Agent skill

binary-triage

Performs initial binary triage by surveying memory layout, strings, imports/exports, and functions to quickly understand what a binary does and identify suspicious behavior. Use when first examining a binary, when user asks to triage/survey/analyze a program, or wants an overview before deeper reverse engineering.

View SKILL.md on GitHub Repository
Stars 691
Forks 59

Install this agent skill to your Project

npx add-skill https://github.com/cyberkaida/reverse-engineering-assistant/tree/main/ReVa/skills/binary-triage

SKILL.md

Binary Triage

Instructions

We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:

  1. Identify key components and behaviors
  2. Flag suspicious or interesting areas
  3. Create a task list of next steps for deeper investigation

Binary triage with ReVa

Follow this systematic workflow using ReVa's MCP tools:

1. Identify the Program

  • Use get-current-program to see the active program
  • Or use list-project-files to see available programs in the project
  • Note the programPath (e.g., "/Hatchery.exe") for use in subsequent tools

2. Survey Memory Layout

  • Use get-memory-blocks to understand the binary structure
  • Examine key sections:
    • .text - executable code
    • .data - initialized data
    • .rodata - read-only data (strings, constants)
    • .bss - uninitialized data
  • Flag unusual characteristics:
    • Unusually large sections
    • Packed/encrypted sections
    • Executable data sections
    • Writable code sections

3. Survey Strings

  • Use get-strings-count to see total string count
  • Use get-strings with pagination (100-200 strings at a time)
  • Look for indicators of functionality or malicious behavior:
    • Network: URLs, IP addresses, domain names, API endpoints
    • File System: File paths, registry keys, configuration files
    • APIs: Function names, library references
    • Messages: Error messages, debug strings, log messages
    • Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload

4. Survey Symbols and Imports

  • Use get-symbols-count with includeExternal=true to count imports
  • Use get-symbols with includeExternal=true and filterDefaultNames=true
  • Focus on external symbols (imports from libraries)
  • Flag interesting/suspicious imports by category:
    • Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket
    • File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread
    • Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute
    • Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect
    • Crypto: CryptEncrypt, CryptDecrypt, EVP_, AES_, bcrypt, RC4
    • Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace
    • Registry: RegOpenKey, RegSetValue, RegQueryValue
  • Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)

5. Survey Functions

  • Use get-function-count with filterDefaultNames=true to count named functions
  • Use get-function-count with filterDefaultNames=false to count all functions
  • Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary)
  • Use get-functions with filterDefaultNames=true to list named functions
  • Identify key functions:
    • Entry points: entry, start, _start
    • Main functions: main, WinMain, DllMain, _main
    • Suspicious names: If not stripped, look for revealing function names

6. Cross-Reference Analysis for Key Findings

  • For interesting strings found in Step 3:
    • Use find-cross-references with direction="to" and includeContext=true
    • Identify which functions reference suspicious strings
  • For suspicious imports found in Step 4:
    • Use find-cross-references with direction="to" and includeContext=true
    • Identify which functions call suspicious APIs
  • This helps prioritize which functions need detailed examination

7. Selective Initial Decompilation

  • Use get-decompilation on entry point or main function
    • Set limit=30 to get ~30 lines initially
    • Set includeIncomingReferences=true to see callers
    • Set includeReferenceContext=true for context snippets
  • Use get-decompilation on 1-2 suspicious functions identified in Step 6
    • Set limit=20-30 for quick overview
  • Look for high-level patterns:
    • Loops (encryption/decryption routines)
    • Network operations
    • File operations
    • Process creation
    • Suspicious control flow (obfuscation indicators)
  • Do not do deep analysis yet - this is just to understand general behavior

8. Document Findings and Create Task List

  • Use the TodoWrite tool to create an actionable task list with items like:
    • "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"
    • "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"
    • "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"
    • "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"
    • "Examine packed section .UPX0 for unpacking routine"
  • Each todo should be:
    • Specific (include addresses, function names, strings)
    • Actionable (what needs to be investigated)
    • Prioritized (most suspicious first)

Output Format

Present triage findings to the user in this structured format:

Program Overview

  • Name: [Program name from programPath]
  • Type: [Executable type - PE, ELF, Mach-O, etc.]
  • Platform: [Windows, Linux, macOS, etc.]

