Back to Details

reverse-engineering-quick-triage

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

LIBRARY-FIRST PROTOCOL (MANDATORY)

【优先使用库协议(强制要求)】

Before writing ANY code, you MUST check:
在编写任何代码之前,您必须检查:

Step 1: Library Catalog

步骤1:库目录

  • Location: 
    .claude/library/catalog.json
  • If match >70%: REUSE or ADAPT
  • 位置:
    .claude/library/catalog.json
  • 若匹配度>70%:复用或适配

Step 2: Patterns Guide

步骤2:模式指南

  • Location: 
    .claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md
  • If pattern exists: FOLLOW documented approach
  • 位置:
    .claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.md
  • 若存在对应模式:遵循文档化方法

Step 3: Existing Projects

步骤3:现有项目

  • Location: 
    D:\Projects\*
  • If found: EXTRACT and adapt
  • 位置:
    D:\Projects\*
  • 若找到对应内容:提取并适配

Decision Matrix

决策矩阵

MatchAction
Library >90%REUSE directly
Library 70-90%ADAPT minimally
Pattern existsFOLLOW pattern
In projectEXTRACT
No matchBUILD (add to library after)
匹配度操作
库匹配>90%直接复用
库匹配70-90%最小程度适配
存在对应模式遵循文档化方法
已在项目中存在提取复用
无匹配项构建(完成后添加到库中)

When to Use This Skill

何时使用本技能

Use this skill when analyzing malware samples, reverse engineering binaries for security research, conducting vulnerability assessments, extracting IOCs from suspicious files, validating software for supply chain security, or performing CTF challenges and binary exploitation research.
在分析恶意软件样本、为安全研究逆向工程二进制文件、进行漏洞评估、从可疑文件中提取IOC、验证软件供应链安全性,或参与CTF挑战与二进制漏洞利用研究时,可使用本技能。

When NOT to Use This Skill

何时不使用本技能

Do NOT use for unauthorized reverse engineering of commercial software, analyzing binaries on production systems, reversing software without legal authorization, violating terms of service or EULAs, or analyzing malware outside isolated environments. Avoid for simple string extraction (use basic tools instead).
请勿用于对商业软件进行未授权逆向工程、在生产系统上分析二进制文件、无合法授权逆向软件、违反服务条款或最终用户许可协议(EULA),或在隔离环境外分析恶意软件。简单字符串提取场景请使用基础工具,无需本技能。

Success Criteria

成功标准

  • All security-relevant behaviors identified (network, file, registry, process activity)
  • Malicious indicators extracted with confidence scores (IOCs, C2 domains, encryption keys)
  • Vulnerabilities documented with CVE mapping where applicable
  • Analysis completed within sandbox environment (VM/container with snapshots)
  • Findings validated through multiple analysis methods (static + dynamic + symbolic)
  • Complete IOC report generated (STIX/MISP format for threat intelligence sharing)
  • Zero false positives in vulnerability assessments
  • Exploitation proof-of-concept created (if vulnerability research)
  • 识别所有与安全相关的行为(网络、文件、注册表、进程活动)
  • 提取带有置信度评分的恶意指标(IOC、C2域名、加密密钥)
  • 记录漏洞并在适用时关联CVE编号
  • 在沙箱环境(带快照的虚拟机/容器)内完成分析
  • 通过多种分析方法验证发现(静态+动态+符号执行)
  • 生成完整的IOC报告(采用STIX/MISP格式用于威胁情报共享)
  • 漏洞评估中无假阳性结果
  • 若为漏洞研究,需创建利用概念验证(PoC)

Edge Cases & Challenges

边缘案例与挑战

  • Anti-analysis techniques (debugger detection, VM detection, timing checks)
  • Obfuscated or packed binaries requiring unpacking
  • Multi-stage malware with encrypted payloads
  • Kernel-mode rootkits requiring specialized analysis
  • Symbolic execution state explosion (>10,000 paths)
  • Binary analysis timeout on complex programs (>24 hours)
  • False positives from legitimate software behavior
  • Encrypted network traffic requiring SSL interception
  • 反分析技术(调试器检测、虚拟机检测、计时检查)
  • 需脱壳的混淆或加壳二进制文件
  • 带有加密载荷的多阶段恶意软件
  • 需专用分析工具的内核级Rootkit
  • 符号执行状态爆炸(路径数>10000)
  • 复杂程序的二进制分析超时(>24小时)
  • 合法软件行为导致的假阳性结果
  • 需SSL拦截的加密网络流量

Guardrails (CRITICAL SECURITY RULES)

安全防护规则(关键)

