## First calls

Use discovery and triage before opening heavier backends. Learn the file shape, backend availability, and likely next target before asking for broad decompiler output.

- `get_backend_status` checks whether optional backends are available.
- `list_tools` and `lookup_tool` show the registered tools.
- `triage_binary` collects hashes, format, sections, imports, strings, function stats, xref-heavy functions, and a call-graph summary.
- `static_view` reads PE, ELF, and Mach-O metadata without opening radare2.
- `binary_security_properties`, `static_callgraph`, `binary_capabilities`, `fuzzable_functions`, and `binary_component_profile` give Rust-native follow-up views before r2 or Ghidra.
| Tool | Use when | Backend | Next step |
|---|---|---|---|
| `get_backend_status` | Before a session, to see what is installed. | None | `list_tools` or the lowest-cost available backend. |
| `triage_binary` | You have an unknown file and need a compact overview. | Mixed, depending on local availability. | `static_view`, `r2_open`, or `ghidra_import`. |
| `static_view` | You need format facts without r2. | None | `static_view` with `mode=imports` or `mode=sections`. |
| `binary_security_properties` | You need loader and hardening posture with bounded evidence. | None | `entropy_profile`, `compiler_packer_detect`, or `static_callgraph`. |
| `static_callgraph` | You need a compact x86/x64 call graph before opening r2 or Ghidra. | None | `binary_capabilities` or `r2_function_view` on a selected address. |
| `binary_capabilities` | You need ranked behavior families from imports, symbols, and call-graph external calls. | None | `r2_function_view` or `ghidra_callsite_facts` for a source function. |
| `strings_extract` | You need IOCs, URLs, paths, mutex names, or literals. | strings(1) | `r2_find` or Ghidra search once a backend is open. |

```json
{
  "tool": "triage_binary",
  "arguments": {
    "binary_path": "/samples/unknown.exe"
  }
}
```

```json
{
  "tool": "static_view",
  "arguments": {
    "binary_path": "/samples/unknown.exe",
    "mode": "imports"
  }
}
```

## Good default flow
Start narrow, then move into r2 or Ghidra only after the first pass gives you a reason.
1. `get_backend_status`
2. `file_identify`
3. `triage_binary`
4. `static_view` with `mode=info`
5. `binary_security_properties`
6. `static_callgraph`
7. `binary_capabilities`
8. `fuzzable_functions` if parser, decoder, unpacking, or input handling matters.
9. `binary_component_profile` if component or runtime evidence matters.
10. `strings_extract`

| Signal | Likely meaning | Use next | Why |
|---|---|---|---|
| High section entropy | Packed, encrypted, or compressed data. | entropy_profile, binwalk_scan, compiler_packer_detect | Confirm whether this is packing before reading decompiler output. |
| Stripped imports | Dynamic API resolution or staged loading. | ghidra_dynamic_dispatch_table, export_hash_resolve | Look for hash tables, resolver loops, and call gates. |
| Many external calls in one function | Dispatcher, initializer, loader, or behavior hub. | static_callgraph, binary_capabilities, ghidra_decompiler_calls | Pick a source function before reading full pseudocode. |
| Specific field offset appears often | State struct, context object, or decoder state. | ghidra_field_flow, objdump_search_disasm | Follow the field instead of scanning full functions manually. |
| Parser, decoder, or input API names | Possible fuzzing target, not a vulnerability claim. | fuzzable_functions, then r2_function_view | Rank candidates first; inspect code before drafting a harness. |
| Runtime or package hints | Go, Rust, .NET, imported shared libraries, or weak package evidence. | binary_component_profile | Separates high-confidence components from low-confidence hints. |

```json
{
  "tool": "binary_security_properties",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_evidence_per_property": 3
  }
}
```

```json
{
  "tool": "static_callgraph",
  "arguments": {
    "binary_path": "/samples/payload.exe",
    "max_nodes": 100,
    "max_edges": 200
  }
}
```

```json
{
  "tool": "binary_capabilities",
  "arguments": {
    "binary_path": "/samples/payload.exe"
  }
}
```
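The default flow and the signal table above describe one routing decision: run the backend-free views first, then open r2 or Ghidra only when a concrete signal justifies it. The Python script below is an added example, not the project's own code, and it never talks to the MCP server. It assumes a constructed `TriageSummary` (a hypothetical stand-in for the sections, imports, and per-function external-call counts that `triage_binary` reports), computes the signals from the table (section entropy, sparse import table, external-call hubs, parser-style API names), and returns an ordered plan of next tool names with `r2_`/`ghidra_` tools deferred to the end. The entropy and call-count thresholds are assumptions chosen for illustration.

```python
"""Route triage signals to the next tool calls (added example, not project code)."""
import math
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values the project defines.
ENTROPY_PACKED_THRESHOLD = 7.0      # bits per byte; 8.0 is the maximum
HUB_EXTERNAL_CALL_THRESHOLD = 10    # external call sites in one function
MIN_EXPECTED_IMPORTS = 3            # fewer than this hints at dynamic API resolution
PARSER_API_HINTS = ("parse", "decode", "decompress", "inflate", "unpack")

# Next-step tools per signal, copied from the signal table above, in table order.
NEXT_TOOLS = {
    "high_section_entropy": ["entropy_profile", "binwalk_scan", "compiler_packer_detect"],
    "stripped_imports": ["ghidra_dynamic_dispatch_table", "export_hash_resolve"],
    "external_call_hub": ["static_callgraph", "binary_capabilities", "ghidra_decompiler_calls"],
    "parser_api_name": ["fuzzable_functions", "r2_function_view"],
}
HEAVY_BACKEND_PREFIXES = ("r2_", "ghidra_")


@dataclass
class Section:
    name: str
    data: bytes


@dataclass
class TriageSummary:
    """Hypothetical stand-in for the fields triage_binary reports (assumption)."""
    sections: list
    imports: list
    external_calls: dict   # function name -> number of external (import) call sites


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for uniform data up to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_format(data: bytes) -> str:
    """Minimal magic-number check, the cheapest possible 'file shape' answer."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "macho"
    return "unknown"


def triage_signals(summary: TriageSummary) -> list:
    """Turn raw triage facts into (signal, evidence) pairs from the signal table."""
    signals = []
    for s in summary.sections:
        e = shannon_entropy(s.data)
        if e >= ENTROPY_PACKED_THRESHOLD:
            signals.append(("high_section_entropy", f"{s.name} entropy={e:.2f}"))
    if len(summary.imports) < MIN_EXPECTED_IMPORTS:
        signals.append(("stripped_imports", f"{len(summary.imports)} imports"))
    for fn, count in summary.external_calls.items():
        if count >= HUB_EXTERNAL_CALL_THRESHOLD:
            signals.append(("external_call_hub", f"{fn} has {count} external calls"))
    for name in summary.imports:
        if any(h in name.lower() for h in PARSER_API_HINTS):
            signals.append(("parser_api_name", name))
    return signals


def plan_next_calls(signals: list) -> list:
    """Ordered, de-duplicated tool list: backend-free tools first, r2/Ghidra last."""
    ordered = []
    for signal, _evidence in signals:
        for tool in NEXT_TOOLS.get(signal, []):
            if tool not in ordered:
                ordered.append(tool)
    light = [t for t in ordered if not t.startswith(HEAVY_BACKEND_PREFIXES)]
    heavy = [t for t in ordered if t.startswith(HEAVY_BACKEND_PREFIXES)]
    return light + heavy


def build_plan(binary_bytes: bytes, summary: TriageSummary) -> dict:
    signals = triage_signals(summary)
    return {"format": identify_format(binary_bytes),
            "signals": signals, "next_calls": plan_next_calls(signals)}


# Constructed sample input: a fake PE header and a summary with one packed-looking
# section, one dispatcher-like function, and one decompression import.
SAMPLE_BYTES = b"MZ" + b"\x90" * 62
SAMPLE_SUMMARY = TriageSummary(
    sections=[Section(".text", b"\x90" * 4096), Section(".packed", bytes(range(256)) * 16)],
    imports=["CreateFileW", "ReadFile", "RtlDecompressBuffer"],
    external_calls={"sub_401000": 14, "sub_402000": 2},
)

if __name__ == "__main__":
    for key, value in build_plan(SAMPLE_BYTES, SAMPLE_SUMMARY).items():
        print(f"{key}: {value}")
```

The plan keeps the table's order within each signal but pushes every `r2_`/`ghidra_` tool behind the Rust-native ones, which is the whole point of the default flow: a high-entropy section gets `entropy_profile` and `compiler_packer_detect` before anyone reads pseudocode that may be unpacking-stub noise.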