Reading analysis.json
Kong’s JSON output has three top-level sections:
- binary — metadata
- stats — aggregate results
  - renamed — functions where Kong chose a new name (the interesting ones)
  - confirmed — functions where Kong agreed the existing name was already correct
  - signature_matches — functions identified by signature matching without LLM analysis
  - skipped — functions too small (trivial/thunk) to analyze
- functions — per-function results
Each function in the array includes:
Confidence tiers
Kong reports confidence as a percentage (0-100) per function, then aggregates into three tiers:

| Tier | Range | Meaning |
|---|---|---|
| High | 80%+ | Kong is confident in the name and type. Usually means it recognized a clear pattern, algorithm, or strong string/API evidence. |
| Medium | 50-79% | Reasonable inference but multiple interpretations possible. The name captures the general purpose but may not be precise. |
| Low | Under 50% | Educated guess. Limited evidence — the function may be too generic or too small for confident naming. |
These thresholds are provisional and may be recalibrated in future versions.
Classification categories
LLM-assigned classifications
During analysis, the LLM classifies each function by purpose:

| Category | Description |
|---|---|
| crypto | Cryptographic operations (AES, SHA, RSA, etc.) |
| networking | Network protocols (TCP, HTTP, DNS, etc.) |
| io | File I/O, device I/O, stream operations |
| memory | Allocation, deallocation, copying |
| string | String manipulation, parsing, encoding |
| math | Mathematical operations, sorting, searching |
| init | Initialization, setup, configuration |
| cleanup | Deinitialization, teardown, resource release |
| handler | Signal handlers, callbacks, event handlers |
| parser | Parsing, deserialization, format decoding |
| utility | General utility functions |
| unknown | Function purpose unclear |
Triage size classifications
Separately, during triage, functions are classified by size:

| Classification | Description |
|---|---|
| imported | External library functions (linked dynamically) — skipped |
| thunk | Single-instruction wrappers — skipped |
| trivial | ≤16 bytes — usually skipped |
| small | ≤64 bytes |
| medium | ≤256 bytes |
| large | >256 bytes |
kong info output; the LLM classification appears in the analysis results.
Source export
The source format groups functions by classification and annotates each with a JSDoc-style comment including name, description, confidence, classification, and address. This is designed to be readable as a standalone document — you can skim the annotated source to understand the binary’s functionality without loading it in Ghidra.
Obfuscation indicators
If a function was deobfuscated, the obfuscation_techniques field lists what was detected (e.g., ["cff", "bogus_cf"]), and deobfuscation_tool_calls shows how many tool invocations the LLM used during the agentic deobfuscation loop.
Variable renames and struct proposals
In the full analysis output, each function may also include:
- variables — a list of renamed local variables (local_10→buffer, param_1→request)
- struct_proposals — proposed struct definitions inferred from pointer access patterns, which feed into type recovery
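A reviewer-side triage pass over analysis.json, added here as an example and not part of Kong or its documentation: it buckets functions into the confidence tiers above and queues low-confidence names, medium-confidence names in security-relevant categories, and deobfuscated functions for manual review. The per-function keys name, address, confidence and classification, the SENSITIVE set and the review policy are assumptions; the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample. Top-level keys and the obfuscation fields come from the
# page; per-function keys (name, address, confidence, classification) are assumed.
SAMPLE = json.loads("""
{"binary": {}, "stats": {},
 "functions": [
  {"name": "aes_expand_key", "address": "0x401000", "confidence": 92, "classification": "crypto"},
  {"name": "send_beacon", "address": "0x401200", "confidence": 61, "classification": "networking"},
  {"name": "decode_blob", "address": "0x401400", "confidence": 85, "classification": "parser",
   "obfuscation_techniques": ["cff", "bogus_cf"], "deobfuscation_tool_calls": 7},
  {"name": "FUN_00401800", "address": "0x401800", "confidence": 30, "classification": "unknown"},
  {"name": "copy_block", "address": "0x401900", "confidence": 70, "classification": "memory"}
 ]}
""")

# Categories a security reviewer re-checks by hand (reviewer policy, an assumption).
SENSITIVE = {"crypto", "networking", "parser"}

def tier(confidence):
    """Map a 0-100 confidence to the High / Medium / Low tiers."""
    if confidence >= 80:
        return "high"
    return "medium" if confidence >= 50 else "low"

def tier_counts(analysis):
    return Counter(tier(f.get("confidence", 0)) for f in analysis.get("functions", []))

def review_queue(analysis):
    """Functions whose names should not be trusted as-is, lowest confidence first."""
    queue = []
    for fn in analysis.get("functions", []):
        conf = fn.get("confidence", 0)
        cls = fn.get("classification", "unknown")
        reasons = []
        if tier(conf) == "low":
            reasons.append("low confidence")
        elif tier(conf) == "medium" and cls in SENSITIVE:
            reasons.append(f"medium confidence in {cls} code")
        techniques = fn.get("obfuscation_techniques") or []
        if techniques:  # deobfuscated code gets a second look regardless of tier
            reasons.append("deobfuscated: " + ", ".join(techniques))
        if reasons:
            queue.append({"address": fn.get("address"), "name": fn.get("name"),
                          "confidence": conf, "reasons": reasons})
    return sorted(queue, key=lambda e: e["confidence"])

if __name__ == "__main__":
    print(dict(tier_counts(SAMPLE)))
    for e in review_queue(SAMPLE):
        print(e["address"], e["name"], e["confidence"], "; ".join(e["reasons"]))
```

To run it on real output, replace SAMPLE with the result of json.load on the analysis.json file and adjust the assumed key names to match it.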
Further reading
- Output Formats — details on source, JSON, and Ghidra formats
- XZ Backdoor — see these concepts in a real analysis
- Evaluating Results — score output against ground truth

