Use when ready to document findings, generate a report, or summarize binary analysis results. Compiles analysis findings into structured reports - correlates facts from triage/static/dynamic phases, validates hypotheses, generates documentation with evidence chains. Keywords - "summarize findings", "generate report", "document analysis", "what did we find", "write up results", "export findings"
Compiles analysis findings into structured reports - correlates facts from triage/static/dynamic phases, validates hypotheses, generates documentation with evidence chains. Use when ready to document findings, generate a report, or summarize binary analysis results.
/plugin marketplace add 2389-research/claude-plugins/plugin install binary-re@2389-research-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Compile all gathered knowledge into actionable intelligence. Validate hypotheses against evidence. Produce structured reports with traceable findings.
Gather all recorded knowledge:
FACTS collected:
- From triage: arch, ABI, dependencies, capabilities
- From static: functions, xrefs, decompilation
- From dynamic: syscalls, network, file access
HYPOTHESES formed:
- With supporting evidence
- With contradicting evidence
- Unresolved hypotheses
QUESTIONS remaining:
- Blocking questions (prevent conclusion)
- Open questions (future investigation)
For each hypothesis, determine status:
| Evidence State | Status | Action |
|---|---|---|
| Strong support, no contradictions | Confirmed | Include in conclusions |
| Some support, some contradictions | Uncertain | Document both sides |
| Strong contradictions | Refuted | Explain why wrong |
| No evidence either way | Unvalidated | List as unknown |
Connect findings across phases:
Static finding: Function at 0x8400 calls socket(), connect(), SSL_read()
Dynamic finding: connect() to 192.168.1.100:8443 observed
Strings found: "api.vendor.com/telemetry"
CORRELATED CONCLUSION:
Function 0x8400 is network initialization for telemetry submission
to api.vendor.com:8443 over TLS.
Summarize what the binary CAN do:
## Capabilities
### Network
- [x] HTTP/HTTPS client (libcurl, libssl imports)
- [x] Custom TCP connections (socket/connect observed)
- [ ] Server functionality (no bind/listen/accept)
### File System
- [x] Read configuration (/etc/config.json accessed)
- [x] Write logs (/var/log/app.log)
- [ ] Execute other programs (no exec* calls)
### Cryptography
- [x] TLS encryption (SSL_* imports)
- [ ] Symmetric encryption (no AES/DES imports)
- [ ] Hashing (no SHA*/MD5 imports)
Document observed/inferred behavior:
## Behavioral Analysis
### Startup Sequence
1. Load configuration from /etc/config.json
2. Initialize network subsystem (function 0x8400)
3. Establish TLS connection to api.vendor.com:8443
4. Enter main loop (function 0x10800)
### Main Loop Behavior
- Polls sensor data every 30 seconds (timing from sleep() calls)
- Formats data as JSON (jsmn library identified)
- Submits via HTTPS POST
- Logs results to /var/log/app.log
### Error Handling
- Network failures: retry with exponential backoff
- Config errors: exit with code 1
- Unknown errors: continue with default values
# Binary Analysis Report
## Executive Summary
[2-3 sentence overview of what was found]
## Artifact Information
| Property | Value |
|----------|-------|
| Filename | [name] |
| SHA256 | [hash] |
| Architecture | [arch] |
| Libc | [glibc/musl/uclibc] |
| Stripped | [yes/no] |
| Analysis Date | [date] |
| Analyst | [human + Claude] |
## Identification
**File Type:** ELF [32/64]-bit [LSB/MSB] [executable/shared object]
**Purpose (Hypothesis):** [What we believe this binary does]
**Confidence:** [High/Medium/Low] - [Brief justification]
## Capabilities Summary
### Confirmed Capabilities
- [Capability 1] - Evidence: [source]
- [Capability 2] - Evidence: [source]
### Potential Capabilities (Unverified)
- [Capability] - Reason: [why suspected]
## Technical Findings
### Key Functions
| Address | Inferred Name | Purpose | Confidence |
|---------|---------------|---------|------------|
| 0x8400 | network_init | Initialize network connection | High |
| 0x9200 | parse_config | Parse JSON configuration | Medium |
| 0x10800 | main_loop | Main execution loop | High |
### External Communications
| Destination | Port | Protocol | Purpose |
|-------------|------|----------|---------|
| api.vendor.com | 8443 | HTTPS | Telemetry submission |
### File System Access
| Path | Access | Purpose |
|------|--------|---------|
| /etc/config.json | Read | Configuration |
| /var/log/app.log | Write | Logging |
## Evidence Log
### Confirmed Hypotheses
**H1: Binary is a telemetry client**
- Status: CONFIRMED
- Supporting evidence:
- Import of libcurl (HTTP client)
- String "telemetry" found at 0x12340
- connect() to api.vendor.com:8443 observed
- Contradicting evidence: None
### Refuted Hypotheses
**H2: Binary acts as server**
- Status: REFUTED
- Reason: No bind/listen/accept imports or calls observed
### Unresolved Questions
- Q1: What triggers telemetry submission? (Timing or event-based?)
