1
0
Fork
You've already forked cleave
0
forked from atomdrift/cleave
Atomic-level static analysis across binaries and source.
  • Rust 94.2%
  • Shell 2.3%
  • YARA 1.4%
  • Python 1%
  • Go 0.8%
  • Other 0.3%
2026年06月17日 22:19:48 -04:00
.cargo unpin filefacts, stng 2026年06月12日 12:44:47 -04:00
.config more performance tuning 2026年02月23日 21:52:24 -05:00
.githooks bug/testing fixit 2026年03月03日 14:48:45 -05:00
.tuna Comlete filefacts extraction 2026年05月23日 20:32:41 -04:00
benches rust 2024 cleanup, deps update 2026年05月26日 11:14:33 -04:00
cleave-macros metrics overhaul, especially PE 2026年05月06日 14:21:05 -04:00
crates v7 JSON output: more readability, less terse 2026年06月09日 18:24:40 -04:00
docs v7 JSON output: more readability, less terse 2026年06月09日 18:24:40 -04:00
hacks mkdir -p 2026年03月01日 20:44:15 -05:00
media add new screenshots 2026年05月08日 21:21:28 -04:00
packaging/wolfi use thin lto profile by default for faster linking 2026年05月25日 16:16:30 -04:00
scripts validate: recursive suppression limits 2026年06月17日 18:29:43 -04:00
src validate: recursive suppression limits 2026年06月17日 22:19:48 -04:00
testdata add testdata for encrypted 7z 2026年03月05日 20:35:50 -05:00
tests broken tests, broken lint 2026年06月17日 15:09:06 -04:00
tools validate: recursive suppression limits 2026年06月17日 18:29:43 -04:00
.gitignore add tools for manifest generation 2026年06月02日 15:46:41 -04:00
.woodpecker.yml bug/testing fixit 2026年03月03日 14:48:45 -05:00
Cargo.lock upgrade filefacts dep 2026年06月17日 15:10:32 -04:00
Cargo.toml update deps 2026年06月17日 15:10:05 -04:00
clippy.toml we're doing it live 2026年02月24日 16:29:56 -05:00
CONTRIBUTING.md Add cached-AST rule analysis 2026年05月25日 10:45:33 -04:00
FILE_FORMATS.md Add file format reference 2026年04月28日 09:05:52 -04:00
LICENSE Add license, delete dead code 2026年03月10日 19:12:54 -04:00
Makefile validate: recursive suppression limits 2026年06月17日 18:29:43 -04:00
README.md add docs 2026年05月14日 20:05:32 -04:00

cleave

cleave answers one question — what can this program do? It extracts capabilities from binaries, source, and archives, scoring each against 60,000+ behavior rules aligned to MBC and ATT&CK. Apache-2.0, no telemetry.

  • Interactive supply-chain & malware triage. Run on a release, a suspicious sample, or a directory of dropped files. cleave diff old/ new/ highlights new capabilities, tampered headers, and provenance anomalies between versions.
  • Feature extraction for ML/AI pipelines. Stable JSON schema, deterministic output, SHA256-keyed cache. litmus is the reference downstream classifier.

Screenshots

analyze (recent ELF malware sample, but cleave also supports source code)

cleave analyze — capabilities of a single sample

diff (the infamous xzutils case)

cleave diff — what changed between two releases

What cleave analyzes

  • Binaries: Mach-O, ELF, PE, MSI, CHM, PyInstaller, Java .class, Python .pyc, Python pickle, compiled AppleScript
  • Source (~22 langs, tree-sitter): Python, JS/TS, Go, Rust, C/C++, Java, Kotlin, C#, Swift, ObjC, Ruby, PHP, Perl, Lua, Shell, PowerShell, Groovy, Scala, Zig, Elixir, Batch, VBScript, Makefile
  • Archives (recursive): zip, tar (gz/bz2/xz/zst), 7z, rar, cab, jar/war, deb, rpm, pkg, apk, gem, crate, whl, nupkg, phar, vsix, xpi, crx, ipa, epub
  • Documents & data: PDF, RTF, LNK, Office (OLE2 + OOXML), OpenDocument, plist, HTML, XML, Markdown, PNG/JPEG, package manifests, GitHub Actions, systemd units, XDG .desktop

See FILE_FORMATS.md for more info.

Quick Start

make install # via cargo
brew install atomdrift/tap/cleave # macOS / Linux
cleave suspect.bin # single sample
cleave /tmp/box-o-malware # recursive, unpacks archives
cleave diff v1.2.0/ v1.3.0/ # release-to-release diff
cleave --format jsonl --min-crit suspicious # streaming JSON for pipelines

Optional: rizin for disassembly, upx for runtime unpacking.

Platforms

Known to run awesomely on illumos, OpenBSD, FreeBSD, Linux, and macOS.

Design

  • Capabilities, not verdicts. Findings ranked baselinehostile, organized roughly based on [MalwareBehaviorCatalog](https://github.com/MBCProject/mbc-markdown
  • Layered unpacking. UPX, embedded binaries, base64/hex/AES/XOR via stng.
  • Deep header inspection. PE manifests/signing, Mach-O codesign/entitlements, DWARF, Go build info, embedded plists.
  • Automated RE. rizin-driven disassembly and xrefs on ELF/Mach-O/PE.
  • Deterministic. JSONL streaming, SHA256-keyed cache, AST via tree-sitter, YAML & YARA-X for signatures.

Docs

Rules

  • malcontent (predecessor, ×ばつ less coverage)
  • capa (original inspiration, slow, limited filetypes, but thorough)