RECLI is a powerful, modular command-line toolkit designed for professional reverse engineering tasks. It provides a comprehensive set of tools for analyzing binaries, extracting information, and performing advanced static and dynamic analysis.
- Multi-format Support: Analyze PE, ELF, Mach-O binaries
- Comprehensive Analysis:
  - String extraction (ASCII, Unicode, obfuscated)
  - API call detection and analysis
  - Offset and reference scanning
  - Control flow graph generation
- Advanced Capabilities:
  - Ghidra integration for decompilation
  - YARA rule scanning
  - Binary patching
  - Memory analysis and dumping
- Professional Output:
  - Multiple output formats (Text, JSON, Markdown)
  - Customizable reporting
  - Scriptable interface
- Linux (recommended) or Windows (WSL)
- CMake 3.15+
- C++17 compatible compiler
- Python 3.6+ (for some modules)
```bash
# Clone the repository
git clone https://github.com/odaysec/recli.git
cd recli

# Install dependencies
./scripts/setup_dependencies.sh

# Build and install
mkdir build
cd build
cmake ..
make -j$(nproc)
sudo make install
```
```bash
docker build -t recli .
docker run -it --rm -v $(pwd):/data recli [COMMAND] [OPTIONS]
```
```
recli [GLOBAL_OPTIONS] <COMMAND> [COMMAND_OPTIONS] <INPUT_FILE>
```
| Option | Description |
|---|---|
| `-v, --verbose` | Enable verbose output |
| `-f, --format` | Output format (text/json/md) |
| `-o, --output` | Output file path |
| `--version` | Show version information |
| `--help` | Show help message |
```bash
# Extract strings
recli strings [--min-length=4] [--unicode] target.exe

# Show binary headers
recli headers target.so

# List sections
recli sections --perms target.dll
```
```bash
# Disassemble code
recli disasm --section=.text target.bin

# Generate control flow graph
recli cfg --function=main --format=dot target.elf

# Scan with YARA rules
recli scan --rules=malware_rules.yara suspicious.exe
```
```bash
# Patch binary
recli patch --offset=0x1234 --bytes="90 90 90" target.exe

# Dump memory region
recli dump --address=0x401000 --size=256 process.dmp
```
```bash
# Analyze a Windows executable
recli analyze malware.exe -f json -o report.json

# View results
jq '.' report.json
```
```bash
# 1. Extract interesting strings
recli strings --min-length=8 --unicode malware.bin > strings.txt

# 2. Find API calls
recli api --format=md malware.bin > api_calls.md

# 3. Decompile interesting functions
recli decompile --function=encrypt_data malware.bin -o decryptor.c

# 4. Patch the binary
recli patch --offset=0x4012a0 --bytes="31 C0" malware.bin -o malware_patched.bin
```
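The `--min-length` and `--unicode` options of `recli strings` (used again in step 1 of the workflow above) select printable runs by length and, optionally, UTF-16LE text. The script below is an added Python illustration of that extraction logic, not RECLI's own code; it scans a constructed sample blob by default and accepts a file path plus the same two flags.

```python
"""Minimal ASCII / UTF-16LE string extractor (added example, not RECLI's own code)."""
import argparse
import re
import sys
from typing import List, Tuple

# Constructed sample input: ELF magic, an ASCII string, opcode-like junk,
# a UTF-16LE Windows path, a too-short string and a URL.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"Hello, analyst!\x00"
    + b"\x90\x90\xcc"
    + "C:\\Users\\victim\\secret.txt".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"
    + b"http://example.invalid/update\x00"
)

def extract_strings(data: bytes, min_length: int = 4,
                    unicode: bool = False) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) tuples sorted by offset.
    'ascii' runs are printable bytes 0x20..0x7e; 'utf16le' runs are the same
    characters interleaved with 0x00, the way Windows binaries store most wide
    text. Wide strings containing non-ASCII code units are not recovered."""
    if min_length < 1:
        raise ValueError("min_length must be at least 1")
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_length)
    found.extend((m.start(), "ascii", m.group().decode("ascii"))
                 for m in ascii_re.finditer(data))
    if unicode:
        wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_length)
        found.extend((m.start(), "utf16le", m.group().decode("utf-16-le"))
                     for m in wide_re.finditer(data))
    return sorted(found, key=lambda hit: hit[0])

def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="ASCII/UTF-16LE string extractor")
    parser.add_argument("path", nargs="?", help="file to scan (default: built-in sample)")
    parser.add_argument("--min-length", type=int, default=4)
    parser.add_argument("--unicode", action="store_true")
    args = parser.parse_args(argv)
    data = open(args.path, "rb").read() if args.path else SAMPLE_BLOB
    for offset, kind, text in extract_strings(data, args.min_length, args.unicode):
        print(f"0x{offset:08x} {kind:8} {text}")
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments to scan the built-in sample, or pass a file path with `--min-length=8 --unicode` to mirror step 1 above.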
RECLI is organized into several specialized modules:
- String Analysis: Extract various string types from binaries
- Binary Parser: Handle file formats and headers
- Disassembler: Capstone-based code analysis
- Decompiler: Ghidra integration for pseudo-code
- Memory Analysis: Runtime memory inspection
- Pattern Scanner: YARA and signature scanning
- Patching: Binary modification tools
For detailed module documentation, see API Reference.