Rogue Binary MCP

Death to Malware.

rbinmcp is Rogue Binary Model Context Protocol (MCP): a Docker-packaged binary analysis lab for AI agents. It supports reverse engineering, malware triage, and artifact comparison with compact tool responses that start cheap and move into heavier evidence on demand.

Instead of asking an agent to juggle local installs of radare2, Ghidra, ILSpy, binutils, and helper scripts, rbinmcp ships them together behind one MCP server. The tools are shaped for investigation: quick triage first, then focused r2, Ghidra, ILSpy, native, and Rust-backed views.

Public documentation: Rogue Binary Wiki

Contents

• Why Use It
• Quick Start
• Install
• Run From A Terminal
• Use The Tools
• How It Works
• First Analysis
• Supported Analysis
• Common Workflows
• Tool Map
• Cache And Paths

Why Use It

Need	What rbinmcp gives your agent
Unknown binary triage	Hashes, format, imports, strings, functions, and first-pass graph context
Deeper reverse engineering	Focused r2 and Ghidra views without dumping whole projects into context
Managed .NET inspection	ILSpy-backed inventory, search, member views, C#, and focused IL
Repeatable runtime	Docker image with the same backends, scripts, cache paths, and tool versions
Long outputs	Bounded responses with summaries, previews, and cache-backed overflow

• Give agents one repeatable binary analysis runtime through Docker.
• Keep large reverse-engineering outputs bounded and searchable.
• Move from a first-pass triage result into the exact backend view that answers the next question.
• Reuse cache-backed Ghidra imports, r2 sessions, and overflow files across runs.
• Inspect native PE, ELF, Mach-O, firmware-like blobs, binary diffs, and managed .NET assemblies from the same MCP surface.

Quick Start

Rogue Binary MCP runs through Docker. Add the server to your AI agent, mount the folder with your samples, and call the MCP tools.

1. Make sure Docker is installed and running.
2. Add Rogue Binary MCP to your AI agent as an MCP server.
3. Ask your agent to use the rbinmcp tools.

The registry name is:

io.github.kirkderp/rbinmcp

Install

Add Rogue Binary MCP from the MCP registry:

io.github.kirkderp/rbinmcp

For direct MCP configuration, use Docker as the server command. Replace /absolute/path/to/samples with the folder that contains the files for analysis.

The published OCI package is available for linux/amd64 and linux/arm64. Docker pulls the matching image for Intel/AMD Linux hosts, Apple Silicon Docker/Colima, and ARM Linux hosts.

Registry installs use the package version published through the MCP registry. Direct Docker configurations pin the GHCR tag shown below; when you want a newer release, update that tag and restart your MCP client so it launches a fresh container.

Mounts:

Mount	Purpose
/absolute/path/to/samples:/samples:ro	Gives the server read-only access to the sample folder
rbinmcp-cache:/cache/rbinmcp	Keeps Ghidra cache, r2 state, and large-output overflow between runs

Claude Code

claude mcp add rbinmcp -- \
  docker run --rm -i \
  -v /absolute/path/to/samples:/samples:ro \
  -v rbinmcp-cache:/cache/rbinmcp \
  ghcr.io/kirkderp/rbinmcp:1.3.0

Then run /mcp in Claude Code and confirm rbinmcp is connected.

Claude Desktop And JSON MCP Clients

Add this to your MCP server configuration:

{
  "mcpServers": {
    "rbinmcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-v",
        "/absolute/path/to/samples:/samples:ro",
        "-v",
        "rbinmcp-cache:/cache/rbinmcp",
        "ghcr.io/kirkderp/rbinmcp:1.3.0"
      ]
    }
  }
}

TOML MCP Clients

Add this to the MCP server section of your agent config:

[mcp_servers.rbinmcp]
command = "docker"
args = ["run", "--rm", "-i", "-v", "/absolute/path/to/samples:/samples:ro", "-v", "rbinmcp-cache:/cache/rbinmcp", "ghcr.io/kirkderp/rbinmcp:1.3.0"]

Run From A Terminal

Start the MCP server with Docker:

docker run --rm -i \
  -v /absolute/path/to/samples:/samples:ro \
  -v rbinmcp-cache:/cache/rbinmcp \
  ghcr.io/kirkderp/rbinmcp:1.3.0

Replace /absolute/path/to/samples with a real folder on your machine. Inside MCP tool calls, that folder appears as /samples, so a file named app.exe becomes /samples/app.exe.

