2
9
Fork
You've already forked cleave
2
Atomic-level static analysis across binaries and source.
  • Rust 94.3%
  • Shell 2.4%
  • YARA 1.3%
  • Python 0.9%
  • Go 0.8%
  • Other 0.3%
Thomas Stromberg 539838329d update deps
2026年07月12日 21:25:07 +02:00
.cargo unpin filefacts, stng 2026年06月12日 12:44:47 -04:00
.config more performance tuning 2026年02月23日 21:52:24 -05:00
.githooks bug/testing fixit 2026年03月03日 14:48:45 -05:00
.tuna Comlete filefacts extraction 2026年05月23日 20:32:41 -04:00
benches DMG support, better caching, rizin, strings 2026年06月19日 23:40:03 -04:00
cleave-macros metrics overhaul, especially PE 2026年05月06日 14:21:05 -04:00
crates add 'crit: exception' composites for clearer intent signalling 2026年06月26日 12:53:35 -04:00
docs v2.2.0 2026年07月06日 10:37:38 +02:00
hacks add automated trait publishing 2026年07月07日 13:19:29 -04:00
media add new screenshots 2026年05月08日 21:21:28 -04:00
packaging/wolfi use thin lto profile by default for faster linking 2026年05月25日 16:16:30 -04:00
scripts Fix patch sensitivity of precommit hook 2026年07月12日 20:46:24 +02:00
src improve self-clearing cache 2026年07月12日 20:53:39 +02:00
testdata fix YARA cold bucket deadlock 2026年06月23日 10:06:11 -04:00
tests improve self-clearing cache 2026年07月12日 20:53:39 +02:00
tools improve automated trait publishing 2026年07月07日 13:38:08 -04:00
.gitignore add tools for manifest generation 2026年06月02日 15:46:41 -04:00
.woodpecker.yml bug/testing fixit 2026年03月03日 14:48:45 -05:00
Cargo.lock update deps 2026年07月12日 21:25:07 +02:00
Cargo.toml update deps 2026年07月12日 21:25:07 +02:00
clippy.toml we're doing it live 2026年02月24日 16:29:56 -05:00
CONTRIBUTING.md Add cached-AST rule analysis 2026年05月25日 10:45:33 -04:00
FILE_FORMATS.md v2.2.0 2026年07月06日 10:37:38 +02:00
LICENSE Add license, delete dead code 2026年03月10日 19:12:54 -04:00
Makefile improve automated trait publishing 2026年07月07日 13:51:49 -04:00
README.md v2.2.0 2026年07月06日 10:37:38 +02:00

cleave

cleave answers one question — what can this program do? It extracts capabilities from binaries, source, and archives, scoring each against 80,000+ behavior rules aligned to MBC and ATT&CK. Apache-2.0, no telemetry.

  • Interactive supply-chain & malware triage. Run on a release, a suspicious sample, or a directory of dropped files. cleave diff old/ new/ highlights new capabilities, tampered headers, and provenance anomalies between versions.
  • Feature extraction for ML/AI pipelines. Stable JSON schema, deterministic output, SHA256-keyed cache. litmus is the reference downstream classifier.

Screenshots

analyze (recent ELF malware sample, but cleave also supports source code)

cleave analyze — capabilities of a single sample

diff (the infamous xzutils case)

cleave diff — what changed between two releases

What cleave analyzes

  • Binaries: Mach-O, ELF, PE, WebAssembly, MSI, CHM, PyInstaller, Java .class, Android DEX, Python .pyc, Python pickle, Erlang/Elixir BEAM, compiled AppleScript
  • Source (~24 langs, tree-sitter): Python, JS/TS, Go, Rust, C/C++, Java, Kotlin, C#, Swift, ObjC, Ruby, PHP, Perl, Lua, Shell, PowerShell, Groovy, Scala, Zig, Elixir, Clojure, Batch, VBScript, Makefile, Dockerfile
  • Archives (recursive): zip, tar (gz/bz2/xz/zst), 7z, rar, cab, jar/war, deb, rpm, pkg, apk, gem, crate, whl, nupkg, phar, vsix, xpi, crx, ipa, epub
  • Documents & data: PDF, RTF, LNK, Office (OLE2 + OOXML), OpenDocument, plist, HTML, XML, Markdown, PNG/JPEG, package manifests, GitHub Actions, systemd units, XDG .desktop

See FILE_FORMATS.md for more info.

Quick Start

make install # via cargo
brew install atomdrift/tap/cleave # macOS / Linux
cleave suspect.bin # single sample
cleave /tmp/box-o-malware # recursive, unpacks archives
cleave diff v1.2.0/ v1.3.0/ # release-to-release diff
cleave --format jsonl --min-crit suspicious # streaming JSON for pipelines

Optional: rizin for disassembly, upx for runtime unpacking.

Platforms

Known to run awesomely on illumos, OpenBSD, FreeBSD, Linux, and macOS.

Design

  • Capabilities, not verdicts. Findings ranked baselinehostile, organized roughly based on the Malware Behavior Catalog.
  • Layered unpacking. UPX, embedded binaries, base64/hex/AES/XOR via stng.
  • Deep header inspection. PE manifests/signing, Mach-O codesign/entitlements, DWARF, Go build info, embedded plists.
  • Automated RE. rizin-driven disassembly and xrefs on ELF/Mach-O/PE.
  • Deterministic. JSONL streaming, SHA256-keyed cache, AST via tree-sitter, YAML & YARA-X for signatures.

Docs

Rules

  • malcontent (predecessor, ×ばつ less coverage)
  • capa (original inspiration, slow, limited filetypes, but thorough)