dynamic-analysis_skill

This skill enables safe dynamic analysis of binaries by guiding QEMU/GDB/Frida workflows with human approval and sandbox safeguards.
  • JavaScript

30

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill 2389-research/claude-plugins --skill dynamic-analysis

  • SKILL.md14.6 KB

Overview

This skill provides a practical toolkit for running and observing binaries during dynamic analysis using QEMU user-mode emulation, GDB debugging, Frida hooking, strace-like syscall tracing, and Docker-based cross-architecture execution. It focuses on safe, reproducible runtime inspection with explicit human approval and sandboxing. Use it to confirm static-analysis hypotheses and capture behavior only visible at execution time.

How this skill works

The skill launches target binaries in isolated environments (qemu-user, Docker, or on-device) and records runtime artifacts: syscall traces, network activity, file accesses, memory dumps, and instruction-level state via GDB. For function-level interception it uses Frida when native-arch execution is available. All runs require an approved sandbox configuration, optional resource limits, and documented commands so results can be stored as structured JSON.

When to use it

  • You need syscall-level behavior mapping without modifying the binary (qemu -strace).
  • You require instruction-level inspection or conditional breakpoints (QEMU + GDB).
  • You want to hook or inspect library/function calls on a native target (Frida).
  • You must run cross-architecture binaries on macOS or Linux hosts (Docker + binfmt).
  • Emulation fails or hardware-specific behavior is needed (on-device gdbserver or frida-server).

Best practices

  • Always obtain explicit human approval and document sandbox/network isolation before execution.
  • Use qemu-user -strace for initial runs to reduce anti-analysis detection surface.
  • Prefer home-directory mounts in Docker (avoid /tmp on Colima) and register binfmt handlers once.
  • Set environment variables and unset LD_PRELOAD/other risky vars to control runtime.
  • Record experiments as structured JSON (command, duration, syscall summary, files, connections).

Example use cases

  • Confirm whether a binary attempts outbound connections and capture destination addresses via qemu -strace.
  • Attach gdb-multiarch to a running QEMU GDB server to single-step and inspect registers or stack for a suspicious branch.
  • Deploy frida-server on a device to hook connect/send functions and log runtime parameters from a native process.
  • Run an ARM64 sample on macOS with Docker --platform and LD_DEBUG=libs to troubleshoot missing linker paths.
  • Use nsjail or timeout+cgexec to enforce CPU/memory/time limits during risky experiment runs.

FAQ

No. Frida requires native-arch execution. For cross-arch targets use frida-server on the device or run natively in a container that matches the architecture.

Is it safe to run any binary under QEMU -strace?

QEMU -strace runs in isolation and reduces detection vectors, but you must still ensure sandbox config, network isolation, and explicit approval before execution.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational