capa-triage

Community

Quick .so/ELF triage for capabilities and strings

Authorwarterbili
Version1.0.0
Installs0

System Documentation

What problem does it solve?

Manually identifying capabilities and deobfuscating strings in unknown native binaries before deep reverse engineering is slow and inefficient, wasting valuable analyst time on irrelevant code paths.

Core Features & Use Cases

  • Automated Capability Identification: Uses Mandiant capa to map binary capabilities (crypto, network, anti-debug, file operations) with exact hit addresses for targeted decompilation in Ghidra or IDA.
  • Obfuscated String Recovery: Retrieves hidden, stack-built, or encoded strings (URLs, encryption keys, C2 endpoints) using FLOSS for PE/shellcode samples and native tooling for ELF/.so files.
  • Use Case: When analyzing an unknown malicious .so library from an Android app, run this triage first to locate all crypto and network-related functions, so you can focus decompiler efforts only on the relevant code sections instead of the entire binary.

Quick Start

Use the capa-triage skill to perform a quick capability and string triage on the unknown native library 'libsuspect.so' extracted from an unpacked Android APK.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: capa-triage
Download link: https://github.com/warterbili/AUTO_REVERSE/archive/main.zip#capa-triage

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.