binary-triage

Original🇺🇸 English
Translated

Performs initial binary triage by surveying memory layout, strings, imports/exports, and functions to quickly understand what a binary does and identify suspicious behavior. Use when first examining a binary, when user asks to triage/survey/analyze a program, or wants an overview before deeper reverse engineering.

1installs
Sourceth3w1zard1/reverse-engineering-assistant
Added on

NPX Install

npx skill4agent add th3w1zard1/reverse-engineering-assistant binary-triage

Tags

Translated version includes tags in frontmatter
binary-triagereverse-engineeringmalware-analysisreva-toolsmemory-layout-analysis

SKILL.md Content

View Translation Comparison →

Binary Triage

Instructions

We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:
  1. Identify key components and behaviors
  2. Flag suspicious or interesting areas
  3. Create a task list of next steps for deeper investigation

Binary triage with ReVa

Follow this systematic workflow using ReVa's MCP tools:

1. Identify the Program

  • Use 
    get-current-program
    to see the active program
  • Or use 
    list-project-files
    to see available programs in the project
  • Note the 
    programPath
    (e.g., "/Hatchery.exe") for use in subsequent tools

2. Survey Memory Layout

  • Use 
    get-memory-blocks
    to understand the binary structure
  • Examine key sections: 
    • .text
      - executable code
    • .data
      - initialized data
    • .rodata
      - read-only data (strings, constants)
    • .bss
      - uninitialized data
  • Flag unusual characteristics:
    • Unusually large sections
    • Packed/encrypted sections
    • Executable data sections
    • Writable code sections

3. Survey Strings

  • Use 
    get-strings-count
    to see total string count
  • Use 
    get-strings
    with pagination (100-200 strings at a time)
  • Look for indicators of functionality or malicious behavior:
    • Network: URLs, IP addresses, domain names, API endpoints
    • File System: File paths, registry keys, configuration files
    • APIs: Function names, library references
    • Messages: Error messages, debug strings, log messages
    • Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload

4. Survey Symbols and Imports

  • Use 
    get-symbols-count
    with 
    includeExternal=true
    to count imports
  • Use 
    get-symbols
    with 
    includeExternal=true
    and 
    filterDefaultNames=true
  • Focus on external symbols (imports from libraries)
  • Flag interesting/suspicious imports by category:
    • Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket
    • File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread
    • Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute
    • Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect
    • Crypto: CryptEncrypt, CryptDecrypt, EVP_, AES_, bcrypt, RC4
    • Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace
    • Registry: RegOpenKey, RegSetValue, RegQueryValue
  • Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)

5. Survey Functions

  • Use 
    get-function-count
    with 
    filterDefaultNames=true
    to count named functions
  • Use 
    get-function-count
    with 
    filterDefaultNames=false
    to count all functions
  • Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary)
  • Use 
    get-functions
    with 
    filterDefaultNames=true
    to list named functions
  • Identify key functions:
    • Entry points: 
      entry
      , 
      start
      , 
      _start
    • Main functions: 
      main
      , 
      WinMain
      , 
      DllMain
      , 
      _main
    • Suspicious names: If not stripped, look for revealing function names

6. Cross-Reference Analysis for Key Findings

  • For interesting strings found in Step 3:
    • Use 
      find-cross-references
      with 
      direction="to"
      and 
      includeContext=true
    • Identify which functions reference suspicious strings
  • For suspicious imports found in Step 4:
    • Use 
      find-cross-references
      with 
      direction="to"
      and 
      includeContext=true
    • Identify which functions call suspicious APIs
  • This helps prioritize which functions need detailed examination

7. Selective Initial Decompilation

  • Use 
    get-decompilation
    on entry point or main function
    • Set 
      limit=30
      to get ~30 lines initially
    • Set 
      includeIncomingReferences=true
      to see callers
    • Set 
      includeReferenceContext=true
      for context snippets
  • Use 
    get-decompilation
    on 1-2 suspicious functions identified in Step 6
    • Set 
      limit=20-30
      for quick overview
  • Look for high-level patterns:
    • Loops (encryption/decryption routines)
    • Network operations
    • File operations
    • Process creation
    • Suspicious control flow (obfuscation indicators)
  • Do not do deep analysis yet - this is just to understand general behavior

8. Document Findings and Create Task List

  • Use the 
    TodoWrite
    tool to create an actionable task list with items like:
    • "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"
    • "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"
    • "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"
    • "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"
    • "Examine packed section .UPX0 for unpacking routine"
  • Each todo should be:
    • Specific (include addresses, function names, strings)
    • Actionable (what needs to be investigated)
    • Prioritized (most suspicious first)

Output Format

Present triage findings to the user in this structured format:

Program Overview

  • Name: [Program name from programPath]
  • Type: [Executable type - PE, ELF, Mach-O, etc.]
  • Platform: [Windows, Linux, macOS, etc.]

Memory Layout

  • Total Size: [Size in bytes/KB/MB]
  • Key Sections: [List main sections with sizes and permissions]
  • Unusual Characteristics: [Any packed/encrypted/suspicious sections]

String Analysis

  • Total Strings: [Count from get-strings-count]
  • Notable Findings: [Bullet list of interesting strings with context]
  • Suspicious Indicators: [URLs, IPs, suspicious keywords found]

Import Analysis

  • Total Symbols: [Count from get-symbols-count]
  • External Imports: [Count of external symbols]
  • Key Libraries: [Main libraries imported]
  • Suspicious APIs: [Categorized list of concerning imports]

Function Analysis

  • Total Functions: [Count with filterDefaultNames=false]
  • Named Functions: [Count with filterDefaultNames=true]
  • Stripped Status: [Yes/No based on ratio]
  • Entry Point: [Address and name]
  • Main Function: [Address and name]
  • Key Functions: [List of important functions identified]

Suspicious Indicators

[Bulleted list of red flags discovered, prioritized by severity]

Recommended Next Steps

[Present the task list created in Step 8]
  • Each item should be specific and actionable
  • Prioritize by severity/importance
  • Include addresses, function names, and context

Important Notes

  • Speed over depth: This is triage, not full analysis. Move quickly through steps.
  • Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.
  • Focus on anomalies: Flag things that are unusual, suspicious, or interesting.
  • Context is key: When using cross-references, enable 
    includeContext=true
    for code snippets.
  • Create actionable todos: Each next step should be specific enough for another agent to execute.
  • Be systematic: Follow all 8 steps in order for comprehensive coverage.