MalwareAnalyzerMCP

A specialized MCP server for Claude Desktop that allows executing terminal commands for malware analysis.

Features

• Execute terminal commands with configurable timeouts
• Read output from running or completed processes
• Specialized malware analysis commands (file, strings, hexdump, objdump, xxd)
• Clean process management with graceful shutdowns
• Pure JavaScript implementation - no build step required

Installation

# Install dependencies
npm install

Usage

Running the Server

# Start the server directly
node index.js

# Or use npm script
npm start

# With debugging proxy (logs all communications)
npm run debug

Integration with Claude Desktop

To integrate this MCP server with Claude Desktop:

1. Open Claude Desktop's settings (Claude menu → Settings)
2. Click on "Developer" and then "Edit Config"
3. Update your configuration to include:

{
  "mcpServers": {
    "MalwareAnalysisMCP": {
      "command": "node",
      "args": [
        "/path/to/MalwareAnalysisMCP/index.js"
      ]
    }
  }
}

Note: Replace /path/to/MalwareAnalysisMCP with the actual path to your project directory.

1. Restart Claude Desktop

Debugging

To see all communication between Claude Desktop and the MCP server:

1. Update your Claude Desktop configuration to use the debug proxy:

{
  "mcpServers": {
    "MalwareAnalysisMCP": {
      "command": "node",
      "args": [
        "/path/to/MalwareAnalysisMCP/mcp-debug-proxy.js"
      ]
    }
  }
}

1. Check the logs in the logs directory

Compatibility Notes

• Requires Node.js 18 or higher
• Compatible with Node.js v22+ using ESM modules

API

Basic Tools

shell_command

Executes a terminal command and returns its process ID, output, and blocked status.

Parameters:

• command (string): The command to execute in the terminal
• timeout_ms (number, optional): Timeout in milliseconds (default: 30000)

Returns:

• pid (number): Process ID
• output (string): Command output
• isBlocked (boolean): Whether the command execution is blocked/timed out

read_output

Reads output from a running or completed process.

Parameters:

• pid (number): The process ID to read output from

Returns:

• output (string | null): The process output, or null if the process is not found

Specialized Malware Analysis Tools

The following specialized tools are available for malware analysis:

file

Analyze a file and determine its type.

Parameters:

• target (string): Target file to analyze
• options (string, optional): Additional command-line options

Example:

{
  "target": "suspicious.exe",
  "options": "-b"
}

strings

Extract printable strings from a file.

Parameters:

• target (string): Target file to analyze
• minLength (number, optional): Minimum string length to display
• encoding (string, optional): String encoding (s=7-bit, S=8-bit, b=16-bit big-endian, l=16-bit little-endian, etc.)
• options (string, optional): Additional command-line options

Example:

{
  "target": "suspicious.exe",
  "minLength": 10,
  "encoding": "l"
}

hexdump

Display file contents in hexadecimal format.

Parameters:

• target (string): Target file to analyze
• length (number, optional): Number of bytes to display
• offset (number, optional): Starting offset in the file
• options (string, optional): Additional command-line options

Example:

{
  "target": "suspicious.exe",
  "length": 256,
  "offset": 1024
}

objdump

Display information from object files.

Parameters:

• target (string): Target file to analyze
• disassemble (boolean, optional): Disassemble executable sections
• headers (boolean, optional): Display the contents of the section headers
• options (string, optional): Additional command-line options

Example:

{
  "target": "suspicious.exe",
  "disassemble": true
}

xxd

Create a hexdump with ASCII representation.

Parameters:

• target (string): Target file to analyze
• length (number, optional): Number of bytes to display
• offset (number, optional): Starting offset in the file
• cols (number, optional): Format output into specified number of columns
• bits (boolean, optional): Switch to bits (binary) dump
• options (string, optional): Additional command-line options

Example:

{
  "target": "suspicious.exe",
  "cols": 16,
  "bits": true
}

License

ISC