Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": false}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
experimental | {}

Tools

Functions exposed to the LLM to take actions

Name | Description

check_lief

Return LIEF version, supported formats, and a green/yellow status.

Returns a JSON-serializable dict suitable for scripts/check_deps.py.

parse_binary

Auto-detect the format of path and return a normalized header dict.

Returns hashes, format name, architecture, entrypoint, and format-specific fields (imphash for PE, PIE/NX/RELRO for ELF, code signature for MachO, etc.).

get_sections

Return section list with permissions, virtual vs raw size, and entropy.

Works for PE (.text/.rdata/.data/.rsrc), ELF (.text/.rodata/.data), and MachO (__TEXT/__DATA/__LINKEDIT).

get_imports_exports

Return symbol-level import and export tables for path.

Args:
  path: PE / ELF / MachO to analyze.
  max_imports: cap the returned imports list to this many entries. 0 = no cap (the v2.9.0 default).
  max_exports: same cap for the exports list.
  library_filter: optional substring filter against the library name (pipe-separated for OR), e.g. "kernel32|user32" to keep only those two.

Added in v2.9.1+ to fix Gap 27 (the response-size ceiling on the 4 large VM-protected targets). The response includes a truncated flag + original_count / returned_count when the caps fire. The v2.9.0 callers (no kwargs) are unaffected.

get_imphash

Return the PE import hash (imphash) for path.

Imphash is the MD5 of the normalized import table — used for malware variant identification. Returns an empty string for non-PE formats.

get_overlay

Return appended data after the last section (PE overlay).

get_authenticode

Return Authenticode signature details for PE binaries.

get_debug_directory

Return the PE debug directory entries (incl. IMAGE_DEBUG_TYPE_POGO).

The POGO entry (type 10) is the third-party-ATD layer's trigger-arming metadata (per ANTI-TAMPER-TAXONOMY.md Pattern A-DW). Surfaced with kind: "POGO" in the response dict. The CODEVIEW entry (type 2) is the PDB pointer; the canonical vendor-tag signal lives in the RSDS CodeView stream (resolved by re-pdb parse_pdb rather than this read-path).

The skill-side fallback references/pogo_debug_check.py in skills/re-drm-fingerprint/ mirrors this same shape for hosts that don't have the new MCP tool installed.

See the RE-AI output directory per-target/p3r/stage5-pogo-debug-check.md for the canonical Pattern A-DW detection pattern.

list_dex_classes

List all classes in a Dalvik DEX file.

Returns FQN, access flags, and method/field counts.

list_dex_methods

List all methods of a DEX class identified by FQN (e.g. Lcom/foo/Bar;).

list_oat_art

List all methods in an OAT/ART Android runtime file.

disasm_capstone

Disassemble size bytes of section section_name starting at offset.

Returns a JSON list of instructions (address, mnemonic, operands, bytes). Truncates to max_insns (default 500) — call again with a different offset to see more.

extract_strings

Extract printable ASCII and UTF-16LE strings from path.

Returns {"ascii": [...], "utf16le": [...], "totals": {...}, "truncated": bool}. Each string has string, offset, and section fields.

Note: This is the v2.4 shape, kept stable for backward compatibility. New code should call categorize_strings (below), which returns the same ascii / utf16le arrays plus a keyword-bucketed by_category block.

categorize_strings

Extract strings from path and bucket them into semantic categories.

The categorization vocabulary is loaded from data/drm-indicators.yaml::string_categories at MCP-server load time. Two categories (anti_debug, hwid) inherit their keyword lists from the existing catalog sections via a seed_from pointer; the rest have inline keyword lists. When a future agent adds a new HWID API to hwid_apis.high_signal, the hwid category picks it up on next MCP-server reload with zero Python change.

The return shape is a strict superset of extract_strings:

{
  "path": "...",
  "min_length": 5,
  "totals":   {"ascii_extracted": N, "utf16le_extracted": N,
               "deduplicated": N, "categorized": N},
  "truncated": {"input": bool, "per_category": bool,
                "per_encoding": bool},
  "by_category": {
    "anti_debug": {"count": N, "samples": [{"string":..., "section":...}, ...]},
    "hwid":       {"count": N, "samples": [...]},
    "crypto":     {"count": N, "samples": [...]},
    "network":    {"count": N, "samples": [...]},
    "registry":   {"count": N, "samples": [...]},
    "process":    {"count": N, "samples": [...]},
    "file":       {"count": N, "samples": [...]},
    "fingerprint": {"count": N, "samples": [...]},
    "activation":  {"count": N, "samples": [...]},
    "obfuscation": {"count": N, "samples": [...]},
    "misc":        {"count": N, "samples": [...]}
  },
  "ascii_capped": [...],          # backward-compat with extract_strings
  "utf16le_capped": [...],
  "uncategorized_sample": [...]   # 50 misc strings (helps spot missing categories)
}

On large binaries (e.g. a 500+ MB Unity IL2CPP GameAssembly.dll wrapped by an encrypted-VM bytecode interpreter), pass skip_sections=[".idata", ".xtls", ".xpdata", ".udata", ".xdata", ".didata", ".ecode", ".00cfg"] to skip the encrypted-VM bytecode regions. Those sections contain no readable strings; the categorization result is the same and the memory footprint drops dramatically.

Categories are descriptive — they describe observable string content, not specific commercial products.

normalize_for_diff

Return a structural snapshot suitable for diffing two binaries.

Strips variable-length fields (hashes, timestamps) and keeps the parts that should match between two builds of the same source.

scan_anti_analysis_primitives

Scan a binary for anti-analysis primitives (defender side).

Walks the string table + the IAT + (best-effort) the section table and matches the content against the vendored data/anti-analysis-catalog.json. Returns category-only labels (anti_debug, anti_vm, anti_emulator, anti_sandbox, process_introspection, memory_integrity, code_integrity). Never names a specific commercial product.

The byte-sequence evidence (RDTSC = 0F 31, INT 2D = CD 2D, INT 3 = CC, CPUID = 0F A2) is not checked here — that requires a disasm pass via re-rizin.search_bytes. re-anti-analysis is the cross-tool orchestrator that does both the string-table pass and the disasm pass.

Args:
  path: file to scan
  max_per_category: per-category cap (default 100)

Returns:

{
  "path": "...",
  "matches": [{"primitive": "...", "category": "...",
               "evidence_kind": "...", "offset": N,
               "section": "..."}, ...],
  "by_category": {"anti_debug": 4, "anti_vm": 2, ...},
  "truncated": bool
}

classify_native_protection

Classify a native binary's protection class (category-only).

Combines get_sections + get_imports_exports + the vendored native_packer_signatures regex catalog + entropy heuristics to label a binary's likely protection class. Returns one of:

  • "plain-pe" — no protection observed.

  • "packer-stub-wrapped" — UPX / ASPack / MPRESS / Petite / kkrunchy style (single non-standard section name).

  • "vm-bytecoded-pe" — single .vmp0 / .vmp1 style section set.

  • "encrypted-vm-bytecode-interpreter" — the proprietary-engine section family (.arch / .xcode / .xtext / .sbss / .link / .xtls / .xpdata).

  • "il2cpp-runtime" — large .idata + tiny .text + GameAssembly.dll sibling.

  • "anti-debug-wrapped" — bare anti-debug surface but no packer.

  • "unpacked-debug-pe" — debug build (PDB section + lots of stdio / conio / assert symbols).

Args:
  path: file to classify

Returns:

{
  "path": "...",
  "protection_class": "...",
  "evidence": [{"category": "...", "indicator": "...",
                "section": "..."}, ...]
}

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources
