MalwareAnalyzerMCP
A specialized MCP server for Claude Desktop that allows executing terminal commands for malware analysis with support for common analysis tools like file, strings, hexdump, objdump, and xxd.
Features
- Execute terminal commands with configurable timeouts
- Read output from running or completed processes
- Specialized malware analysis commands (file, strings, hexdump, objdump, xxd)
- Clean process management with graceful shutdowns
- Pure JavaScript implementation - no build step required
Installation
# Install dependencies
npm install
Usage
Running the Server
# Start the server directly
node index.js
# Or use npm script
npm start
# With debugging proxy (logs all communications)
npm run debug
Integration with Claude Desktop
To integrate this MCP server with Claude Desktop:
- Open Claude Desktop's settings (Claude menu → Settings)
- Click on "Developer" and then "Edit Config"
- Update your configuration to include:
{
  "mcpServers": {
    "MalwareAnalysisMCP": {
      "command": "node",
      "args": [
        "/path/to/MalwareAnalysisMCP/index.js"
      ]
    }
  }
}
Note: Replace /path/to/MalwareAnalysisMCP with the actual path to your project directory.
- Restart Claude Desktop
Debugging
To see all communication between Claude Desktop and the MCP server:
- Update your Claude Desktop configuration to use the debug proxy:
{
  "mcpServers": {
    "MalwareAnalysisMCP": {
      "command": "node",
      "args": [
        "/path/to/MalwareAnalysisMCP/mcp-debug-proxy.js"
      ]
    }
  }
}
- Check the logs in the logs directory
Compatibility Notes
- Requires Node.js 18 or higher
- Compatible with Node.js v22+ using ESM modules
API
Basic Tools
shell_command
Executes a terminal command and returns its process ID, output, and blocked status.
Parameters:
- command (string): The command to execute in the terminal
- timeout_ms (number, optional): Timeout in milliseconds (default: 30000)
Returns:
- pid (number): Process ID
- output (string): Command output
- isBlocked (boolean): Whether the command execution is blocked/timed out
read_output
Reads output from a running or completed process.
Parameters:
- pid (number): The process ID to read output from
Returns:
- output (string | null): The process output, or null if the process is not found
Specialized Malware Analysis Tools
The following specialized tools are available for malware analysis:
file
Analyze a file and determine its type.
Parameters:
- target (string): Target file to analyze
- options (string, optional): Additional command-line options
Example:
{
  "target": "suspicious.exe",
  "options": "-b"
}
strings
Extract printable strings from a file.
Parameters:
- target (string): Target file to analyze
- minLength (number, optional): Minimum string length to display
- encoding (string, optional): String encoding (s=7-bit, S=8-bit, b=16-bit big-endian, l=16-bit little-endian, etc.)
- options (string, optional): Additional command-line options
Example:
{
  "target": "suspicious.exe",
  "minLength": 10,
  "encoding": "l"
}
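Added example, not code from the MalwareAnalyzerMCP project: one way a wrapper could turn the documented strings parameters into an argument array for child_process.execFile, so that neither target nor options is ever interpreted by a shell. The function names, the 4096 upper bound on minLength and the flag-token pattern are assumptions; -n and -e are the GNU strings flags for minimum length and encoding.

```javascript
// Added example; buildStringsArgv and runStrings are hypothetical names.
const ENCODINGS = new Set(["s", "S", "b", "l", "B", "L"]); // values GNU strings accepts for -e
const FLAG = /^--?[A-Za-z][A-Za-z0-9-]*(=[A-Za-z0-9]+)?$/; // one self-contained flag token

// Translate the documented `strings` parameters into an argv array.
function buildStringsArgv({ target, minLength, encoding, options } = {}) {
  if (typeof target !== "string" || target.length === 0 || target.includes("\0")) {
    throw new TypeError("target must be a non-empty string without NUL bytes");
  }
  const argv = [];
  if (minLength !== undefined) {
    // Upper bound of 4096 is an assumed sanity limit, not a value from the README.
    if (!Number.isInteger(minLength) || minLength < 1 || minLength > 4096) {
      throw new RangeError("minLength must be an integer between 1 and 4096");
    }
    argv.push("-n", String(minLength));
  }
  if (encoding !== undefined) {
    if (!ENCODINGS.has(encoding)) throw new RangeError("unsupported encoding");
    argv.push("-e", encoding);
  }
  if (options !== undefined) {
    if (typeof options !== "string") throw new TypeError("options must be a string");
    for (const token of options.split(/\s+/).filter(Boolean)) {
      // Rejects shell metacharacters, stray file paths and @file response files.
      if (!FLAG.test(token)) throw new RangeError(`rejected option token: ${token}`);
      argv.push(token);
    }
  }
  // "--" ends option parsing, so a sample named "-e" or "--help" is read as a file.
  argv.push("--", target);
  return argv;
}

// Run strings without a shell: each argv element reaches the program verbatim.
async function runStrings(params, timeoutMs = 30000) {
  const { execFile } = await import("node:child_process");
  const argv = buildStringsArgv(params);
  return new Promise((resolve, reject) => {
    execFile("strings", argv, { timeout: timeoutMs, maxBuffer: 16 * 1024 * 1024 },
      (err, stdout) => (err ? reject(err) : resolve(stdout)));
  });
}
```

Flags that take a separate value (for example "-t x") are rejected by this pattern and must be written in their joined form ("-tx" or "--radix=x").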
hexdump
Display file contents in hexadecimal format.
Parameters:
- target (string): Target file to analyze
- length (number, optional): Number of bytes to display
- offset (number, optional): Starting offset in the file
- options (string, optional): Additional command-line options
Example:
{
  "target": "suspicious.exe",
  "length": 256,
  "offset": 1024
}
objdump
Display information from object files.
Parameters:
- target (string): Target file to analyze
- disassemble (boolean, optional): Disassemble executable sections
- headers (boolean, optional): Display the contents of the section headers
- options (string, optional): Additional command-line options
Example:
{
  "target": "suspicious.exe",
  "disassemble": true
}
xxd
Create a hexdump with ASCII representation.
Parameters:
- target (string): Target file to analyze
- length (number, optional): Number of bytes to display
- offset (number, optional): Starting offset in the file
- cols (number, optional): Format output into specified number of columns
- bits (boolean, optional): Switch to bits (binary) dump
- options (string, optional): Additional command-line options
Example:
{
  "target": "suspicious.exe",
  "cols": 16,
  "bits": true
}
License
ISC