CLI analysis recipes

This page focuses on practical flag combinations for common analysis outputs.

In-report memory snapshots (`--snapshot-memory-regions`)

Command:

speakeasy -t sample.exe --snapshot-memory-regions -o report.json

Expected artifact:

entry_points[*].memory.layout[*].data_ref populated with SHA-256 refs
top-level data populated with base64(zlib(raw_bytes)) entries

Quick verification:

jq '.entry_points[].memory.layout[] | select(.data_ref != null) | .tag' report.json

Tradeoff:

report size increases, but repeated payloads deduplicate across runs

Coverage collection (`--analysis-coverage`)

Command:

speakeasy -t sample.exe --analysis-coverage -o report.json

Expected artifact:

entry_points[*].coverage contains executed instruction addresses

Quick verification:

jq '.entry_points[] | {start_addr, coverage_count: (.coverage // [] | length)}' report.json

Tradeoff:

extra tracing overhead increases runtime

Memory tracing (`--analysis-memory-tracing`)

Command:

speakeasy -t sample.exe --analysis-memory-tracing -o report.json

Expected artifact:

per-region access counters in memory.layout[*].accesses
symbol access summaries in sym_accesses

Quick verification:

jq '.entry_points[] | {start_addr, sym_accesses: (.sym_accesses // [] | length)}' report.json

Tradeoff:

substantial runtime impact on memory-heavy samples

String extraction controls (`--analysis-strings` / `--no-analysis-strings`)

Enable:

speakeasy -t sample.exe --analysis-strings -o report.json

Disable:

speakeasy -t sample.exe --no-analysis-strings -o report.json

Quick verification:

jq '.strings' report.json

Tradeoff:

disabling strings reduces report size and post-processing time

Dropped files archive (`--dropped-files-path`)

Command:

speakeasy -t sample.exe --dropped-files-path dropped.zip

Expected artifact:

dropped.zip with files written during emulation and a manifest

Quick verification:

unzip -l dropped.zip

Tradeoff:

captures useful payload artifacts but adds archive creation overhead

Combined triage profile

Command:

speakeasy -t sample.exe \
  --timeout 30 \
  --analysis-coverage \
  --analysis-memory-tracing \
  --snapshot-memory-regions \
  --dropped-files-path dropped.zip \
  -o report.json

Use this profile when you want broad telemetry and artifact capture in one run.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CLI analysis recipes

In-report memory snapshots (`--snapshot-memory-regions`)

Coverage collection (`--analysis-coverage`)

Memory tracing (`--analysis-memory-tracing`)

String extraction controls (`--analysis-strings` / `--no-analysis-strings`)

Dropped files archive (`--dropped-files-path`)

Combined triage profile

Related docs

FilesExpand file tree

cli-analysis-recipes.md

Latest commit

History

cli-analysis-recipes.md

File metadata and controls

CLI analysis recipes

In-report memory snapshots (--snapshot-memory-regions)

Coverage collection (--analysis-coverage)

Memory tracing (--analysis-memory-tracing)

String extraction controls (--analysis-strings / --no-analysis-strings)

Dropped files archive (--dropped-files-path)

Combined triage profile

Related docs

In-report memory snapshots (`--snapshot-memory-regions`)

Coverage collection (`--analysis-coverage`)

Memory tracing (`--analysis-memory-tracing`)

String extraction controls (`--analysis-strings` / `--no-analysis-strings`)

Dropped files archive (`--dropped-files-path`)