Analyze. Understand. Exploit binaries || seg

A CLI tool that gives you actionable binary intelligence in one command. Point it at any ELF binary and get a full recon report: protections, dangerous functions, symbols with PLT/GOT addresses, disassembly highlights, libc resolution, and a suggested exploit strategy. Built for CTF players, pentesters, and AI agents.

No more running 7 tools and cross-referencing output manually. One command. Full picture.

- One command recon: Run `seg analyze ./binary` and get everything: protections, symbols, strings, disassembly, exploit strategy.
- Dual output: `--markdown` for humans, `--json` for AI agents and automation pipelines.
- Dangerous function detection: Flags `gets`, `strcpy`, `system`, `printf` and 17 more risky functions with call-site locations.
- Exploit strategy: Automatically suggests ret2libc, ret2win, format string, shellcode, ROP, or heap exploitation based on what it finds.
- Libc resolution: Extracts local libc from `ldd` and queries libc.rip for remote libc matching with useful offsets (`system`, `str_bin_sh`, etc.).
- Disassembly highlights: Pulls out `main`, `_start`, and suspiciously named functions (`vuln`, `win`, `backdoor`, `shell`, etc.).
- String categorization: Separates shell commands, format strings, file paths, URLs, and suspicious strings.
- Function invocation: Call exported functions from shared libraries at runtime using `dlopen`/`dlsym`/`libffi`, or call functions by address using `ptrace`.
- Function hooking: Hook libc/imported functions using `LD_PRELOAD` (Linux) or `DYLD_INSERT_LIBRARIES` (macOS) with auto-generated C hooks.
- Portable: Written in Rust. Wraps standard Linux tools you already have.

- `seg invoke`: call exported functions from shared libraries using `dlopen`, `dlsym`, and `libffi`.
- `seg invoke --addr`: call functions inside ELF binaries by address using debugger-assisted execution.
- `seg hook`: hook libc/imported functions using `LD_PRELOAD`.
- `seg hook --frida`: runtime hooks using Frida later.

References: https://youtu.be/0o8Ex8mXigU?si=Qq60LRr5jUB_nnwR

Source

```bash
git clone --depth=1 https://github.com/pwnwriter/seg --branch=main
cd seg
cargo build --release
```

Binary will be at `target/release/seg`. Move it to your `$PATH`.

Cargo

```bash
cargo install seg
```

Nix

```bash
nix run github:pwnwriter/seg
```

seg wraps these standard Linux tools (most are pre-installed):

| Tool | Package | Purpose |
|---|---|---|
| `file` | coreutils | Binary type detection |
| `stat` | coreutils | File metadata |
| `strings` | binutils | String extraction |
| `readelf` | binutils | ELF headers, sections, segments, symbols |
| `objdump` | binutils | Disassembly, PLT/GOT resolution |
| `ldd` | glibc | Linked library detection |
| `checksec` | checksec | Security protections |
| `cc` | gcc/clang | Compiling hook libraries (`seg hook`) |
| `libffi` | libffi-dev | FFI calling convention (`seg invoke`) |

Missing tools won't crash seg; they degrade gracefully and report what couldn't be gathered.

```
v0.1.0
Analyze. Understand. Exploit binaries
@pwnwriter/seg
```

- Markdown report to stdout

  ```bash
  seg analyze ./vuln --markdown
  ```

- Markdown report to file

  ```bash
  seg analyze ./vuln --markdown report.md
  ```

- JSON report to stdout

  ```bash
  seg analyze ./vuln --json
  ```

- JSON report to file

  ```bash
  seg analyze ./vuln --json report.json
  ```

- Both formats at once

  ```bash
  seg analyze ./vuln --markdown report.md --json report.json
  ```

- Short aliases

  ```bash
  seg ana ./vuln --json
  seg analy ./vuln --markdown
  ```

- Pipe JSON to jq

  ```bash
  seg analyze ./vuln --json | jq '.strategy'
  seg analyze ./vuln --json | jq '.dangerous_functions'
  seg analyze ./vuln --json | jq '.exploitation_hints'
  ```

- Call a function from a shared library

  ```bash
  seg invoke ./libmath.so add --ret i32 -- i32:2 i32:3
  ```

- Call a function that returns a string

  ```bash
  seg invoke ./libgreet.so greet --ret string
  ```

- Call a function by address (Linux, ptrace)

  ```bash
  seg invoke ./vuln --addr 0x401234 --ret i32 -- i32:42
  ```

- Log calls to a function

  ```bash
  seg hook ./vuln puts --action log
  ```

- Replace a function with your own

  ```bash
  seg hook ./vuln rand --action replace --replace-lib ./fake_rand.so
  ```

- Pass arguments to the target binary

  ```bash
  seg hook ./vuln gets --action log -- AAAAAAAAAA
  ```

Report sections:

| # | Section | Description |
|---|---|---|
| 1 | Summary | Binary path, type, arch, bits, endianness |
| 2 | Security Protections | PIE, NX, Canary, RELRO, Fortify |
| 3 | File Metadata | Size, permissions, owner, SHA256 |
| 4 | ELF Headers | Entry point, machine, ABI |
| 5 | Program Segments | LOAD, INTERP, etc. with permissions |
| 6 | Sections | .text, .plt, .got, .bss, etc. |
| 7 | Linked Libraries | Shared libraries from ldd |
| 8 | Dynamic Entries | NEEDED, INIT, FINI, etc. |
| 9 | Imported Functions | Name, library, PLT address, GOT address |
| 10 | Exported Symbols | Name, address, type |
| 11 | Interesting Strings | Shell, format strings, paths, URLs, suspicious |
| 12 | Disassembly Highlights | Entry point, main, suspicious functions |
| 13 | Dangerous Functions | gets, strcpy, system, printf, etc. with risk + location |
| 14 | Exploitation Hints | Buffer overflow, format string, ret2libc, ROP |
| 15 | Libc Information | Local libc + libc.rip matching |
| 16 | Suggested Strategy | Most likely exploit path with step-by-step |
| 17 | AI Agent Summary | One-line summary for automation |
| 18 | Raw Tool Outputs | Unprocessed output from all tools |

seg is a wrapper and analyzer: it runs standard binary analysis tools, parses their output, cross-references the results, and generates structured intelligence:

```
Binary --> file, stat, readelf, objdump, strings, ldd, checksec
              |
              v
    Parse & Cross-reference
              |
              v
Dangerous functions + Exploitation hints + Strategy
              |
              v
Markdown (human) / JSON (machine)
```

The JSON output is designed to be consumed directly by AI agents, exploit scripts, or automation pipelines. Every address, every symbol, every protection status is structured and queryable.
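
As an added illustration of the parse-and-cross-reference step (this is not seg's own code, which is written in Rust), the Python example below derives NX, PIE, RELRO and canary status plus risky imports from `readelf` text output, the kind of hardening audit the report's protection and dangerous-function sections summarize. The `audit` function, the `RISKY` set (only the four functions named above) and the sample output are constructed for this example.

```python
import re

# Only the four functions the README names; seg's full list is not reproduced here.
RISKY = {"gets", "strcpy", "system", "printf"}

# Constructed sample: trimmed output in the style of `readelf -W -l -d --dyn-syms`.
SAMPLE = """\
Elf file type is EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x001000 0x0000000000401000 0x0000000000401000 0x0001f5 0x0001f5 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
  GNU_RELRO      0x002e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
Dynamic section at offset 0x2e20 contains 24 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 5 entries:
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gets@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND system@GLIBC_2.2.5 (2)
"""

def audit(readelf_text):
    """Derive hardening status and risky imports from readelf text output."""
    imports, stack_flags, relro, bind_now, pie = set(), None, False, False, False
    for line in readelf_text.splitlines():
        f = line.split()
        if line.startswith("Elf file type is"):
            pie = f[4] == "DYN"                  # ET_DYN: position-independent
        elif f and f[0] == "GNU_STACK":
            stack_flags = "".join(f[6:-1])       # "RW", "RWE", or "R" + "E" rejoined
        elif f and f[0] == "GNU_RELRO":
            relro = True
        elif "BIND_NOW" in line or re.search(r"\(FLAGS_1\).*\bNOW\b", line):
            bind_now = True                      # eager binding makes RELRO "full"
        elif len(f) >= 8 and f[3] == "FUNC" and f[6] == "UND":
            imports.add(f[7].split("@")[0])      # undefined FUNC symbol = import
    return {
        # A missing GNU_STACK header is treated conservatively as "not NX".
        "nx": stack_flags is not None and "E" not in stack_flags,
        "pie": pie,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "canary": "__stack_chk_fail" in imports,
        "risky_imports": sorted(imports & RISKY),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A shared library is also reported as `DYN`, so the `pie` field here is only meaningful for executables.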
Contributions are welcome! You can suggest features, report bugs, fix issues via issues or pull requests. Help with code, documentation, and spreading the word about seg is appreciated!

```bash
# Compile sample vulnerable binaries for testing
./tests/compile.sh
# Run seg against them
seg analyze ./tests/bins/bof_basic --markdown
seg analyze ./tests/bins/fmt_string --json
seg analyze ./tests/bins/ret2libc --json | jq '.strategy'
seg analyze ./tests/bins/heap_uaf --json | jq '.dangerous_functions'
```

I am a student currently attending university. I like working for Open Source in my free time. If you find my tool or work beneficial, please consider supporting me via KO-FI by leaving a star; I'll appreciate your action :)

- Haylxon: A blazingly fast tool to grab screenshots of webpages from terminal
- Kanha: A web-app pentesting suite written in Rust
- checksec: Bash script to check binary security properties
- pwntools: CTF framework and exploit development library
- binsider: Analyze ELF binaries like a boss

Licensed under the MIT LICENSE
Copyright © 2026 - present pwnwriter me

