binary-triage_skill

This skill performs initial binary triage by surveying memory layout, strings, imports, and functions to quickly summarize a binary's behavior.
  • Java

510

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill cyberkaida/reverse-engineering-assistant --skill binary-triage

  • SKILL.md7.1 KB

Overview

This skill performs an initial binary triage to rapidly summarize what a program does and flag suspicious behavior. It provides a structured, prioritized survey of memory layout, strings, imports/exports, and functions to guide follow-up reverse-engineering tasks. Use it to get a quick, actionable overview before deeper analysis.

How this skill works

The skill runs a stepwise workflow: identify the program, map memory sections, enumerate and sample strings, list imports/exports, and count and sample functions. It cross-references strings and imports into functions, performs selective decompilation of entry and suspicious routines, and produces a prioritized todo list for deeper investigation. Outputs are concise findings and specific follow-up tasks with addresses and context.

When to use it

  • When first opening an unfamiliar binary to get a fast orientation
  • When you need to flag potential malicious behavior before deep analysis
  • Before allocating time for full decompilation or dynamic analysis
  • When preparing a prioritized list of next RE tasks for a team
  • To check for packing, anti-analysis, or network indicators quickly

Best practices

  • Work in order: program -> memory -> strings -> imports -> functions -> cross-references -> selective decompilation
  • Use pagination for heavy listings (strings/functions) in 100–200 item chunks
  • Focus on anomalies: writable code, packed sections, unexpected network or crypto APIs
  • Record addresses and context for every suspicious item so follow-up tasks are actionable
  • Prioritize tasks by impact: C2, persistence, process injection, unpacking routines first

Example use cases

  • Rapidly triage a Windows PE to determine if it contains C2 hardcoded URLs and which functions reference them
  • Survey an ELF suspected of packing to locate unpacking stubs and writable-executable sections
  • Produce a prioritized task list for a teammate to analyze a suspicious crypto routine and its callers
  • Quickly determine if a DLL exports suspicious entry points and which imports it relies on
  • Assess whether a binary performs process creation or memory allocation that could indicate injection or shellcode execution

FAQ

Triage is shallow by design: it surfaces key components, cross-references, and short decompilation snippets but avoids full code audits or formal proofs.

What outputs should I expect?

A structured report: program overview, memory layout, string/import/function highlights, prioritized red flags, and an actionable todo list with addresses and function names.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational