
+		--name $(CONTAINER_NAME) \
+		-v "$(shell pwd)/$(SAMPLES_DIR)":/home/analyst/samples:ro \
+		-v "$(shell pwd)/$(OUTPUT_DIR)":/home/analyst/output:rw \
+		-v "$(shell pwd)/$(CONFIG_DIR)":/home/analyst/config:ro \
+		--cap-drop=ALL \
+		--cap-add=SYS_PTRACE \
+		--cap-add=DAC_READ_SEARCH \
+		--security-opt=no-new-privileges:true \
+		--memory=2g \
+		--cpus=2 \
+		--entrypoint /bin/bash \
+		$(FULL_IMAGE)
+
+batch: ## Run batch analysis on samples directory
+	@echo "$(YELLOW)Running batch analysis on $(SAMPLES_DIR)...$(NC)"
+	@mkdir -p $(SAMPLES_DIR) $(OUTPUT_DIR) $(CONFIG_DIR)
+	@docker run --rm \
+		--name $(CONTAINER_NAME) \
+		-v "$(shell pwd)/$(SAMPLES_DIR)":/home/analyst/samples:ro \
+		-v "$(shell pwd)/$(OUTPUT_DIR)":/home/analyst/output:rw \
+		-v "$(shell pwd)/$(CONFIG_DIR)":/home/analyst/config:ro \
+		--cap-drop=ALL \
+		--cap-add=SYS_PTRACE \
+		--cap-add=DAC_READ_SEARCH \
+		--security-opt=no-new-privileges:true \
+		--memory=2g \
+		--cpus=2 \
+		$(FULL_IMAGE) --batch /home/analyst/samples -o /home/analyst/output/batch_results.csv $(ARGS)
+
+compose-up: ## Start services with docker-compose
+	@echo "$(YELLOW)Starting r2inspect services...$(NC)"
+	@docker-compose up -d
+	@echo "$(GREEN)Services started!$(NC)"
+
+compose-down: ## Stop services with docker-compose
+	@echo "$(YELLOW)Stopping r2inspect services...$(NC)"
+	@docker-compose down
+	@echo "$(GREEN)Services stopped!$(NC)"
+
+compose-logs: ## Show docker-compose logs
+	@docker-compose logs -f
+
+clean: ## Clean up Docker resources
+	@echo "$(YELLOW)Cleaning up Docker resources...$(NC)"
+	@docker stop $(CONTAINER_NAME) 2>/dev/null || true
+	@docker rm $(CONTAINER_NAME) 2>/dev/null || true
+	@docker rmi $(FULL_IMAGE) 2>/dev/null || true
+	@echo "$(GREEN)Cleanup complete!$(NC)"
+
+push: ## Push image to registry
+	@echo "$(YELLOW)Pushing image to $(REGISTRY)/$(REGISTRY_USER)/$(FULL_IMAGE)...$(NC)"
+	@docker tag $(FULL_IMAGE) $(REGISTRY)/$(REGISTRY_USER)/$(FULL_IMAGE)
+	@docker push $(REGISTRY)/$(REGISTRY_USER)/$(FULL_IMAGE)
+	@echo "$(GREEN)Push complete!$(NC)"
+
+pull: ## Pull image from registry
+	@echo "$(YELLOW)Pulling image from $(REGISTRY)/$(REGISTRY_USER)/$(FULL_IMAGE)...$(NC)"
+	@docker pull $(REGISTRY)/$(REGISTRY_USER)/$(FULL_IMAGE)
+	@docker tag $(REGISTRY)/$(REGISTRY_USER)/$(FULL_IMAGE) $(FULL_IMAGE)
+	@echo "$(GREEN)Pull complete!$(NC)"
+
+test: ## Test Docker image
+	@echo "$(YELLOW)Testing Docker image...$(NC)"
+	@docker run --rm $(FULL_IMAGE) --version
+	@docker run --rm $(FULL_IMAGE) --help
+	@echo "$(GREEN)Tests passed!$(NC)"
+
+shell-dev: ## Start interactive shell in development container
+	@echo "$(YELLOW)Starting development shell...$(NC)"
+	@mkdir -p $(SAMPLES_DIR) $(OUTPUT_DIR) $(CONFIG_DIR)
+	@docker run --rm -it \
+		--name $(CONTAINER_NAME)-dev \
+		-v "$(shell pwd)/$(SAMPLES_DIR)":/home/analyst/samples:ro \
+		-v "$(shell pwd)/$(OUTPUT_DIR)":/home/analyst/output:rw \
+		-v "$(shell pwd)/$(CONFIG_DIR)":/home/analyst/config:ro \
+		-v "$(shell pwd)/r2inspect":/app/r2inspect:rw \
+		--cap-drop=ALL \
+		--cap-add=SYS_PTRACE \
+		--cap-add=DAC_READ_SEARCH \
+		--security-opt=no-new-privileges:true \
+		--memory=4g \
+		--cpus=4 \
+		$(IMAGE_NAME):dev
+
+stats: ## Show container stats
+	@docker stats --no-stream $(CONTAINER_NAME)
+
+inspect: ## Inspect the Docker image
+	@docker inspect $(FULL_IMAGE)
+
+size: ## Show image size
+	@echo "$(YELLOW)Image size:$(NC)"
+	@docker images $(FULL_IMAGE) --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}"
+
+dirs: ## Create required directories
+	@mkdir -p $(SAMPLES_DIR) $(OUTPUT_DIR) $(CONFIG_DIR)
+	@echo "$(GREEN)Directories created: $(SAMPLES_DIR), $(OUTPUT_DIR), $(CONFIG_DIR)$(NC)"

r2inspect-2.0.0/PKG-INFO

@@ -0,0 +1,272 @@
+Metadata-Version: 2.4
+Name: r2inspect
+Version: 2.0.0
+Summary: Advanced malware analysis tool using radare2 and r2pipe
+Home-page: https://github.com/seifreed/r2inspect
+Author: Marc Rivero
+Author-email: Marc Rivero <mriverolopez@gmail.com>
+Maintainer-email: Marc Rivero <mriverolopez@gmail.com>
+License: GPL-3.0
+Project-URL: Homepage, https://github.com/seifreed/r2inspect