  • NEVER execute unknown binaries on host systems (ONLY in isolated VM/sandbox)
  • NEVER analyze malware without proper containment (air-gapped lab preferred)
  • NEVER reverse engineer software without legal authorization
  • NEVER share extracted credentials or encryption keys publicly
  • NEVER bypass licensing mechanisms for unauthorized use
  • ALWAYS use sandboxed environments with network monitoring
  • ALWAYS take VM snapshots before executing suspicious binaries
  • ALWAYS validate findings through multiple analysis methods
  • ALWAYS document analysis methodology with timestamps
  • ALWAYS assume binaries are malicious until proven safe
  • ALWAYS use network isolation to prevent malware communication
  • ALWAYS sanitize IOCs before sharing (redact internal IP addresses)
  • 绝对不要在主机系统上执行未知二进制文件(仅在隔离虚拟机/沙箱中运行)
  • 绝对不要在无适当隔离措施的情况下分析恶意软件(首选气隙实验室环境)
  • 绝对不要在无合法授权的情况下逆向工程软件
  • 绝对不要公开分享提取的凭据或加密密钥
  • 绝对不要为未授权使用绕过许可机制
  • 始终使用带网络监控的沙箱环境
  • 始终在执行可疑二进制文件前创建虚拟机快照
  • 始终通过多种分析方法验证发现
  • 始终记录带时间戳的分析方法
  • 始终假设二进制文件为恶意,直至证明其安全
  • 始终使用网络隔离防止恶意软件通信
  • 始终在共享前清理IOC(编辑内部IP地址)

Evidence-Based Validation

基于证据的验证

All reverse engineering findings MUST be validated through:
  1. Multi-method analysis - Static + dynamic + symbolic execution confirm same behavior
  2. Sandbox validation - Execute in isolated environment, capture all activity
  3. Network monitoring - Packet capture validates network-based findings
  4. Memory forensics - Validate runtime secrets through memory dumps
  5. Behavioral correlation - Cross-reference with known malware signatures (YARA, ClamAV)
  6. Reproducibility - Second analyst can replicate findings from analysis artifacts
所有逆向工程发现必须通过以下方式验证:
  1. 多方法分析 - 静态+动态+符号执行确认一致行为
  2. 沙箱验证 - 在隔离环境中执行,捕获所有活动
  3. 网络监控 - 数据包捕获验证基于网络的发现
  4. 内存取证 - 通过内存转储验证运行时机密
  5. 行为关联 - 与已知恶意软件特征(YARA、ClamAV)交叉引用
  6. 可复现性 - 其他分析师可通过分析工件复现发现

Reverse Engineering: Quick Triage

逆向工程:快速分类

What This Skill Does

本技能的功能

Performs rapid reverse engineering triage through two progressive levels:
  • Level 1 (≤30 min): String reconnaissance - Extract URLs, IPs, IOCs, file paths, crypto indicators
  • Level 2 (1-2 hrs): Static analysis - Disassemble with Ghidra/radare2, map control flow, decompile to C
Decision Gate: After Level 1, automatically evaluates if Level 2 is needed or if string analysis answered the question.
Timebox: ≤2 hours total
通过两个递进级别执行快速逆向工程分类:
  • 级别1(≤30分钟):字符串侦察 - 提取URL、IP、IOC、文件路径、加密指标
  • 级别2(1-2小时):静态分析 - 使用Ghidra/radare2反汇编,映射控制流,反编译为C语言
决策门控:完成级别1后,自动评估是否需要进行级别2,或字符串分析是否已解答问题。
时间限制:总时长≤2小时

Prerequisites

前置条件

Required Tools

必备工具

  • strings - GNU binutils (pre-installed on most Linux/macOS)
  • file - File type identification
  • sha256sum - Hashing utility
  • xxd - Hex dump utility
  • strings - GNU binutils(多数Linux/macOS系统预装)
  • file - 文件类型识别工具
  • sha256sum - 哈希工具
  • xxd - 十六进制转储工具

Required for Level 2

级别2必备工具

  • Ghidra - Headless analysis capability OR
  • radare2 - Alternative disassembler
  • graphviz - For callgraph visualization (
    dot
    command)
  • Ghidra - 无头分析功能 或
  • radare2 - 替代反汇编器
  • graphviz - 用于调用图可视化(
    dot
    命令)

MCP Servers (Auto-Configured)

MCP服务器(自动配置)

  • memory-mcp
    - Store findings across sessions
  • filesystem
    - Access binaries and create outputs
  • connascence-analyzer
    - Analyze decompiled code quality
  • sequential-thinking
    - Decision gate reasoning
  • memory-mcp
    - 跨会话存储分析结果
  • filesystem
    - 访问二进制文件并创建输出
  • connascence-analyzer
    - 分析反编译代码质量
  • sequential-thinking
    - 决策门控逻辑

⚠️ CRITICAL SECURITY WARNING

⚠️ 关键安全警告

NEVER execute unknown binaries on your host system!
All dynamic analysis and binary execution MUST be performed in:
  • Isolated VM (VMware/VirtualBox with snapshots enabled)
  • Docker container with security restrictions (
    --security-opt seccomp=unconfined
    )
  • E2B sandbox via sandbox-configurator skill
  • Dedicated malware analysis environment (REMnux, FLARE VM)
Consequences of unsafe execution:
  • Malware infection and persistent backdoors
  • Data exfiltration and credential theft
  • System compromise and lateral movement
  • Ransomware deployment
Safe Practices:
  • Always analyze binaries in an isolated environment
  • Take VM snapshots before analysis
  • Monitor network traffic during execution
  • Never use your primary development machine
  • Assume all unknown binaries are malicious until proven otherwise
绝对不要在您的主机系统上执行未知二进制文件!
所有动态分析和二进制执行必须在以下环境中进行:
  • 隔离虚拟机(启用快照的VMware/VirtualBox)
  • 带安全限制的Docker容器
    --security-opt seccomp=unconfined
  • 通过sandbox-configurator技能配置的E2B沙箱
  • 专用恶意软件分析环境(REMnux、FLARE VM)
不安全执行的后果
  • 恶意软件感染与持久后门
  • 数据泄露与凭据窃取
  • 系统沦陷与横向移动
  • 勒索软件部署
安全实践
  • 始终在隔离环境中分析二进制文件
  • 分析前创建虚拟机快照
  • 执行期间监控网络流量
  • 切勿使用您的主开发机器
  • 假设所有未知二进制文件为恶意,直至证明其安全

