Skip to content
Wadie Bouanfar

11 May 2026 · 2 min read

A first-pass methodology for unknown binaries

Reverse Engineering · Ghidra · Malware Analysis

Reverse engineering rewards patience and punishes assumptions — but most of the time you don't need deep analysis to answer the first questions about an unknown binary: what is this, roughly, and does it deserve more of my time? This is the first-pass routine I run before opening a disassembler in anger. None of it is novel; the value is in doing it in the same order every time, so the notes from one sample are comparable with the next.

0. Provenance and hashes first

Before anything executes or opens: record SHA-256, size, source and timestamps, and check the hash against known-sample databases. Two minutes of bookkeeping saves hours of re-analysis later — and occasionally ends the investigation immediately.

1. File identity, not file extension

file, magic bytes, and header sanity. Is it really a PE/ELF? Which architecture, which linker, which compiler artefacts? Packers announce themselves here more often than people expect: section names, abnormal entry points, or a .text section that is suspiciously small.

2. Strings — but read them like evidence

Everyone runs strings; fewer people read the output critically. I look for three classes:

  • Infrastructure: URLs, IPs, domains, user agents, registry paths
  • Capability hints: format strings, error messages, command templates
  • Absence: a real program has boring strings everywhere. A binary with almost none is telling you it's packed or obfuscated — which is itself a finding.

3. Imports as a capability map

The import table is the cheapest behavioural summary you will ever get. VirtualAlloc + WriteProcessMemory + CreateRemoteThread reads as injection; CryptEncrypt next to file-enumeration APIs reads as ransomware; almost no imports at all reads as a loader that resolves everything at runtime. Write the hypothesis down before disassembly — the point of the deep pass is to falsify it.

4. Entropy tells you where to look

Per-section entropy separates packed from plain in seconds. High-entropy .rsrc or overlay data is where payloads hide; a high-entropy .text means the real program only exists at runtime, and static analysis should shift to the unpacking stub instead of the noise.

5. Only now, the disassembler

With a hypothesis, Ghidra time is targeted instead of exploratory: entry point, the functions referencing the interesting strings and imports, cross-references outward. I annotate as I go and stop when the hypothesis is confirmed or broken — the goal of a first pass is a decision (escalate, archive, or detonate in the lab), not a complete reconstruction.

The meta-lesson

The routine matters more than the tools. Every step produces an artefact — hashes, identity, string classes, capability map, entropy profile — and the artefacts compose into a triage report that someone else can review. That reviewability is what separates analysis from vibes, and it is exactly the part worth automating. Automating it is an ongoing project of mine — the Binary Triage Toolkit — and this checklist is its specification.