git404hub

what is retract fr?

kernelstub/retract — explained in plain English

Analysis updated 2026-05-18

18GoAudience · developerComplexity · 3/5Setup · moderate

tl;dr

A static analysis workbench for executable files that disassembles code, flags malware indicators, and exports reports compatible with Ghidra and IDA Pro, all without ever running the file being examined.

vibe map

mindmap
  root((retract))
    Supported formats
      PE Windows
      ELF Linux
      Mach-O macOS
    Analysis features
      Strings extraction
      Disassembly
      Entropy scoring
      Control flow graph
    Security checks
      Missing protections
      Dangerous functions
      Malware patterns
      Anti-analysis techniques
    Output formats
      JSON and Markdown
      Ghidra IDA export
      Web UI browser

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Triage a suspicious executable for packed code, dangerous function calls, and malware persistence patterns without running it.

VIBE 2

Export disassembly and control-flow graphs in Ghidra, IDA Pro, or Radare2-compatible formats for deeper reverse engineering.

VIBE 3

Generate an executive summary or full technical report on an unknown binary to hand off during a security review or incident response.

what's the stack?

GoNode.js

how it stacks up fr

kernelstub/retractgacjie/agent_flowh0i5/ipl
Stars181818
LanguageGoGoGo
Setup difficultymoderateeasyeasy
Complexity3/53/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

Requires Go 1.22 or newer plus Node.js to build the web frontend component.

No license information is provided in this repository.

in plain english

Retract is a tool for examining executable files, such as programs or malware samples, without running them. It is aimed at security analysts, researchers, and anyone who needs to understand what a binary file does or whether it poses a risk. The README describes it as a workbench for defensive reverse engineering, malware triage, and vulnerability review. You give it an executable file and it produces a detailed set of reports covering what it found. It supports the three main executable formats used across Windows (PE), Linux (ELF), and macOS (Mach-O). For each file it extracts the internal structure, lists the functions and libraries the program calls, pulls out text strings embedded in the binary, calculates how random-looking different sections of the file are (high randomness often signals packed or encrypted code), and disassembles the machine code into a human-readable form. It also generates a control-flow graph, which is a map of the paths execution can take through the program. Beyond basic parsing, the tool performs automated analysis looking for signs of concern: missing security protections, calls to functions known for causing memory vulnerabilities, patterns associated with malware persistence, crypto-related code, and anti-analysis techniques. The output is organized into several report types, from a short executive summary to a full technical report, and can be exported in formats compatible with other reverse engineering tools like Ghidra, IDA Pro, and Radare2. The tool can also launch a local web interface that presents all the analysis results in a browser, which the README shows in a screenshot. Outputs can be written as JSON, Markdown, CSV, and other formats depending on the use case. Building it requires Go 1.22 or newer and Node.js for the web frontend. The README is clear that Retract only performs static analysis and never runs the files it examines, which matters when handling potentially malicious software.

prompts (copy fr)

prompt 1
I have a suspicious Windows PE binary that I cannot run. How do I use kernelstub/retract to check it for missing security protections, calls to dangerous memory functions, and signs of packing?
prompt 2
I ran retract on a Linux ELF binary and the entropy report flagged one section as very high randomness. What does that typically indicate and how do I see which part of the file it corresponds to?
prompt 3
I want to use retract's web UI to walk through the control-flow graph of a Mach-O binary. How do I launch the local web interface and what does the graph show me that the command-line report does not?
prompt 4
I need to import retract's analysis of a binary into Ghidra for deeper review. Which output format do I use and how do I load it into Ghidra?

Frequently asked questions

what is retract fr?

A static analysis workbench for executable files that disassembles code, flags malware indicators, and exports reports compatible with Ghidra and IDA Pro, all without ever running the file being examined.

What language is retract written in?

Mainly Go. The stack also includes Go, Node.js.

What license does retract use?

No license information is provided in this repository.

How hard is retract to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is retract for?

Mainly developer.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.