Quick Start (3 commands)

快速开始(3条命令)

bash
undefined
bash
undefined

1. Analyze suspicious binary (fastest path)

1. 分析可疑二进制文件(最快路径)

/re:quick malware.exe
/re:quick malware.exe

2. String analysis only (Level 1, ≤30 min)

2. 仅执行字符串分析(级别1,≤30分钟)

/re:quick suspicious.bin --level 1
/re:quick suspicious.bin --level 1

3. Static analysis only (Level 2, 1-2 hrs)

3. 仅执行静态分析(级别2,1-2小时)

/re:quick crackme.exe --level 2 --output ./analysis/

**Auto-Decision**: Skill will ask after Level 1: "Suspicious IOCs found. Proceed to Level 2?" (Yes/No/Auto)

---
/re:quick crackme.exe --level 2 --output ./analysis/

**自动决策**:完成级别1后,技能会询问:"发现可疑IOC,是否继续执行级别2?"(是/否/自动)

---

Step-by-Step Guide

分步指南

Level 1: String Reconnaissance (≤30 minutes)

级别1:字符串侦察(≤30分钟)

Step 1: Launch String Analysis

步骤1:启动字符串分析

bash
undefined
bash
undefined

Invoke RE-String-Analyst agent via slash command

通过斜杠命令调用RE-String-Analyst代理

/re:strings binary.exe --min-length 10 --output re-project/artifacts/strings.json

**What Happens**:
1. Computes SHA256 hash of binary
2. Checks memory-mcp for prior analysis (avoids duplicate work)
3. Extracts printable strings with adaptive min-length
4. Categorizes findings: URLs, IPs, emails, file paths, protocols, crypto indicators
5. Generates `strings.json` with categorized IOCs

**Expected Output**:
```json
{
  "binary": {"hash": "sha256:abc123...", "size": 1048576},
  "iocs": [
    "http://malicious-c2.tk/checkin",
    "192.168.100.50",
    "attacker@evil.com"
  ],
  "urls": [...],
  "file_paths": ["C:\\Windows\\System32\\malicious.dll"],
  "crypto": ["AES-256-CBC"],
  "analysis_time": "2025-11-01T10:15:00Z"
}
/re:strings binary.exe --min-length 10 --output re-project/artifacts/strings.json

**执行流程**:
1. 计算二进制文件的SHA256哈希
2. 检查memory-mcp中是否有过往分析记录(避免重复工作)
3. 提取自适应最小长度的可打印字符串
4. 对发现结果分类:URL、IP、邮箱、文件路径、协议、加密指标
5. 生成包含分类后IOC的`strings.json`文件

**预期输出**:
```json
{
  "binary": {"hash": "sha256:abc123...", "size": 1048576},
  "iocs": [
    "http://malicious-c2.tk/checkin",
    "192.168.100.50",
    "attacker@evil.com"
  ],
  "urls": [...],
  "file_paths": ["C:\\Windows\\System32\\malicious.dll"],
  "crypto": ["AES-256-CBC"],
  "analysis_time": "2025-11-01T10:15:00Z"
}

Step 2: Review String Findings

步骤2:查看字符串分析结果

The skill will display:
  • IOCs Found: 15 suspicious indicators
  • Known-Good URLs: 42 (Microsoft, Google - likely benign)
  • Private IPs: 5 (internal communication)
  • Crypto Usage: AES-256, RSA-2048 detected
技能将展示:
  • 发现的IOC数量:15个可疑指标
  • 已知安全URL:42个(微软、谷歌等,大概率为良性)
  • 私有IP:5个(内部通信)
  • 加密算法使用:检测到AES-256、RSA-2048

Step 3: Decision Gate

步骤3:决策门控

Automated Evaluation (via sequential-thinking MCP):
QUESTION: "Should we proceed to Level 2 static analysis?"
FACTORS:
- Suspicious C2 domain found (malicious-c2.tk) ✅
- Hardcoded credential strings present ✅
- Obfuscation indicators (encoded strings) ✅
- User's analytical question answered? ❌ (need deeper analysis)
DECISION: ESCALATE TO LEVEL 2
User Override:
  • Type 
    skip
    to exit after Level 1 (findings sufficient)
  • Type 
    continue
    to force Level 2 (even if not recommended)
  • Type 
    auto
    (default) to follow recommendation
自动评估(通过sequential-thinking MCP):
问题:"是否应继续执行级别2静态分析?"
评估因素:
- 发现可疑C2域名(malicious-c2.tk) ✅
- 存在硬编码凭据字符串 ✅
- 存在混淆指标(编码字符串) ✅
- 用户的分析问题是否已解答? ❌(需更深入分析)
决策:升级至级别2
用户手动覆盖
  • 输入
    skip
    在级别1后退出(结果已足够)
  • 输入
    continue
    强制执行级别2(即使不推荐)
  • 输入
    auto
    (默认)遵循系统推荐

