Skillget

rbinmcp

mcp
Security Audit
Warn
Health Warn
  • License — License: MIT
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 9 GitHub stars
Code Pass
  • Code scan — Scanned 9 files during light audit, no dangerous patterns found
Permissions Pass
  • Permissions — No dangerous permissions requested
Purpose

This tool is a Model Context Protocol (MCP) server designed to give AI agents the ability to perform static analysis, reverse engineering, and malware triage on binary files. It integrates with established analysis frameworks like radare2 and Ghidra.

Security Assessment

Overall risk: Medium. The server is built to analyze potentially dangerous malware samples, meaning it inherently processes untrusted, risky files. To function properly, it relies heavily on executing external shell commands and system utilities—such as `file`, `strings`, `objdump`, and radare2—on the host machine. The automated code scan found no hardcoded secrets or malicious patterns within the server's own source code, and it does not require dangerous OS permissions. However, running external tools against unknown binaries always carries an inherent execution risk that relies on the host environment's isolation.

Quality Assessment

The project is actively maintained, with its most recent code push occurring today. It is properly licensed under the permissive MIT license. However, it currently has low community visibility with only 9 GitHub stars. Because of this low footprint, the project has not undergone widespread peer review or security auditing by the broader infosec community, so trust is placed primarily in the active maintainer.

Verdict

Use with caution: the server's own code is safe, but because it automatically orchestrates external system tools to analyze potentially malicious files, it should only be run in secure, isolated environments.
SUMMARY

Rogue Binary MCP (rbinmcp) is a Rust MCP server for binary analysis, reverse engineering, and malware triage.

README.md

Rogue Binary MCP

Death to Malware.

rbinmcp is a Rust MCP server for binary analysis, reverse engineering, and malware triage. It is built specifically for AI agents, with compact outputs, focused follow-up tools, and source navigation designed to keep analysis token cost low.

The project is intentionally focused on binary work. The production MCP surface helps an agent inspect binaries, collect evidence, compare artifacts, and navigate the codebase cheaply while maintaining these tools.

Public documentation: Rogue Binary Wiki

What It Provides

  • Fast first-pass binary triage through triage_binary
  • Static PE, ELF, and Mach-O parsing through static_view
  • radare2-backed sessions, metadata, search, disassembly, decompilation, xrefs, traces, and compact function projections
  • Ghidra-backed import, cached project inspection, decompilation, CFGs, xrefs, P-code, callsite facts, and targeted analysis slices
  • Native wrappers for file, strings, objdump, radiff2, and the Rust binwalk crate
  • Pure Rust analysis for hardening/security properties, static call graphs, capability clustering, fuzzable-function suggestions, component evidence, entropy, compiler and packer hints, crypto constants, DLL export shape, MBA simplification, and VM bytecode helpers
  • AI-agent usability helpers for tool discovery, backend status, workflows, error guidance, repo navigation, validation suggestions, and local Ghidra/r2 reference lookup

Run list_tools from an MCP client for the authoritative live tool list. The current server surface is generated from the registered handlers and pinned by tests.

Start Here

Use these tools first when analyzing an unknown binary:

  • get_backend_status - confirm which optional backends are available
  • list_tools or lookup_tool - discover the exact live surface
  • triage_binary - file hashes, format, sections, imports, function stats, strings, xref-heavy functions, and call-graph summary
  • static_view - quick PE/ELF/Mach-O metadata without opening r2
  • binary_security_properties - Rust-native hardening posture with direct evidence and bounded output
  • static_callgraph - Rust-native x86/x64 call graph summary with paged nodes, edges, confidence, and external fanout
  • binary_capabilities - ranked capability families with import/callgraph evidence and source function attachments
  • fuzzable_functions - bounded fuzz target suggestions with evidence and follow-up tool calls
  • binary_component_profile - high-confidence component evidence, imported libraries, and low-confidence runtime hints
  • r2_open then r2_function_view - cheap function triage and compact control-flow context
  • ghidra_import then ghidra_decompiler_calls - import once, then query focused decompiler projections
  • ghidra_callsite_facts - listing-grounded call argument evidence when pseudocode may be misleading

Tool Families

Orchestration

  • triage_binary builds a compact multi-backend overview for one binary.
  • int_convert converts decimal, hex, binary, and octal values with printable ASCII context.

