Fast binary analysis with string reconnaissance and static disassembly\ \ (RE Levels 1-2). Use when triaging suspicious binaries, extracting IOCs quickly,\ \ or performing initial malware analysis. Completes in \u22642 hours with automated\ \ decision gates."
Performs rapid binary triage through string reconnaissance and static disassembly to extract IOCs and identify malicious behavior within 2 hours.
/plugin marketplace add DNYoussef/context-cascade/plugin install dnyoussef-context-cascade@DNYoussef/context-cascadeThis skill is limited to using the following tools:
SKILL-meta.yamlresources/README.mdresources/scripts/ghidra-headless.shresources/scripts/ioc-extractor.jsresources/scripts/radare2-triage.pyresources/scripts/strings-analyzer.pyBefore writing ANY code, you MUST check:
.claude/library/catalog.json.claude/docs/inventories/LIBRARY-PATTERNS-GUIDE.mdD:\Projects\*| Match | Action |
|---|---|
| Library >90% | REUSE directly |
| Library 70-90% | ADAPT minimally |
| Pattern exists | FOLLOW pattern |
| In project | EXTRACT |
| No match | BUILD (add to library after) |
Use this skill when analyzing malware samples, reverse engineering binaries for security research, conducting vulnerability assessments, extracting IOCs from suspicious files, validating software for supply chain security, or performing CTF challenges and binary exploitation research.
Do NOT use for unauthorized reverse engineering of commercial software, analyzing binaries on production systems, reversing software without legal authorization, violating terms of service or EULAs, or analyzing malware outside isolated environments. Avoid for simple string extraction (use basic tools instead).
All reverse engineering findings MUST be validated through:
Performs rapid reverse engineering triage through two progressive levels:
Decision Gate: After Level 1, automatically evaluates if Level 2 is needed or if string analysis answered the question.
Timebox: ≤2 hours total
dot command)memory-mcp - Store findings across sessionsfilesystem - Access binaries and create outputsconnascence-analyzer - Analyze decompiled code qualitysequential-thinking - Decision gate reasoningNEVER execute unknown binaries on your host system!
All dynamic analysis and binary execution MUST be performed in:
--security-opt seccomp=unconfined)Consequences of unsafe execution:
Safe Practices:
# 1. Analyze suspicious binary (fastest path)
/re:quick malware.exe
# 2. String analysis only (Level 1, ≤30 min)
/re:quick suspicious.bin --level 1
# 3. Static analysis only (Level 2, 1-2 hrs)
/re:quick crackme.exe --level 2 --output ./analysis/
Auto-Decision: Skill will ask after Level 1: "Suspicious IOCs found. Proceed to Level 2?" (Yes/No/Auto)
# Invoke RE-String-Analyst agent via slash command
/re:strings binary.exe --min-length 10 --output re-project/artifacts/strings.json
What Happens:
strings.json with categorized IOCsExpected Output:
{
"binary": {"hash": "sha256:abc123...", "size": 1048576},
"iocs": [
"http://malicious-c2.tk/checkin",
"192.168.100.50",
"attacker@evil.com"
],
"urls": [...],
"file_paths": ["C:\\Windows\\System32\\malicious.dll"],
"crypto": ["AES-256-CBC"],
"analysis_time": "2025-11-01T10:15:00Z"
}
The skill will display:
Automated Evaluation (via sequential-thinking MCP):
QUESTION: "Should we proceed to Level 2 static analysis?"