Level 2: Static Analysis (1-2 hours)

级别2:静态分析(1-2小时)

Step 1: Launch Disassembly

步骤1:启动反汇编

bash
undefined
bash
undefined

Invoke RE-Disassembly-Expert agent via slash command

通过斜杠命令调用RE-Disassembly-Expert代理

/re:static binary.exe --tool ghidra --decompile true --callgraph true

**What Happens**:
1. Detects binary architecture (x86/x64/ARM/MIPS)
2. Loads into Ghidra headless analyzer
3. Performs auto-analysis (function discovery, CFG)
4. Decompiles key functions to pseudo-C
5. Generates callgraph visualization
6. Runs connascence-analyzer on decompiled code

**Timeline**:
- Small binary (<1MB): 30-45 minutes
- Medium binary (1-10MB): 1-1.5 hours
- Large binary (>10MB): 1.5-2 hours
/re:static binary.exe --tool ghidra --decompile true --callgraph true

**执行流程**:
1. 检测二进制文件架构(x86/x64/ARM/MIPS)
2. 加载至Ghidra无头分析器
3. 执行自动分析(函数发现、控制流图CFG)
4. 将关键函数反编译为伪C代码
5. 生成调用图可视化
6. 对反编译代码运行connascence-analyzer

**时间线**:
- 小型二进制文件(<1MB):30-45分钟
- 中型二进制文件(1-10MB):1-1.5小时
- 大型二进制文件(>10MB):1.5-2小时

Step 2: Review Disassembly Results

步骤2:查看反汇编结果

Output Structure:
re-project/
├── ghidra/
│   ├── binary.gpr                 # Ghidra project
│   ├── decompiled/
│   │   ├── main.c                 # Decompiled entry point
│   │   ├── check_auth.c           # Authentication function
│   │   └── encrypt_data.c         # Crypto function
│   ├── callgraphs/
│   │   └── main-callgraph.png     # Call graph visualization
│   └── cfg/
│       └── main-cfg.dot           # Control flow graph
├── notes/
│   ├── 001-strings-l1.md          # Level 1 findings
│   └── 002-static-l2.md           # Level 2 findings
└── artifacts/
    ├── strings.json               # From Level 1
    ├── imports.txt                # External library calls
    └── suspicious-functions.txt   # Flagged vulnerabilities
输出结构
re-project/
├── ghidra/
│   ├── binary.gpr                 # Ghidra项目文件
│   ├── decompiled/
│   │   ├── main.c                 # 反编译的入口点
│   │   ├── check_auth.c           # 认证函数
│   │   └── encrypt_data.c         # 加密函数
│   ├── callgraphs/
│   │   └── main-callgraph.png     # 调用图可视化
│   └── cfg/
│       └── main-cfg.dot           # 控制流图
├── notes/
│   ├── 001-strings-l1.md          # 级别1分析结果
│   └── 002-static-l2.md           # 级别2分析结果
└── artifacts/
    ├── strings.json               # 来自级别1的结果
    ├── imports.txt                # 外部库调用
    └── suspicious-functions.txt   # 标记的漏洞函数

Step 3: Code Quality Analysis

步骤3:代码质量分析

Automatically applies connascence-analyzer to decompiled C code:
Detects:
  • God Objects (functions > 500 lines)
  • Parameter Bombs (functions > 7 parameters)
  • Deep Nesting (> 4 levels)
  • Complexity Issues
  • NASA Power of 10 violations
Sample Output:
CONNASCENCE VIOLATIONS:
- check_auth.c:45 - God Object (723 lines)
- encrypt_data.c:12 - Parameter Bomb (11 parameters)
- network_handler.c:89 - Deep Nesting (6 levels)
自动对反编译的C代码应用connascence分析:
检测内容
  • 上帝对象(函数行数>500)
  • 参数爆炸(函数参数>7个)
  • 深层嵌套(嵌套层级>4)
  • 复杂度问题
  • 违反NASA十大编码规范
示例输出
CONNASCENCE违规:
- check_auth.c:45 - 上帝对象(723行)
- encrypt_data.c:12 - 参数爆炸(11个参数)
- network_handler.c:89 - 深层嵌套(6级)

Step 4: Store Findings in Memory

步骤4:将结果存储至内存

javascript
// Automatically stored by RE-Disassembly-Expert agent
mcp__memory-mcp__memory_store({
  content: {
    binary_hash: "sha256:abc123...",
    level_completed: 2,
    entry_point: "0x401000",
    critical_functions: [
      {name: "check_auth", address: "0x401234", decompiled: "check_auth.c"},
      {name: "encrypt_data", address: "0x401567", decompiled: "encrypt_data.c"}
    ],
    vulnerabilities: [
      {type: "buffer_overflow", function: "read_input", severity: "HIGH"},
      {type: "format_string", function: "log_message", severity: "MEDIUM"}
    ],
    callgraph: "callgraphs/main-callgraph.png",
    connascence_violations: 12
  },
  metadata: {
    agent: "RE-Disassembly-Expert",
    category: "reverse-engineering",
    intent: "static-analysis",
    layer: "long_term",
    project: `binary-analysis-${date}`,
    keywords: ["disassembly", "decompilation", "ghidra", "static"],
    re_level: 2,
    binary_hash: "sha256:abc123..."
  }
})
javascript
// 由RE-Disassembly-Expert代理自动存储
mcp__memory-mcp__memory_store({
  content: {
    binary_hash: "sha256:abc123...",
    level_completed: 2,
    entry_point: "0x401000",
    critical_functions: [
      {name: "check_auth", address: "0x401234", decompiled: "check_auth.c"},
      {name: "encrypt_data", address: "0x401567", decompiled: "encrypt_data.c"}
    ],
    vulnerabilities: [
      {type: "buffer_overflow", function: "read_input", severity: "HIGH"},
      {type: "format_string", function: "log_message", severity: "MEDIUM"}
    ],
    callgraph: "callgraphs/main-callgraph.png",
    connascence_violations: 12
  },
  metadata: {
    agent: "RE-Disassembly-Expert",
    category: "reverse-engineering",
    intent: "static-analysis",
    layer: "long_term",
    project: `binary-analysis-${date}`,
    keywords: ["disassembly", "decompilation", "ghidra", "static"],
    re_level: 2,
    binary_hash: "sha256:abc123..."
  }
})

