MalwareAnalyzerMCP
A specialized MCP server for Claude Desktop that allows executing terminal commands for malware analysis.
Features
- Execute terminal commands with configurable timeouts
- Read output from running or completed processes
- Specialized malware analysis commands (
file,strings,hexdump,objdump,xxd) - Clean process management with graceful shutdowns
- Pure JavaScript implementation - no build step required
Installation
Install dependencies
npm install
Usage
Running the Server
Start the server directly
node index.js
Or use npm script
npm start
With debugging proxy (logs all communications)
npm run debug
Integration with Claude Desktop
To integrate this MCP server with Claude Desktop:
- Open Claude Desktop's settings (Claude menu → Settings)
- Click on "Developer" and then "Edit Config"
- Update your configuration to include:
{ "mcpServers": { "MalwareAnalysisMCP": { "command": "node", "args": [ "/path/to/MalwareAnalysisMCP/index.js" ] } } }
Note: Replace
/path/to/MalwareAnalysisMCPwith the actual path to your project directory.
- Restart Claude Desktop
Debugging
To see all communication between Claude Desktop and the MCP server:
- Update your Claude Desktop configuration to use the debug proxy:
{ "mcpServers": { "MalwareAnalysisMCP": { "command": "node", "args": [ "/path/to/MalwareAnalysisMCP/mcp-debug-proxy.js" ] } } }
- Check the logs in the
logsdirectory
Compatibility Notes
- Requires Node.js 18 or higher
- Compatible with Node.js v22+ using ESM modules
API
Basic Tools
shell_command
Executes a terminal command and returns its process ID, output, and blocked status.
Parameters:
command(string): The command to execute in the terminaltimeout_ms(number, optional): Timeout in milliseconds (default: 30000)
Returns:
pid(number): Process IDoutput(string): Command outputisBlocked(boolean): Whether the command execution is blocked/timed out
read_output
Reads output from a running or completed process.
Parameters:
pid(number): The process ID to read output from
Returns:
output(string | null): The process output, or null if the process is not found
Specialized Malware Analysis Tools
The following specialized tools are available for malware analysis:
file
Analyze a file and determine its type.
Parameters:
target(string): Target file to analyzeoptions(string, optional): Additional command-line options
Example:
{ "target": "suspicious.exe", "options": "-b" }
strings
Extract printable strings from a file.
Parameters:
target(string): Target file to analyzeminLength(number, optional): Minimum string length to displayencoding(string, optional): String encoding (s=7-bit, S=8-bit, b=16-bit big-endian, l=16-bit little-endian, etc.)options(string, optional): Additional command-line options
Example:
{ "target": "suspicious.exe", "minLength": 10, "encoding": "l" }
hexdump
Display file contents in hexadecimal format.
Parameters:
target(string): Target file to analyzelength(number, optional): Number of bytes to displayoffset(number, optional): Starting offset in the fileoptions(string, optional): Additional command-line options
Example:
{ "target": "suspicious.exe", "length": 256, "offset": 1024 }
objdump
Display information from object files.
Parameters:
target(string): Target file to analyzedisassemble(boolean, optional): Disassemble executable sectionsheaders(boolean, optional): Display the contents of the section headersoptions(string, optional): Additional command-line options
Example:
{ "target": "suspicious.exe", "disassemble": true }
xxd
Create a hexdump with ASCII representation.
Parameters:
target(string): Target file to analyzelength(number, optional): Number of bytes to displayoffset(number, optional): Starting offset in the filecols(number, optional): Format output into specified number of columnsbits(boolean, optional): Switch to bits (binary) dumpoptions(string, optional): Additional command-line options
Example:
{ "target": "suspicious.exe", "cols": 16, "bits": true }
License
ISC