FACTORS:
- Suspicious C2 domain found (malicious-c2.tk) ✅
- Hardcoded credential strings present ✅
- Obfuscation indicators (encoded strings) ✅
- User's analytical question answered? ❌ (need deeper analysis)
DECISION: ESCALATE TO LEVEL 2
User Override:
skip to exit after Level 1 (findings sufficient)continue to force Level 2 (even if not recommended)auto (default) to follow recommendation# Invoke RE-Disassembly-Expert agent via slash command
/re:static binary.exe --tool ghidra --decompile true --callgraph true
What Happens:
Timeline:
Output Structure:
re-project/
├── ghidra/
│ ├── binary.gpr # Ghidra project
│ ├── decompiled/
│ │ ├── main.c # Decompiled entry point
│ │ ├── check_auth.c # Authentication function
│ │ └── encrypt_data.c # Crypto function
│ ├── callgraphs/
│ │ └── main-callgraph.png # Call graph visualization
│ └── cfg/
│ └── main-cfg.dot # Control flow graph
├── notes/
│ ├── 001-strings-l1.md # Level 1 findings
│ └── 002-static-l2.md # Level 2 findings
└── artifacts/
├── strings.json # From Level 1
├── imports.txt # External library calls
└── suspicious-functions.txt # Flagged vulnerabilities
Automatically applies connascence-analyzer to decompiled C code:
Detects:
Sample Output:
CONNASCENCE VIOLATIONS:
- check_auth.c:45 - God Object (723 lines)
- encrypt_data.c:12 - Parameter Bomb (11 parameters)
- network_handler.c:89 - Deep Nesting (6 levels)
// Automatically stored by RE-Disassembly-Expert agent
mcp__memory-mcp__memory_store({
content: {
binary_hash: "sha256:abc123...",
level_completed: 2,
entry_point: "0x401000",
critical_functions: [
{name: "check_auth", address: "0x401234", decompiled: "check_auth.c"},
{name: "encrypt_data", address: "0x401567", decompiled: "encrypt_data.c"}
],
vulnerabilities: [
{type: "buffer_overflow", function: "read_input", severity: "HIGH"},
{type: "format_string", function: "log_message", severity: "MEDIUM"}
],
callgraph: "callgraphs/main-callgraph.png",
connascence_violations: 12
},
metadata: {
agent: "RE-Disassembly-Expert",
category: "reverse-engineering",
intent: "static-analysis",
layer: "long_term",
project: `binary-analysis-${date}`,
keywords: ["disassembly", "decompilation", "ghidra", "static"],
re_level: 2,
binary_hash: "sha256:abc123..."
}
})
# Extract shorter strings for small binaries
/re:strings tiny-binary.exe --min-length 4
# IOCs only (skip non-IOC strings)
/re:strings malware.bin --ioc-only
# Unicode strings only
/re:strings international-app.exe --encoding unicode
# Use radare2 instead of Ghidra (faster, less accurate)
/re:static binary.exe --tool radare2
# Use objdump (very fast, no decompilation)
/re:static binary.exe --tool objdump --decompile false
# Focus on specific functions
/re:static binary.exe --functions main,check_password,crypto_init
# Analyze multiple binaries (Level 1 only for speed)
find ./malware-samples/ -name "*.exe" | while read binary; do
/re:quick "$binary" --level 1 --store-findings true
done
# Cross-reference findings in memory-mcp
mcp__memory-mcp__vector_search({
query: "malicious-c2.tk", # Search for common IOC across all samples
limit: 100,
filter: {category: "reverse-engineering", re_level: 1}
})
If static analysis reveals interesting runtime behavior:
# After Level 2 completes, check recommendations
cat re-project/notes/002-static-l2.md
# If recommended: "Proceed to dynamic analysis"
/re:deep binary.exe --breakpoints 0x401234,0x401567
Automatic Handoff: The skill stores handoff data in memory-mcp:
{
key: "re-handoff/static-to-dynamic/${binary_hash}",
value: {
decision: "ESCALATE_TO_LEVEL_3",
entry_point: "0x401000",
critical_functions: ["check_password@0x401234"],
breakpoint_suggestions: ["0x401234", "0x401567"],
findings: {...}
}
}
# Export to JSON for threat intel platform
cat re-project/artifacts/strings.json | jq '.iocs[]' > iocs-export.txt
# Export decompiled code
tar -czf decompiled-code.tar.gz re-project/ghidra/decompiled/
# Generate executive summary
cat re-project/notes/002-static-l2.md
Symptoms: Skill exits immediately with cached results
Cause: SHA256 hash found in memory-mcp from prior analysis
Solution:
# Option 1: Use cached results (recommended if binary unchanged)
mcp__memory-mcp__vector_search({query: "sha256:abc123...", limit: 1})
# Option 2: Force re-analysis
/re:quick binary.exe --force-reanalyze true
Symptoms: "Ghidra headless not found" or timeout errors
Cause: Ghidra not installed or not in PATH
Solution:
# Install Ghidra
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/.../ghidra.zip
unzip ghidra.zip
export PATH=$PATH:/path/to/ghidra/support
# Verify installation
analyzeHeadless -help
# Alternative: Use radare2
/re:static binary.exe --tool radare2
Symptoms: strings.json contains 50,000+ strings, hard to analyze
