Skill

binary-analysis

Analyzes Windows PE binaries (exe, dll, sys, bin) for malware via Ghidra decompilation, string/import/export extraction, and sandbox threat assessment.

security

npx claudepluginhub DeepBitsTechnology/claude-plugins --plugin drbinary-chat-plugin

Tool Access

This skill uses the workspace's default tool permissions.

Preview

This skill enables deep analysis of suspicious binary files using remote Ghidra tools and sandbox environments. You HAVE TO upload binary files to the remote first before calling any Ghidra or sandbox tools.

SKILL.md

Similar Skills

binary-triage

Performs initial binary triage surveying memory layout, strings, imports/exports, and functions to understand behavior and flag suspicious activity like unusual sections or malicious APIs.

asi

reverse-engineering-malware-with-ghidra

5.9k

Reverse engineers malware binaries with Ghidra to analyze logic, crypto routines, C2 protocols, evasion at assembly/pseudo-C level. For post-triage disassembly, decompilation, binary analysis.

3 files

cybersecurity-skills

binary-re:static-analysis

Performs deep static binary analysis using radare2 and Ghidra for function enumeration, disassembly, decompilation, xrefs, and control flow graphs. Use for reverse engineering binaries without execution.

binary-re

Stats

Parent Repo Stars19

Parent Repo Forks0

Last CommitNov 6, 2025

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Binary Analysis

When to Use This Skill

Use this skill when you need to:

Analyze suspicious executable files (.exe, .dll, .sys)
Decompile binaries to understand their behavior
Extract strings, imports, and exports from files
Identify malware capabilities and techniques
Perform static analysis on unknown binaries
Investigate potential trojans, ransomware, or other malware
Generate threat assessment reports

Workflow

Step 1: Perform Analysis

Use available Ghidra MCP tools to analyze the uploaded binary:

Decompilation: Convert assembly to pseudo-C code
String Analysis: Extract readable strings for IoC identification
Import/Export Analysis: Identify API calls and dependencies
Function Analysis: Map out program logic and control flow
Behavioral Indicators: Identify suspicious patterns (registry manipulation, network calls, process injection)

Step 2: Generate Report

Provide a comprehensive analysis including:

File metadata (size, hash, compilation timestamp)
Identified capabilities (network, file system, registry, process manipulation)
Suspicious indicators
Malware classification (if applicable)
Recommended actions

Analysis Techniques

Static Analysis

PE header examination
Section analysis (.text, .data, .rdata, .rsrc)
Import Address Table (IAT) review
String artifact extraction
Code signature verification

Behavioral Indicators

Look for:

Anti-debugging techniques
Obfuscation/packing
Suspicious API calls (CreateRemoteThread, WriteProcessMemory, etc.)
Network communication patterns
Persistence mechanisms
Privilege escalation attempts

Malware Classification

Common categories:

Trojan/RAT (Remote Access Trojan)
Ransomware
Adware/PUP (Potentially Unwanted Program)
Rootkit
Worm
Spyware
Browser hijacker

Safety Considerations

Never execute the binary on local system
All analysis occurs in remote sandbox environment
Files are automatically isolated
Use Ghidra static analysis tools only
Document all findings for incident response

Output Format

## Binary Analysis Report

**File Information**
- Name: [filename]
- Size: [bytes]
- MD5: [hash]
- SHA256: [hash]

**Analysis Summary**
[Brief overview of findings]

**Detailed Findings**
1. [Finding category]
   - Evidence: [specific data]
   - Significance: [what it means]

**Threat Assessment**
- Severity: [Critical/High/Medium/Low]
- Classification: [malware type]
- Confidence: [High/Medium/Low]

**Recommendations**
1. [Action item]
2. [Action item]

Example Usage

User: "I found a suspicious file called setup_installer.exe. Can you analyze it?"

Response:

Run Ghidra analysis on the full local path of setup_installer.exe
Extract strings, imports, and decompiled code
Identify malicious behavior (if any)
Provide detailed report with recommendations