offensive-tools/rev/binaryninja/SKILL.md
Commercial reverse engineering platform with decompiler, multi-architecture IL system (LLIL/MLIL/HLIL), and Python scripting API. Use when performing static analysis with decompilation, writing automated RE scripts, analyzing firmware or multi-arch binaries, or when a programmable disassembler with type recovery is needed.
Install: `npx skillsauth add aeondave/malskill binaryninja` (works with Claude Code, Cursor, and Windsurf).
Programmable RE platform — disassembler + decompiler + multi-level IL + Python API.
Views: Disassembly / HLIL (decompiler) / MLIL / LLIL / Graph

| View | Purpose |
|------|---------|
| Graph | Control flow graph of current function |
| Linear | Linear disassembly (IDA-style) |
| HLIL | High-Level IL — decompiler (C-like pseudocode) |
| MLIL | Medium-Level IL — variables recovered, stack abstracted |
| LLIL | Low-Level IL — close to assembly, normalized |
| Hex | Raw hex editor |
| Strings | All detected strings |
| Cross References | XREF list for selected symbol |
| Key | Action |
|-----|--------|
| G | Go to address or symbol |
| N | Rename symbol |
| Y | Change type |
| L | Change label |
| / | Add comment |
| Tab | Switch between graph/linear |
| H | Toggle between IL levels (LLIL→MLIL→HLIL→Disasm) |
| X | Cross references |
| Ctrl+E | Edit bytes |
| P | Create function at cursor |
| U | Undefine |
| D | Change data type |
| Ctrl+Shift+M | Open script console |
Binary Ninja's defining feature — layered IL system:
LLIL — Low-Level IL: one-to-one with assembly but normalized; architecture-independent register and flag access.
MLIL — Medium-Level IL: stack slots promoted to named variables, constant propagation, dead-store elimination. Every call is its own statement with a resolved argument list (`inst.params`), which makes it the level to use for cross-function and argument analysis.
HLIL — High-Level IL: decompiler output with loops, if/else, switch, and variable declarations recovered. Best for human reading.
```python
# Access different IL layers for a function. In the script console `here` is the
# current cursor address; func.llil / func.mlil / func.hlil all iterate the same
# way: basic blocks first, then the instructions inside each block.
func = bv.get_function_at(here)
for block in func.hlil:
    for inst in block:
        print(f"  {inst.address:#x}: {inst}")
```
```python
# Script console: View -> Script Console (or Ctrl+Shift+M)
# Or headless: import binaryninja; bv = binaryninja.load("/path/to/binary")

# List all functions
for func in bv.functions:
    print(f"{func.start:#x}: {func.name}")

# Get function at address (None unless a function starts exactly there)
func = bv.get_function_at(0x401000)
if func is not None:
    print(func.name, func.start, func.total_bytes)
```
```python
from binaryninja import HighLevelILOperation  # implicit in the script console

# Flag calls to APIs typical of injection, dynamic API resolution and C2.
suspicious = ['VirtualAlloc', 'CreateRemoteThread', 'WriteProcessMemory',
              'LoadLibrary', 'GetProcAddress', 'connect', 'send']
CALL = HighLevelILOperation.HLIL_CALL
ASSIGNS = (HighLevelILOperation.HLIL_ASSIGN, HighLevelILOperation.HLIL_VAR_INIT)
for func in bv.functions:
    for inst in func.hlil.instructions:
        # In HLIL a call is either a statement of its own (HLIL_CALL) or the
        # right-hand side of an assignment (x = VirtualAlloc(...)); checking only
        # inst.operation == HLIL_CALL silently misses the second form.
        call = inst if inst.operation == CALL else None
        if call is None and inst.operation in ASSIGNS and inst.src.operation == CALL:
            call = inst.src
        if call is None:
            continue
        target = str(call.dest)
        for s in suspicious:
            if s.lower() in target.lower():
                print(f"  {func.name} @ {call.address:#x} calls {target}")
```
```python
# Interesting strings and the functions that reference them. Substring matching
# is noisy ('key' also hits 'keyboard'); tighten the keyword list per target.
for s in bv.strings:
    if any(kw in s.value.lower() for kw in ['http', 'password', 'key', 'exec']):
        for ref in bv.get_code_refs(s.start):
            funcs = bv.get_functions_containing(ref.address)
            if funcs:
                print(f"  '{s.value}' referenced in {funcs[0].name} @ {ref.address:#x}")
```
```python
from binaryninja import MediumLevelILOperation

PAGE_EXECUTE_READWRITE = 0x40  # RWX allocation: the classic shellcode-staging tell
func = bv.get_function_at(0x401234)
# MLIL calls are always their own statement (outputs on the left), so unlike HLIL
# there is no nested-call case to handle here.
for inst in func.mlil.instructions:
    if inst.operation == MediumLevelILOperation.MLIL_CALL and 'VirtualAlloc' in str(inst):
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) -> flProtect is params[3]
        if len(inst.params) > 3:
            prot = inst.params[3]
            if prot.operation == MediumLevelILOperation.MLIL_CONST:
                value = prot.constant
                flag = "  <-- RWX" if (value & 0xFF) == PAGE_EXECUTE_READWRITE else ""
                print(f"  VirtualAlloc protect={value:#x}{flag} @ {inst.address:#x}")
            else:
                # Not a literal: inspect prot.possible_values or follow the SSA definition
                print(f"  VirtualAlloc protect={prot} (non-constant) @ {inst.address:#x}")
```
```python
#!/usr/bin/env python3
"""Headless Binary Ninja analysis (needs a licence tier that includes the headless API)."""
import sys
import binaryninja

bv = binaryninja.load("/path/to/binary", update_analysis=True)
if bv is None:
    sys.exit(1)
bv.update_analysis_and_wait()  # redundant after update_analysis=True, but harmless

print(f"Functions: {len(bv.functions)}")
print(f"Strings: {len(bv.strings)}")
print(f"Sections: {[s.name for s in bv.sections.values()]}")

# Direct call graph. Function.callees already holds resolved direct call targets, so
# there is no need to dig the constant out of each call site's MLIL (which raised on
# indirect calls, where dest is not a constant). Calls through function pointers or
# vtables only appear here if analysis managed to resolve them.
for func in bv.functions:
    for callee in func.callees:
        if not callee.name.startswith("sub_"):
            print(f"  {func.name} -> {callee.name}")
bv.file.close()
```
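The suspicious-API scan and the call-graph listing above both stop at the immediate caller. The following is an added example, not code from the original page or from Binary Ninja: it builds a direct call graph from (caller, callee) name pairs and reports the shortest call path from an entry point to every suspicious import it can reach, which answers the question "how does control get from `_start` to `CreateRemoteThread`?". It runs stand-alone on the constructed `SAMPLE_EDGES`; `edges_from_binaryview()` is the only Binary Ninja-dependent piece and assumes `bv.functions`, `Function.callees` and `Function.name` as used elsewhere on this page.

```python
"""Added example: call-graph reachability from an entry point to suspicious imports.
Not part of the original page. Only edges_from_binaryview() touches Binary Ninja."""
from collections import deque

SUSPICIOUS = ("VirtualAlloc", "CreateRemoteThread", "WriteProcessMemory",
              "LoadLibrary", "GetProcAddress", "connect", "send")

# Constructed sample graph standing in for edges read from a real binary.
SAMPLE_EDGES = [
    ("_start", "main"),
    ("main", "sub_401000"),
    ("main", "sub_401200"),
    ("sub_401000", "sub_401100"),
    ("sub_401100", "VirtualAlloc"),
    ("sub_401100", "WriteProcessMemory"),
    ("sub_401100", "CreateRemoteThread"),
    ("sub_401200", "printf"),
    ("sub_401300", "connect"),  # never reached from _start: dead code or a callback
]


def is_suspicious(name):
    """Substring match so decorated names (LoadLibraryA, __imp_connect) still hit."""
    lowered = name.lower()
    return any(s.lower() in lowered for s in SUSPICIOUS)


def build_graph(edges):
    """(caller, callee) pairs -> {name: set of callee names}; leaves get an empty set."""
    graph = {}
    for caller, callee in edges:
        graph.setdefault(caller, set()).add(callee)
        graph.setdefault(callee, set())
    return graph


def paths_to_suspicious(graph, entry):
    """BFS from entry. Returns {suspicious name: [entry, ..., suspicious name]},
    the shortest call path for each suspicious function reachable from entry."""
    parent = {entry: None}
    found = {}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for callee in sorted(graph.get(node, ())):  # sorted -> deterministic paths
            if callee in parent:
                continue
            parent[callee] = node
            queue.append(callee)
            if is_suspicious(callee):
                path, cur = [], callee
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                found[callee] = path[::-1]
    return found


def report(edges, entry="_start"):
    return paths_to_suspicious(build_graph(edges), entry)


def edges_from_binaryview(bv):
    """Feed the graph from Binary Ninja (assumed API: bv.functions, Function.callees).
    Only direct calls are present; calls through function pointers or vtables
    appear only where analysis resolved them."""
    for func in bv.functions:
        for callee in func.callees:
            yield (func.name, callee.name)


if __name__ == "__main__":
    for callee, path in report(SAMPLE_EDGES).items():
        print(f"{callee}: {' -> '.join(path)}")
```

In the script console, `report(edges_from_binaryview(bv), entry=bv.entry_function.name)` runs it against the open binary (`bv.entry_function` is assumed here to exist as it does in the current API). Functions that reach a suspicious import only through an unresolved indirect call will be missing from the output, so treat absence as "not proven", not "not reachable".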
```python
# Look for crypto constants: the first 8 bytes of the AES forward S-box.
# Compiled AES often uses T-tables instead (Te0 starts with the word 0xc66363a5),
# so search for those as well when the S-box itself is absent.
aes_sbox = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])
addr = bv.find_next_data(bv.start, aes_sbox)
while addr is not None:
    print(f"  AES S-box found at {addr:#x}")
    for ref in bv.get_code_refs(addr):
        print(f"    Referenced from {ref.address:#x}")
    addr = bv.find_next_data(addr + 1, aes_sbox)
```
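The S-box search above generalises to a table of well-known cryptographic constants. The block below is an added example, not code from the original page or from Binary Ninja: each 32-bit word table is checked in both byte orders so it is found on little- and big-endian targets alike. `find_crypto_constants()` is pure Python and runs on the constructed `SAMPLE` blob; `scan_binaryview()` is the Binary Ninja hook and assumes `bv.segments` (with `.start`/`.end`) and `bv.read(addr, length)`.

```python
"""Added example: scan raw bytes for known cryptographic constants in both
endiannesses. Not part of the original page; only scan_binaryview() touches
the Binary Ninja API."""
import struct

# First 8 bytes of the AES forward and inverse S-boxes (byte tables, no endianness).
AES_SBOX_HEAD = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])
AES_INV_SBOX_HEAD = bytes([0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38])

# 32-bit word tables. TEA's delta is also the golden-ratio hashing constant,
# so that hit is a hint, not proof of TEA/XTEA.
WORD_TABLES = {
    "SHA-256 round constants K": (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5),
    "SHA-256 initial hash H0": (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a),
    "MD5/SHA-1 initial state": (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476),
    "CRC-32 reflected polynomial": (0xedb88320,),
    "TEA/XTEA delta (or golden-ratio hash)": (0x9e3779b9,),
}


def signatures():
    """Expand the tables into (name, byte pattern) pairs, one per endianness."""
    sigs = [("AES forward S-box", AES_SBOX_HEAD), ("AES inverse S-box", AES_INV_SBOX_HEAD)]
    for name, words in WORD_TABLES.items():
        for prefix, label in (("<", "LE"), (">", "BE")):
            sigs.append((f"{name} ({label})", struct.pack(prefix + "I" * len(words), *words)))
    return sigs


def find_crypto_constants(data, base=0):
    """Return a sorted list of (address, signature name) for every hit in data."""
    hits = []
    for name, sig in signatures():
        start = 0
        while (idx := data.find(sig, start)) != -1:
            hits.append((base + idx, name))
            start = idx + 1
    return sorted(hits)


def scan_binaryview(bv):
    """Scan every mapped segment of a Binary Ninja BinaryView (assumed API:
    bv.segments with .start/.end, bv.read). Unbacked segments read short; fine."""
    hits = []
    for seg in bv.segments:
        data = bv.read(seg.start, seg.end - seg.start)
        hits.extend(find_crypto_constants(data, base=seg.start))
    return hits


# Constructed sample: padding, the AES S-box head, a gap, SHA-256 K[0..3] little-endian,
# junk, then a big-endian CRC-32 polynomial, as if it were .rdata mapped at 0x401000.
SAMPLE_BASE = 0x401000
SAMPLE = (b"\x90" * 16 + AES_SBOX_HEAD + b"\x00" * 8
          + struct.pack("<4I", 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5)
          + b"\xcc" * 4 + struct.pack(">I", 0xedb88320))


def demo():
    return find_crypto_constants(SAMPLE, base=SAMPLE_BASE)


if __name__ == "__main__":
    for addr, name in demo():
        print(f"{addr:#x}: {name}")
```

From the script console, `scan_binaryview(bv)` returns the hit list; follow each address with `bv.get_code_refs(addr)` as in the S-box snippet to find the routine that uses the table. Eight bytes of S-box is enough to avoid false positives, but a single-word signature such as the CRC-32 polynomial or the TEA delta will also match unrelated data, so confirm those by reading the surrounding code.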
Plugins (install via Edit -> Preferences -> Plugin Manager):

- SigMaker: create IDA-compatible signatures
- Syscall identifier: annotate syscall numbers
- binja-msdn: auto-annotate WinAPI parameters
| File | When to load |
|------|--------------|
| references/scripting-recipes.md | Python API recipes for common analysis tasks |
| references/il-guide.md | LLIL/MLIL/HLIL operation types and traversal patterns |