# Analyze Binaries with Static RE Tools

Binary reverse engineering is difficult when functions, strings, imports, and data flow are scattered across tools. This skill gives Claude, Codex, and Claude Code a structured workflow for static analysis with radare2 and Ghidra.

## Install

```bash
npx skillstore add 2389-research/binary-re-static-analysis
```

## Metadata

- Status: approved
- Slug: 2389-research-binary-re-static-analysis
- Version: 1.0.0
- Author: 2389-research
- GitHub username: 2389-research
- License: MIT
- Repository: https://github.com/2389-research/claude-plugins/tree/main/binary-re/skills/static-analysis
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, filesystem
- Quality score: 72
- Public page: https://skillstore.pages.dev/skills/2389-research-binary-re-static-analysis
- Manifest: https://skillstore.pages.dev/api/skills/2389-research-binary-re-static-analysis/manifest

## Capabilities

- Selects light or deep static analysis based on binary size and investigation goals.
- Guides radare2 function enumeration, import mapping, string search, and cross-reference review.
- Provides targeted decompilation workflows using r2ghidra and Ghidra headless.
- Supports control-flow and call-graph extraction for selected functions.
- Suggests patterns for tracing network calls, configuration access, and cryptographic routines.
- Defines structured notes for functions, hypotheses, data flow, and unresolved questions.

## Use Cases

- Map Unknown Firmware Binaries: Identify functions, imports, strings, and architecture-specific analysis settings before deeper investigation.
- Triage Suspected Malware Statically: Trace network APIs, configuration paths, crypto routines, and call chains without initially running the sample.
- Explain Decompiled Functions: Use targeted decompilation and cross-references to explain what selected functions do and how they connect.

## Prompt Templates

### Start Static Triage

```
Analyze this binary statically. Start with architecture-aware function enumeration, imports, strings, and high-value functions to inspect next.
```

### Trace a Function

```
Use static analysis to explain the target function. Include callers, callees, referenced strings, local variables, and a confidence-rated behavior summary.
```

### Find Network Behavior

```
Trace network-related imports and strings. Map caller chains, likely endpoints, request construction, and any unresolved data-flow questions.
```

### Build a Static Analysis Report

```
Produce a static analysis report with functions analyzed, call graph highlights, data-flow hypotheses, confidence levels, and next dynamic checks.
```

## Limitations

- It depends on external tools such as radare2, r2ghidra, Ghidra, Docker, QEMU, jq, and grep.
- It does not replace dynamic analysis when behavior depends on runtime state or environment checks.
- It may be slow or incomplete for very large, packed, obfuscated, or self-modifying binaries.
- It requires analyst judgment before executing unknown binaries or installing analysis plugins.

## Best Practices

- Analyze untrusted binaries in an isolated environment with explicit approval before any execution.
- Record facts, hypotheses, confidence levels, and command sources separately.
- Start with broad enumeration, then decompile only the functions that answer the investigation question.

## Anti Patterns

- Running unknown binaries natively before static triage and approval.
- Using deep analysis on large binaries before narrowing the target functions.
- Treating decompiler output as ground truth without checking disassembly and cross-references.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-27T16:06:22.976+00:00
- Summary: Static findings for external commands are mostly true positives as tool-invocation guidance, but they are not evidence of malicious code in the skill. The skill legitimately supports reverse engineering with radare2, Ghidra, QEMU, Docker, shell loops, and temporary project files; this creates elevated operational risk when analyzing untrusted binaries. No prompt injection, credential exfiltration, hidden network beaconing, or malicious intent was found in SKILL.md.

## Stats

- Views: 177
- Downloads: 8
- Favorites: 0
- Popularity score: 0
