Binary Triage
Instructions
We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:
- Identify key components and behaviors
- Flag suspicious or interesting areas
- Create a task list of next steps for deeper investigation
Binary triage with ReVa
Follow this systematic workflow using ReVa's MCP tools:
1. Identify the Program
- Use `get-current-program` to see the active program
- Or use `list-project-files` to see available programs in the project
- Note the `programPath` (e.g., "/Hatchery.exe") for use in subsequent tools
2. Survey Memory Layout
- Use `get-memory-blocks` to understand the binary structure
- Examine key sections:
  - `.text` - executable code
  - `.data` - initialized data
  - `.rodata` - read-only data (strings, constants)
  - `.bss` - uninitialized data
- Flag unusual characteristics:
  - Unusually large sections
  - Packed/encrypted sections
  - Executable data sections
  - Writable code sections
3. Survey Strings
- Use `get-strings-count` to see the total string count
- Use `get-strings` with pagination (100-200 strings at a time)
- Look for indicators of functionality or malicious behavior:
  - Network: URLs, IP addresses, domain names, API endpoints
  - File System: File paths, registry keys, configuration files
  - APIs: Function names, library references
  - Messages: Error messages, debug strings, log messages
  - Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload
4. Survey Symbols and Imports
- Use `get-symbols-count` with `includeExternal=true` to count imports
- Use `get-symbols` with `includeExternal=true` and `filterDefaultNames=true`
- Focus on external symbols (imports from libraries)
- Flag interesting/suspicious imports by category:
  - Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket
  - File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread
  - Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute
  - Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect
  - Crypto: CryptEncrypt, CryptDecrypt, EVP_, AES_, bcrypt, RC4
  - Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace
  - Registry: RegOpenKey, RegSetValue, RegQueryValue
- Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)
5. Survey Functions
- Use `get-function-count` with `filterDefaultNames=true` to count named functions
- Use `get-function-count` with `filterDefaultNames=false` to count all functions
- Calculate the ratio of named vs. unnamed functions (a high unnamed ratio indicates a stripped binary)
- Use `get-functions` with `filterDefaultNames=true` to list named functions
- Identify key functions:
  - Entry points: `entry`, `start`, `_start`
  - Main functions: `main`, `WinMain`, `DllMain`, `_main`
  - Suspicious names: If not stripped, look for revealing function names
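A Python helper, added here as an example and not part of ReVa or this workflow, that applies the Step 3 string indicators, the Step 4 import categories and the Step 5 stripped-binary ratio to lists such as `get-strings`, `get-symbols` and `get-function-count` would return. The `LIB::name` import form, the constructed sample inputs and the 10% stripped cutoff are assumptions.

```python
import re
from collections import defaultdict
# Step 4 import categories from the workflow above; matched as name prefixes.
IMPORT_CATEGORIES = {
    "network": ("connect", "send", "recv", "WSAStartup", "getaddrinfo", "curl_", "socket"),
    "file_io": ("CreateFile", "WriteFile", "ReadFile", "fopen", "fwrite", "fread"),
    "process": ("CreateProcess", "exec", "fork", "system", "WinExec", "ShellExecute"),
    "memory": ("VirtualAlloc", "VirtualProtect", "mmap", "mprotect"),
    "crypto": ("CryptEncrypt", "CryptDecrypt", "EVP_", "AES_", "bcrypt", "RC4"),
    "anti_analysis": ("IsDebuggerPresent", "CheckRemoteDebuggerPresent", "ptrace"),
    "registry": ("RegOpenKey", "RegSetValue", "RegQueryValue"),
}
# Step 3 suspicious keywords plus indicator patterns (URL, IPv4, file path, registry key).
KEYWORDS = ("admin", "password", "credential", "token", "crypto", "encrypt", "decrypt",
            "download", "execute", "inject", "shellcode", "payload")
PATTERNS = {
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "path": re.compile(r"^(?:[A-Za-z]:\\|\\\\|/(?:[\w.-]+/)+)"),
    "registry": re.compile(r"^(?:HKEY_|HK(?:LM|CU|CR|U)\\)"),
}

def classify_string(s):
    """Return the Step 3 indicator tags (pattern names and keyword:<word>) for one string."""
    tags = [name for name, pat in PATTERNS.items() if pat.search(s)]
    return tags + [f"keyword:{k}" for k in KEYWORDS if k in s.lower()]

def categorize_imports(imports):
    """Group import names by Step 4 category; a 'LIB::name' form (assumed) is split on '::'."""
    hits = defaultdict(list)
    for name in imports:
        base = name.rsplit("::", 1)[-1]
        for cat, prefixes in IMPORT_CATEGORIES.items():
            if base.startswith(prefixes):
                hits[cat].append(name)
    return dict(hits)

def triage(strings, imports, named, total, threshold=0.1):
    """Combine Steps 3-5; untagged strings are dropped. The 10% stripped cutoff is assumed."""
    ratio = named / total if total else 0.0
    flagged = {s: t for s in strings if (t := classify_string(s))}
    return {"strings": flagged, "imports": categorize_imports(imports),
            "named_ratio": round(ratio, 3), "stripped": ratio < threshold}

# Constructed sample input standing in for get-strings / get-symbols / get-function-count output.
SAMPLE_STRINGS = ["http://example.invalid/beacon", "C:\\Users\\Public\\run.dat", "Enter password:",
                  "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Hello, world"]
SAMPLE_IMPORTS = ["KERNEL32.DLL::VirtualAlloc", "KERNEL32.DLL::IsDebuggerPresent",
                  "WS2_32.DLL::WSAStartup", "ADVAPI32.DLL::RegSetValueExA", "MSVCRT.DLL::printf"]
```

Calling `triage(SAMPLE_STRINGS, SAMPLE_IMPORTS, named=18, total=240)` yields the per-string tags, the per-category import hits and a named ratio of 0.075, which the cutoff reports as stripped.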
6. Cross-Reference Analysis for Key Findings
- For interesting strings found in Step 3:
  - Use `find-cross-references` with `direction="to"` and `includeContext=true`
  - Identify which functions reference suspicious strings
- For suspicious imports found in Step 4:
  - Use `find-cross-references` with `direction="to"` and `includeContext=true`
  - Identify which functions call suspicious APIs
- This helps prioritize which functions need detailed examination
7. Selective Initial Decompilation
- Use `get-decompilation` on the entry point or main function:
  - Set `limit=30` to get ~30 lines initially
  - Set `includeIncomingReferences=true` to see callers
  - Set `includeReferenceContext=true` for context snippets
- Use `get-decompilation` on 1-2 suspicious functions identified in Step 6:
  - Set `limit=20-30` for a quick overview
- Look for high-level patterns:
  - Loops (encryption/decryption routines)
  - Network operations
  - File operations
  - Process creation
  - Suspicious control flow (obfuscation indicators)
- Do not do deep analysis yet - this is just to understand general behavior
8. Document Findings and Create Task List
- Use the `TodoWrite` tool to create an actionable task list with items like:
  - "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"
  - "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"
  - "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"
  - "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"
  - "Examine packed section .UPX0 for unpacking routine"
- Each todo should be:
  - Specific (include addresses, function names, strings)
  - Actionable (what needs to be investigated)
  - Prioritized (most suspicious first)
Output Format
Present triage findings to the user in this structured format:
Program Overview
- Name: [Program name from programPath]
- Type: [Executable type - PE, ELF, Mach-O, etc.]
- Platform: [Windows, Linux, macOS, etc.]
Memory Layout
- Total Size: [Size in bytes/KB/MB]
- Key Sections: [List main sections with sizes and permissions]
- Unusual Characteristics: [Any packed/encrypted/suspicious sections]
String Analysis
- Total Strings: [Count from get-strings-count]
- Notable Findings: [Bullet list of interesting strings with context]
- Suspicious Indicators: [URLs, IPs, suspicious keywords found]
Import Analysis
- Total Symbols: [Count from get-symbols-count]
- External Imports: [Count of external symbols]
- Key Libraries: [Main libraries imported]
- Suspicious APIs: [Categorized list of concerning imports]
Function Analysis
- Total Functions: [Count with filterDefaultNames=false]
- Named Functions: [Count with filterDefaultNames=true]
- Stripped Status: [Yes/No based on ratio]
- Entry Point: [Address and name]
- Main Function: [Address and name]
- Key Functions: [List of important functions identified]
Suspicious Indicators
[Bulleted list of red flags discovered, prioritized by severity]
Recommended Next Steps
[Present the task list created in Step 8]
- Each item should be specific and actionable
- Prioritize by severity/importance
- Include addresses, function names, and context
Important Notes
- Speed over depth: This is triage, not full analysis. Move quickly through steps.
- Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.
- Focus on anomalies: Flag things that are unusual, suspicious, or interesting.
- Context is key: When using cross-references, enable `includeContext=true` for code snippets.
- Create actionable todos: Each next step should be specific enough for another agent to execute.
- Be systematic: Follow all 8 steps in order for comprehensive coverage.