--- name: binary-triage description: Performs initial binary triage by surveying memory layout, strings, imports/exports, and functions to quickly understand what a binary does and identify suspicious behavior. Use when first examining a binary, when user asks to triage/survey/analyze a program, or wants an overview before deeper reverse engineering. --- # Binary Triage ## Instructions We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to: 1. Identify key components and behaviors 2. Flag suspicious or interesting areas 3. Create a task list of next steps for deeper investigation ## Binary triage with ReVa Follow this systematic workflow using ReVa's MCP tools: ### 1. Identify the Program - Use `get-current-program` to see the active program - Or use `list-project-files` to see available programs in the project - Note the `programPath` (e.g., "/Hatchery.exe") for use in subsequent tools ### 2. Survey Memory Layout - Use `get-memory-blocks` to understand the binary structure - Examine key sections: - `.text` - executable code - `.data` - initialized data - `.rodata` - read-only data (strings, constants) - `.bss` - uninitialized data - Flag unusual characteristics: - Unusually large sections - Packed/encrypted sections - Executable data sections - Writable code sections ### 3. Survey Strings - Use `get-strings-count` to see total string count - Use `get-strings` with pagination (100-200 strings at a time) - Look for indicators of functionality or malicious behavior: - **Network**: URLs, IP addresses, domain names, API endpoints - **File System**: File paths, registry keys, configuration files - **APIs**: Function names, library references - **Messages**: Error messages, debug strings, log messages - **Suspicious Keywords**: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload ### 4. Survey Symbols and Imports - Use `get-symbols-count` with `includeExternal=true` to count imports - Use `get-symbols` with `includeExternal=true` and `filterDefaultNames=true` - Focus on external symbols (imports from libraries) - Flag interesting/suspicious imports by category: - **Network APIs**: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket - **File I/O**: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread - **Process Manipulation**: CreateProcess, exec, fork, system, WinExec, ShellExecute - **Memory Operations**: VirtualAlloc, VirtualProtect, mmap, mprotect - **Crypto**: CryptEncrypt, CryptDecrypt, EVP_*, AES_*, bcrypt, RC4 - **Anti-Analysis**: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace - **Registry**: RegOpenKey, RegSetValue, RegQueryValue - Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries) ### 5. Survey Functions - Use `get-function-count` with `filterDefaultNames=true` to count named functions - Use `get-function-count` with `filterDefaultNames=false` to count all functions - Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary) - Use `get-functions` with `filterDefaultNames=true` to list named functions - Identify key functions: - **Entry points**: `entry`, `start`, `_start` - **Main functions**: `main`, `WinMain`, `DllMain`, `_main` - **Suspicious names**: If not stripped, look for revealing function names ### 6. Cross-Reference Analysis for Key Findings - For interesting strings found in Step 3: - Use `find-cross-references` with `direction="to"` and `includeContext=true` - Identify which functions reference suspicious strings - For suspicious imports found in Step 4: - Use `find-cross-references` with `direction="to"` and `includeContext=true` - Identify which functions call suspicious APIs - This helps prioritize which functions need detailed examination ### 7. Selective Initial Decompilation - Use `get-decompilation` on entry point or main function - Set `limit=30` to get ~30 lines initially - Set `includeIncomingReferences=true` to see callers - Set `includeReferenceContext=true` for context snippets - Use `get-decompilation` on 1-2 suspicious functions identified in Step 6 - Set `limit=20-30` for quick overview - Look for high-level patterns: - Loops (encryption/decryption routines) - Network operations - File operations - Process creation - Suspicious control flow (obfuscation indicators) - **Do not do deep analysis yet** - this is just to understand general behavior ### 8. Document Findings and Create Task List - Use the `TodoWrite` tool to create an actionable task list with items like: - "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)" - "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)" - "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)" - "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)" - "Examine packed section .UPX0 for unpacking routine" - Each todo should be: - Specific (include addresses, function names, strings) - Actionable (what needs to be investigated) - Prioritized (most suspicious first) ## Output Format Present triage findings to the user in this structured format: ### Program Overview - **Name**: [Program name from programPath] - **Type**: [Executable type - PE, ELF, Mach-O, etc.] - **Platform**: [Windows, Linux, macOS, etc.] ### Memory Layout - **Total Size**: [Size in bytes/KB/MB] - **Key Sections**: [List main sections with sizes and permissions] - **Unusual Characteristics**: [Any packed/encrypted/suspicious sections] ### String Analysis - **Total Strings**: [Count from get-strings-count] - **Notable Findings**: [Bullet list of interesting strings with context] - **Suspicious Indicators**: [URLs, IPs, suspicious keywords found] ### Import Analysis - **Total Symbols**: [Count from get-symbols-count] - **External Imports**: [Count of external symbols] - **Key Libraries**: [Main libraries imported] - **Suspicious APIs**: [Categorized list of concerning imports] ### Function Analysis - **Total Functions**: [Count with filterDefaultNames=false] - **Named Functions**: [Count with filterDefaultNames=true] - **Stripped Status**: [Yes/No based on ratio] - **Entry Point**: [Address and name] - **Main Function**: [Address and name] - **Key Functions**: [List of important functions identified] ### Suspicious Indicators [Bulleted list of red flags discovered, prioritized by severity] ### Recommended Next Steps [Present the task list created in Step 8] - Each item should be specific and actionable - Prioritize by severity/importance - Include addresses, function names, and context ## Important Notes - **Speed over depth**: This is triage, not full analysis. Move quickly through steps. - **Use pagination**: Don't request thousands of strings/functions at once. Use chunks of 100-200. - **Focus on anomalies**: Flag things that are unusual, suspicious, or interesting. - **Context is key**: When using cross-references, enable `includeContext=true` for code snippets. - **Create actionable todos**: Each next step should be specific enough for another agent to execute. - **Be systematic**: Follow all 8 steps in order for comprehensive coverage.