binary-triage

Binary Triage

Instructions

We are triaging a binary to quickly understand what it does. This is an initial survey, not deep analysis. Our goal is to:

1. Identify key components and behaviors
2. Flag suspicious or interesting areas
3. Create a task list of next steps for deeper investigation

Binary triage with ReVa

Follow this systematic workflow using ReVa's MCP tools:

1. Identify the Program

• Use get-current-program to see the active program
• Or use list-project-files to see available programs in the project
• Note the programPath (e.g., "/Hatchery.exe") for use in subsequent tools

2. Survey Memory Layout

• Use get-memory-blocks to understand the binary structure
• Examine key sections:
  • .text - executable code
  • .data - initialized data
  • .rodata - read-only data (strings, constants)
  • .bss - uninitialized data
• Flag unusual characteristics:
  • Unusually large sections
  • Packed/encrypted sections
  • Executable data sections
  • Writable code sections

3. Survey Strings

• Use get-strings-count to see total string count
• Use get-strings with pagination (100-200 strings at a time)
• Look for indicators of functionality or malicious behavior:
  • Network: URLs, IP addresses, domain names, API endpoints
  • File System: File paths, registry keys, configuration files
  • APIs: Function names, library references
  • Messages: Error messages, debug strings, log messages
  • Suspicious Keywords: admin, password, credential, token, crypto, encrypt, decrypt, download, execute, inject, shellcode, payload

4. Survey Symbols and Imports

• Use get-symbols-count with includeExternal=true to count imports
• Use get-symbols with includeExternal=true and filterDefaultNames=true
• Focus on external symbols (imports from libraries)
• Flag interesting/suspicious imports by category:
  • Network APIs: connect, send, recv, WSAStartup, getaddrinfo, curl_*, socket
  • File I/O: CreateFile, WriteFile, ReadFile, fopen, fwrite, fread
  • Process Manipulation: CreateProcess, exec, fork, system, WinExec, ShellExecute
  • Memory Operations: VirtualAlloc, VirtualProtect, mmap, mprotect
  • Crypto: CryptEncrypt, CryptDecrypt, EVP_, AES_, bcrypt, RC4
  • Anti-Analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, ptrace
  • Registry: RegOpenKey, RegSetValue, RegQueryValue
• Note the ratio of imports to total symbols (heavy import usage may indicate reliance on libraries)

5. Survey Functions

• Use get-function-count with filterDefaultNames=true to count named functions
• Use get-function-count with filterDefaultNames=false to count all functions
• Calculate ratio of named vs unnamed functions (high unnamed ratio = stripped binary)
• Use get-functions with filterDefaultNames=true to list named functions
• Identify key functions:
  • Entry points: entry, start, _start
  • Main functions: main, WinMain, DllMain, _main
  • Suspicious names: If not stripped, look for revealing function names

6. Cross-Reference Analysis for Key Findings

• For interesting strings found in Step 3:
  • Use find-cross-references with direction="to" and includeContext=true
  • Identify which functions reference suspicious strings
• For suspicious imports found in Step 4:
  • Use find-cross-references with direction="to" and includeContext=true
  • Identify which functions call suspicious APIs
• This helps prioritize which functions need detailed examination

7. Selective Initial Decompilation

• Use get-decompilation on entry point or main function
  • Set limit=30 to get ~30 lines initially
  • Set includeIncomingReferences=true to see callers
  • Set includeReferenceContext=true for context snippets
• Use get-decompilation on 1-2 suspicious functions identified in Step 6
  • Set limit=20-30 for quick overview
• Look for high-level patterns:
  • Loops (encryption/decryption routines)
  • Network operations
  • File operations
  • Process creation
  • Suspicious control flow (obfuscation indicators)
• Do not do deep analysis yet - this is just to understand general behavior

8. Document Findings and Create Task List

• Use the TodoWrite tool to create an actionable task list with items like:
  • "Investigate string 'http://malicious-c2.com' (referenced at 0x00401234)"
  • "Decompile function sub_401000 (calls VirtualAlloc + memcpy + CreateThread)"
  • "Analyze crypto usage in function encrypt_payload (uses CryptEncrypt)"
  • "Trace anti-debugging checks (IsDebuggerPresent at 0x00402000)"
  • "Examine packed section .UPX0 for unpacking routine"
• Each todo should be:
  • Specific (include addresses, function names, strings)
  • Actionable (what needs to be investigated)
  • Prioritized (most suspicious first)

Output Format

Present triage findings to the user in this structured format:

Program Overview

• Name: [Program name from programPath]
• Type: [Executable type - PE, ELF, Mach-O, etc.]
• Platform: [Windows, Linux, macOS, etc.]

Memory Layout

• Total Size: [Size in bytes/KB/MB]
• Key Sections: [List main sections with sizes and permissions]
• Unusual Characteristics: [Any packed/encrypted/suspicious sections]

String Analysis

• Total Strings: [Count from get-strings-count]
• Notable Findings: [Bullet list of interesting strings with context]
• Suspicious Indicators: [URLs, IPs, suspicious keywords found]

Import Analysis

• Total Symbols: [Count from get-symbols-count]
• External Imports: [Count of external symbols]
• Key Libraries: [Main libraries imported]
• Suspicious APIs: [Categorized list of concerning imports]

Function Analysis

• Total Functions: [Count with filterDefaultNames=false]
• Named Functions: [Count with filterDefaultNames=true]
• Stripped Status: [Yes/No based on ratio]
• Entry Point: [Address and name]
• Main Function: [Address and name]
• Key Functions: [List of important functions identified]

Suspicious Indicators

[Bulleted list of red flags discovered, prioritized by severity]

Recommended Next Steps

[Present the task list created in Step 8]

• Each item should be specific and actionable
• Prioritize by severity/importance
• Include addresses, function names, and context

Important Notes

• Speed over depth: This is triage, not full analysis. Move quickly through steps.
• Use pagination: Don't request thousands of strings/functions at once. Use chunks of 100-200.
• Focus on anomalies: Flag things that are unusual, suspicious, or interesting.
• Context is key: When using cross-references, enable includeContext=true for code snippets.
• Create actionable todos: Each next step should be specific enough for another agent to execute.
• Be systematic: Follow all 8 steps in order for comprehensive coverage.