A comprehensive binary analysis tool built in C# (.NET 7) capable of analyzing, converting, and disassembling binary data with a command-line interface.
- Binary-to-text/ASCII conversion - Complete binary parsing and text extraction
- File signature detection - Automatic file type recognition via magic numbers
- x86/x64 disassembly - Integrated disassembly capabilities using Capstone.NET
- Entropy calculation - Shannon entropy analysis for data classification
- Format decoding - Support for Base64, Hex, and other common encodings
- CLI interface - Full command-line interface with multiple analysis modes
- Hash calculation (MD5, SHA256)
- String extraction with encoding detection
- Byte frequency analysis
- Heuristic classification (text, executable, compressed)
- PE file analysis for Windows executables
- Pattern searching and data analysis
- Metadata extraction from various file types
- Images: PNG, JPEG, GIF, BMP, TIFF
- Documents: PDF, RTF
- Archives: ZIP, RAR, 7Z, TAR, GZIP
- Executables: PE (Windows), ELF (Linux), Mach-O (macOS)
- Audio/Video: MP3, MP4, AVI, WAV
- Raw data: Entropy analysis and hex dump
- .NET 7.0 SDK or higher
- Visual Studio Code with C# extension (recommended)
- Windows/Linux/macOS
git clone https://github.com/arhadnane/Binary-analysis-tool.git
cd "Binary analysis tool"
cd BinaryAnalyzer
dotnet restore
dotnet build# Quick analysis (default)
dotnet run -- <file_path>
# Quick analysis mode
dotnet run -- <file_path> --quick
# Detailed analysis report
dotnet run -- <file_path> --detailed
# Hexadecimal dump view
dotnet run -- <file_path> --hexdump# Analyze a Windows executable
dotnet run -- C:\Windows\System32\notepad.exe --detailed
# Quick analysis of an image
dotnet run -- image.png --quick
# Hex dump of a binary file
dotnet run -- data.bin --hexdump
# Analyze a PDF document
dotnet run -- document.pdf --detailedπ File: example.exe (2048 bytes)
π Type: PE Executable
π Entropy: 6.2341
π MD5: a1b2c3d4e5f6...
π Content: Likely executable
π» Disassembly available
π‘ Use --detailed for complete report
=== BINARY ANALYSIS REPORT ===
Size: 2048 bytes
Type: PE Executable
Entropy: 6.2341
MD5: a1b2c3d4e5f6...
SHA256: f1e2d3c4b5a6...
=== HEURISTICS ===
Likely text: NO
Likely executable: YES
Likely compressed: NO
=== PE ANALYSIS ===
Architecture: x64
Sections: .text, .data, .rdata
Entry Point: 0x1400
Imports: kernel32.dll, user32.dll
=== BYTE FREQUENCY (Top 10) ===
0x00: 150 (7.3%)
0xFF: 89 (4.3%)
...
For detailed architecture documentation with visual diagrams, see ARCHITECTURE.md.
BinaryAnalyzer/
βββ Core/ # Core business logic
β βββ BinaryParser.cs # Binary β format conversion
β βββ FileAnalyzer.cs # File signature detection
β βββ Disassembler.cs # Capstone.NET integration
β βββ PEAnalyzer.cs # PE file analysis
β βββ MetadataAnalyzer.cs # Metadata extraction
βββ Utils/ # Utilities
β βββ Entropy.cs # Shannon entropy calculation
β βββ Extensions.cs # Extension methods
βββ Program.cs # CLI entry point
βββ BinaryAnalyzer.csproj # Project configuration
BinaryAnalyzer.Tests/ # Test suite
βββ Core/ # Core module tests
βββ Utils/ # Utility tests
βββ Integration/ # Integration tests
Handles binary-to-text conversion, encoding detection, and format transformations.
Provides file type detection using magic number signatures and heuristic analysis.
Integrates with Capstone.NET for x86/x64 disassembly capabilities.
Specialized analysis for Windows PE (Portable Executable) files.
Extracts and analyzes file metadata and generates comprehensive reports.
The project includes comprehensive test coverage with 67 unit and integration tests.
# Run all tests
dotnet test
# Run specific test category
dotnet test --filter Category=Core
dotnet test --filter Category=Integration- β Core modules (BinaryParser, FileAnalyzer, Disassembler, PEAnalyzer, MetadataAnalyzer)
- β Utility functions (Entropy, Extensions)
- β Integration tests (CLI and report generation)
- β Edge cases and error handling
Extend the MagicNumbers dictionary in FileAnalyzer.cs:
{ "NEW_TYPE", new byte[] { 0x???, 0x???, ... } }The Disassembler.cs module uses Capstone.NET. Refer to the documentation to add support for other architectures (ARM, MIPS, etc.).
- Files of various sizes (1 KB to 100+ MB)
- Corrupted or partial files
- Highly compressed vs. random data
- Executables with different architectures
"File not found"
- Verify the absolute file path
- Check file permissions
"Disassembly error"
- File may not contain valid machine code
- Architecture may not be supported
Memory exceptions
- Very large files (>1GB) may cause issues
- Consider processing in chunks for large files
- Disassembly limited to first instructions
- No support for exotic file formats
- Basic CLI interface (no GUI)
- Graphical interface: WPF or Avalonia UI
- Malware analysis: Suspicious pattern detection
- Report export: JSON, XML, HTML formats
- Network analysis: Packet inspection
- Database integration: Store previous analyses
- VirusTotal API: Hash verification
- YARA rules: Signature detection
- Hex editor: Interactive visualization
- Plugin system: Modular extensions
- .NET 7.0: Core framework
- Capstone.NET: Disassembly engine (optional)
- xUnit: Testing framework
- System.Security.Cryptography: Hash calculations
This project is licensed under the MIT License - see the LICENSE file for details.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
For questions, bug reports, or feature requests, please open an issue on the repository.
- Capstone Engine Documentation
- File Signatures Database
- .NET Binary Data Processing
- PE Format Specification
Last updated: July 5, 2025
Built with β€οΈ using C# and .NET