+Project-URL: Documentation, https://github.com/seifreed/r2inspect/blob/main/README.md
+Project-URL: Repository, https://github.com/seifreed/r2inspect
+Project-URL: Issues, https://github.com/seifreed/r2inspect/issues
+Project-URL: Changelog, https://github.com/seifreed/r2inspect/releases
+Keywords: malware,analysis,radare2,r2pipe,reverse-engineering,security,forensics
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: Science/Research
+Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Topic :: System :: Systems Administration
+Classifier: Topic :: Utilities
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: r2pipe>=1.8.0
+Requires-Dist: click>=8.0.0
+Requires-Dist: rich>=13.0.0
+Requires-Dist: colorlog>=6.8.0
+Requires-Dist: pefile>=2023.2.7
+Requires-Dist: yara-python>=4.5.0
+Requires-Dist: python-magic>=0.4.27
+Requires-Dist: pycryptodome>=3.19.0
+Requires-Dist: cryptography>=41.0.0
+Requires-Dist: psutil>=5.9.0
+Requires-Dist: pydantic>=2.5.0
+Requires-Dist: pybloom-live>=4.0.0
+Requires-Dist: simhash>=2.1.0
+Requires-Dist: colorama>=0.4.6
+Requires-Dist: tabulate>=0.9.0
+Requires-Dist: pyfiglet>=0.8.post1
+Requires-Dist: pandas>=1.3.0; python_version < "3.9"
+Requires-Dist: pandas>=1.5.0; python_version >= "3.9" and python_version < "3.11"
+Requires-Dist: pandas>=2.0.0; python_version >= "3.11"
+Requires-Dist: requests>=2.31.0
+Provides-Extra: dev
+Requires-Dist: black>=23.0.0; extra == "dev"
+Requires-Dist: ruff>=0.1.0; extra == "dev"
+Requires-Dist: mypy>=1.0.0; extra == "dev"
+Requires-Dist: pytest>=7.0.0; extra == "dev"
+Requires-Dist: pytest-cov>=4.0.0; extra == "dev"
+Requires-Dist: pre-commit>=3.0.0; extra == "dev"
+Requires-Dist: bandit>=1.7.0; extra == "dev"
+Requires-Dist: mutmut>=2.4.0; extra == "dev"
+Provides-Extra: docker
+Requires-Dist: pycparser>=2.21; extra == "docker"
+Requires-Dist: pyimpfuzzy>=0.1.1; extra == "docker"
+Requires-Dist: python-tlsh>=4.5.0; extra == "docker"
+Requires-Dist: ssdeep>=3.4; extra == "docker"
+Dynamic: author
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-python
+
+<p align="center">
+  <img src="https://img.shields.io/badge/r2inspect-Malware%20Analysis-blue?style=for-the-badge" alt="r2inspect">
+</p>
+
+<h1 align="center">r2inspect</h1>
+
+<p align="center">
+  <strong>Advanced malware analysis tool powered by radare2 and r2pipe</strong>
+</p>
+
+<p align="center">
+  <a href="https://pypi.org/project/r2inspect/"><img src="https://img.shields.io/pypi/v/r2inspect?style=flat-square&logo=pypi&logoColor=white" alt="PyPI Version"></a>
+  <a href="https://pypi.org/project/r2inspect/"><img src="https://img.shields.io/pypi/pyversions/r2inspect?style=flat-square&logo=python&logoColor=white" alt="Python Versions"></a>
+  <a href="https://github.com/seifreed/r2inspect/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-GPL--3.0-green?style=flat-square" alt="License"></a>
+  <a href="https://github.com/seifreed/r2inspect/actions"><img src="https://img.shields.io/github/actions/workflow/status/seifreed/r2inspect/test.yml?style=flat-square&logo=github&label=CI" alt="CI Status"></a>
+  <a href="https://codecov.io/gh/seifreed/r2inspect"><img src="https://img.shields.io/codecov/c/github/seifreed/r2inspect?style=flat-square" alt="Coverage"></a>
+</p>
+
+<p align="center">
+  <a href="https://github.com/seifreed/r2inspect/stargazers"><img src="https://img.shields.io/github/stars/seifreed/r2inspect?style=flat-square" alt="GitHub Stars"></a>
+  <a href="https://github.com/seifreed/r2inspect/issues"><img src="https://img.shields.io/github/issues/seifreed/r2inspect?style=flat-square" alt="GitHub Issues"></a>
+  <a href="https://buymeacoffee.com/seifreed"><img src="https://img.shields.io/badge/Buy%20Me%20a%20Coffee-support-yellow?style=flat-square&logo=buy-me-a-coffee&logoColor=white" alt="Buy Me a Coffee"></a>
+</p>
+
+---
+
+## Overview
+
+**r2inspect** is a professional malware analysis framework that automates deep static inspection for PE, ELF, and Mach-O binaries using the radare2 ecosystem. It combines format parsing, detection heuristics, and rich reporting to support reverse engineers, incident responders, and threat analysts.
+
+### Key Features
+
+| Feature | Description |
+|---------|-------------|
+| **Multi-format Support** | PE, ELF, Mach-O format detection and analysis |
+| **String Analysis** | ASCII/Unicode extraction with filtering and decoding |
+| **Packer Detection** | Evidence-based scoring with entropy and signature checks |
+| **Crypto Detection** | API and constant analysis with confidence scoring |
+| **Anti-Analysis** | Anti-debug/VM/sandbox indicators with evidence |
+| **Hashing Suite** | MD5/SHA, SSDeep, TLSH, MACHOC, RichPE, Telfhash, SimHash |
+| **Metadata Analysis** | Sections, imports, exports, resources, overlays |
+| **YARA Integration** | Built-in and custom rule scanning |
+| **Rich Output** | Console tables, JSON, and CSV exports |
+
+### Supported Formats
+
+```
+Windows  PE32 / PE32+ / DLL
+Linux    ELF32 / ELF64
+macOS    Mach-O / Universal
+```
+
+---
+
+## Installation
+
+### From PyPI (Recommended)
+
+```bash
+pip install r2inspect
+```
+
+### From Source
+
+```bash
+git clone https://github.com/seifreed/r2inspect.git
+cd r2inspect
+python -m venv venv
+source venv/bin/activate  # Windows: venv\Scripts\activate
+pip install -e .
+```
+
+### Requirements
+
+- Python 3.8+
+- radare2 installed and in PATH
+- libmagic (for file type detection)
+
+---
+
+## Quick Start
+
+```bash
+# Basic analysis with rich console output
+r2inspect samples/fixtures/hello_pe.exe
+
+# JSON output
+r2inspect -j samples/fixtures/hello_pe.exe
+
+# CSV output
+r2inspect -c samples/fixtures/hello_pe.exe
+```
+
+---
+
+## Usage
+
+### Command Line Interface
+
+```bash
+# Full analysis
+r2inspect malware.exe
+
+# Save output to file
+r2inspect -j malware.exe -o analysis.json
+
+# Analyze a directory (batch mode)
+r2inspect --batch ./samples -j -o ./out
+
+# Custom YARA rules
+r2inspect --yara /path/to/rules malware.exe
+```
+
+### Available Options
+
+| Option | Description |
+|--------|-------------|
+| `-i, --interactive` | Interactive analysis shell |
+| `-j, --json` | Output in JSON format |
+| `-c, --csv` | Output in CSV format |
+| `-o, --output` | Output file or directory |
+| `--batch` | Batch mode for directories |
+| `--extensions` | Filter batch by extensions |
+| `--yara` | Custom YARA rules directory |
+| `-x, --xor` | XOR search string |
+| `-v, --verbose` | Verbose output |
+| `--quiet` | Suppress non-critical output |
+| `--threads` | Parallel threads for batch mode |
+
+---
+
+## Python Library
+
+```python
+from r2inspect import R2Inspector
+from r2inspect.config import Config
+
+config = Config()
+with R2Inspector("malware.exe", config=config) as inspector:
+    results = inspector.analyze()
+    pe_info = inspector.get_pe_info()
+    imports = inspector.get_imports()
+```
+
+---
+
+## Examples
+
+### Analyze Multiple Samples
+
+```bash
+r2inspect --batch ./samples --extensions "exe,dll" -j -o ./out
+```
+
+### Interactive Mode
+
+```
+r2inspect> analyze
+r2inspect> strings
+r2inspect> imports
+r2inspect> quit
+```
+
+---
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -m 'Add amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+---
+
+## Support the Project
+
+If you find r2inspect useful, consider supporting its development:
+
+<a href="https://buymeacoffee.com/seifreed" target="_blank">
+  <img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" height="50">
+</a>
+
+---
+
+## License
+
+GNU General Public License v3.0
+
+**Attribution Required:**
+- Author: **Marc Rivero** | [@seifreed](https://github.com/seifreed)
+- Repository: [github.com/seifreed/r2inspect](https://github.com/seifreed/r2inspect)
+
+---
+
+<p align="center">
+  <sub>Made with dedication for the reverse engineering and threat intelligence community</sub>
+</p>