Use when you need to run a binary, trace execution, or observe runtime behavior. Runtime analysis via QEMU emulation, GDB debugging, and Frida hooking - syscall tracing (strace), breakpoints, memory inspection, function interception. Keywords - "run binary", "execute", "debug", "trace syscalls", "set breakpoint", "qemu", "gdb", "frida", "strace", "watch memory"
Execute binaries under QEMU, GDB, or Frida to observe runtime behavior. Use when you need to trace syscalls, debug execution, or hook functions. Requires explicit human approval before any execution.
/plugin marketplace add 2389-research/claude-plugins/plugin install binary-re@2389-research-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Observe actual runtime behavior. Verify hypotheses from static analysis. Capture data that's only visible during execution.
CRITICAL: All execution requires human approval.
Before running ANY binary:
| Host Platform | Target Arch | Method | Complexity |
|---|---|---|---|
| Linux x86_64 | ARM32/64, MIPS | Native qemu-user | Low |
| Linux x86_64 | x86-32 | Native or linux32 | Low |
| macOS (any) | ARM32/64 | Docker + binfmt | Medium |
| macOS (any) | x86-32 | Docker --platform linux/i386 | Medium |
| Windows | Any | WSL2 → Linux method | Medium |
# Start Docker runtime (Colima, Docker Desktop, etc.)
colima start
# Register ARM emulation handlers (requires privileged mode)
docker run --rm --privileged --platform linux/arm64 \
tonistiigi/binfmt --install arm
CRITICAL: On Colima, /tmp mounts often fail silently. Always use home directory paths:
# ✅ GOOD - use home directory
docker run -v ~/code/samples:/work:ro ...
# ❌ BAD - /tmp mounts can fail on Colima
docker run -v /tmp/samples:/work:ro ...
| Method | Isolation | Granularity | Best For |
|---|---|---|---|
| QEMU -strace | High | Syscall level | Initial behavior mapping |
| QEMU + GDB | High | Instruction level | Detailed debugging |
| Docker | High | Process level | Cross-arch on macOS |
| Frida | Medium | Function level | Hooking without recompilation |
| On-device | Low | Full system | When emulation fails |
Safest approach - runs in isolation with syscall logging.
# Verify sysroot exists
ls /usr/arm-linux-gnueabihf/lib/libc.so*
# ARM 32-bit execution
qemu-arm -L /usr/arm-linux-gnueabihf -strace -- ./binary
# ARM 64-bit execution
qemu-aarch64 -L /usr/aarch64-linux-gnu -strace -- ./binary
| Binary ABI | Sysroot Path | QEMU Flag |
|---|---|---|
| ARM glibc hard-float | /usr/arm-linux-gnueabihf | -L |
| ARM glibc soft-float | /usr/arm-linux-gnueabi | -L |
| ARM64 glibc | /usr/aarch64-linux-gnu | -L |
| ARM musl | Custom extraction needed | -L |
# Set environment variables
qemu-arm -L /sysroot \
-E HOME=/tmp \
-E USER=nobody \
-E LD_DEBUG=bindings \
-- ./binary
# Unset dangerous variables
qemu-arm -L /sysroot \
-U LD_PRELOAD \
-- ./binary
Strace output patterns to watch:
# Network activity
openat.*socket
connect(.*AF_INET
sendto\|send\|write.*socket
recvfrom\|recv\|read.*socket
# File access
openat.*O_RDONLY.*"/etc
openat.*O_WRONLY
stat\|lstat.*"/
# Process operations
execve
fork\|clone
Attach debugger for instruction-level control.
# Start QEMU with GDB server
qemu-arm -g 1234 -L /usr/arm-linux-gnueabihf ./binary &
# Connect with gdb-multiarch
gdb-multiarch -q \
-ex "set architecture arm" \
-ex "target remote :1234" \
-ex "source ~/.gdbinit-gef.py" \
./binary
# Breakpoints
break *0x8400 # Address
break main # Symbol
break *0x8400 if $r0 == 5 # Conditional
# Execution control
continue # Run until break
stepi # Single instruction
nexti # Step over calls
finish # Run until return
# Inspection
info registers # All registers
x/20i $pc # Disassemble from PC
x/10wx $sp # Stack contents
x/s 0x12345 # String at address
# Memory
find 0x8000, 0x10000, "pattern" # Search memory
dump memory /tmp/mem.bin 0x8000 0x9000 # Extract region
With GEF loaded, additional commands:
gef> vmmap # Memory layout
gef> checksec # Security features
gef> context # Full state display
gef> hexdump qword $sp 10 # Better hex dump
gef> pcustom # Structure definitions
# Create GDB script
cat > analyze.gdb << 'EOF'
set architecture arm
target remote :1234
break main
continue
info registers
x/20i $pc
continue
quit
EOF
# Run batch
gdb-multiarch -batch -x analyze.gdb ./binary
Intercept function calls without modifying binary.
