# Analyze Runtime Behavior in Binaries

Dynamic binary analysis is risky and hard to document consistently. This skill guides controlled execution, tracing, debugging, and evidence capture for reverse-engineering work.

## Install

```bash
npx skillstore add 2389-research/binary-re-dynamic-analysis
```

## Metadata

- Slug: 2389-research-binary-re-dynamic-analysis
- Version: 1.0.0
- Author: 2389-research
- GitHub username: 2389-research
- License: MIT
- Repository: https://github.com/2389-research/claude-plugins/tree/main/binary-re/skills/dynamic-analysis
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: high
- Risk factors: external_commands, network, filesystem
- Quality score: 38
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/2389-research-binary-re-dynamic-analysis
- Manifest: https://skillstore.pages.dev/api/skills/2389-research-binary-re-dynamic-analysis/manifest

## Capabilities

- Plans human-approved dynamic analysis before any binary execution.
- Guides QEMU user-mode execution with syscall tracing for ARM and ARM64 targets.
- Shows GDB and gdb-multiarch workflows for breakpoints, registers, stack, and memory inspection.
- Explains Frida hooks for function interception and runtime memory inspection.
- Documents Docker and on-device workflows for cross-architecture or device-specific analysis.
- Provides structured formats for syscall summaries, observations, hypotheses, and journal entries.

## Use Cases

- Map Unknown Binary Behavior: Trace syscalls, file access, process activity, and network attempts while preserving an evidence trail.
- Debug Cross-Architecture Firmware Samples: Run ARM or ARM64 binaries from a Linux or macOS workstation using QEMU, Docker, and gdb-multiarch.
- Validate Static Analysis Hypotheses: Confirm suspected functions, anti-debug behavior, and runtime connections with controlled tracing and hooks.

## Prompt Templates

### Prepare a Safe Run Plan

```
Create a dynamic analysis plan for this binary. Include required approvals, sandbox settings, network isolation, commands to run, and evidence to capture.
```

### Trace Runtime Behavior

```
Use the dynamic analysis workflow to design a QEMU or strace run. Focus on files, processes, network calls, exit code, and suspicious runtime behavior.
```

### Debug a Specific Function

```
Plan a GDB session for this binary and suspected function. Include breakpoints, register inspection, stack inspection, memory dumps, and stopping conditions.
```

### Compare Runtime Evidence to Hypotheses

```
Review these runtime observations and update the analysis hypotheses. Separate confirmed facts, contradicted assumptions, unresolved questions, and follow-up experiments.
```

## Limitations

- It is guidance only and does not provide an automated sandbox or enforcement layer.
- Execution safety depends on the user validating isolation, network controls, and target authorization.
- Frida cannot instrument a process emulated under QEMU user mode; it needs either a target that runs natively on the analysis host or a frida-server running on the device itself.
- Some examples require installed tools such as QEMU, GDB, Docker, nsjail, Frida, r2, jq, SSH, and strace.

## Best Practices

- Get explicit human approval before executing any sample or attaching to a target device.
- Use network isolation, timeouts, resource limits, and read-only mounts before collecting runtime evidence.
- Record commands, sandbox settings, observations, and confidence changes immediately after each experiment.
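The following is an added example (not code from the skill or its repository) that ties the QEMU syscall-tracing capability and the structured syscall summary from Capabilities to the isolation rules above. `build_sandbox_argv` assembles a `docker run` with no network, a read-only rootfs, all capabilities dropped, memory and pid limits and a hard `timeout` around `qemu-arm-static -strace`; `summarize_trace` then reduces the trace to files, processes, network attempts and exit codes, and `observations` prints them as journal-ready facts. Assumptions, all hypothetical: a multiarch image named `re-sandbox` that carries `qemu-arm-static` and coreutils `timeout`, absolute host paths, and GNU `strace -f` line syntax for the trace (QEMU's `-strace` output is close but not identical, so check the parser against a real capture before trusting its counts). The sample trace is constructed, not captured.

```python
"""Isolated qemu-user run plan plus a syscall-trace summary.
Added example for this listing page, not code from the skill. Assumed
(hypothetical): a multiarch image `re-sandbox` with qemu-arm-static and
coreutils `timeout`; absolute host paths; GNU strace line syntax."""
import re
from collections import Counter
from dataclasses import dataclass, field


def build_sandbox_argv(sample_dir, sample_name, evidence_dir, seconds=60,
                       image="re-sandbox"):
    """No network, read-only rootfs, no caps, memory/pid limits, hard
    timeout. Only /evidence is writable, so the trace survives."""
    return [
        "docker", "run", "--rm",
        "--network", "none",  # egress blocked: every connect() fails
        "--read-only", "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",
        "--cap-drop", "ALL", "--security-opt", "no-new-privileges",
        "--memory", "256m", "--pids-limit", "64",
        "-v", f"{sample_dir}:/sample:ro", "-v", f"{evidence_dir}:/evidence:rw",
        image, "timeout", "--signal=KILL", str(seconds),
        "qemu-arm-static", "-strace", "-D", "/evidence/trace.log",
        f"/sample/{sample_name}",
    ]

# Line shapes: optional "[pid N]" / "N " prefix, then call(args) = ret [errno]
_PREFIX = re.compile(r"^(?:\[pid\s+(\d+)\]\s*|(\d+)\s+)?(.*)$")
_CALL = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+|\?)\s*(.*)$")
_EXIT = re.compile(r"^\+\+\+ exited with (\d+) \+\+\+$")
_QUOTED = re.compile(r'"([^"]*)"')
_PORT = re.compile(r"htons\((\d+)\)")
_ADDR = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6,\s*"([^"]+)"')
_ERRNO = re.compile(r"\b(E[A-Z0-9]+)\b")
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT")


@dataclass
class SyscallSummary:
    counts: Counter = field(default_factory=Counter)
    files_read: set = field(default_factory=set)
    files_written: set = field(default_factory=set)
    execs: list = field(default_factory=list)     # (pid, path, result)
    network: list = field(default_factory=list)   # connect/sendto/bind
    exits: dict = field(default_factory=dict)     # pid or "main" -> status
    unparsed: list = field(default_factory=list)  # kept, never dropped


def summarize_trace(text):
    """Reduce a trace to files, processes, network attempts, exit codes."""
    s = SyscallSummary()
    for raw in filter(None, map(str.strip, text.splitlines())):
        pid1, pid2, body = _PREFIX.match(raw).groups()
        pid = pid1 or pid2 or "main"
        if ex := _EXIT.match(body):
            s.exits[pid] = int(ex.group(1))
            continue
        if not (c := _CALL.match(body)):  # signals, <unfinished ...>
            s.unparsed.append(raw)
            continue
        name, args, ret, rest = c.groups()
        s.counts[name] += 1
        err = _ERRNO.search(rest)
        path = _QUOTED.search(args)
        if name in ("open", "openat", "creat") and path:
            writes = name == "creat" or any(f in args for f in WRITE_FLAGS)
            (s.files_written if writes else s.files_read).add(path.group(1))
        elif name == "execve":
            s.execs.append((pid, path.group(1) if path else "?", ret))
        elif name in ("connect", "sendto", "bind"):
            port, addr = _PORT.search(args), _ADDR.search(args)
            s.network.append({
                "call": name, "pid": pid,
                "addr": next((g for g in addr.groups() if g), None) if addr else None,
                "port": int(port.group(1)) if port else None,
                "result": err.group(1) if err else "ok",
            })
    return s


def observations(s):
    """Journal-ready lines: observed facts only; hypotheses go elsewhere."""
    top = ", ".join(f"{k}={v}" for k, v in s.counts.most_common(5))
    out = [f"syscalls: {sum(s.counts.values())} ({top})"]
    out += [f"read: {p}" for p in sorted(s.files_read)]
    out += [f"wrote: {p}" for p in sorted(s.files_written)]
    out += [f"exec[{pid}]: {path} -> {ret}" for pid, path, ret in s.execs]
    out += [f"{n['call']}[{n['pid']}]: {n['addr']}:{n['port']} -> {n['result']}"
            for n in s.network]
    out += [f"exit[{pid}]: {code}" for pid, code in s.exits.items()]
    return out


# Constructed sample trace in strace -f syntax, not a real capture.
SAMPLE_TRACE = """\
execve("/sample/agent", ["/sample/agent"], 0x7ffc9c1a3c48 /* 8 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
openat(AT_FDCWD, "/tmp/.x", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 4
connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 ENETUNREACH (Network is unreachable)
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f2a1c0009d0) = 2301
[pid  2301] execve("/bin/sh", ["sh", "-c", "uname -a"], 0x55d1e8c0 /* 8 vars */) = 0
[pid  2301] +++ exited with 0 +++
+++ exited with 1 +++
"""
```

Pass the argv to `subprocess.run` only after the human approval step; with `--network none` every outbound attempt is recorded as `ENETUNREACH`, which is exactly the evidence the run plan wants (the destination and port are still captured), and a run that needs a completed handshake belongs on an isolated lab network with a sinkhole, not on the host's network. Lines the parser does not understand are kept in `unparsed` rather than dropped, so a gap in the summary is visible in the journal instead of silently missing.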

## Anti Patterns

- Do not run unknown binaries directly on a host workstation without isolation.
- Do not use privileged Docker or on-device debugging on systems that contain sensitive data.
- Do not treat sample IP addresses, paths, or journal examples as proof without runtime evidence.

## Security Audit

- Safe to publish: false
- Audited at: 2026-06-27T16:03:16.546+00:00
- Summary: Static findings are mostly true positives because the skill intentionally documents commands that execute binaries, start privileged Docker containers, attach debuggers, trace processes, and read runtime files. Several IP address and log path alerts are false positives because they appear in example output, not active code. No prompt injection or confirmed malicious intent was found, but publication should require strong warnings and reviewer approval.

## Stats

- Views: 175
- Downloads: 10
- Favorites: 0
- Popularity score: 0
