스킬 binary-re-dynamic-analysis

🔬

binary-re-dynamic-analysis

Name: binary-re-dynamic-analysis
Author: 2389-research

낮은 위험 ⚙️ 외부 명령어📁 파일 시스템 액세스

Analyze Binaries with Dynamic Runtime Tracing

Security researchers need to observe actual binary behavior at runtime, not just static code. This skill provides safe, sandboxed execution with QEMU emulation, GDB debugging, and Frida hooking to trace syscalls, inspect memory, and validate reverse engineering hypotheses.

지원: Claude Codex Code(CC)

⚠️ 66 나쁨

스킬 ZIP 다운로드

Claude에서 업로드

설정 → 기능 → 스킬 → 스킬 업로드로 이동

토글을 켜고 사용 시작

테스트해 보기

"binary-re-dynamic-analysis" 사용 중입니다. Run this binary with QEMU strace and tell me what files it accesses

예상 결과:

Executed binary using QEMU user-mode emulation with syscall tracing. Observed file access patterns:
- Read: /etc/config.json (configuration data)
- Write: /var/log/app.log (logging output)
- Read: /usr/lib/libssl.so (SSL library dependency)
No network syscalls detected. Binary appears to be a local configuration processor.

"binary-re-dynamic-analysis" 사용 중입니다. Use Frida to hook the authenticate() function and show me what password it checks

예상 결과:

Attached Frida to running binary and intercepted authenticate() function at offset 0x2a40. Captured argument at call time: password buffer contains "admin123". Function returns 1 (success) when this value matches, 0 otherwise. This appears to be a hardcoded authentication check.

"binary-re-dynamic-analysis" 사용 중입니다. Debug this binary with GDB and examine memory at the stack pointer when main() starts

예상 결과:

Started binary under QEMU with GDB server on port 1234. Set breakpoint at main() symbol. Execution paused at 0x000084c0. Stack pointer (sp) is at 0xbefff7a0. Memory dump shows:
0xbefff7a0: argc=2
0xbefff7a4: argv pointer
0xbefff7a8: environment variables
Stack is properly aligned for ARM ABI.

보안 감사

낮은 위험

v4 • 1/21/2026

This is a legitimate security research and reverse engineering skill for authorized binary analysis. All static findings are false positives related to documentation examples showing proper use of analysis tools. The skill requires explicit human approval before executing any binaries and emphasizes sandbox isolation. No malicious patterns detected.

스캔된 파일

1,912

분석된 줄 수

발견 사항

총 감사 수

낮은 위험 문제 (1)

SKILL.md:1-564

Documentation Contains Security Tool Examples

The skill documentation includes examples of using QEMU, GDB, Frida, and strace for binary analysis. These are legitimate security research tools used for authorized reverse engineering. The skill explicitly requires human approval before execution and emphasizes sandbox configuration. All flagged patterns are documentation examples, not executable code.

위험 요인

⚙️ 외부 명령어 (3)

SKILL.md:26-41 SKILL.md:73-107 SKILL.md:136-202

📁 파일 시스템 액세스 (2)

SKILL.md:144 SKILL.md:404-428

감사자: claude 감사 이력 보기 →

품질 점수

아키텍처

100

유지보수성

콘텐츠

커뮤니티

보안

사양 준수

만들 수 있는 것

Malware Analysis in Sandbox

Security analysts can safely execute suspicious binaries in isolated QEMU environments to observe network behavior, file modifications, and syscall patterns without risking the host system.

Cross-Architecture Firmware Debugging

Embedded systems developers can debug ARM or MIPS binaries on x86 development machines using QEMU emulation with GDB, eliminating the need for physical hardware during analysis.

Reverse Engineering Protected Binaries

Penetration testers can use Frida hooks to intercept cryptographic functions, authentication checks, and network protocols in compiled applications to understand their behavior and find vulnerabilities.

이 프롬프트를 사용해 보세요

Basic Syscall Trace

Use QEMU to run this ARM binary and trace all syscalls to identify what network connections it makes

Debug with Breakpoints

Start this binary under QEMU with GDB attached, set a breakpoint at address 0x8400, and show me the register state when it hits

Hook Network Functions

Create a Frida script to intercept all connect() calls in this binary and log the IP addresses and ports it tries to reach

Cross-Platform Container Execution

Run this ARM32 binary in a Docker container on macOS with platform emulation and capture all library loading events using LD_DEBUG

모범 사례

Always get explicit human approval before executing any binary and document the sandbox configuration being used
Start with QEMU syscall tracing before deeper analysis to understand high-level behavior safely
Use network isolation in sandbox environments when analyzing binaries with unknown network behavior

피하기

Running unknown binaries without sandbox isolation or on production systems
Attempting to use Frida with QEMU user-mode emulation (architecture mismatch will fail)
Using /tmp directory paths for Docker volume mounts on Colima (fails silently, use home directory instead)

자주 묻는 질문

Can this skill execute Windows PE binaries?

This skill focuses on Linux ELF binaries. For Windows PE analysis, you would need Wine or a Windows VM rather than QEMU user-mode emulation.

Is it safe to run malware with this skill?

The skill emphasizes sandbox isolation using QEMU, Docker, or nsjail. However, you must configure appropriate network isolation and get human approval before executing any suspicious binary.

Why does Frida not work with QEMU emulated binaries?

Frida requires native architecture execution to inject its agent. QEMU user-mode creates a different process space that Frida cannot attach to. Use on-device frida-server for cross-arch targets.

What sandbox configuration should I use for unknown binaries?

Start with QEMU user-mode which provides high isolation. Add network blocking, resource limits, and run as unprivileged user. Document your configuration and get approval before execution.

Can I debug ARM binaries on an x86 machine?

Yes, QEMU user-mode emulation allows running ARM binaries on x86 hosts. You can attach gdb-multiarch for debugging. On macOS, use Docker with platform emulation.

How do I handle anti-debugging techniques in binaries?

QEMU user-mode bypasses many anti-debug checks like ptrace detection and /proc inspection. For timing checks, use GDB or patch the detection code. The skill provides mitigation strategies in the documentation.

개발자 세부 정보

작성자

2389-research

라이선스

MIT

리포지토리

https://github.com/2389-research/claude-plugins/tree/main/binary-re/skills/dynamic-analysis

참조

main

파일 구조

📄 SKILL.md