/triage appinfo.dll
/audit appinfo.dll AiLaunchProcess
/explain appinfo.dll AiCheckSecureApplicationDirectory
/scan appinfo.dll --top 15
/compare-modules appinfo.dll consent.exe
/health
python .claude/helpers/pipeline_cli.py list-steps
python .claude/helpers/pipeline_cli.py validate config/pipelines/security-sweep.yaml
python .claude/helpers/pipeline_cli.py run config/pipelines/security-sweep.yaml --dry-run
python .claude/helpers/pipeline_cli.py run config/pipelines/quick-triage.yaml --json
python .claude/helpers/pipeline_cli.py run config/pipelines/security-sweep.yaml --modules appinfo.dll,consent.exe
python .claude/helpers/pipeline_cli.py run config/pipelines/full-analysis.yaml --output workspace/custom_{timestamp}/For interactive use, the /pipeline slash command wraps the same CLI.
Minimal:
modules: all
steps:
- triage: {}Focused security sweep:
modules:
- appinfo.dll
- consent.exe
steps:
- triage: {}
- security:
top: 10
- scan:
top: 10The sections below show how to chain commands for common analysis goals.
Each step includes a brief annotation explaining what it produces and why
the next step follows. All examples use appinfo.dll as the module and
AiLaunchProcess as the target function.
First-time workflow for a new extraction workspace.
/health # validate workspace: extraction data, DBs, skills, config
/triage appinfo.dll # deep orientation: classify, topology, attack surface ranking
/explain appinfo.dll AiLaunchProcess # structured explanation of top-ranked function
/audit appinfo.dll AiLaunchProcess # full security audit with risk assessment
Progression: /health -> /triage -> /explain -> /audit.
Systematic vulnerability hunting from triage through confirmed findings.
/triage appinfo.dll --with-security # orientation + lightweight taint on top entries
/scan appinfo.dll --top 10 # all 8 scanners + taint + verification + exploitability
/audit appinfo.dll AiLaunchProcess # deep audit on highest-risk finding from /scan
/taint appinfo.dll AiLaunchProcess --depth 5 # focused source-to-sink trace with guard analysis
/compare-scans srvsvc.dll --type logic # compare findings across logic scans
/hunt-plan appinfo.dll # collaborative VR planning: ranked hypotheses
/hunt-execute appinfo.dll # execute plan: per-hypothesis evidence + confidence score
Progression: /triage --with-security -> /scan -> /audit -> /taint -> /compare-scans -> /hunt-plan -> /hunt-execute.
/scan provides breadth (8 scanner types across all functions). /audit provides
depth (backward trace, decompiler verification, call chain) on individual findings.
/hunt-plan + /hunt-execute add hypothesis-driven reasoning on top.
Understanding a function's behavior, context, and data dependencies.
/explain appinfo.dll AiLaunchProcess # purpose, params, key APIs, behavior
/xref appinfo.dll AiLaunchProcess # caller/callee tables with classification
/callgraph appinfo.dll AiLaunchProcess --diagram # visual neighborhood, hub annotations
Progression: /explain -> /xref -> /callgraph.
/explain gives you the "what", /xref + /callgraph give the structural
context.
Producing clean, readable code from decompiled output.
/reconstruct-types appinfo.dll CSecurityDescriptor --validate # struct layout from memory patterns
/lift-class appinfo.dll CSecurityDescriptor # batch-lift all methods (grind loop)
Progression: /reconstruct-types -> /lift-class.
Run type reconstruction first so lifts use correct struct layouts. /lift-class
uses the grind loop to process each method sequentially, producing a single
.cpp file.
Tracing behavior and dependencies across DLL boundaries.
/imports appinfo.dll # PE-level import/export relationships
/compare-modules appinfo.dll consent.exe # side-by-side: shared APIs, topology, deps
Progression: /imports -> /compare-modules.
/imports shows the loader-level dependency picture (PE import tables).
/compare-modules synthesizes the architectural comparison.
Auditing COM, RPC, and WinRT interfaces for privilege escalation.
/com surface appinfo.dll # enumerate COM servers, rank by privilege-boundary risk
/rpc surface appinfo.dll # enumerate RPC interfaces, rank by attack surface score
/winrt surface appinfo.dll # enumerate WinRT servers, rank by privilege-boundary risk
These three are independent and can run in any order. They identify IPC entry points that cross privilege boundaries (e.g., medium-IL caller to SYSTEM server).
/com audit appinfo.dll # deep audit: permissions, elevation, marshalling, DCOM
/com privesc appinfo.dll # filter to EoP targets and UAC bypass candidates
/batch-audit appinfo.dll --privilege-boundary --top 8 # dossier + taint per handler function
Progression: /com surface + /rpc surface + /winrt surface -> /com audit -> /com privesc -> /batch-audit --privilege-boundary.
Processing multiple functions or modules at scale.
/batch-audit appinfo.dll --top 10 # audit top 10 entry points
/batch-audit appinfo.dll --class CSecurityDescriptor # audit all methods of a class
All three use the grind loop (one checkbox per function, auto-continues until done).
Pipeline examples for headless batch processing:
/pipeline run config/pipelines/security-sweep.yaml --modules appinfo.dll,consent.exe
/pipeline run config/pipelines/full-analysis.yaml --dry-run
/pipeline list-steps # show available step types
Pipeline results are written to .claude/workspace/ with per-module summaries and
a manifest for later inspection via /runs.
Managing cached results and workspace health.
/health # pre-flight: extraction data, DBs, skills, config
/cache-manage # cache stats: entries, disk usage, staleness
/cache-manage clear appinfo.dll # clear cached results for a module (recomputes on next use)
/runs # list prior workspace runs with timestamps and goals
/runs latest appinfo.dll # open most recent run, drill into step results
Use /health at the start of every session. Use /cache-manage clear after
re-extraction or when results seem stale. Use /runs to revisit prior analysis
without re-running it.