Advanced Options

高级选项

Custom String Extraction

自定义字符串提取

bash
undefined
bash
undefined

Extract shorter strings for small binaries

为小型二进制文件提取更短的字符串

/re:strings tiny-binary.exe --min-length 4
/re:strings tiny-binary.exe --min-length 4

IOCs only (skip non-IOC strings)

仅提取IOC(跳过非IOC字符串)

/re:strings malware.bin --ioc-only
/re:strings malware.bin --ioc-only

Unicode strings only

仅提取Unicode字符串

/re:strings international-app.exe --encoding unicode
undefined
/re:strings international-app.exe --encoding unicode
undefined

Custom Disassembly Tools

自定义反汇编工具

bash
undefined
bash
undefined

Use radare2 instead of Ghidra (faster, less accurate)

使用radare2替代Ghidra(速度更快,精度较低)

/re:static binary.exe --tool radare2
/re:static binary.exe --tool radare2

Use objdump (very fast, no decompilation)

使用objdump(速度极快,无反编译功能)

/re:static binary.exe --tool objdump --decompile false
/re:static binary.exe --tool objdump --decompile false

Focus on specific functions

仅分析指定函数

/re:static binary.exe --functions main,check_password,crypto_init
undefined
/re:static binary.exe --functions main,check_password,crypto_init
undefined

Batch Analysis

批量分析

bash
undefined
bash
undefined

Analyze multiple binaries (Level 1 only for speed)

分析多个二进制文件(仅级别1以提升速度)

find ./malware-samples/ -name "*.exe" | while read binary; do /re:quick "$binary" --level 1 --store-findings true done
find ./malware-samples/ -name "*.exe" | while read binary; do /re:quick "$binary" --level 1 --store-findings true done

Cross-reference findings in memory-mcp

在memory-mcp中交叉引用结果

mcp__memory-mcp__vector_search({ query: "malicious-c2.tk", # Search for common IOC across all samples limit: 100, filter: {category: "reverse-engineering", re_level: 1} })

---
mcp__memory-mcp__vector_search({ query: "malicious-c2.tk", # 在所有样本中搜索通用IOC limit: 100, filter: {category: "reverse-engineering", re_level: 1} })

---

Integration with Other Tools

与其他工具的集成

Handoff to Dynamic Analysis

移交至动态分析

If static analysis reveals interesting runtime behavior:
bash
undefined
若静态分析发现有趣的运行时行为:
bash
undefined

After Level 2 completes, check recommendations

完成级别2后,查看推荐建议

cat re-project/notes/002-static-l2.md
cat re-project/notes/002-static-l2.md

If recommended: "Proceed to dynamic analysis"

若建议为:"继续执行动态分析"

/re:deep binary.exe --breakpoints 0x401234,0x401567

**Automatic Handoff**:
The skill stores handoff data in memory-mcp:
```javascript
{
  key: "re-handoff/static-to-dynamic/${binary_hash}",
  value: {
    decision: "ESCALATE_TO_LEVEL_3",
    entry_point: "0x401000",
    critical_functions: ["check_password@0x401234"],
    breakpoint_suggestions: ["0x401234", "0x401567"],
    findings: {...}
  }
}
/re:deep binary.exe --breakpoints 0x401234,0x401567

**自动移交**:
技能会将移交数据存储至memory-mcp:
```javascript
{
  key: "re-handoff/static-to-dynamic/${binary_hash}",
  value: {
    decision: "ESCALATE_TO_LEVEL_3",
    entry_point: "0x401000",
    critical_functions: ["check_password@0x401234"],
    breakpoint_suggestions: ["0x401234", "0x401567"],
    findings: {...}
  }
}

Export Findings

导出分析结果

bash
undefined
bash
undefined

Export to JSON for threat intel platform

导出为JSON格式用于威胁情报平台

cat re-project/artifacts/strings.json | jq '.iocs[]' > iocs-export.txt
cat re-project/artifacts/strings.json | jq '.iocs[]' > iocs-export.txt

Export decompiled code

导出反编译代码

tar -czf decompiled-code.tar.gz re-project/ghidra/decompiled/
tar -czf decompiled-code.tar.gz re-project/ghidra/decompiled/

Generate executive summary

生成执行摘要

cat re-project/notes/002-static-l2.md

---
cat re-project/notes/002-static-l2.md

---

Troubleshooting

故障排除

Issue: "Binary already analyzed" Message

问题:"二进制文件已分析"提示

Symptoms: Skill exits immediately with cached results
Cause: SHA256 hash found in memory-mcp from prior analysis
Solution:
bash
undefined
症状:技能立即退出并返回缓存结果
原因:在memory-mcp中发现该二进制文件的SHA256哈希过往分析记录
解决方案
bash
undefined

Option 1: Use cached results (recommended if binary unchanged)

选项1:使用缓存结果(若二进制文件未修改,推荐使用)

mcp__memory-mcp__vector_search({query: "sha256:abc123...", limit: 1})
mcp__memory-mcp__vector_search({query: "sha256:abc123...", limit: 1})

Option 2: Force re-analysis

选项2:强制重新分析

/re:quick binary.exe --force-reanalyze true
undefined
/re:quick binary.exe --force-reanalyze true
undefined

Issue: Ghidra Headless Analysis Fails

问题:Ghidra无头分析失败

Symptoms: "Ghidra headless not found" or timeout errors
Cause: Ghidra not installed or not in PATH
Solution:
bash
undefined
症状:提示"未找到Ghidra无头分析器"或超时错误
原因:未安装Ghidra或未将其添加至系统PATH
解决方案
bash
undefined

Install Ghidra

安装Ghidra

wget https://github.com/NationalSecurityAgency/ghidra/releases/download/.../ghidra.zip unzip ghidra.zip export PATH=$PATH:/path/to/ghidra/support
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/.../ghidra.zip unzip ghidra.zip export PATH=$PATH:/path/to/ghidra/support

Verify installation

验证安装

analyzeHeadless -help
analyzeHeadless -help

Alternative: Use radare2

替代方案:使用radare2

/re:static binary.exe --tool radare2
undefined
/re:static binary.exe --tool radare2
undefined

Issue: Too Many Strings (Noise)

问题:字符串数量过多(噪音大)

Symptoms: strings.json contains 50,000+ strings, hard to analyze
Cause: Min string length too short for large binary
Solution:
bash
undefined
症状:strings.json包含50000+条字符串,难以分析
原因:针对大型二进制文件设置的最小字符串长度过短
解决方案
bash
undefined

Increase min length automatically (skill does this by default)

自动增加最小长度(技能默认会执行此操作)

Or manually:

或手动设置:

/re:strings large-binary.exe --min-length 15
/re:strings large-binary.exe --min-length 15

For firmware (very large)

针对固件(超大文件)

/re:strings firmware.bin --min-length 20
undefined
/re:strings firmware.bin --min-length 20
undefined

Issue: Decompilation Quality Poor

问题:反编译质量差

Symptoms: Decompiled C code is unreadable or incorrect
Cause: Heavy obfuscation, packing, or custom compiler
Solution:
bash
undefined
症状:反编译后的C代码难以阅读或存在错误
原因:重度混淆、加壳或使用自定义编译器
解决方案
bash
undefined

Step 1: Check for packing

步骤1:检查是否加壳

binwalk -E binary.exe # High entropy = likely packed
binwalk -E binary.exe # 高熵值=大概率已加壳

Step 2: Unpack first (if packed)

步骤2:若已加壳,先脱壳

upx -d binary.exe -o unpacked.exe
upx -d binary.exe -o unpacked.exe

Step 3: Re-run static analysis

步骤3:重新执行静态分析

/re:static unpacked.exe
/re:static unpacked.exe

If still poor: Manual analysis needed or try different tool

若仍无改善:需手动分析或尝试其他工具

/re:static binary.exe --tool ida-pro # If IDA Pro available

---
/re:static binary.exe --tool ida-pro # 若有IDA Pro授权

---

Performance Optimization

性能优化

Speed Up Level 1 (String Analysis)

加速级别1(字符串分析)

bash
undefined
bash
undefined

Parallel string extraction for multiple encodings

并行提取多种编码的字符串

strings -n 10 -e s binary.exe > ascii.txt & strings -n 10 -e l binary.exe > unicode.txt & wait
strings -n 10 -e s binary.exe > ascii.txt & strings -n 10 -e l binary.exe > unicode.txt & wait

Grep in parallel

并行执行Grep匹配

grep -oE 'http[s]?://[^\s]*' ascii.txt > urls.txt & grep -oE '([0-9]{1,3}.){3}[0-9]{1,3}' ascii.txt > ips.txt & wait
undefined
grep -oE 'http[s]?://[^\s]*' ascii.txt > urls.txt & grep -oE '([0-9]{1,3}.){3}[0-9]{1,3}' ascii.txt > ips.txt & wait
undefined

Speed Up Level 2 (Static Analysis)

加速级别2(静态分析)

bash
undefined
bash
undefined

Use radare2 for speed (sacrifice accuracy)

使用radare2提升速度(牺牲部分精度)

/re:static binary.exe --tool radare2 # 3-5x faster than Ghidra
/re:static binary.exe --tool radare2 # 速度比Ghidra快3-5倍

Skip decompilation if only need CFG

若仅需控制流图,跳过反编译

/re:static binary.exe --decompile false --callgraph true
/re:static binary.exe --decompile false --callgraph true

Analyze only critical functions (from Level 1 findings)

仅分析级别1发现的关键函数

/re:static binary.exe --functions check_password,validate_license
undefined
/re:static binary.exe --functions check_password,validate_license
undefined

Memory-MCP Caching Strategy

Memory-MCP缓存策略

bash
undefined
bash
undefined

Store Level 1 results immediately (fast, always cacheable)

立即存储级别1结果(速度快,始终可缓存)

Level 1 completes in 10-15 min, cache for 30 days

级别1需10-15分钟完成,缓存30天

Store Level 2 results after completion

完成后存储级别2结果

Level 2 completes in 1-2 hrs, cache for 30 days

级别2需1-2小时完成,缓存30天

Benefit: Second analysis of same binary takes <1 second

优势:同一二进制文件的第二次分析耗时<1秒


---

---

Agents & Commands Used

使用的代理与命令

Agents Invoked

调用的代理

  1. RE-String-Analyst (Level 1)
    • Specialist: String reconnaissance and IOC extraction
    • Tools: strings, grep, regex patterns
    • Output: strings.json, IOC lists
  2. RE-Disassembly-Expert (Level 2)
    • Specialist: Static analysis and decompilation
    • Tools: Ghidra, radare2, objdump
    • Output: Decompiled C code, callgraphs, CFG
  3. code-analyzer (Level 2, automatic)
    • Applies connascence analysis to decompiled code
    • Detects code smells and complexity
  4. graph-analyst (Level 2, automatic)
    • Generates callgraph and CFG visualizations
  1. RE-String-Analyst(级别1)
    • 专长:字符串侦察与IOC提取
    • 工具:strings、grep、正则表达式
    • 输出:strings.json、IOC列表
  2. RE-Disassembly-Expert(级别2)
    • 专长:静态分析与反编译
    • 工具:Ghidra、radare2、objdump
    • 输出:反编译C代码、调用图、控制流图
  3. code-analyzer(级别2,自动调用)
    • 对反编译代码应用connascence分析
    • 检测代码异味与复杂度问题
  4. graph-analyst(级别2,自动调用)
    • 生成调用图与控制流图可视化

Slash Commands

斜杠命令

  • /re:quick <binary>
    - Full Level 1+2 analysis (this skill's primary command)
  • /re:strings <binary>
    - Level 1 only
  • /re:static <binary>
    - Level 2 only
  • /re:quick <binary>
    - 完整级别1+2分析(本技能的主命令)
  • /re:strings <binary>
    - 仅执行级别1
  • /re:static <binary>
    - 仅执行级别2

MCP Servers

MCP服务器

  • memory-mcp: Cross-session persistence, deduplication
  • filesystem: Binary access, output creation
  • connascence-analyzer: Code quality analysis
  • sequential-thinking: Decision gate logic
  • memory-mcp:跨会话持久化存储、去重
  • filesystem:二进制文件访问、输出创建
  • connascence-analyzer:代码质量分析
  • sequential-thinking:决策门控逻辑

Related Skills

相关技能

  • Reverse Engineering: Deep Analysis - Levels 3-4 (dynamic + symbolic)
  • Reverse Engineering: Firmware - Level 5 (firmware extraction)
  • Code Review Assistant - Review decompiled code
  • Functionality Audit - Validate reverse-engineered logic
  • 逆向工程:深度分析 - 级别3-4(动态+符号执行)
  • 逆向工程:固件分析 - 级别5(固件提取)
  • 代码审核助手 - 审核反编译代码
  • 功能审计 - 验证逆向工程逻辑

Resources

参考资源

External Tools

外部工具

  • Ghidra - NSA's reverse engineering suite
  • radare2 - Open-source disassembler
  • binwalk - Firmware analysis
  • IDA Pro - Commercial disassembler

Learning Resources

学习资源

Community

社区

Created: 2025-11-01 RE Levels: 1-2 (String Reconnaissance + Static Analysis) Timebox: ≤2 hours Agents: RE-String-Analyst, RE-Disassembly-Expert Category: Security, Malware Analysis, Binary Analysis Difficulty: Intermediate

创建时间:2025-11-01 逆向工程级别:1-2级(字符串侦察+静态分析) 时间限制:≤2小时 使用代理:RE-String-Analyst、RE-Disassembly-Expert 分类:安全、恶意软件分析、二进制分析 难度:中级

Core Principles

核心原则

Reverse Engineering: Quick Triage operates on 3 fundamental principles:
逆向工程:快速分类基于3个核心原则运行:

Principle 1: Low-Hanging Fruit First

原则1:先抓低垂的果实

80% of malware behavior is revealed through strings and static analysis without execution.
In practice:
  • Extract URLs, IPs, file paths, and crypto indicators from printable strings
  • Identify C2 domains, hardcoded credentials, and API endpoints in minutes
  • Categorize IOCs (indicators of compromise) for immediate threat intelligence
  • Use SHA256 hash to check memory-mcp for prior analysis (avoid duplicate work)
80%的恶意软件行为可通过字符串与静态分析揭示,无需执行文件。
实践应用:
  • 从可打印字符串中提取URL、IP、文件路径与加密指标
  • 在数分钟内识别C2域名、硬编码凭据与API端点
  • 对IOC(入侵指标)分类以生成即时威胁情报
  • 使用SHA256哈希检查memory-mcp过往分析记录(避免重复工作)

