Engineering

binary-triage

Performs initial binary triage by surveying memory layout, strings, imports, and functions to quickly identify suspicious behavior and program intent during reverse engineering.

Introduction

The binary-triage skill is a foundational component of the ReVa (Reverse Engineering Assistant) toolkit, designed to help security researchers and developers perform a rapid, structured survey of an unknown binary. It bridges the gap between opening a file in Ghidra and starting a deep-dive investigation. By automating the extraction of key indicators such as strings, symbols, memory blocks, and imports, it lets the analyst form, within minutes, a high-level hypothesis about what a program does, where it came from, and whether it is likely malicious.

  • Automated survey of the binary's memory layout, including .text, .data, .rodata (.rdata on PE), and .bss blocks, to detect signs of packing or encryption (writable-and-executable blocks, packer-named sections, a tiny code section next to a large high-entropy data block) and other unusual memory permissions.

  • Intelligent string analysis to identify network artifacts (URLs, IP addresses), filesystem paths, registry keys, and suspicious keywords such as 'payload', 'shellcode', or cryptography-related terms. Pattern hits are leads rather than verdicts: version numbers look like IP addresses and benign programs mention encryption, so each hit is meant to be cross-referenced, not reported on its own.

  • Systematic import and symbol classification to flag high-risk APIs associated with network activity, process injection, anti-analysis, and system manipulation.

  • Function-level overview providing insights into the entry point, main function, and binary stripping status, helping to focus manual analysis efforts on the most critical code paths.

  • Integration with ReVa's MCP (Model Context Protocol) toolset, allowing the agent to perform cross-reference analysis between suspicious strings/APIs and their usage context in decompiled code.

  • Structured reporting format that summarizes the program architecture and generates a prioritized TodoWrite task list for subsequent, deeper reverse engineering phases.

  • Use this skill during the first stage of binary examination or when you need a summary of an unfamiliar executable program.

  • It requires an active Ghidra project and a loaded program. The skill leverages ReVa's headless and assistant modes to interact with Ghidra's analysis engine, ensuring that context remains accurate while minimizing token overhead.

  • While it supports selective initial decompilation of entry points, it is explicitly designed to avoid exhaustive analysis, serving instead as a roadmap for the researcher to follow.

  • Effective inputs include file paths or program handles from the active Ghidra session; the expected output is a comprehensive, markdown-formatted triage report ready for further investigation.
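The following is an added illustration, not code from ReVa itself, of the survey the bullets above describe: it runs the memory-layout, string, import and stripping checks over constructed sample data and turns the findings into a markdown report with a prioritized to-do list. It assumes a simplified tuple shape for memory blocks, the `library::name` form Ghidra uses for external symbols, Ghidra's `FUN_<address>` naming for unnamed functions, and deliberately short regex and API tables; in a real run the inputs would come from ReVa's tools over the loaded program, and the tables would be longer.

```python
import re

# Constructed sample data standing in for what Ghidra exposes through ReVa's tools
# (memory blocks, defined strings, external symbols, function names); it is shaped
# to trip each check once and comes from no real binary.
SAMPLE_BLOCKS = [  # (name, start, size, readable, writable, executable)
    ("Headers", 0x400000, 0x1000, True, False, False),
    ("UPX0", 0x401000, 0x30000, True, True, True),   # RWX: the packer's unpack target
    ("UPX1", 0x431000, 0xA000, True, True, True),    # RWX: the packer stub itself
    (".rsrc", 0x43B000, 0x2000, True, False, False),
]
SAMPLE_STRINGS = [
    "https://update.example.invalid/stage2.bin",
    "198.51.100.23",                    # TEST-NET-2 address, safe as sample data
    "999.1.1.1",                        # shaped like an IPv4 address but is not one
    "C:\\Users\\Public\\svchost.exe",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "decrypt shellcode payload",
]
SAMPLE_IMPORTS = [  # library::name, the namespace form Ghidra uses for external symbols
    "KERNEL32.dll::VirtualAllocEx", "KERNEL32.dll::WriteProcessMemory",
    "KERNEL32.dll::CreateRemoteThread", "KERNEL32.dll::IsDebuggerPresent",
    "WININET.dll::InternetOpenUrlA", "ADVAPI32.dll::RegSetValueExA", "KERNEL32.dll::GetProcAddress",
]
SAMPLE_FUNCTIONS = ["entry", "FUN_00401000", "FUN_00401234", "FUN_00431050"]

URL_RE = re.compile(r"https?://[\w.-]+(?:/\S*)?", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)\S+")
REGISTRY_RE = re.compile(r"^(?:HKEY_[A-Z_]+|HKLM|HKCU|HKCR|SOFTWARE|SYSTEM)\\", re.I)
KEYWORD_RE = re.compile(r"\b(payload|shellcode|inject|decrypt|encrypt|rc4|aes|xor|keylog|sandbox|vmware)\b", re.I)
PACKER_SECTION_RE = re.compile(r"^(UPX\d|\.aspack|\.adata|\.themida|\.vmp\d|\.petite|\.MPRESS\d)$", re.I)
API_RISK = {  # risk class -> imported APIs that put a binary in that class (illustrative, not exhaustive)
    "network": {"WSAStartup", "socket", "connect", "send", "recv", "InternetOpenUrlA", "URLDownloadToFileA"},
    "process_injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection", "QueueUserAPC"},
    "anti_analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "system_manipulation": {"RegSetValueExA", "CreateServiceA", "SetWindowsHookExA", "AdjustTokenPrivileges", "WinExec"},
}


def classify_strings(strings):
    """Bucket defined strings into the artefact classes the triage report calls out."""
    buckets = {"url": [], "ip": [], "path": [], "registry": [], "keyword": []}
    for s in strings:
        if URL_RE.search(s):
            buckets["url"].append(s)
        # The regex alone accepts 999.1.1.1; check every octet before calling it an address.
        if any(all(int(o) <= 255 for o in m.split(".")) for m in IPV4_RE.findall(s)):
            buckets["ip"].append(s)
        if REGISTRY_RE.match(s):
            buckets["registry"].append(s)
        elif PATH_RE.match(s):
            buckets["path"].append(s)
        if KEYWORD_RE.search(s):
            buckets["keyword"].append(s)
    return buckets


def classify_imports(imports):
    """Map each imported API onto its risk class; names outside the table are ignored."""
    hits = {cat: [] for cat in API_RISK}
    for imp in imports:
        name = imp.rsplit("::", 1)[-1]
        for cat, apis in API_RISK.items():
            if name in apis:
                hits[cat].append(name)
    return hits


def survey_blocks(blocks):
    """Flag memory blocks whose permissions or names point at packing or self-modifying code."""
    findings = []
    for name, start, size, _r, w, x in blocks:
        if w and x:
            findings.append(f"{name} @ {start:#x} ({size:#x} bytes) is writable and executable")
        if PACKER_SECTION_RE.match(name):
            findings.append(f"{name} matches a known packer section name")
    return findings


def is_stripped(functions):
    """Ghidra names a function FUN_<addr> when no symbol supplies a name; if only the
    entry point has a real name, the binary shipped without symbols."""
    return not [f for f in functions if not f.startswith("FUN_") and f != "entry"]


def build_todo(mem, strs, imps):
    todo = []  # ordered: unpacking first, since every other finding is unreliable on packed code
    if any("writable and executable" in f for f in mem):
        todo.append("Unpack or dump the RWX block before any deeper static analysis")
    if imps["process_injection"]:
        todo.append(f"Cross-reference {imps['process_injection'][0]} to locate the injection routine")
    if strs["url"] or strs["ip"]:
        todo.append("Cross-reference the network strings to find the code that contacts them")
    if strs["registry"]:
        todo.append(f"Check persistence: find the writer of {strs['registry'][0]}")
    return todo


def triage_report(blocks, strings, imports, functions):
    """Render the markdown summary an analyst would receive at the end of triage."""
    mem, strs, imps = survey_blocks(blocks), classify_strings(strings), classify_imports(imports)
    lines = ["# Triage report", "", "## Memory layout"] + ([f"- {f}" for f in mem] or ["- nothing unusual"])
    lines += ["", "## Strings"] + [f"- {c}: " + " | ".join(v) for c, v in strs.items() if v]
    lines += ["", "## Imports"] + [f"- {c}: " + ", ".join(v) for c, v in imps.items() if v]
    lines += ["", "## Functions", f"- {len(functions)} functions, stripped: {is_stripped(functions)}"]
    lines += ["", "## Next steps"] + [f"{i}. {t}" for i, t in enumerate(build_todo(mem, strs, imps), 1)]
    return "\n".join(lines)
```

Calling `triage_report(SAMPLE_BLOCKS, SAMPLE_STRINGS, SAMPLE_IMPORTS, SAMPLE_FUNCTIONS)` yields a report whose first to-do item is unpacking, because the two UPX blocks are both writable and executable; the injection, network and persistence items follow. The octet check in `classify_strings` is the kind of false-positive guard the triage stage needs: `999.1.1.1` is dropped while `198.51.100.23` is kept, and `GetProcAddress` is silently ignored by `classify_imports` because the illustrative table does not list it.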

Repository Stats

Stars: 713
Forks: 62
Open Issues: 24
Language: Java
Default Branch: main