Memory Layout

  • Total Size: [Size in bytes/KB/MB]
  • Key Sections: [List main sections with sizes and permissions]
  • Unusual Characteristics: [Any packed/encrypted/suspicious sections]

String Analysis

  • Total Strings: [Count from get-strings-count]
  • Notable Findings: [Bullet list of interesting strings with context]
  • Suspicious Indicators: [URLs, IPs, suspicious keywords found]

Import Analysis

  • Total Symbols: [Count from get-symbols-count]
  • External Imports: [Count of external symbols]
  • Key Libraries: [Main libraries imported]
  • Suspicious APIs: [Categorized list of concerning imports]

Function Analysis

  • Total Functions: [Count with filterDefaultNames=false]
  • Named Functions: [Count with filterDefaultNames=true]
  • Stripped Status: [Yes/No based on ratio]
  • Entry Point: [Address and name]
  • Main Function: [Address and name]
  • Key Functions: [List of important functions identified]

Suspicious Indicators

[Bulleted list of red flags discovered, prioritized by severity]

Recommended Next Steps

[Present the task list created in Step 8]

  • Each item should be specific and actionable
  • Prioritize by severity/importance
  • Include addresses, function names, and context

Important Notes

  • Speed over depth: This is triage, not full analysis. Move quickly through steps.
  • Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.
  • Focus on anomalies: Flag things that are unusual, suspicious, or interesting.
  • Context is key: When using cross-references, enable includeContext=true for code snippets.
  • Create actionable todos: Each next step should be specific enough for another agent to execute.
  • Be systematic: Follow all 8 steps in order for comprehensive coverage.

Recommended Agent Skills

Expand your agent's capabilities with these related and highly-rated skills.

cyberkaida/reverse-engineering-assistant

deep-analysis

Performs focused, depth-first investigation of specific reverse engineering questions through iterative analysis and database improvement. Answers questions like "What does this function do?", "Does this use crypto?", "What's the C2 address?", "Fix types in this function". Makes incremental improvements (renaming, retyping, commenting) to aid understanding. Returns evidence-based answers with new investigation threads. Use after binary-triage for investigating specific suspicious areas or when user asks focused questions about binary behavior.

691 59
Explore
cyberkaida/reverse-engineering-assistant

ctf-crypto

Solve CTF cryptography challenges by identifying, analyzing, and exploiting weak crypto implementations in binaries to extract keys or decrypt data. Use for custom ciphers, weak crypto, key extraction, or algorithm identification.

691 59
Explore
cyberkaida/reverse-engineering-assistant

ctf-pwn

Solve CTF binary exploitation challenges by discovering and exploiting memory corruption vulnerabilities to read flags. Use for buffer overflows, format strings, heap exploits, ROP challenges, or any pwn/exploitation task.

691 59
Explore
cyberkaida/reverse-engineering-assistant

ctf-rev

Solve CTF reverse engineering challenges using systematic analysis to find flags, keys, or passwords. Use for crackmes, binary bombs, key validators, obfuscated code, algorithm recovery, or any challenge requiring program comprehension to extract hidden information.

691 59
Explore
sickn33/antigravity-awesome-skills

obsidian-clipper-template-creator

Guide for creating templates for the Obsidian Web Clipper. Use when you want to create a new clipping template, understand available variables, or format clipped content.

28,421 4,766
Explore
sickn33/antigravity-awesome-skills

claude-code-expert

Especialista profundo em Claude Code - CLI da Anthropic. Maximiza produtividade com atalhos, hooks, MCPs, configuracoes avancadas, workflows, CLAUDE.md, memoria, sub-agentes, permissoes e integracao com ecossistemas.

28,421 4,766
Explore

Didn't find tool you were looking for?

Be as detailed as possible for better results