binary-re-triage
Install: claude install-skill aiskillstore/marketplace
# Binary Triage (Phase 1)
## Purpose
Quick fingerprinting to establish baseline facts before deeper analysis. Runs in seconds, not minutes.
## When to Use
- First contact with an unknown binary
- Need architecture/ABI info for tool selection
- Quick capability assessment
- Before committing to expensive analysis
## Key Principle
**Gather facts fast, defer analysis.**
This phase identifies WHAT the binary is, not HOW it works.
## Triage Sequence
### Step 1: File Identification
```bash
# Basic identification
file binary
# Expected output patterns:
# ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3
# ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1
```
**Extract:**
- Architecture (ARM, ARM64, x86_64, MIPS)
- Bit width (32/64)
- Endianness (LSB/MSB)
- Link type (static/dynamic)
- Interpreter path (libc indicator)
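The same checklist recovered straight from the ELF header and program headers, so the `file` output can be cross-checked (or reproduced when `file` is not installed). This is an added example, not part of the original skill; `LAYOUT`, `build_elf` and the two sample images are constructed helpers for the demonstration.

```python
import struct

# e_machine values from the ELF spec for the architectures this triage checklist names
MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86_64", 0xB7: "AARCH64"}
PT_DYNAMIC, PT_INTERP = 2, 3
LAYOUT = {  # per ELF class: Ehdr fmt after e_ident, Phdr fmt, p_offset index, p_filesz index
    64: ("HHIQQQIHHHHHH", "IIQQQQQQ", 2, 5),
    32: ("HHIIIIIHHHHHH", "IIIIIIII", 1, 4),
}

def triage_elf(data: bytes) -> dict:
    """Bit width, endianness, machine, link type and interpreter from the raw ELF bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}[data[4]]              # EI_CLASS
    endian = {1: "little", 2: "big"}[data[5]]   # EI_DATA decides how every later field is read
    e = "<" if endian == "little" else ">"
    ehdr_fmt, ph_fmt, off_ix, sz_ix = LAYOUT[bits]
    hdr = struct.unpack_from(e + ehdr_fmt, data, 16)
    e_type, e_machine, phoff, phentsize, phnum = hdr[0], hdr[1], hdr[4], hdr[8], hdr[9]
    interp, has_dynamic = None, False
    for i in range(phnum):
        ph = struct.unpack_from(e + ph_fmt, data, phoff + i * phentsize)
        if ph[0] == PT_DYNAMIC:
            has_dynamic = True
        elif ph[0] == PT_INTERP:
            interp = data[ph[off_ix]:ph[off_ix] + ph[sz_ix]].rstrip(b"\0").decode()
    # PT_DYNAMIC without PT_INTERP is the static-pie case, which plain "static" would misreport
    linking = "dynamic" if interp else ("static-pie" if has_dynamic else "static")
    return {"bits": bits, "endian": endian, "machine": MACHINES.get(e_machine, hex(e_machine)),
            "type": {2: "EXEC", 3: "DYN"}.get(e_type, hex(e_type)), "linking": linking, "interp": interp}

def build_elf(bits, endian, machine, e_type, interp=None):
    """Constructed test fixture: a headers-only ELF image with an optional PT_INTERP segment."""
    e = "<" if endian == "little" else ">"
    ehdr_fmt, ph_fmt, off_ix, sz_ix = LAYOUT[bits]
    ehsize, phentsize = 16 + struct.calcsize(e + ehdr_fmt), struct.calcsize(e + ph_fmt)
    ident = b"\x7fELF" + bytes([bits // 32, 1 if endian == "little" else 2, 1]).ljust(12, b"\0")
    hdr = ident + struct.pack(e + ehdr_fmt, e_type, machine, 1, 0, ehsize, 0, 0, ehsize, phentsize, 1 if interp else 0, 0, 0, 0)
    if not interp:
        return hdr
    path = interp.encode() + b"\0"
    fields = [0] * 8
    fields[0], fields[off_ix], fields[sz_ix] = PT_INTERP, ehsize + phentsize, len(path)
    return hdr + struct.pack(e + ph_fmt, *fields) + path

if __name__ == "__main__":
    print(triage_elf(build_elf(64, "little", 0xB7, 3, "/lib/ld-linux-aarch64.so.1")))
    print(triage_elf(build_elf(32, "big", 0x08, 2)))
```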
### Step 2: Structured Metadata (rabin2)
```bash
# All metadata as JSON
rabin2 -q -j -I binary | jq .
# Key fields (depending on the radare2 version the object may be nested
# under .info, in which case use jq '.info.arch' and so on):
# .arch - "arm", "x86", "mips"
# .bits - 32 or 64
# .endian - "little" or "big"
# .os - "linux", "none"
# .machine - "ARM", "AARCH64"
# .stripped - true/false
# .static - true/false
```
### Step 3: ABI Detection
```bash
# Interpreter detection
readelf -p .interp binary 2>/dev/null
# Or via rabin2 (its info listing labels the field "intrp", not "interp")
rabin2 -I binary | grep -E 'intrp|interp'
# ARM-specific: float ABI
readelf -A binary | grep "Tag_ABI_