Cause: Min string length too short for large binary
Solution:
# Increase min length automatically (skill does this by default)
# Or manually:
/re:strings large-binary.exe --min-length 15
# For firmware (very large)
/re:strings firmware.bin --min-length 20
Symptoms: Decompiled C code is unreadable or incorrect
Cause: Heavy obfuscation, packing, or custom compiler
Solution:
# Step 1: Check for packing
binwalk -E binary.exe # High entropy = likely packed
# Step 2: Unpack first (if packed)
upx -d binary.exe -o unpacked.exe
# Step 3: Re-run static analysis
/re:static unpacked.exe
# If still poor: Manual analysis needed or try different tool
/re:static binary.exe --tool ida-pro # If IDA Pro available
# Parallel string extraction for multiple encodings
strings -n 10 -e s binary.exe > ascii.txt &
strings -n 10 -e l binary.exe > unicode.txt &
wait
# Grep in parallel
grep -oE 'http[s]?://[^\s]*' ascii.txt > urls.txt &
grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' ascii.txt > ips.txt &
wait
# Use radare2 for speed (sacrifice accuracy)
/re:static binary.exe --tool radare2 # 3-5x faster than Ghidra
# Skip decompilation if only need CFG
/re:static binary.exe --decompile false --callgraph true
# Analyze only critical functions (from Level 1 findings)
/re:static binary.exe --functions check_password,validate_license
# Store Level 1 results immediately (fast, always cacheable)
# Level 1 completes in 10-15 min, cache for 30 days
# Store Level 2 results after completion
# Level 2 completes in 1-2 hrs, cache for 30 days
# Benefit: Second analysis of same binary takes <1 second
RE-String-Analyst (Level 1)
RE-Disassembly-Expert (Level 2)
code-analyzer (Level 2, automatic)
graph-analyst (Level 2, automatic)
/re:quick <binary> - Full Level 1+2 analysis (this skill's primary command)/re:strings <binary> - Level 1 only/re:static <binary> - Level 2 onlyReverse Engineering: Quick Triage operates on 3 fundamental principles:
80% of malware behavior is revealed through strings and static analysis without execution.
In practice:
Not every binary needs deep analysis - automated gates prevent over-analysis.
In practice:
Disassembly is for machines, decompiled C pseudo-code is for analysts.
In practice:
| Anti-Pattern | Problem | Solution |
|---|---|---|
| Immediately running Level 2 without Level 1 | Waste 1-2 hours on disassembly when strings would have answered question | ALWAYS run Level 1 first, check decision gate before escalating |
| Analyzing same binary multiple times | Redundant work, wasted analysis hours, inconsistent findings | Check memory-mcp for SHA256 hash before starting analysis |
| Using min-length=4 on large binaries | 50,000+ strings with massive noise, impossible to analyze | Use adaptive min-length (10-15 for normal, 20+ for firmware), enable --ioc-only filter |
| Skipping architecture detection | Ghidra fails to disassemble, CFG incomplete, decompilation garbage | Run file command first, verify architecture before loading into Ghidra |
| Not validating decompilation quality | False positives from obfuscation, incorrect conclusions, wasted follow-up | Check for packing with binwalk entropy, unpack before re-analyzing |
Reverse Engineering: Quick Triage is the first-responder skill for binary analysis - fast, focused, and decisive. By combining string reconnaissance (Level 1) with static disassembly (Level 2), this skill delivers actionable intelligence in under 2 hours, making it ideal for incident response, malware triage, and CTF challenges where speed matters.
The skill's automated decision gates ensure analysis effort matches threat severity. Simple malware with obvious C2 domains stops at Level 1, while sophisticated samples with obfuscation automatically escalate to Level 2 for deeper investigation. Integration with memory-mcp creates organizational memory - once a binary is analyzed, its findings are instantly retrievable by hash, preventing redundant analysis across teams.
Use this skill when you need rapid answers: Is this binary malicious? What C2 servers does it contact? Are there hardcoded credentials? What vulnerabilities does it exploit? The 2-hour timebox makes it suitable for high-velocity security operations where dozens of samples need daily triage. For samples requiring runtime analysis or input synthesis, the skill seamlessly hands off to Level 3-4 (reverse-engineering-deep) with pre-populated breakpoints and critical function addresses, maximizing overall analysis efficiency.
This skill should be used when the user asks to "create a hookify rule", "write a hook rule", "configure hookify", "add a hookify rule", or needs guidance on hookify rule syntax and patterns.
Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.