From drbinary-chat-plugin
Analyze binary files (exe, dll, elf, apk) for malware assessment using static analysis, decompilation, and string/import/export extraction. Useful for security investigations and threat intelligence.
Slash command: /drbinary-chat-plugin:binary-analysis
This skill performs deep analysis of suspicious binaries using the remote Dr. Binary MCP server. The server runs analysis remotely and has no access to your local filesystem, so a local file must first be uploaded into the remote workspace before any analysis tool can read it.
The upload is done with a short-lived curl command that you (Claude) run from your own shell via the Bash tool — the file's bytes stream directly to the server and never pass through the model context.
Use this skill when you need to:
Call prepare_upload with the name to store the file under. It returns a ready-to-run curl command containing a single-use upload link (valid for 10 minutes), with an <ABSOLUTE_LOCAL_PATH> placeholder.
prepare_upload(file_name="suspicious.exe")
Run the returned command yourself with the Bash tool, substituting <ABSOLUTE_LOCAL_PATH> with the absolute path to the local file. Do not print the command for the user to run — execute it directly. For example:
curl -f -F 'file=@/Users/me/Downloads/suspicious.exe' 'https://chat.deepbits.com/api/workspace/upload?upload_token=...'
On success the file is stored in the remote workspace under the chosen filename. The sandbox/analysis CWD is the workspace root, so you can refer to the file by its bare filename (e.g. suspicious.exe) in subsequent tool calls.
If the upload fails (expired or already-used token), call prepare_upload again to mint a fresh link. Because of -f, curl exits nonzero (exit code 22) on an HTTP error instead of printing the server's error body as if the upload had succeeded, so check the exit status rather than the output. The upload_token in the URL is a credential: it is single-use and expires after 10 minutes, but still keep it out of logs and transcripts.
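The three upload steps above, worked as a helper script. This is an added example, not code from the drbinary-chat-plugin skill or the Dr. Binary server. It assumes the template returned by prepare_upload has the shape shown on this page (a curl invocation whose -F argument reads 'file=@<ABSOLUTE_LOCAL_PATH>'); the SAMPLE_TEMPLATE token and the sample bytes are constructed. The helper validates the local path before the single-use token is spent, builds an argv (no shell, so the path needs no quoting), and computes the size/MD5/SHA256 the report's File Information block asks for.

```python
"""Added example, not code from the drbinary-chat-plugin skill or the Dr. Binary
server: turn the curl template returned by prepare_upload into a safe argv and
collect the hashes the report's File Information block needs.

Assumptions (labelled): the template has the shape shown on this page, i.e. a
curl invocation whose -F argument reads 'file=@<ABSOLUTE_LOCAL_PATH>'. The
template below carries a made-up token and the sample bytes are constructed."""
import hashlib
import os
import shlex
import subprocess
import tempfile

PLACEHOLDER = "<ABSOLUTE_LOCAL_PATH>"

# Leading bytes of the formats the skill targets (exe/dll = PE, elf, apk = zip).
MAGICS = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip/apk")]

# Constructed stand-in for prepare_upload's output; a real token is secret.
SAMPLE_TEMPLATE = ("curl -f -F 'file=@<ABSOLUTE_LOCAL_PATH>' "
                   "'https://chat.deepbits.com/api/workspace/upload?upload_token=EXAMPLE'")


def detect_format(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no magic matches."""
    for magic, name in MAGICS:
        if head.startswith(magic):
            return name
    return "unknown"


def build_upload_argv(template: str, local_path: str) -> list:
    """Substitute the placeholder and return an argv list for subprocess.

    Every check runs before the network call, so a bad path does not burn the
    single-use token. ';' is rejected because curl -F treats it as the start
    of a per-part option (e.g. ';type=')."""
    if not os.path.isabs(local_path):
        raise ValueError(f"path must be absolute: {local_path!r}")
    if not os.path.isfile(local_path):
        raise ValueError(f"no such file: {local_path!r}")
    if ";" in local_path:
        raise ValueError("path contains ';', which curl -F would misparse")
    if PLACEHOLDER not in template:
        raise ValueError("template lacks the <ABSOLUTE_LOCAL_PATH> placeholder")
    argv = shlex.split(template)  # honours the template's single quotes
    return [arg.replace(PLACEHOLDER, local_path) for arg in argv]


def run_upload(argv: list) -> bool:
    """Execute the upload without a shell. With -f, curl exits 22 on an HTTP
    error (expired or already-used token): return False so the caller can
    call prepare_upload again. Not invoked by the tests (needs network)."""
    completed = subprocess.run(argv, capture_output=True)
    return completed.returncode == 0


def file_hashes(path: str) -> dict:
    """Size, MD5, SHA256 and detected format for the report header."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        head = fh.read(4)
        fh.seek(0)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "format": detect_format(head)}


def make_sample_file(data: bytes) -> str:
    """Write constructed bytes to a temp file and return its absolute path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = make_sample_file(b"MZ\x90\x00" + b"\x00" * 60)  # constructed PE-like stub
    print(file_hashes(sample))
    # Show the argv with the token masked; never echo the real link into a transcript.
    print([a.split("upload_token=")[0] + "upload_token=***" if "upload_token=" in a else a
           for a in build_upload_argv(SAMPLE_TEMPLATE, sample)])
```

run_upload passes the argv straight to subprocess rather than through a shell, which is why the path needs no quoting and why a nonzero curl exit is the only failure signal you need to look at before calling prepare_upload again.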
**inspect_binary**
Call inspect_binary with the stored filename for fast, lightweight triage (powered by rz-bin / Rizin). It returns bounded file info, entrypoints, sections, imports, exports, linked libraries, symbol-derived functions, and strings, without full decompilation.
inspect_binary(filepath="suspicious.exe")
Use this first to understand what the file is before deciding where to dig deeper.
**run_sandbox + Rizin**
For focused, deeper analysis, use run_sandbox to execute Rizin commands against the workspace file:
run_sandbox(command="rizin -qc '<rizin commands>' suspicious.exe")
Useful rizin -qc command strings (separate multiple with ;):
Useful rizin -qc command strings (separate multiple with ;):
- aaa; afl: analyze all, then list functions
- aaa; pdf @ main: disassemble the main function (pdf prints disassembly; for decompiled C across all functions use dump_data, described below)
- iz: strings in data sections; izz: strings in the whole file
- ii: imports; iE: exports; is: symbols
- ie: entrypoints; iS: sections; iI: binary info
Append j to any of the i-commands (iij, izj, iSj) to get JSON instead of the table layout, which is easier to post-process.
The sandbox image also includes radare2, binwalk, xxd, clang, python3 (with angr, pwntools, qiling), qemu (for qemu-{arch} -strace ...), apktool, jadx, and more; use run_sandbox for any of these when triage points to a specific need. run_sandbox takes an optional timeout (default 120s, max 600s); raise it when running aaa on a large binary, since full analysis can exceed the default.
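A first-pass triage over rizin's JSON output, as an added example that is not part of the skill or of Dr. Binary. It assumes two sandbox runs, run_sandbox(command="rizin -qc 'iij' suspicious.exe") for imports and run_sandbox(command="rizin -qc 'izj' suspicious.exe") for strings, and that rizin's import objects carry a "name" key and its string objects a "string" key (the code tolerates a missing key). The indicator lists are this example's own heuristics for the import/string categories a malware triage usually starts from, not a list the skill defines, and both JSON samples are constructed, not real tool output. The result tells you which functions to point pdf and dump_data at next.

```python
"""Added example, not code from the drbinary-chat-plugin skill or Dr. Binary:
score rizin's iij (imports) and izj (strings) JSON to decide where to dig.

Assumptions (labelled): import objects have a "name" key, string objects have a
"string" key; the indicator tables are this example's own heuristics; the two
SAMPLE_* documents are constructed and do not come from a real binary."""
import json
import re

# Heuristic API groupings (example's own, not the skill's).
INDICATORS = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtCreateThreadEx", "QueueUserAPC", "SetThreadContext"},
    "persistence": {"RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW"},
    "network": {"InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA",
                "HttpSendRequestA", "WSAStartup", "connect", "send", "recv"},
    "anti-analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "OutputDebugStringA"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

# String patterns worth pulling out as IOCs or behaviour hints.
STRING_PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "shell": re.compile(r"(?:cmd\.exe\s*/c|powershell(?:\.exe)?\s+-)", re.IGNORECASE),
}


def _import_name(entry: dict) -> str:
    """Bare API name; also tolerate a 'KERNEL32.dll_VirtualAlloc' style name."""
    name = entry.get("name", "")
    lib, sep, rest = name.partition("_")
    return rest if sep and lib.lower().endswith(".dll") else name


def triage(imports_json: str, strings_json: str) -> dict:
    """Return matched API categories, extracted IOC strings and follow-up notes."""
    imports = [_import_name(e) for e in json.loads(imports_json)]
    strings = [e.get("string", "") for e in json.loads(strings_json)]

    categories = {}
    for category, apis in INDICATORS.items():
        hits = sorted(set(imports) & apis)
        if hits:
            categories[category] = hits

    iocs = {}
    for kind, pattern in STRING_PATTERNS.items():
        found = sorted({m.group(0) for s in strings for m in pattern.finditer(s)})
        if found:
            iocs[kind] = found

    notes = []
    if len(imports) < 10 and {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"} & set(imports):
        notes.append("tiny import table with LoadLibrary/GetProcAddress: likely packed or "
                     "resolving APIs at runtime; check iS and iI for odd sections")
    if "process injection" in categories:
        notes.append("injection primitives imported: list their callers with axt "
                     "and disassemble those functions with pdf")
    return {"categories": categories, "iocs": iocs, "notes": notes}


# Constructed samples in the shape of rizin's iij / izj output (not real data).
SAMPLE_IMPORTS = json.dumps([
    {"ordinal": 1, "bind": "NONE", "type": "FUNC", "name": "VirtualAllocEx", "libname": "KERNEL32.dll"},
    {"ordinal": 2, "bind": "NONE", "type": "FUNC", "name": "WriteProcessMemory", "libname": "KERNEL32.dll"},
    {"ordinal": 3, "bind": "NONE", "type": "FUNC", "name": "CreateRemoteThread", "libname": "KERNEL32.dll"},
    {"ordinal": 4, "bind": "NONE", "type": "FUNC", "name": "IsDebuggerPresent", "libname": "KERNEL32.dll"},
    {"ordinal": 5, "bind": "NONE", "type": "FUNC", "name": "LoadLibraryA", "libname": "KERNEL32.dll"},
    {"ordinal": 6, "bind": "NONE", "type": "FUNC", "name": "GetProcAddress", "libname": "KERNEL32.dll"},
    {"ordinal": 7, "bind": "NONE", "type": "FUNC", "name": "ExitProcess", "libname": "KERNEL32.dll"},
])
SAMPLE_STRINGS = json.dumps([
    {"vaddr": 4206592, "type": "ascii", "string": "http://203.0.113.7/update.bin"},
    {"vaddr": 4206640, "type": "ascii", "string": "Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"vaddr": 4206700, "type": "ascii", "string": "cmd.exe /c del %s"},
    {"vaddr": 4206720, "type": "ascii", "string": "Setup completed successfully"},
])

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_IMPORTS, SAMPLE_STRINGS), indent=2))
```

Feed the output of the two run_sandbox calls straight into triage; the categories it reports map onto the Detailed Findings entries of the report below, and the notes name the next rizin commands to run before reaching for the heavier dump_data.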
**dump_data**
For broad Ghidra-based decompilation across all functions, call dump_data(filepath="suspicious.exe"). It returns a folder path of dumped decompiled/disassembled output, which you can then explore with list_files and read_file. This is heavier than inspect_binary and targeted rizin runs; reach for it when you need wide decompilation coverage.
Analysis tools write text artifacts (decompiled .c files, JSON reports) into the workspace. Use list_files to see them and read_file to read their contents.
Provide a comprehensive analysis including:
- prepare_upload(file_name, size?): mint a one-time curl upload command
- inspect_binary(filepath): lightweight rz-bin triage
- run_sandbox(command, timeout?): run shell/Rizin/analysis commands in the sandbox
- dump_data(filepath): full Ghidra decompilation dump
- list_files(folder?) / read_file(filepath): inspect workspace artifacts
Look for:
Common categories:
Report format:
## Binary Analysis Report
**File Information**
- Name: [filename]
- Size: [bytes]
- MD5: [hash]
- SHA256: [hash]
**Analysis Summary**
[Brief overview of findings]
**Detailed Findings**
1. [Finding category]
- Evidence: [specific data]
- Significance: [what it means]
**Threat Assessment**
- Severity: [Critical/High/Medium/Low]
- Classification: [malware type]
- Confidence: [High/Medium/Low]
**Recommendations**
1. [Action item]
2. [Action item]
User: "I found a suspicious file called setup_installer.exe. Can you analyze it?"
Response:
1. prepare_upload(file_name="setup_installer.exe"), then run the returned curl (with the file's absolute path) via Bash
2. inspect_binary(filepath="setup_installer.exe") for triage
3. run_sandbox(command="rizin -qc 'aaa; izz; ii; afl' setup_installer.exe") and decompile suspicious functions as needed
Install: npx claudepluginhub deepbitstechnology/claude-plugins --plugin drbinary-chat-plugin