Binary Triage
Instructions
We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:
- •Identify key components and behaviors
- •Flag suspicious or interesting areas
- •Create a task list of next steps for deeper investigation
Binary triage with ReVa
Follow this systematic workflow using ReVa's MCP tools:
1. Identify the Program
- •Use
get-current-programto see the active program - •Or use
list-project-filesto see available programs in the project - •Note the
programPath(e.g., "/Hatchery.exe") for use in subsequent tools
2. Survey Memory Layout
- •Use
get-memory-blocksto understand the binary structure - •Examine key sections:
- •
.text- executable code - •
.data- initialized data - •
.rodata- read-only data (strings, constants) - •
.bss- uninitialized data
- •
- •Flag unusual characteristics:
- •Unusually large sections
- •Packed/encrypted sections
- •Executable data sections
- •Writable code sections
3. Survey Strings
- •Use
get-strings-countto see total string count - •Use
get-stringswith pagination (100-200 strings at a time) - •Look for indicators of functionality or malicious behavior:
- •Network: URLs, IP addresses, domain names, API endpoints
- •File System: File paths, registry keys, configuration files
- •APIs: Function names, library references
- •Messages: Error messages, debug strings, log messages
- •Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload
4. Survey Symbols and Imports
- •Use
get-symbols-countwithincludeExternal=trueto count imports - •Use
get-symbolswithincludeExternal=trueandfilterDefaultNames=true - •Focus on external symbols (imports from libraries)
- •Flag interesting/suspicious imports by category:
- •Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket
- •File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread
- •Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute
- •Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect
- •Crypto: CryptEncrypt, CryptDecrypt, EVP_, AES_, bcrypt, RC4
- •Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace
- •Registry: RegOpenKey, RegSetValue, RegQueryValue
- •Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)
5. Survey Functions
- •Use
get-function-countwithfilterDefaultNames=trueto count named functions - •Use
get-function-countwithfilterDefaultNames=falseto count all functions - •Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary)
- •Use
get-functionswithfilterDefaultNames=trueto list named functions - •Identify key functions:
- •Entry points:
entry,start,_start - •Main functions:
main,WinMain,DllMain,_main - •Suspicious names: If not stripped, look for revealing function names
- •Entry points:
6. Cross-Reference Analysis for Key Findings
- •For interesting strings found in Step 3:
- •Use
find-cross-referenceswithdirection="to"andincludeContext=true - •Identify which functions reference suspicious strings
- •Use
- •For suspicious imports found in Step 4:
- •Use
find-cross-referenceswithdirection="to"andincludeContext=true - •Identify which functions call suspicious APIs
- •Use
- •This helps prioritize which functions need detailed examination
7. Selective Initial Decompilation
- •Use
get-decompilationon entry point or main function- •Set
limit=30to get ~30 lines initially - •Set
includeIncomingReferences=trueto see callers - •Set
includeReferenceContext=truefor context snippets
- •Set
- •Use
get-decompilationon 1-2 suspicious functions identified in Step 6- •Set
limit=20-30for quick overview
- •Set
- •Look for high-level patterns:
- •Loops (encryption/decryption routines)
- •Network operations
- •File operations
- •Process creation
- •Suspicious control flow (obfuscation indicators)
- •Do not do deep analysis yet - this is just to understand general behavior
8. Document Findings and Create Task List
- •Use the
TodoWritetool to create an actionable task list with items like:- •"Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"
- •"Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"
- •"Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"
- •"Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"
- •"Examine packed section .UPX0 for unpacking routine"
- •Each todo should be:
- •Specific (include addresses, function names, strings)
- •Actionable (what needs to be investigated)
- •Prioritized (most suspicious first)
Output Format
Present triage findings to the user in this structured format:
Program Overview
- •Name: [Program name from programPath]
- •Type: [Executable type - PE, ELF, Mach-O, etc.]
- •Platform: [Windows, Linux, macOS, etc.]
Memory Layout
- •Total Size: [Size in bytes/KB/MB]
- •Key Sections: [List main sections with sizes and permissions]
- •Unusual Characteristics: [Any packed/encrypted/suspicious sections]
String Analysis
- •Total Strings: [Count from get-strings-count]
- •Notable Findings: [Bullet list of interesting strings with context]
- •Suspicious Indicators: [URLs, IPs, suspicious keywords found]
Import Analysis
- •Total Symbols: [Count from get-symbols-count]
- •External Imports: [Count of external symbols]
- •Key Libraries: [Main libraries imported]
- •Suspicious APIs: [Categorized list of concerning imports]
Function Analysis
- •Total Functions: [Count with filterDefaultNames=false]
- •Named Functions: [Count with filterDefaultNames=true]
- •Stripped Status: [Yes/No based on ratio]
- •Entry Point: [Address and name]
- •Main Function: [Address and name]
- •Key Functions: [List of important functions identified]
Suspicious Indicators
[Bulleted list of red flags discovered, prioritized by severity]
Recommended Next Steps
[Present the task list created in Step 8]
- •Each item should be specific and actionable
- •Prioritize by severity/importance
- •Include addresses, function names, and context
Important Notes
- •Speed over depth: This is triage, not full analysis. Move quickly through steps.
- •Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.
- •Focus on anomalies: Flag things that are unusual, suspicious, or interesting.
- •Context is key: When using cross-references, enable
includeContext=truefor code snippets. - •Create actionable todos: Each next step should be specific enough for another agent to execute.
- •Be systematic: Follow all 8 steps in order for comprehensive coverage.