- Q2: What data is collected? (Need deeper dynamic analysis)
## Recommendations
### For Security Review
- [ ] Verify TLS certificate validation
- [ ] Check for hardcoded credentials
- [ ] Audit data collection scope
### For Further Analysis
- [ ] Capture network traffic during execution
- [ ] Analyze configuration format in detail
- [ ] Test behavior with malformed config
## Appendices
### A. Tool Outputs
[Truncated raw outputs from key analysis steps]
### B. Timeline
[Chronological log of analysis steps taken]
### C. File Hashes
[SHA256 of all analyzed files]
Use consistent confidence levels:
| Level | Meaning | Evidence Required |
|---|---|---|
| High | Near certain | Multiple independent sources confirm |
| Medium | Likely correct | Some evidence, no contradictions |
| Low | Possible | Limited evidence, some uncertainty |
| Speculative | Guess | Based on patterns, not direct evidence |
Before finalizing report:
After synthesis, record final summary for episodic memory:
[BINARY-RE:synthesis] {filename} (sha256: {hash})
Analysis completed: {date}
Phases completed: {triage|static|dynamic|synthesis}
=== FINAL CONCLUSIONS ===
Primary purpose: {what binary does}
Confidence: {HIGH|MEDIUM|LOW}
Confirmed hypotheses:
CONFIRMED: {hypothesis} (evidence: {facts})
Refuted hypotheses:
REFUTED: {hypothesis} (reason: {contradicting evidence})
Key capabilities:
- {capability}: {evidence summary}
Security findings:
{CRITICAL|HIGH|MEDIUM|LOW}: {finding} (location: {addr/function})
Remaining unknowns:
UNRESOLVED: {question}
Recommendations:
- {actionable recommendation}
=== EVIDENCE INDEX ===
Facts: {count} recorded across phases
Hypotheses: {confirmed}/{total}
Questions: {answered}/{total}
[BINARY-RE:synthesis] thermostat_daemon (sha256: a1b2c3d4...)
Analysis completed: 2024-01-15
Phases completed: triage, static, dynamic, synthesis
=== FINAL CONCLUSIONS ===
Primary purpose: IoT telemetry client that reports temperature/humidity to vendor cloud
Confidence: HIGH
Confirmed hypotheses:
CONFIRMED: "Telemetry client reporting to api.thermco.com" (evidence: URL string, curl imports, connect() observed)
CONFIRMED: "30-second reporting interval" (evidence: sleep(30) in main loop, strace timing)
Refuted hypotheses:
REFUTED: "May have local web server" (reason: no bind/listen/accept imports or calls)
Key capabilities:
- HTTPS client: libcurl + libssl, connects to api.thermco.com:443
- Config parsing: reads /etc/thermostat.conf at startup
- Logging: writes to /var/log/thermostat.log
Security findings:
LOW: No certificate pinning detected (standard libssl usage)
INFO: Config file may contain API credentials (needs review)
Remaining unknowns:
UNRESOLVED: Exact data fields in telemetry payload
UNRESOLVED: Authentication mechanism (API key location)
Recommendations:
- Review /etc/thermostat.conf for sensitive data
- Monitor network traffic to confirm payload contents
- Consider blocking if telemetry is unwanted
=== EVIDENCE INDEX ===
Facts: 23 recorded across phases
Hypotheses: 2/3 confirmed
Questions: 4/6 answered
{
"artifact": { "sha256": "...", "arch": "arm" },
"conclusions": [
{
"statement": "Binary is telemetry client",
"confidence": 0.9,
"evidence": ["fact_001", "fact_012", "obs_003"]
}
],
"capabilities": {
"network_client": true,
"network_server": false
},
"open_questions": ["Q1: Trigger mechanism"]
}
See template above.
If binary is potentially malicious, format findings for sharing:
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--...",
"name": "telemetry-client",
"malware_types": ["spyware"],
"capabilities": ["exfiltrates-data"],
"implementation_languages": ["c"]
}
After synthesis:
Use when working with Payload CMS projects (payload.config.ts, collections, fields, hooks, access control, Payload API). Use when debugging validation errors, security issues, relationship queries, transactions, or hook behavior.