Static Parsing

  • static_view reads PE, ELF, and Mach-O metadata through goblin.
  • Supported static modes include format info, sections, imports, exports, relocations, libraries, and entry points.
  • Universal/fat Mach-O containers are projected through a selected architecture slice so agents can inspect real sections, imports, libraries, and entry points without a separate preprocessing step.
  • export_hash_resolve resolves API/export hashes against local PE/DLL export corpora and optional candidates.

Native Tools

  • file_identify wraps file(1) for human file type and MIME type.
  • strings_extract wraps strings(1) with structured limits and offsets.
  • objdump_view exposes mode-driven headers, disassembly, section dumps, and archive-member views.
  • objdump_search_disasm searches objdump disassembly and returns contextual matches.
  • binary_diff wraps radiff2 for code, graph, and byte-oriented binary diffs.
  • binwalk_scan uses the Rust binwalk crate for embedded signature scans.

radare2 Tools

  • Session lifecycle: r2_open, r2_close, r2_sessions, and r2_cmd.
  • Metadata and inventory: r2_metadata, r2_find, r2_classes, r2_imports_grouped, and r2_lookup_address.
  • Code views: r2_disassemble, r2_decompile, and r2_function_view.
  • References and flow: r2_xrefs, r2_trace_data_flow, r2_value_trace, and r2_var_xrefs.
  • Focused binary projections: r2_path_digest, r2_artifact_summary, r2_field_xrefs, r2_jump_table_slices, and r2_esil_accesses.
  • Byte and expression helpers: r2_get_bytes and r2_calculate.

Prefer r2_function_view mode analyze for first-pass function triage, then use mode cfg, refs, vars, profile, or strings when narrowing the question.

Ghidra Tools

  • Availability and cache: ghidra_check, ghidra_import, ghidra_project_binaries, ghidra_binary_metadata, and ghidra_delete_binary.
  • Inventory and search: ghidra_inventory, ghidra_xrefs, ghidra_search_bytes, ghidra_read_bytes, and symbol/string/data modes through inventory.
  • Code views: ghidra_decompile, ghidra_decompile_meta, ghidra_disassemble, ghidra_pcode, ghidra_cfg, and ghidra_decompiler_cfg.
  • Decompiler projections: ghidra_decompiler_calls, ghidra_decompiler_block_behavior, ghidra_decompiler_memory, and ghidra_decompiler_divergence.
  • Function evidence: ghidra_callsite_slices, ghidra_callsite_facts, ghidra_function_checkpoints, ghidra_function_dossier, ghidra_path_digest, ghidra_variables, and ghidra_thunk_target.
  • Specialized reverse-engineering views: ghidra_dynamic_dispatch_table, ghidra_context_api_slots, ghidra_jump_table_field_summary, ghidra_field_flow, ghidra_field_lineage, ghidra_indirect_jump_slices, and ghidra_local_buffer_slices.
  • Persistent project edits: ghidra_rename_function, ghidra_set_function_prototype, ghidra_set_bookmark, ghidra_set_comment, ghidra_create_label, and ghidra_create_function.

Import is cache-backed by SHA-256. Most read tools use the warm path with analyzeHeadless -process <name> -noanalysis, so the expensive import and analysis work happens once per binary.

For large targets, use ghidra_decompiler_calls first, then narrow with ghidra_decompiler_block_behavior, ghidra_decompiler_memory, or ghidra_callsite_facts.

Analysis Tools

  • binary_security_properties reports Rust-native loader and hardening properties for PE, ELF, and Mach-O: NX/DEP, PIE/ASLR, RELRO/bind-now, executable stack, RPATH/RUNPATH, PE CFG/SafeSEH/Authenticode indicators, and Mach-O code signature/hardened-runtime hints.
  • static_callgraph builds a bounded Rust-native x86/x64 graph from PE, ELF, and Mach-O executable sections using iced-x86, with function seeds from entry points, exports, symbols, PE unwind ranges, section starts, and direct call targets. It resolves static import thunks and stubs where evidence is available, then reports direct calls, tailcalls, import/API fanout, top connected functions, and per-edge confidence.
  • binary_capabilities clusters imports, symbols, and static-callgraph external calls into capability families such as network, file I/O, process/thread, registry, crypto, compression, anti-debug, dynamic loading, and memory allocation/protection.
  • fuzzable_functions ranks functions by parser/decoder/input-handling names, proximity to file/network/compression APIs, callgraph position, and thunk/runtime penalties. Results are fuzzing-interest suggestions with evidence, not vulnerability claims.
  • binary_component_profile separates high-confidence components, imported shared libraries, and low-confidence runtime/package hints. The first pass supports Go build info, Rust cargo-auditable .dep-v0 sections when decodable, imported library inventory, and .NET runtime hints.
  • entropy_profile scores section entropy and packer likelihood.
  • compiler_packer_detect identifies compiler, runtime, packer, and protector hints.
  • crypto_detect scans bytes for common crypto constants.
  • dll_export_profile analyzes DLL exports, dispatch shape, lifecycle hints, and plugin/host indicators.

