Headers
Rabin2's -I
option is the quick, one-shot way to get a summary of a file's binary headers and general properties without fully loading it into radare2. This is especially handy for scripting, triage, or replacing small helper scripts (for example, checksec.sh) because it exposes security-relevant attributes (NX, RELRO, stack canary, PIE/pic, etc.) and other metadata (architecture, bits, interpreter, section layout hints).
The output is intentionally concise and machine-friendly — each property is printed as a key/value pair. Example:
$ rabin2 -I /bin/ls
arch x86
binsz 128456
bintype elf
bits 64
canary true
class ELF64
crypto false
endian little
havecode true
intrp /lib64/ld-linux-x86-64.so.2
lang c
linenum false
lsyms false
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
nx true
os linux
pcalign 0
pic true
relocs false
relro partial
rpath NONE
static false
stripped true
subsys linux
va true
What each important field means
- arch / asm.arch: CPU architecture family (x86, arm, mips, etc.).
- bits / asm.bits: Operand width / target word size (32 / 64).
- bintype / file.type: Binary container format (elf / pe / mach0 / coredump / raw).
- class: More specific layout (e.g. ELF64 / ELF32).
- endian: Endianness (little / big).
- machine: Human-readable CPU model.
- intrp: Program interpreter (dynamic loader), e.g. /lib64/ld-linux-x86-64.so.2.
- binsz: Total size of the file in bytes.
- havecode: Whether executable code sections have been detected.
- nx: NX / DEP enabled (true when the binary's segments are not executable where they shouldn't be).
- canary: Stack-smashing protector (stack canary) presence (true/false).
- relro: RELocation Read-Only status; typical values: none / partial / full.
- pic / pie: Whether the binary is position-independent (PIC for shared objects, PIE for executables). In rabin2 output
pic
is generally true for shared objects and position-independent executables. - rpath / runpath: RPATH or RUNPATH embedded in the binary (or NONE).
- static: Whether the binary is fully statically linked.
- stripped: Symbols stripped from the binary (true when symbol tables are absent).
- lsyms / linenum: Presence of local symbols or line number info (debug information).
- pcalign: Preferred alignment for program/sections.
- minopsz / maxopsz: Minimum/maximum instruction sizes reported for the architecture.
- va: Whether the binary uses virtual addresses (i.e. mapped with proper virtual addressing).
- crypto: Whether cryptographic features (or crypto sections) were detected — usually false for normal binaries.
Mapping rabin2 fields to checksec output
The popular checksec.sh script reports security hardening flags like RELRO, Canary, NX, PIE, RPATH/RUNPATH. You can get the same information with rabin2 -I:
- RELRO: map to
relro
(none / partial / full) - Stack Canary:
canary
(true/false) - NX / DEP:
nx
(true/false) - PIE:
pic
/asm.bits
+ PIE detection (rabin2 reportspic
/pie
-related properties) - RPATH/RUNPATH:
rpath
(orrunpath
if present)
Because rabin2 reads binary headers directly (using rbin), it can be used as a drop-in replacement for checksec in many cases. Example quick checks:
$ rabin2 -I /path/to/bin | rg -E "relro|canary|nx|pic|rpath|static"
relro partial
canary true
nx true
pic true
rpath NONE
static false
Or produce a JSON-like output suitable for automation (combine with other rabin2 options):
# Get headers + libs + imports in a compact form
$ rabin2 -I -l -i /path/to/bin
# Or generate radare2 script-style settings to import into r2 session (-Ir)
$ rabin2 -Ir /path/to/bin
Using the -Ir option
Passing -Ir
to rabin2 emits radare2 config commands (e key=value
) so you can import the detected properties directly into a running radare2 session or into an r2 script. This is what radare2 uses internally when it loads an external header parser. Example:
$ rabin2 -Ir /bin/ls
e cfg.bigendian=false
e asm.bits=64
e asm.dwarf=true
e bin.lang=c
e file.type=elf
e asm.os=linux
e asm.arch=x86
e asm.pcalign=0
These e
assignments help radare2 set its environment (architecture, endianness, bits, file type, and assembler options) automatically.
Relating rabin2 to radare2 interactive info commands (iH / ih)
Inside a radare2 session there are a family of i
(info) commands that provide quick access to the same metadata you get from rabin2. The most relevant to headers are the header/info variants — typically invoked as iH
(capital H) and ih
in the radare2 command set. They expose the binary header metadata, interpreter, section/segment hints, security flags, and other attributes discovered by the rbin subsystem.
iH
/ih
: show headers and high-level metadata when working interactively. They allow you to inspect the same security flags (NX, RELRO, canary, PIE) and interpreter/settings without leaving an r2 session.i?
family: there are many otheri*
commands (imports, exports, libraries, sections, strings) that correlate directly to rabin2's-i
,-E
,-l
,-S
,-z
, etc.
Note: rabin2 is essentially a command-line wrapper around the rbin API — the same code radare2 uses internally — so the information is consistent between both tools. Use rabin2 for quick external inspection and iH
/ih
when you are already inside an r2 analysis session.
Examples and practical tips
- Quick security triage of a binary (checksec replacement):
# single-line human friendly output (tailor with awk/rg/jq)
$ rabin2 -I /bin/ls
# script-friendly (radare2 commands):
$ rabin2 -Ir /bin/ls
# combine with other rabin2 flags for more info
$ rabin2 -I -S -l -i -z /bin/ls
- Automating checks (example shell snippet):
#!/usr/bin/env bash
file=${1:-/bin/ls}
info=$(rabin2 -I "$file")
relro=$(echo "$info" | awk '/^relro/{print $2}')
canary=$(echo "$info" | awk '/^canary/{print $2}')
nx=$(echo "$info" | awk '/^nx/{print $2}')
pic=$(echo "$info" | awk '/^pic/{print $2}')
printf "RELRO=%s\nCANARY=%s\nNX=%s\nPIC=%s\n" "$relro" "$canary" "$nx" "$pic"
- When you want r2 to automatically adopt the environment detected by rabin2 (arch/endianness/bits), pipe
rabin2 -Ir
output into radare2 or include it in your r2 session scripts.
Summary
Rabin2 -I
is a fast, scriptable way to extract header metadata and security-relevant flags from binaries. It maps cleanly to the properties reported by tools such as checksec.sh and the interactive radare2 iH
/ih
info commands. Use -Ir
when you want to import settings into radare2 automatically.