binary-re-triage

Use when first encountering an unknown binary, ELF file, executable, or firmware blob. Fast fingerprinting via rabin2 - architecture detection (ARM, x86, MIPS), ABI identification, dependency mapping, string extraction. Keywords - "what is this binary", "identify architecture", "check file type", "rabin2", "file analysis", "quick scan"

Best use case

binary-re-triage is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using binary-re-triage should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

curl -o ~/.claude/skills/triage/SKILL.md --create-dirs "https://raw.githubusercontent.com/ComeOnOliver/skillshub/main/skills/aiskillstore/marketplace/2389-research/binary-re/triage/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/triage/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

SKILL.md Source

# Binary Triage (Phase 1)

## Purpose

Quick fingerprinting to establish baseline facts before deeper analysis. Runs in seconds, not minutes.

## When to Use

- First contact with an unknown binary
- Need architecture/ABI info for tool selection
- Quick capability assessment
- Before committing to expensive analysis

## Key Principle

**Gather facts fast, defer analysis.**

This phase identifies WHAT the binary is, not HOW it works.

## Triage Sequence

### Step 1: File Identification

```bash
# Basic identification
file binary

# Expected output patterns:
# ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3
# ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1
#
# "data", or an archive/filesystem/compression type, means this is not a bare ELF
# (firmware image, container): unpack it first (e.g. binwalk) and triage the
# extracted executables one by one.
```

**Extract:**
- Architecture (ARM, ARM64, x86_64, MIPS)
- Bit width (32/64)
- Endianness (LSB/MSB)
- Link type (static/dynamic)
- Interpreter path (libc indicator)

### Step 2: Structured Metadata (rabin2)

```bash
# All metadata as JSON (current radare2 nests the object under "info";
# older releases print the same keys at the top level)
rabin2 -q -j -I binary | jq .info

# Key fields:
# .info.arch     - "arm", "x86", "mips"
# .info.bits     - 32 or 64
# .info.endian   - "little" or "big"
# .info.os       - "linux", "none"
# .info.machine  - "ARM", "AARCH64" (free-text machine name)
# .info.stripped - true/false (no .symtab: function names must be recovered later)
# .info.static   - true/false (static: no interpreter, libc is bundled in the binary)
```

### Step 3: ABI Detection

```bash
# Interpreter detection (PT_INTERP); absent on statically linked binaries
readelf -p .interp binary 2>/dev/null
readelf -l binary | grep -i interpreter

# Or via rabin2 (the field is spelled "intrp", so "grep interp" finds nothing)
rabin2 -I binary | grep intrp

# ARM-specific: float ABI, first from the ELF header flags ...
readelf -h binary | grep Flags
# "..., hard-float ABI" or "..., soft-float ABI"

# ... then from the build attributes
readelf -A binary | grep "Tag_ABI_VFP_args"
# hard-float: "VFP registers"
# soft-float: tag missing (base AAPCS) or "compatible"
```

**Interpreter → Libc mapping:**

| Interpreter | Libc | Notes |
|-------------|------|-------|
| `/lib/ld-linux-armhf.so.3` | glibc | ARM hard-float |
| `/lib/ld-linux.so.3` | glibc | ARM soft-float |
| `/lib/ld-linux-aarch64.so.1` | glibc | ARM 64-bit |
| `/lib/ld-musl-arm.so.1` | musl | ARM 32-bit soft-float |
| `/lib/ld-musl-armhf.so.1` | musl | ARM 32-bit hard-float |
| `/lib/ld-musl-aarch64.so.1` | musl | ARM 64-bit |
| `/lib/ld-uClibc.so.0` | uClibc | Embedded |
| `/lib64/ld-linux-x86-64.so.2` | glibc | x86_64 |

The interpreter path identifies the libc family, not its version. A statically linked binary has no PT_INTERP at all; in that case look for libc version strings (`GNU C Library`, `musl`, `uClibc`) in the string scan of Step 6.
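The facts that Steps 1 and 3 pull out of `file`, `readelf -h` and the interpreter path all come from the first few dozen bytes of the ELF header plus the PT_INTERP string. The following helper is an added example, not part of the skill or of radare2: it decodes the header fields directly (class, endianness, machine, ARM float ABI and EABI version from `e_flags`) and maps an interpreter path to a libc family using the table above. The constant names and the two sample headers are constructed for the example; only the header layout and flag values are taken from the ELF and ARM ABI specifications.

```python
import struct
import sys
from typing import Optional

# e_machine values from the ELF spec, and ARM e_flags bits from the ARM ELF ABI supplement.
EM_NAMES = {3: "x86", 8: "mips", 40: "arm", 62: "x86_64", 183: "aarch64"}
EM_ARM = 40
EF_ARM_ABI_FLOAT_SOFT = 0x200
EF_ARM_ABI_FLOAT_HARD = 0x400
EF_ARM_EABIMASK = 0xFF000000


def decode_elf_header(data: bytes) -> dict:
    """Recover what `file` reports (class, endianness, machine, ARM float ABI) from the
    first 64 bytes of an ELF image, with no external tool."""
    if data[:4] != b"\x7fELF":
        # No ELF magic: likely a container or compressed firmware image, not a bare executable.
        raise ValueError("not an ELF image; unpack the container first")
    bits = {1: 32, 2: 64}[data[4]]             # EI_CLASS
    endian = {1: "little", 2: "big"}[data[5]]  # EI_DATA
    order = "<" if endian == "little" else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags (entry/offsets widen on 64-bit)
    fmt = order + ("HHIIIII" if bits == 32 else "HHIQQQI")
    e_type, e_machine, _, e_entry, _, _, e_flags = struct.unpack_from(fmt, data, 16)
    info = {
        "bits": bits,
        "endian": endian,
        "arch": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "type": {2: "EXEC", 3: "DYN"}.get(e_type, f"unknown({e_type})"),  # DYN = PIE or shared object
        "entry": e_entry,
    }
    if e_machine == EM_ARM:
        # readelf -h prints these same bits as "hard-float ABI" / "soft-float ABI"
        if e_flags & EF_ARM_ABI_FLOAT_HARD:
            info["float_abi"] = "hard"
        elif e_flags & EF_ARM_ABI_FLOAT_SOFT:
            info["float_abi"] = "soft"
        else:
            info["float_abi"] = "unknown"  # older toolchains set neither bit; fall back to Tag_ABI_VFP_args
        info["eabi_version"] = (e_flags & EF_ARM_EABIMASK) >> 24
    return info


# Interpreter file-name prefix -> (libc family, float ABI); most specific entries first.
INTERP_LIBC = [
    ("ld-linux-armhf.so", "glibc", "hard"),
    ("ld-linux-aarch64.so", "glibc", None),
    ("ld-linux-x86-64.so", "glibc", None),
    ("ld-linux.so", "glibc", "soft"),
    ("ld-musl-armhf.so", "musl", "hard"),
    ("ld-musl-arm.so", "musl", "soft"),
    ("ld-musl-", "musl", None),
    ("ld-uClibc", "uClibc", None),
]


def libc_from_interp(interp: Optional[str]) -> dict:
    """Map a PT_INTERP path to the libc family; None means no interpreter (static link)."""
    if not interp:
        return {"libc": "unknown (static or no PT_INTERP)", "float_abi": None}
    name = interp.rsplit("/", 1)[-1]
    for prefix, libc, float_abi in INTERP_LIBC:
        if name.startswith(prefix):
            return {"libc": libc, "float_abi": float_abi}
    return {"libc": f"unknown ({name})", "float_abi": None}


# Constructed headers (not from real files): a 32-bit LE ARM EABI5 hard-float EXEC and a
# 64-bit LE AArch64 PIE. Only the header fields decoded above carry meaningful values.
SAMPLE_ARM_HF = (
    struct.pack("<4sBBBBB7x", b"\x7fELF", 1, 1, 1, 0, 0)
    + struct.pack("<HHIIIIIHHHHHH", 2, EM_ARM, 1, 0x8000, 52, 0, 0x05000400, 52, 32, 1, 40, 0, 0)
)
SAMPLE_AARCH64_PIE = (
    struct.pack("<4sBBBBB7x", b"\x7fELF", 2, 1, 1, 0, 0)
    + struct.pack("<HHIQQQIHHHHHH", 3, 183, 1, 0x1000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    header = open(path, "rb").read(64) if path else SAMPLE_ARM_HF
    print(decode_elf_header(header))
    print(libc_from_interp("/lib/ld-musl-armhf.so.1"))
```

Run it with a path to read a real header (`python3 elfhdr.py ./binary`); without an argument it decodes the constructed ARM sample. The big-endian branch is what you need for MIPS firmware, where `file` reports `MSB`.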

### Step 4: Dependencies

```bash
# Library dependencies (DT_NEEDED entries: direct dependencies only)
rabin2 -q -j -l binary | jq '.libs[]'

# Common patterns:
# libcurl.so.*    → HTTP client
# libssl.so.*     → TLS/crypto
# libpthread.so.* → Threading
# libz.so.*       → Compression
# libsqlite3.so.* → Local database
#
# Libraries loaded at runtime via dlopen() are NOT listed here. If dlopen/dlsym
# appear in the imports (Step 7), grep the string scan (Step 6) for ".so" names too.
```

### Step 5: Entry Points & Exports

```bash
# Entry points
rabin2 -q -j -e binary | jq .

# Exports (for shared libraries)
rabin2 -q -j -E binary | jq '.exports[] | {name, vaddr}'
```

### Step 6: Quick String Scan

```bash
# All strings with metadata (-zz scans the whole file, not just data sections)
rabin2 -q -j -zz binary | jq '.strings | length'  # Count first; a very low count
                                                   # on a large file hints at packing/compression

# Filter interesting strings (URLs, paths, errors, credentials)
# Note: "pass" and "key" are noisy on large binaries; tighten the pattern as needed
rabin2 -q -j -zz binary | jq '
  .strings[] |
  select(.length > 8) |
  select(.string | test("http|ftp|/etc|/var|error|fail|pass|key|token"; "i"))
'
```

### Step 7: Import Analysis

```bash
# All imports. ELF imports carry no library attribution (symbols are resolved
# by name at load time); a lib/libname field is only populated for formats
# that record it, such as PE.
rabin2 -q -j -i binary | jq '.imports[] | {name, type}'

# Group by symbol prefix as a proxy for the providing library/subsystem
# (curl_*, SSL_*, pthread_*, ...)
rabin2 -q -j -i binary | jq -r '.imports[].name' | sed 's/_.*//' | sort | uniq -c | sort -rn
```

## Capability Mapping

| Import Pattern | Capability |
|----------------|------------|
| `socket`, `connect`, `send` | Network client |
| `bind`, `listen`, `accept` | Network server |
| `open`, `read`, `write` | File I/O |
| `fork`, `exec*`, `system` | Process spawning |
| `pthread_*` | Multi-threading |
| `SSL_*`, `EVP_*` | Cryptography |
| `dlopen`, `dlsym` | Dynamic loading |
| `mmap`, `mprotect` | Memory manipulation |
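Steps 4, 6 and 7 and the capability table above are exactly the kind of mapping an agent should apply mechanically rather than re-derive per prompt. The following helper is an added example and not part of the skill: it consumes the JSON that `rabin2 -q -j -I/-l/-i/-zz` produce, applies the import and library rules from this page, re-implements the Step 6 string filter, and emits the fact record in the shape of the Output Format section below, with every inferred capability tied to its evidence. The inputs are constructed by hand in the shape current rabin2 emits (the `info`, `libs`, `imports`, `strings` wrapper keys and the `name`/`string`/`length` fields are assumptions about that format, not output from a real binary).

```python
import json
import re

# Import-name rules transcribed from the capability table: (capability, regex on symbol name).
IMPORT_RULES = [
    ("network_client", re.compile(r"^(socket|connect|send|sendto|sendmsg)$")),
    ("network_server", re.compile(r"^(bind|listen|accept|accept4)$")),
    ("file_io", re.compile(r"^(open|openat|read|write|fopen|fread|fwrite)$")),
    ("process_spawn", re.compile(r"^(fork|vfork|exec[lvpe]+|system|posix_spawn)$")),
    ("threading", re.compile(r"^pthread_")),
    ("crypto", re.compile(r"^(SSL_|EVP_)")),
    ("dynamic_loading", re.compile(r"^(dlopen|dlsym)$")),
    ("memory_manipulation", re.compile(r"^(mmap|mprotect)$")),
]
# DT_NEEDED rules from the "Common patterns" comments in Step 4.
LIB_RULES = [
    ("libcurl.so", "http_client"),
    ("libssl.so", "tls_encryption"),
    ("libpthread.so", "threading"),
    ("libz.so", "compression"),
    ("libsqlite3.so", "local_database"),
]
INTERESTING = re.compile(r"http|ftp|/etc|/var|error|fail|pass|key|token", re.I)


def infer_capabilities(imports, libs):
    """Return {capability: [evidence, ...]} so every inferred capability cites its source."""
    found = {}
    for imp in imports:
        for cap, rx in IMPORT_RULES:
            if rx.match(imp["name"]):
                found.setdefault(cap, []).append(f"import:{imp['name']}")
    for lib in libs:
        for prefix, cap in LIB_RULES:
            if lib.startswith(prefix):
                found.setdefault(cap, []).append(f"lib:{lib}")
    return found


def strings_of_interest(strings, min_len=8):
    """Same filter as the Step 6 jq pipeline, plus a coarse url/path/other classification."""
    out = []
    for s in strings:
        value = s["string"]
        if s.get("length", len(value)) <= min_len or not INTERESTING.search(value):
            continue
        if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
            kind = "url"
        elif value.startswith("/"):
            kind = "path"
        else:
            kind = "other"
        out.append({"value": value, "type": kind})
    return out


def triage_record(info_json, libs_json, imports_json, strings_json):
    """Assemble the fact record from the four rabin2 JSON outputs (-I, -l, -i, -zz)."""
    info = json.loads(info_json)["info"]
    libs = json.loads(libs_json)["libs"]
    imports = json.loads(imports_json)["imports"]
    strings = json.loads(strings_json)["strings"]
    caps = infer_capabilities(imports, libs)
    return {
        "identification": {k: info.get(k) for k in ("arch", "bits", "endian", "os", "stripped", "static")},
        "dependencies": libs,
        "capabilities_inferred": sorted(caps),
        "evidence": caps,
        "strings_of_interest": strings_of_interest(strings),
        "complexity_estimate": {
            "functions": "unknown (stripped)" if info.get("stripped") else "see static-analysis",
            "strings": len(strings),
            "imports": len(imports),
        },
    }


# Constructed rabin2 outputs (hand-written in the shape rabin2 -q -j emits; not from a real binary).
SAMPLE_INFO = '{"info": {"arch": "arm", "bits": 32, "endian": "little", "os": "linux", "stripped": true, "static": false}}'
SAMPLE_LIBS = '{"libs": ["libcurl.so.4", "libssl.so.1.1", "libz.so.1", "libc.so"]}'
SAMPLE_IMPORTS = json.dumps({"imports": [
    {"name": n, "type": "FUNC"} for n in
    ["socket", "connect", "curl_easy_perform", "SSL_CTX_new", "pthread_create", "fopen", "system", "read", "dlopen"]
]})
SAMPLE_STRINGS = json.dumps({"strings": [
    {"string": "https://api.vendor.example/telemetry", "length": 36},
    {"string": "/etc/config.json", "length": 16},
    {"string": "api_token=%s", "length": 12},
    {"string": "Connection failed", "length": 17},
    {"string": "ok", "length": 2},
]})

if __name__ == "__main__":
    print(json.dumps(triage_record(SAMPLE_INFO, SAMPLE_LIBS, SAMPLE_IMPORTS, SAMPLE_STRINGS), indent=2))
```

On a real target, feed it the captured outputs (`rabin2 -q -j -I binary > info.json`, and likewise for `-l`, `-i`, `-zz`). Keeping the `evidence` map alongside `capabilities_inferred` is what lets the journal entry cite `(evidence: import/string)` for each claim instead of asserting capabilities unsupported by the data.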

## Output Format

After triage, record structured facts:

```json
{
  "artifact": {
    "path": "/path/to/binary",
    "sha256": "abc123...",
    "size_bytes": 245760
  },
  "identification": {
    "arch": "arm",
    "bits": 32,
    "endian": "little",
    "os": "linux",
    "stripped": true,
    "static": false
  },
  "abi": {
    "interpreter": "/lib/ld-musl-arm.so.1",
    "libc": "musl",
    "float_abi": "hard"
  },
  "dependencies": [
    "libcurl.so.4",
    "libssl.so.1.1",
    "libz.so.1"
  ],
  "capabilities_inferred": [
    "network_client",
    "tls_encryption",
    "compression"
  ],
  "strings_of_interest": [
    {"value": "https://api.vendor.com/telemetry", "type": "url"},
    {"value": "/etc/config.json", "type": "path"}
  ],
  "complexity_estimate": {
    "functions": "unknown (stripped)",
    "strings": 847,
    "imports": 156
  }
}
```

## Knowledge Journaling

After triage completes, record findings for episodic memory:

```
[BINARY-RE:triage] (unknown) (sha256: {hash})

Identification:
  Architecture: {arch} {bits}-bit {endian}
  Libc: {glibc|musl|uclibc} ({interpreter_path})
  Stripped: {yes|no}
  Size: {bytes}

FACT: Links against {library} (source: rabin2 -l)
FACT: Contains {N} strings of interest (source: rabin2 -zz)
FACT: Imports {function} from {library} (source: rabin2 -i)

Capabilities inferred:
  - {capability_1} (evidence: {import/string})
  - {capability_2} (evidence: {import/string})

HYPOTHESIS: {what binary likely does} (confidence: {0.0-1.0})

QUESTION: {open unknown that needs investigation}

Next phase: {static-analysis|dynamic-analysis}
Sysroot needed: {path or "extract from device"}
```

### Example Journal Entry

```
[BINARY-RE:triage] thermostat_daemon (sha256: a1b2c3d4...)

Identification:
  Architecture: ARM 32-bit LE
  Libc: musl (/lib/ld-musl-arm.so.1)
  Stripped: yes
  Size: 153,600 bytes

FACT: Links against libcurl.so.4 (source: rabin2 -l)
FACT: Links against libssl.so.1.1 (source: rabin2 -l)
FACT: Contains string "api.thermco.com" (source: rabin2 -zz)
FACT: Imports curl_easy_perform (source: rabin2 -i)

Capabilities inferred:
  - HTTP client (evidence: libcurl import)
  - TLS encryption (evidence: libssl import)
  - Network communication (evidence: URL string)

HYPOTHESIS: Telemetry client that reports to api.thermco.com (confidence: 0.6)

QUESTION: What data does it collect and transmit?

Next phase: static-analysis
Sysroot needed: musl ARM (extract from device or Alpine)
```

## Decision Points

After triage, determine:

1. **Sysroot selection** - Based on arch + libc
2. **Analysis tool chain** - r2 vs Ghidra vs both
3. **Dynamic analysis feasibility** - QEMU viability based on arch
4. **Initial hypotheses** - What does this binary likely do?

## Next Steps

→ Proceed to `binary-re-static-analysis` for function enumeration
→ Or `binary-re-dynamic-analysis` if behavior observation is priority

Related Skills

  • gws-gmail-triage: Gmail: Show unread inbox summary (sender, subject, date).
  • debian-linux-triage: Triage and resolve Debian Linux issues with apt, systemd, and AppArmor-aware guidance.
  • centos-linux-triage: Triage and resolve CentOS issues using RHEL-compatible tooling, SELinux-aware practices, and firewalld.
  • arch-linux-triage: Triage and resolve Arch Linux issues with pacman, systemd, and rolling-release best practices.
  • issue-triage: GitHub issue handling workflow. Use when the user receives an issue that needs analysis and a reply. Through the four-step method "diagnose → characterize → decide → reply", produce an accurate root-cause analysis and an appropriate user reply from a single issue, avoiding misjudging the issue type or replying unprofessionally.
  • binary-analysis-patterns: Master binary analysis patterns including disassembly, decompilation, control flow analysis, and code pattern recognition. Use when analyzing executables, understanding compiled code, or performing static analysis on binaries.
  • binary-analysis: Analyze binary files (exe, dll, sys, bin, ocx, scr, cpl, drv) to assess if they are malicious, perform decompilation, extract strings/imports/exports, detect malware, and provide threat assessment. Use this skill when user asks to analyze, examine, check, or assess any binary file, asks if a file is malicious/suspicious/safe, or provides a file path to a binary. Trigger for phrases like "Is [file] malicious?", "Analyze [file]", "What does [binary] do?", or any request involving binary file analysis.
  • fiftyone-pr-triage: Triage FiftyOne GitHub issues by validating status, categorizing resolution, and generating standardized responses. Use when reviewing issues to determine if fixed, won't fix, not reproducible, no longer relevant, or still valid.
  • binary-re-tool-setup: Use when reverse engineering tools are missing, not working, or need configuration. Installation guides for radare2 (r2), Ghidra, GDB, QEMU, Frida, binutils, and cross-compilation toolchains. Keywords - "install radare2", "setup ghidra", "r2 not found", "qemu missing", "tool not installed", "configure gdb", "cross-compiler"
  • binary-re-synthesis: Use when ready to document findings, generate a report, or summarize binary analysis results. Compiles analysis findings into structured reports - correlates facts from triage/static/dynamic phases, validates hypotheses, generates documentation with evidence chains. Keywords - "summarize findings", "generate report", "document analysis", "what did we find", "write up results", "export findings"
  • binary-re-static-analysis: Use when analyzing binary structure, disassembling code, or decompiling functions. Deep static analysis via radare2 (r2) and Ghidra headless - function enumeration, cross-references (xrefs), decompilation, control flow graphs. Keywords - "disassemble", "decompile", "what does this function do", "find functions", "analyze code", "r2", "ghidra", "pdg", "afl"
  • binary-re-dynamic-analysis: Use when you need to run a binary, trace execution, or observe runtime behavior. Runtime analysis via QEMU emulation, GDB debugging, and Frida hooking - syscall tracing (strace), breakpoints, memory inspection, function interception. Keywords - "run binary", "execute", "debug", "trace syscalls", "set breakpoint", "qemu", "gdb", "frida", "strace", "watch memory"

All related skills are from ComeOnOliver/skillshub.