Principle 2: Decision Gate Escalation

原则2:决策门控升级

Not every binary needs deep analysis - automated gates prevent over-analysis.
In practice:
  • Level 1 (strings) completes in 10-30 minutes, answers simple triage questions
  • Escalate to Level 2 (static disassembly) only when suspicious IOCs found
  • Use sequential-thinking MCP to evaluate if user question is answered
  • Stop analysis when findings are sufficient to avoid wasting time
并非所有二进制文件都需要深度分析 - 自动化门控可防止过度分析。
实践应用:
  • 级别1(字符串分析)需10-30分钟,可解答简单分类问题
  • 仅在发现可疑IOC时升级至级别2(静态反汇编)
  • 使用sequential-thinking MCP评估用户问题是否已解答
  • 当结果足够时停止分析,避免浪费时间

Principle 3: Decompilation for Comprehension

原则3:反汇编用于理解

Disassembly is for machines, decompiled C pseudo-code is for analysts.
In practice:
  • Use Ghidra headless mode to generate readable pseudo-C code
  • Apply connascence analysis to detect god objects and complexity violations
  • Generate callgraphs to visualize function relationships
  • Focus on critical functions (auth, crypto, network) identified in Level 1
汇编是给机器看的,反编译伪C代码是给分析师看的。
实践应用:
  • 使用Ghidra无头模式生成可读伪C代码
  • 应用connascence分析检测上帝对象与复杂度违规
  • 生成调用图以可视化函数关系
  • 聚焦级别1中识别的关键函数(认证、加密、网络)

Common Anti-Patterns

常见反模式

Anti-PatternProblemSolution
Immediately running Level 2 without Level 1Waste 1-2 hours on disassembly when strings would have answered questionALWAYS run Level 1 first, check decision gate before escalating
Analyzing same binary multiple timesRedundant work, wasted analysis hours, inconsistent findingsCheck memory-mcp for SHA256 hash before starting analysis
Using min-length=4 on large binaries50,000+ strings with massive noise, impossible to analyzeUse adaptive min-length (10-15 for normal, 20+ for firmware), enable --ioc-only filter
Skipping architecture detectionGhidra fails to disassemble, CFG incomplete, decompilation garbageRun file command first, verify architecture before loading into Ghidra
Not validating decompilation qualityFalse positives from obfuscation, incorrect conclusions, wasted follow-upCheck for packing with binwalk entropy, unpack before re-analyzing
反模式问题解决方案
未执行级别1直接运行级别2当字符串分析即可解答问题时,浪费1-2小时在反汇编上始终先运行级别1,在升级前检查决策门控
重复分析同一二进制文件冗余工作、浪费分析时间、结果不一致分析前检查memory-mcp中的SHA256哈希记录
对大型二进制文件设置min-length=4生成50000+条带大量噪音的字符串,无法分析使用自适应最小长度(普通文件10-15,固件20+),启用--ioc-only过滤器
跳过架构检测Ghidra反汇编失败、控制流图不完整、反编译结果无效先运行file命令,在加载至Ghidra前验证架构
跳过反编译质量验证混淆导致假阳性结果、结论错误、后续工作浪费使用binwalk熵检测是否加壳,脱壳后重新分析

Conclusion

总结

Reverse Engineering: Quick Triage is the first-responder skill for binary analysis - fast, focused, and decisive. By combining string reconnaissance (Level 1) with static disassembly (Level 2), this skill delivers actionable intelligence in under 2 hours, making it ideal for incident response, malware triage, and CTF challenges where speed matters.
The skill's automated decision gates ensure analysis effort matches threat severity. Simple malware with obvious C2 domains stops at Level 1, while sophisticated samples with obfuscation automatically escalate to Level 2 for deeper investigation. Integration with memory-mcp creates organizational memory - once a binary is analyzed, its findings are instantly retrievable by hash, preventing redundant analysis across teams.
Use this skill when you need rapid answers: Is this binary malicious? What C2 servers does it contact? Are there hardcoded credentials? What vulnerabilities does it exploit? The 2-hour timebox makes it suitable for high-velocity security operations where dozens of samples need daily triage. For samples requiring runtime analysis or input synthesis, the skill seamlessly hands off to Level 3-4 (reverse-engineering-deep) with pre-populated breakpoints and critical function addresses, maximizing overall analysis efficiency.
逆向工程:快速分类是二进制分析的一线响应技能 - 快速、聚焦、果断。通过结合字符串侦察(级别1)与静态反汇编(级别2),本技能可在2小时内提供可操作情报,非常适合事件响应、恶意软件分类与CTF挑战等对速度有要求的场景。
技能的自动化决策门控确保分析投入与威胁严重程度匹配。带有明显C2域名的简单恶意软件在级别1即可完成分析,而带有混淆的复杂样本会自动升级至级别2进行深入调查。与memory-mcp的集成可创建组织级记忆 - 一旦二进制文件被分析,其结果可通过哈希立即检索,避免跨团队的重复分析。
当您需要快速解答以下问题时使用本技能:该二进制文件是否为恶意?它连接哪些C2服务器?是否存在硬编码凭据?它利用了哪些漏洞?2小时的时间限制使其适用于高流速安全运营场景,可每日分类数十个样本。对于需要运行时分析或输入合成的样本,技能可无缝移交至级别3-4(逆向工程深度分析),并预填充断点与关键函数地址,最大化整体分析效率。