Claude Code Plugins

Community-maintained marketplace

Feedback

binary-triage

@cyberkaida/reverse-engineering-assistant
455
0

Performs initial binary triage by surveying memory layout, strings, imports/exports, and functions to quickly understand what a binary does and identify suspicious behavior. Use when first examining a binary, when user asks to triage/survey/analyze a program, or wants an overview before deeper reverse engineering.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name binary-triage
description Performs initial binary triage by surveying memory layout, strings, imports/exports, and functions to quickly understand what a binary does and identify suspicious behavior. Use when first examining a binary, when user asks to triage/survey/analyze a program, or wants an overview before deeper reverse engineering.

Binary Triage

Instructions

We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:

  1. Identify key components and behaviors
  2. Flag suspicious or interesting areas
  3. Create a task list of next steps for deeper investigation

Binary triage with ReVa

Follow this systematic workflow using ReVa's MCP tools:

1. Identify the Program

  • Use get-current-program to see the active program
  • Or use list-project-files to see available programs in the project
  • Note the programPath (e.g., "/Hatchery.exe") for use in subsequent tools

2. Survey Memory Layout

  • Use get-memory-blocks to understand the binary structure
  • Examine key sections:
    • .text - executable code
    • .data - initialized data
    • .rodata - read-only data (strings, constants)
    • .bss - uninitialized data
  • Flag unusual characteristics:
    • Unusually large sections
    • Packed/encrypted sections
    • Executable data sections
    • Writable code sections

3. Survey Strings

  • Use get-strings-count to see total string count
  • Use get-strings with pagination (100-200 strings at a time)
  • Look for indicators of functionality or malicious behavior:
    • Network: URLs, IP addresses, domain names, API endpoints
    • File System: File paths, registry keys, configuration files
    • APIs: Function names, library references
    • Messages: Error messages, debug strings, log messages
    • Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload

4. Survey Symbols and Imports

  • Use get-symbols-count with includeExternal=true to count imports
  • Use get-symbols with includeExternal=true and filterDefaultNames=true
  • Focus on external symbols (imports from libraries)
  • Flag interesting/suspicious imports by category:
    • Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket
    • File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread
    • Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute
    • Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect
    • Crypto: CryptEncrypt, CryptDecrypt, EVP_*, AES_*, bcrypt, RC4
    • Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace
    • Registry: RegOpenKey, RegSetValue, RegQueryValue
  • Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)

5. Survey Functions

  • Use get-function-count with filterDefaultNames=true to count named functions
  • Use get-function-count with filterDefaultNames=false to count all functions
  • Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary)
  • Use get-functions with filterDefaultNames=true to list named functions
  • Identify key functions:
    • Entry points: entry, start, _start
    • Main functions: main, WinMain, DllMain, _main
    • Suspicious names: If not stripped, look for revealing function names

6. Cross-Reference Analysis for Key Findings

  • For interesting strings found in Step 3:
    • Use find-cross-references with direction="to" and includeContext=true
    • Identify which functions reference suspicious strings
  • For suspicious imports found in Step 4:
    • Use find-cross-references with direction="to" and includeContext=true
    • Identify which functions call suspicious APIs
  • This helps prioritize which functions need detailed examination

7. Selective Initial Decompilation

  • Use get-decompilation on entry point or main function
    • Set limit=30 to get ~30 lines initially
    • Set includeIncomingReferences=true to see callers
    • Set includeReferenceContext=true for context snippets
  • Use get-decompilation on 1-2 suspicious functions identified in Step 6
    • Set limit=20-30 for quick overview
  • Look for high-level patterns:
    • Loops (encryption/decryption routines)
    • Network operations
    • File operations
    • Process creation
    • Suspicious control flow (obfuscation indicators)
  • Do not do deep analysis yet - this is just to understand general behavior

8. Document Findings and Create Task List

  • Use the TodoWrite tool to create an actionable task list with items like:
    • "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"
    • "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"
    • "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"
    • "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"
    • "Examine packed section .UPX0 for unpacking routine"
  • Each todo should be:
    • Specific (include addresses, function names, strings)
    • Actionable (what needs to be investigated)
    • Prioritized (most suspicious first)

Output Format

Present triage findings to the user in this structured format:

Program Overview

  • Name: [Program name from programPath]
  • Type: [Executable type - PE, ELF, Mach-O, etc.]
  • Platform: [Windows, Linux, macOS, etc.]

Memory Layout

  • Total Size: [Size in bytes/KB/MB]
  • Key Sections: [List main sections with sizes and permissions]
  • Unusual Characteristics: [Any packed/encrypted/suspicious sections]

String Analysis

  • Total Strings: [Count from get-strings-count]
  • Notable Findings: [Bullet list of interesting strings with context]
  • Suspicious Indicators: [URLs, IPs, suspicious keywords found]

Import Analysis

  • Total Symbols: [Count from get-symbols-count]
  • External Imports: [Count of external symbols]
  • Key Libraries: [Main libraries imported]
  • Suspicious APIs: [Categorized list of concerning imports]

Function Analysis

  • Total Functions: [Count with filterDefaultNames=false]
  • Named Functions: [Count with filterDefaultNames=true]
  • Stripped Status: [Yes/No based on ratio]
  • Entry Point: [Address and name]
  • Main Function: [Address and name]
  • Key Functions: [List of important functions identified]

Suspicious Indicators

[Bulleted list of red flags discovered, prioritized by severity]

Recommended Next Steps

[Present the task list created in Step 8]

  • Each item should be specific and actionable
  • Prioritize by severity/importance
  • Include addresses, function names, and context

Important Notes

  • Speed over depth: This is triage, not full analysis. Move quickly through steps.
  • Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.
  • Focus on anomalies: Flag things that are unusual, suspicious, or interesting.
  • Context is key: When using cross-references, enable includeContext=true for code snippets.
  • Create actionable todos: Each next step should be specific enough for another agent to execute.
  • Be systematic: Follow all 8 steps in order for comprehensive coverage.