MalwareAnalyzerMCP
A specialized MCP server for Claude Desktop that allows executing terminal commands for malware analysis.
Features
- Execute terminal commands with configurable timeouts
- Read output from running or completed processes
- Specialized malware analysis commands (
file,strings,hexdump,objdump,xxd) - Clean process management with graceful shutdowns
- Pure JavaScript implementation - no build step required
Installation
# Install dependencies
npm install
Usage
Running the Server
# Start the server directly
node index.js
# Or use npm script
npm start
# With debugging proxy (logs all communications)
npm run debug
Integration with Claude Desktop
To integrate this MCP server with Claude Desktop:
- Open Claude Desktop's settings (Claude menu → Settings)
- Click on "Developer" and then "Edit Config"
- Update your configuration to include:
{
"mcpServers": {
"MalwareAnalysisMCP": {
"command": "node",
"args": [
"/path/to/MalwareAnalysisMCP/index.js"
]
}
}
}
Note: Replace
/path/to/MalwareAnalysisMCPwith the actual path to your project directory.
- Restart Claude Desktop
Debugging
To see all communication between Claude Desktop and the MCP server:
- Update your Claude Desktop configuration to use the debug proxy:
{
"mcpServers": {
"MalwareAnalysisMCP": {
"command": "node",
"args": [
"/path/to/MalwareAnalysisMCP/mcp-debug-proxy.js"
]
}
}
}
- Check the logs in the
logsdirectory
Compatibility Notes
- Requires Node.js 18 or higher
- Compatible with Node.js v22+ using ESM modules
API
Basic Tools
shell_command
Executes a terminal command and returns its process ID, output, and blocked status.
Parameters:
command(string): The command to execute in the terminaltimeout_ms(number, optional): Timeout in milliseconds (default: 30000)
Returns:
pid(number): Process IDoutput(string): Command outputisBlocked(boolean): Whether the command execution is blocked/timed out
read_output
Reads output from a running or completed process.
Parameters:
pid(number): The process ID to read output from
Returns:
output(string | null): The process output, or null if the process is not found
Specialized Malware Analysis Tools
The following specialized tools are available for malware analysis:
file
Analyze a file and determine its type.
Parameters:
target(string): Target file to analyzeoptions(string, optional): Additional command-line options
Example:
{
"target": "suspicious.exe",
"options": "-b"
}
strings
Extract printable strings from a file.
Parameters:
target(string): Target file to analyzeminLength(number, optional): Minimum string length to displayencoding(string, optional): String encoding (s=7-bit, S=8-bit, b=16-bit big-endian, l=16-bit little-endian, etc.)options(string, optional): Additional command-line options
Example:
{
"target": "suspicious.exe",
"minLength": 10,
"encoding": "l"
}
hexdump
Display file contents in hexadecimal format.
Parameters:
target(string): Target file to analyzelength(number, optional): Number of bytes to displayoffset(number, optional): Starting offset in the fileoptions(string, optional): Additional command-line options
Example:
{
"target": "suspicious.exe",
"length": 256,
"offset": 1024
}
objdump
Display information from object files.
Parameters:
target(string): Target file to analyzedisassemble(boolean, optional): Disassemble executable sectionsheaders(boolean, optional): Display the contents of the section headersoptions(string, optional): Additional command-line options
Example:
{
"target": "suspicious.exe",
"disassemble": true
}
xxd
Create a hexdump with ASCII representation.
Parameters:
target(string): Target file to analyzelength(number, optional): Number of bytes to displayoffset(number, optional): Starting offset in the filecols(number, optional): Format output into specified number of columnsbits(boolean, optional): Switch to bits (binary) dumpoptions(string, optional): Additional command-line options
Example:
{
"target": "suspicious.exe",
"cols": 16,
"bits": true
}
License
ISC