binary-triage

We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "binary-triage" with this command: npx skills add cyberkaida/reverse-engineering-assistant/cyberkaida-reverse-engineering-assistant-binary-triage

Binary Triage

Instructions

We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:

  • Identify key components and behaviors

  • Flag suspicious or interesting areas

  • Create a task list of next steps for deeper investigation

Binary triage with ReVa

Follow this systematic workflow using ReVa's MCP tools:

  1. Identify the Program

  • Use get-current-program to see the active program

  • Or use list-project-files to see available programs in the project

  • Note the programPath (e.g., "/Hatchery.exe") for use in subsequent tools

  1. Survey Memory Layout

  • Use get-memory-blocks to understand the binary structure

  • Examine key sections:

  • .text

  • executable code

  • .data

  • initialized data

  • .rodata

  • read-only data (strings, constants)

  • .bss

  • uninitialized data

  • Flag unusual characteristics:

  • Unusually large sections

  • Packed/encrypted sections

  • Executable data sections

  • Writable code sections

  1. Survey Strings

  • Use get-strings-count to see total string count

  • Use get-strings with pagination (100-200 strings at a time)

  • Look for indicators of functionality or malicious behavior:

  • Network: URLs, IP addresses, domain names, API endpoints

  • File System: File paths, registry keys, configuration files

  • APIs: Function names, library references

  • Messages: Error messages, debug strings, log messages

  • Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload

  1. Survey Symbols and Imports

  • Use get-symbols-count with includeExternal=true to count imports

  • Use get-symbols with includeExternal=true and filterDefaultNames=true

  • Focus on external symbols (imports from libraries)

  • Flag interesting/suspicious imports by category:

  • Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket

  • File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread

  • Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute

  • Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect

  • Crypto: CryptEncrypt, CryptDecrypt, EVP_, AES_, bcrypt, RC4

  • Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace

  • Registry: RegOpenKey, RegSetValue, RegQueryValue

  • Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)

  1. Survey Functions

  • Use get-function-count with filterDefaultNames=true to count named functions

  • Use get-function-count with filterDefaultNames=false to count all functions

  • Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary)

  • Use get-functions with filterDefaultNames=true to list named functions

  • Identify key functions:

  • Entry points: entry , start , _start

  • Main functions: main , WinMain , DllMain , _main

  • Suspicious names: If not stripped, look for revealing function names

  1. Cross-Reference Analysis for Key Findings

  • For interesting strings found in Step 3:

  • Use find-cross-references with direction="to" and includeContext=true

  • Identify which functions reference suspicious strings

  • For suspicious imports found in Step 4:

  • Use find-cross-references with direction="to" and includeContext=true

  • Identify which functions call suspicious APIs

  • This helps prioritize which functions need detailed examination

  1. Selective Initial Decompilation

  • Use get-decompilation on entry point or main function

  • Set limit=30 to get ~30 lines initially

  • Set includeIncomingReferences=true to see callers

  • Set includeReferenceContext=true for context snippets

  • Use get-decompilation on 1-2 suspicious functions identified in Step 6

  • Set limit=20-30 for quick overview

  • Look for high-level patterns:

  • Loops (encryption/decryption routines)

  • Network operations

  • File operations

  • Process creation

  • Suspicious control flow (obfuscation indicators)

  • Do not do deep analysis yet - this is just to understand general behavior

  1. Document Findings and Create Task List

  • Use the TodoWrite tool to create an actionable task list with items like:

  • "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"

  • "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"

  • "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"

  • "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"

  • "Examine packed section .UPX0 for unpacking routine"

  • Each todo should be:

  • Specific (include addresses, function names, strings)

  • Actionable (what needs to be investigated)

  • Prioritized (most suspicious first)

Output Format

Present triage findings to the user in this structured format:

Program Overview

  • Name: [Program name from programPath]

  • Type: [Executable type - PE, ELF, Mach-O, etc.]

  • Platform: [Windows, Linux, macOS, etc.]

Memory Layout

  • Total Size: [Size in bytes/KB/MB]

  • Key Sections: [List main sections with sizes and permissions]

  • Unusual Characteristics: [Any packed/encrypted/suspicious sections]

String Analysis

  • Total Strings: [Count from get-strings-count]

  • Notable Findings: [Bullet list of interesting strings with context]

  • Suspicious Indicators: [URLs, IPs, suspicious keywords found]

Import Analysis

  • Total Symbols: [Count from get-symbols-count]

  • External Imports: [Count of external symbols]

  • Key Libraries: [Main libraries imported]

  • Suspicious APIs: [Categorized list of concerning imports]

Function Analysis

  • Total Functions: [Count with filterDefaultNames=false]

  • Named Functions: [Count with filterDefaultNames=true]

  • Stripped Status: [Yes/No based on ratio]

  • Entry Point: [Address and name]

  • Main Function: [Address and name]

  • Key Functions: [List of important functions identified]

Suspicious Indicators

[Bulleted list of red flags discovered, prioritized by severity]

Recommended Next Steps

[Present the task list created in Step 8]

  • Each item should be specific and actionable

  • Prioritize by severity/importance

  • Include addresses, function names, and context

Important Notes

  • Speed over depth: This is triage, not full analysis. Move quickly through steps.

  • Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.

  • Focus on anomalies: Flag things that are unusual, suspicious, or interesting.

  • Context is key: When using cross-references, enable includeContext=true for code snippets.

  • Create actionable todos: Each next step should be specific enough for another agent to execute.

  • Be systematic: Follow all 8 steps in order for comprehensive coverage.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Research

deep-analysis

No summary provided by upstream source.

Repository SourceNeeds Review
-121
cyberkaida
General

ctf-pwn

No summary provided by upstream source.

Repository SourceNeeds Review
-113
cyberkaida
General

ctf-rev

No summary provided by upstream source.

Repository SourceNeeds Review
-99
cyberkaida