The rbm-analysis crate also contains reusable Rust helpers for MBA simplification and VM bytecode/opcode analysis. Those internals are kept behind focused MCP tools unless a projection is useful for active binary work.

AI-Agent Usability And Reference Helpers

These are intentionally allowed even though they are not binary-analysis tools, because they reduce context cost while using and maintaining rbinmcp:

  • Tool discovery: list_tools, lookup_tool, lookup_r2_cmd, and get_workflow
  • Runtime help: get_backend_status, get_architecture, get_ghidra_info, and lookup_error
  • Source navigation: get_repo_overview, get_crate_overview, get_module_overview, get_file_overview, get_test_overview, search_repo_functions, search_repo_types, search_repo_tests, search_tool_handlers, and suggest_validation
  • Reference indexes: get_ghidra_reference_info, refresh_ghidra_reference, lookup_ghidra_reference, get_r2_reference_info, refresh_r2_reference, and lookup_r2_reference

Use the reference helpers before changing Ghidra Java scripts, r2 command projections, or backend-specific assumptions.

Architecture

The repository is a Rust workspace:

  • crates/rbm-server - MCP server, tool registration, thin MCP adapters, and cross-backend services
  • crates/rbm-core - config, cache paths, common errors, output guarding, and shared utility types
  • crates/rbm-r2 - primitive radare2 session, command, metadata, disassembly, search, trace, and projection logic
  • crates/rbm-ghidra - Ghidra project cache, analyzeHeadless orchestration, warm-path extractors, and typed result models
  • crates/rbm-native - wrappers around native tools and subprocess execution
  • crates/rbm-static - static PE/ELF/Mach-O parsing through goblin
  • crates/rbm-analysis - pure Rust analysis helpers and structured binary heuristics
  • ghidra_scripts/ - Java postScripts used by the Ghidra warm-path tools

Within rbm-server, src/tools/*_live.rs should stay thin. Tool handlers adapt MCP parameters and errors. Cross-backend orchestration belongs in src/services/. Backend crates own primitive execution and analysis logic.

Install

Required:

  • Rust stable 1.85 or newer

Optional runtime backends:

  • radare2 for r2_* tools
  • Ghidra for ghidra_* tools
  • file, strings, objdump, and radiff2 for native wrappers

Build a release server:

git clone https://github.com/kirkderp/rbinmcp.git
cd rbinmcp
cargo build --release --bin rbm-server

The built binary is:

target/release/rbm-server

Optional local install:

cargo install --path crates/rbm-server

Run

rbm-server currently supports stdio transport:

target/release/rbm-server --transport stdio --log-level info

For local development:

cargo run --release --bin rbm-server -- --transport stdio --log-level debug

Generic MCP client command:

{
  "command": "/absolute/path/to/rbinmcp/target/release/rbm-server",
  "args": ["--transport", "stdio", "--log-level", "info"]
}

Configuration

Environment variables:

  • RBINMCP_CACHE_DIR - override the cache root
  • GHIDRA_INSTALL_DIR - Ghidra install root
  • RBINMCP_GHIDRA_SCRIPTS_DIR - override bundled script directory
  • RBINMCP_GHIDRA_TIMEOUT - standard Ghidra call timeout in seconds, default 60
  • RBINMCP_GHIDRA_IMPORT_TIMEOUT - Ghidra import timeout in seconds, default 900
  • RBINMCP_R2_OPEN_TIMEOUT - radare2 open timeout in seconds, default 120
  • RBINMCP_NATIVE_TIMEOUT - native tool timeout in seconds, default 60

Default cache root is the platform user cache directory plus rbinmcp, unless RBINMCP_CACHE_DIR is set.

