cleave stable

Deep static analysis engine. Combines AST-aware inspection with automated binary reverse engineering to extract capabilities and behaviors from software. Designed as an input to other analysis tools — it detects neutral micro-behaviors aligned with the Malware Behavior Catalog.

Capabilities

  • 20+ languages — Python, JavaScript, TypeScript, Go, Rust, C/C++, Java, C#, Swift, Ruby, PHP, Perl, Lua, Shell, PowerShell, and more
  • Binary formats — ELF, PE (Windows), Mach-O (macOS)
  • Archive formats — ZIP, TAR (gz/bz2/xz/zst), 7z, RAR, plus package formats (JAR, deb, rpm, apk, gem, crate, wheel)
  • Document & data formats — RTF, LNK, PNG steganography, PDF, plist, VBScript, Batch, manifests, GitHub Actions workflows
  • AST traversal via Tree-sitter for source-level analysis
  • Binary reverse engineering via Radare2/Rizin
  • Signature matching via YARA-X
  • String extraction via stng for payload decoding

Install

$ cargo install --git https://codeberg.org/atomdrift/cleave

Usage

$ cleave suspicious.elf          # a single binary
$ cleave /tmp/box-o-malware/     # a directory of samples
$ cleave package.tar.gz          # an archive