⚠️ Architecture Constraint: Frida requires native-arch execution. It cannot attach to QEMU-user targets.
| Scenario | Works? | Alternative |
|---|---|---|
| Native binary (x86_64 on x86_64) | ✅ | - |
| Cross-arch under QEMU-user | ❌ | Use on-device frida-server |
| Docker native-arch container | ✅ | - |
| Docker cross-arch (emulated) | ❌ | Use on-device frida-server |
For cross-arch Frida, deploy frida-server to the target device:
# On target device:
./frida-server &
# On host:
frida -H device:27042 -f ./binary -l hook.js --no-pause
// hook_connect.js
Interceptor.attach(Module.findExportByName(null, "connect"), {
onEnter: function(args) {
console.log("[connect] Called");
var sockaddr = args[1];
var family = sockaddr.readU16();
if (family == 2) { // AF_INET
var port = sockaddr.add(2).readU16();
var ip = sockaddr.add(4).readByteArray(4);
console.log(" Port: " + ((port >> 8) | ((port & 0xff) << 8)));
console.log(" IP: " + new Uint8Array(ip).join("."));
}
},
onLeave: function(retval) {
console.log(" Return: " + retval);
}
});
# Run with Frida
frida -f ./binary -l hook_connect.js --no-pause
// trace_libcurl.js
var libcurl = Process.findModuleByName("libcurl.so.4");
if (libcurl) {
libcurl.enumerateExports().forEach(function(exp) {
if (exp.type === "function") {
Interceptor.attach(exp.address, {
onEnter: function(args) {
console.log("[" + exp.name + "] called");
}
});
}
});
}
// dump_memory.js
var base = Module.findBaseAddress("binary");
console.log("Base: " + base);
// Dump region
var data = base.add(0x1000).readByteArray(256);
console.log(hexdump(data, { offset: 0, length: 256 }));
Use Docker for cross-arch execution when native QEMU unavailable.
docker run --rm --platform linux/arm/v7 \
-v ~/code/samples:/work:ro \
arm32v7/debian:bullseye-slim \
sh -c '
# Fix linker path mismatch (common issue)
ln -sf /lib/ld-linux-armhf.so.3 /lib/ld-linux.so.3 2>/dev/null || true
# Install dependencies if needed (check rabin2 -l output)
apt-get update -qq && apt-get install -qq -y libcap2 libacl1 2>/dev/null
# Run with library debug output (strace alternative)
LD_DEBUG=libs /work/binary args
'
docker run --rm --platform linux/arm64 \
-v ~/code/samples:/work:ro \
arm64v8/debian:bullseye-slim \
sh -c 'LD_DEBUG=libs /work/binary args'
docker run --rm --platform linux/i386 \
-v ~/code/samples:/work:ro \
i386/debian:bullseye-slim \
sh -c '/work/binary args'
| Method | Works? | Alternative |
|---|---|---|
| strace | ❌ (ptrace not implemented) | LD_DEBUG=files,libs |
| ltrace | ❌ (same reason) | Direct observation or Frida |
| gdb | ✓ (with QEMU -g flag) | N/A |
LD_DEBUG=libs # Library search and loading
LD_DEBUG=files # File operations during loading
LD_DEBUG=symbols # Symbol resolution
LD_DEBUG=bindings # Symbol binding details
LD_DEBUG=all # Everything (verbose)
When emulation fails or device-specific behavior needed.
# On target device (via SSH/ADB)
gdbserver :1234 ./binary
# On host (with port forward)
ssh -L 1234:localhost:1234 user@device &
gdb-multiarch -q \
-ex "target remote localhost:1234" \
./binary
# On target device
strace -f -o /tmp/trace.log ./binary
# Pull log
scp user@device:/tmp/trace.log .
nsjail \
--mode o \
--chroot /sysroot \
--user 65534 \
--group 65534 \
--disable_clone_newnet \
--rlimit_as 512 \
--time_limit 60 \
-- /binary
# CPU time limit
timeout 60 qemu-arm -L /sysroot -strace ./binary
# Memory limit via cgroup (requires setup)
cgexec -g memory:qemu_sandbox qemu-arm -L /sysroot ./binary
Before dynamic analysis, check for common anti-debugging/anti-analysis patterns:
# Check for anti-debug strings/imports
strings -a binary | grep -Ei 'ptrace|anti|debugger|seccomp|LD_PRELOAD|/proc/self'
# r2: Look for ptrace/prctl/seccomp imports
r2 -q -c 'iij' binary | jq '.[].name' | grep -Ei 'ptrace|prctl|seccomp'
# Common anti-analysis indicators:
# - ptrace(PTRACE_TRACEME) - Prevent debugger attach
# - prctl(PR_SET_DUMPABLE, 0) - Prevent core dumps
# - seccomp - Syscall filtering
# - /proc/self/status checks - Detect TracerPid
# If native execution possible:
strace -f ./binary 2>&1 | grep -E 'ptrace|prctl|seccomp|/proc/self'
| Pattern | Detection | Bypass |
|---|---|---|
ptrace(TRACEME) | Returns EPERM if debugger attached | Patch call to NOP, use QEMU |
/proc/self/status check | Reads TracerPid field | Use QEMU (no /proc emulation) |
| Timing checks | gettimeofday/rdtsc loops | Single-step with GDB, patch checks |
| Self-checksum | Reads own binary/memory | Compute expected checksum, patch |
When anti-analysis detected: Prefer QEMU-strace over GDB (fewer detection vectors), or patch checks in r2 before execution.
