query
disrobe query and disrobe capabilities turn a stripped binary into something you can interrogate. Both run over the same symbol-independent IR the native disassembler builds (disrobe-query and disrobe-capabilities), and both accept a raw binary or a .dr envelope.
```
disrobe query app.exe functions            # discovered functions, complexity, exports
disrobe query app.exe calls-to malloc      # call sites to a target
disrobe query app.exe xrefs-to sekret      # references to a symbol or address
disrobe query app.exe string-decoders      # decoder-shaped functions (loops + byte arith)
disrobe query app.exe complexity-over 20   # functions over a cyclomatic threshold
disrobe query app.exe capability network   # instructions tied to a capability
```

The query layer is built on the same function discovery the disassembler uses (call-target and prologue scanning), so it works without a symbol table. The six verbs are:
| Verb | Returns |
|---|---|
| `functions` | Every discovered function with its address, size, cyclomatic complexity, and any export name. |
| `calls-to <target>` | Call sites that reach a named import or address. |
| `xrefs-to <symbol>` | All references to a symbol or address, code and data. |
| `string-decoders` | Functions shaped like a string decoder: a loop plus byte arithmetic over a buffer. |
| `complexity-over <n>` | Functions whose cyclomatic complexity exceeds a threshold, to triage the dense routines first. |
| `capability <name>` | Instructions tied to a capability category (network, filesystem, process, crypto, and so on). |
Every query honors the global --json flag, so the output drops straight into a script.
```
disrobe capabilities app.exe
disrobe capabilities app.exe --json
```

disrobe capabilities runs a rule engine over the same IR and reports the behaviors it matched, each mapped to MITRE ATT&CK techniques and Malware Behavior Catalog (MBC) IDs. Every match carries the instruction offsets that triggered it as per-rule evidence, so a finding can be traced to the exact bytes rather than taken on faith.
The report names the detected format, the match count, and the per-rule evidence. It is the same engine surfaced through the MCP server and the --llm sidecar, so an agent gets the capability surface without re-deriving it.
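The `--json` output of `functions` and `capabilities` joins naturally in a script. The example below is added here and is not disrobe's own code: it attributes each rule's evidence offsets to the function whose address range contains them and orders the result so that functions over a cyclomatic threshold come first. The JSON key names (`address`, `size`, `complexity`, `export`, `rule`, `attack`, `mbc`, `offsets`) are assumptions about the `--json` shape, and both records are constructed sample data, not real tool output.

```python
import bisect
import json

# Constructed stand-in for `disrobe query app.exe functions --json` (key names assumed).
FUNCTIONS_JSON = """[
  {"address": 4096, "size": 96,  "complexity": 3,  "export": "entry"},
  {"address": 4192, "size": 400, "complexity": 27, "export": null},
  {"address": 4608, "size": 64,  "complexity": 2,  "export": null}
]"""

# Constructed stand-in for `disrobe capabilities app.exe --json` (key names assumed).
CAPABILITIES_JSON = """[
  {"rule": "connect-socket",  "attack": ["T1071"], "mbc": ["C0001"], "offsets": [4200, 4260]},
  {"rule": "read-file",       "attack": ["T1005"], "mbc": ["C0051"], "offsets": [4620]},
  {"rule": "xor-decode-loop", "attack": ["T1140"], "mbc": ["E1027"], "offsets": [9999]}
]"""


def attribute_evidence(functions_json, capabilities_json):
    """Map every evidence offset to the function whose [address, address+size)
    range contains it.  Returns (hits, orphans): hits is keyed by function
    address and collects matched rules, offsets, ATT&CK and MBC ids; orphans
    lists (rule, offset) pairs that fall outside every discovered function."""
    funcs = sorted(json.loads(functions_json), key=lambda f: f["address"])
    starts = [f["address"] for f in funcs]
    hits, orphans = {}, []
    for match in json.loads(capabilities_json):
        for off in match["offsets"]:
            i = bisect.bisect_right(starts, off) - 1      # last function starting at or before off
            if i < 0 or off >= funcs[i]["address"] + funcs[i]["size"]:
                orphans.append((match["rule"], off))      # evidence in no known function: inspect it
                continue
            f = funcs[i]
            entry = hits.setdefault(f["address"], {"complexity": f["complexity"],
                                                   "export": f["export"], "rules": {},
                                                   "attack": set(), "mbc": set()})
            entry["rules"].setdefault(match["rule"], []).append(off)
            entry["attack"].update(match["attack"])
            entry["mbc"].update(match["mbc"])
    return hits, orphans


def triage_order(hits, threshold=20):
    """Addresses of functions with matches: those over the cyclomatic threshold
    first, densest first within each group (the same idea as `complexity-over`)."""
    return sorted(hits, key=lambda a: (hits[a]["complexity"] <= threshold,
                                       -hits[a]["complexity"], a))
```

An offset that lands in no discovered function (the orphan list) is worth a look on its own, since it means the rule fired on bytes that prologue and call-target scanning did not claim.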
The native disassembler (an in-tree iced-x86 decoder, detailed in the native guide) discovers functions, partitions them into basic blocks, and records each instruction's register, memory, and rflags effects. The query and capability layers read that structure rather than the original symbols, which is why a stripped binary answers the same questions a symbol-rich one does. Pointing either tool at a .dr envelope reuses a cached disassembly instead of re-decoding the bytes.
This wiki is generated from docs/src in the disrobe repository by scripts/wiki_sync.py. Edit the docs there, not the wiki pages here.