Cache contents:

  • overflow/ for large MCP responses written by the output guard
  • ghidra/ for per-SHA-256 Ghidra projects
  • r2_sessions/ for r2 session state
  • tmp/ for temporary tool files

Recommended Workflows

Quick triage:

  1. get_backend_status
  2. file_identify
  3. triage_binary
  4. static_view with mode=info
  5. binary_security_properties
  6. static_callgraph
  7. binary_capabilities
  8. fuzzable_functions
  9. binary_component_profile
  10. strings_extract

Quick binary posture:

  1. file_identify
  2. static_view with mode=info
  3. binary_security_properties
  4. entropy_profile
  5. compiler_packer_detect
  6. binary_component_profile

Callgraph-first triage:

  1. static_view with mode=info
  2. static_callgraph with default paging
  3. binary_capabilities to rank API families and source functions
  4. Pick a high-signal function from top_connected_functions, external_api_fanout, or capability evidence
  5. r2_function_view with mode=analyze
  6. ghidra_decompiler_calls only after narrowing the function

Capability triage:

  1. static_view with mode=imports
  2. binary_capabilities
  3. Pivot from a ranked capability source function into r2_function_view
  4. Use ghidra_decompiler_calls or ghidra_callsite_facts only for the narrowed function

Fuzz target discovery:

  1. static_callgraph with bounded paging
  2. binary_capabilities to identify input-facing API families
  3. fuzzable_functions to rank parser, decoder, unpacking, and input-handling candidates
  4. r2_function_view on a candidate address before drafting a harness
  5. ghidra_callsite_facts for exact argument setup at selected input API callsites

Component inventory:

  1. static_view with mode=info
  2. binary_component_profile
  3. Review identified_components, imported_libraries, and low_confidence_hints separately
  4. Use strings_extract only when a low-confidence runtime hint needs manual confirmation

r2 function analysis:

  1. r2_open
  2. r2_metadata with mode=functions
  3. r2_function_view with mode=analyze
  4. r2_function_view with mode=cfg or mode=refs
  5. r2_disassemble or r2_decompile only after narrowing the target

Ghidra decompiler workflow:

  1. ghidra_check
  2. ghidra_import
  3. ghidra_project_binaries
  4. ghidra_inventory with mode=functions
  5. ghidra_decompiler_calls
  6. ghidra_callsite_facts for exact listing-grounded call setup
  7. ghidra_cfg when decompiler CFG is invalid, timed out, or too transformed

Packed or staged binary workflow:

  1. entropy_profile
  2. binwalk_scan
  3. compiler_packer_detect
  4. r2_path_digest or ghidra_path_digest
  5. ghidra_dynamic_dispatch_table when a hash/API dispatcher is suspected

Binary comparison workflow:

  1. file_identify for both files
  2. binary_diff with mode=code
  3. binary_diff with mode=graph
  4. binary_diff with mode=bytes

Maintenance workflow:

  1. get_repo_overview
  2. search_tool_handlers for a tool name
  3. get_file_overview before editing
  4. suggest_validation to choose tests
  5. lookup_ghidra_reference or lookup_r2_reference before changing backend-specific APIs

Development

Core checks:

cargo fmt --check
cargo clippy --workspace --all-targets -- -D warnings
cargo test --workspace
RUSTDOCFLAGS="-D warnings" cargo doc --workspace --no-deps

Build all workspace crates:

cargo build --workspace

Run ignored integration suites only when the matching external backend is installed:

cargo test -p rbm-r2 --features integration-r2 -- --ignored
cargo test -p rbm-ghidra --features integration-ghidra -- --ignored

The workspace uses strict linting:

  • Rust edition 2024
  • clippy::all, clippy::pedantic, clippy::nursery, and clippy::cargo denied
  • dbg!, todo!, unimplemented!, undocumented unsafe blocks, and unsafe operations in unsafe functions denied
  • multiple_crate_versions allowed because required tool crates currently pull incompatible transitive dependency lines

Design Principles

The public MCP surface is optimized for binary analysis by AI agents. Tools should produce compact, deterministic evidence that can be chained into follow-up calls without forcing the client to read unbounded payloads.

  • Prefer focused projections over raw backend dumps
  • Keep schemas stable and additive
  • Use summaries, counts, previews, and pagination for large results
  • Preserve escape hatches such as r2_cmd when a backend-specific command is still necessary
  • Keep source navigation and reference lookup cheap enough to use during active maintenance

Security And License

Reviews (0)

No results found