| Error | Cause | Solution |
|---|---|---|
Unsupported syscall | QEMU limitation | Try Qiling or on-device |
Invalid ELF image | Wrong arch/sysroot | Verify file output |
Segfault at 0x0 | Missing library | Check ldd equivalent |
QEMU hangs | Blocking on I/O | Add timeout, check strace |
Anti-debugging | Detection code | Use Frida stalker mode |
exec format error in Docker | binfmt not registered | Run tonistiigi/binfmt --install arm |
ld-linux.so.3 not found | Linker path mismatch | Create symlink in container |
libXXX.so not found | Missing dependency | apt install in container |
| Empty mount in Docker | Colima /tmp issue | Use ~/ path instead of /tmp/ |
ptrace: Operation not permitted | strace in QEMU | Use LD_DEBUG instead |
Record observations as structured data:
{
"experiment": {
"id": "exp_001",
"method": "qemu_strace",
"command": "qemu-arm -L /usr/arm-linux-gnueabihf -strace ./binary",
"duration_secs": 12,
"exit_code": 0
},
"syscall_summary": {
"network": {
"socket": 2,
"connect": 1,
"send": 5,
"recv": 3
},
"file": {
"openat": 4,
"read": 12,
"close": 4
}
},
"network_connections": [
{
"family": "AF_INET",
"address": "192.168.1.100",
"port": 8443,
"protocol": "tcp"
}
],
"files_accessed": [
{"path": "/etc/config.json", "mode": "read"},
{"path": "/var/log/app.log", "mode": "write"}
],
"hypotheses_tested": [
{
"hypothesis_id": "hyp_001",
"result": "confirmed",
"evidence": "connect() to 192.168.1.100:8443 observed"
}
]
}
After dynamic analysis, record findings for episodic memory:
[BINARY-RE:dynamic] {filename} (sha256: {hash})
Execution method: {qemu-strace|qemu-gdb|frida|on-device}
DECISION: Approved execution with {sandbox_config} (rationale: {why_safe})
Runtime observations:
FACT: Binary reads {path} (source: strace openat)
FACT: Binary connects to {ip}:{port} (source: strace connect)
FACT: Binary writes to {path} (source: strace write)
FACT: Function {addr} receives args {values} at runtime (source: gdb)
Syscall summary:
Network: {socket|connect|send|recv counts}
File: {open|read|write|close counts}
Process: {fork|exec|clone counts}
HYPOTHESIS UPDATE: {confirmed or refined theory} (confidence: {new_value})
Confirmed by: {runtime observation}
Contradicted by: {if any}
New questions:
QUESTION: {runtime-discovered unknown}
Answered questions:
RESOLVED: {question} → {runtime evidence}
[BINARY-RE:dynamic] thermostat_daemon (sha256: a1b2c3d4...)
Execution method: qemu-strace
DECISION: Approved execution with network-blocked sandbox (rationale: static analysis shows outbound only, no server)
Runtime observations:
FACT: Binary reads /etc/thermostat.conf at startup (source: strace openat)
FACT: Binary attempts connect to 93.184.216.34:443 (source: strace connect)
FACT: Binary writes to /var/log/thermostat.log (source: strace openat O_WRONLY)
FACT: sleep(30) called between network attempts (source: strace nanosleep)
Syscall summary:
Network: socket(2), connect(1-blocked), send(0), recv(0)
File: openat(4), read(12), write(8), close(4)
Process: none
HYPOTHESIS UPDATE: Telemetry client confirmed - reads config, attempts HTTPS to thermco servers every 30s (confidence: 0.95)
Confirmed by: connect() to expected IP, sleep(30) timing, config file read
Contradicted by: none
Answered questions:
RESOLVED: "Does it actually phone home?" → Yes, connect() to 93.184.216.34:443 observed
RESOLVED: "What files does it access?" → /etc/thermostat.conf (read), /var/log/thermostat.log (write)
→ binary-re-synthesis to compile findings into report
→ Additional static analysis if new functions identified
→ Repeat with different inputs if behavior varies
Use when working with Payload CMS projects (payload.config.ts, collections, fields, hooks, access control, Payload API). Use when debugging validation errors, security issues, relationship queries, transactions, or hook behavior.