gitmyhub

Retract

Go ★ 19 updated 12d ago

Defensive binary analysis and reverse-engineering toolkit for PE, ELF, and Mach-O executables with local web reporting.

A static analysis workbench for executable files that disassembles code, flags malware indicators, and exports reports compatible with Ghidra and IDA Pro, all without ever running the file being examined.

Go · Node.js · setup: moderate · complexity 3/5

Retract is a tool for examining executable files, such as programs or malware samples, without running them. It is aimed at security analysts, researchers, and anyone who needs to understand what a binary file does or whether it poses a risk. The README describes it as a workbench for defensive reverse engineering, malware triage, and vulnerability review.

You give it an executable file and it produces a detailed set of reports covering what it found. It supports the three main executable formats used on Windows (PE), Linux (ELF), and macOS (Mach-O). For each file it extracts the internal structure, lists the functions and libraries the program imports and calls, pulls out the text strings embedded in the binary, measures the entropy of each section (a high-entropy section often signals packed or encrypted code), and disassembles the machine code into a human-readable form. It also generates a control-flow graph, a map of the paths execution can take through the program.

Beyond basic parsing, the tool performs automated analysis looking for signs of concern: missing security protections, calls to library functions commonly associated with memory-safety vulnerabilities, patterns associated with malware persistence, crypto-related code, and anti-analysis techniques. The output is organized into several report types, from a short executive summary to a full technical report, and can be exported in formats compatible with other reverse-engineering tools such as Ghidra, IDA Pro, and Radare2.

The tool can also launch a local web interface that presents all the analysis results in a browser, which the README shows in a screenshot. Outputs can be written as JSON, Markdown, CSV, and other formats depending on the use case.

Building it requires Go 1.22 or newer and Node.js for the web frontend. The README is clear that Retract only performs static analysis and never runs the files it examines, which matters when handling potentially malicious software.

Where it fits