forked from atomdrift/cleave
Atomic-level static analysis across binaries and source.
- Rust 94.2%
- Shell 2.3%
- YARA 1.4%
- Python 1%
- Go 0.8%
- Other 0.3%
cleave
cleave answers one question — what can this program do? It extracts capabilities from binaries, source, and archives, scoring each against 60,000+ behavior rules aligned to MBC and ATT&CK. Apache-2.0, no telemetry.
- Interactive supply-chain & malware triage. Run on a release, a suspicious sample, or a directory of dropped files.
cleave diff old/ new/highlights new capabilities, tampered headers, and provenance anomalies between versions. - Feature extraction for ML/AI pipelines. Stable JSON schema, deterministic output, SHA256-keyed cache. litmus is the reference downstream classifier.
Screenshots
analyze (recent ELF malware sample, but cleave also supports source code)
cleave analyze — capabilities of a single samplediff (the infamous xzutils case)
cleave diff — what changed between two releasesWhat cleave analyzes
- Binaries: Mach-O, ELF, PE, MSI, CHM, PyInstaller, Java
.class, Python.pyc, Python pickle, compiled AppleScript - Source (~22 langs, tree-sitter): Python, JS/TS, Go, Rust, C/C++, Java, Kotlin, C#, Swift, ObjC, Ruby, PHP, Perl, Lua, Shell, PowerShell, Groovy, Scala, Zig, Elixir, Batch, VBScript, Makefile
- Archives (recursive): zip, tar (gz/bz2/xz/zst), 7z, rar, cab, jar/war, deb, rpm, pkg, apk, gem, crate, whl, nupkg, phar, vsix, xpi, crx, ipa, epub
- Documents & data: PDF, RTF, LNK, Office (OLE2 + OOXML), OpenDocument, plist, HTML, XML, Markdown, PNG/JPEG, package manifests, GitHub Actions, systemd units, XDG
.desktop
See FILE_FORMATS.md for more info.
Quick Start
make install # via cargo
brew install atomdrift/tap/cleave # macOS / Linux
cleave suspect.bin # single sample
cleave /tmp/box-o-malware # recursive, unpacks archives
cleave diff v1.2.0/ v1.3.0/ # release-to-release diff
cleave --format jsonl --min-crit suspicious # streaming JSON for pipelines
Optional: rizin for disassembly, upx for runtime unpacking.
Platforms
Known to run awesomely on illumos, OpenBSD, FreeBSD, Linux, and macOS.
Design
- Capabilities, not verdicts. Findings ranked
baseline→hostile, organized roughly based on [MalwareBehaviorCatalog](https://github.com/MBCProject/mbc-markdown - Layered unpacking. UPX, embedded binaries, base64/hex/AES/XOR via stng.
- Deep header inspection. PE manifests/signing, Mach-O codesign/entitlements, DWARF, Go build info, embedded plists.
- Automated RE. rizin-driven disassembly and xrefs on ELF/Mach-O/PE.
- Deterministic. JSONL streaming, SHA256-keyed cache, AST via tree-sitter, YAML & YARA-X for signatures.
Docs
- docs/INTEGRATION.md — picking a path: CLI, library, or server
- docs/RUST_API.md — Rust library API
- docs/SERVER_API.md —
cleave serveHTTP endpoints - docs/JSON.md — JSON report schema
Rules
Related Projects
- malcontent (predecessor, ×ばつ less coverage)
- capa (original inspiration, slow, limited filetypes, but thorough)