Use The Tools

After connection, your AI agent shows tools named like:

• triage_binary
• static_view
• dotnet_inventory
• r2_function_view
• ghidra_import

Use those MCP tools from the agent. Normal analysis happens through the tool list.

Use container paths in tool calls. A mounted file at /absolute/path/to/samples/app.exe appears as /samples/app.exe.

Example prompt:

Use rbinmcp to triage /samples/app.exe. Start with get_backend_status and triage_binary, then use static_view and binary_capabilities to decide where to look next.

The image includes rbm-server, Ghidra, bundled Ghidra postScripts, radare2, radiff2, file, strings, objdump, ilspycmd, Rust-native analysis code, and the default cache layout.

How It Works

AI agent
  -> rbinmcp tools exposed through MCP
  -> Docker starts the rbinmcp server
  -> bundled backends inspect your mounted samples
  -> compact JSON results return to the agent

Docker is the runtime boundary. The agent interface is the MCP tool list.

First Analysis

For an unknown binary, start here:

1. get_backend_status to confirm the bundled backends are available.
2. triage_binary for hashes, format, sections, imports, strings, function stats, and callgraph summary.
3. static_view with mode=info for cheap PE, ELF, or Mach-O metadata.
4. binary_security_properties for loader and hardening evidence.
5. binary_capabilities for ranked API and behavior families.
6. static_callgraph for calls, fanout, and function neighborhoods.

Then narrow:

• Use r2_lookup_address only to identify the containing symbol or function.
• Use r2_function_view for fast function-level context.
• Use ghidra_import once, then query focused Ghidra decompiler views from the cache.
• Use dotnet_inventory, dotnet_search, dotnet_token_view, dotnet_il_view, and dotnet_decompile for managed .NET assemblies.
• Use binary_diff to compare related artifacts.

Run list_tools from an MCP client for the live tool list.

Supported Analysis

Native Binaries

rbinmcp inspects PE, ELF, Mach-O, universal Mach-O slices, archives, and raw byte blobs. Static parsers cover headers, sections, imports, exports, relocations, libraries, entry points, security properties, entropy, compiler and packer hints, crypto constants, and component evidence.

r2 And Ghidra

Use radare2 for quick sessions, function lists, search, disassembly, decompilation, references, variable xrefs, ESIL access summaries, and compact function views.

Use Ghidra for decompiler-backed evidence: function inventory, xrefs, decompiler calls, callsite facts, P-code, CFGs, variables, memory behavior, targeted slices, and persistent project annotations.

Ghidra imports are cache-backed by SHA-256. Import once, then use warm-path tools for later queries.

.NET Assemblies

The ILSpy-backed tools are designed around a focused workflow:

1. dotnet_inventory lists managed classes, interfaces, structs, delegates, and enums. Use format=names for a compact type-name list.
2. dotnet_search finds types, member signatures, DllImports, string references, and literal lines.
3. dotnet_type_outline gives a compact view of fields, properties, methods, delegates, nested types, DllImports, and string tokens.
4. dotnet_member_view extracts one method, property, field, DllImport, or IL method block.
5. dotnet_token_view resolves exact CLR metadata tokens such as MethodDef, FieldDef, MemberRef, MethodSpec, TypeRef/TypeDef, TypeSpec, and UserString. Set include_il=true for MethodDef tokens when exact instruction rows are needed.
6. dotnet_il_view returns structured IL rows, offsets, token operand displays, call references, and field references by MethodDef token or by type_name plus member_name.
7. dotnet_decompile returns one type as C# or focused IL. It defaults to a compact source preview; raise max_code_chars when full source is needed.

Use binary_component_profile or compiler_packer_detect to identify managed PE files. Non-.NET PE files return a short error instead of an ILSpy stack trace.

Native Tool Wrappers

The server also wraps file, strings, objdump, radiff2, and the Rust binwalk crate. These are useful for file typing, bounded string extraction, section and disassembly views, binary comparison, and embedded signature scans.

Runtime Artifacts

When a sandbox, debugger, emulator, or trace workflow already produced runtime maps, rbinmcp can turn those artifacts into static pivots without owning the tracer. Use runtime_maps_profile for /proc/<pid>/maps, TraceAnalysis-style maps.out / maps.jsonl, or debugger module lists. Use runtime_address_map to map a runtime VA to a module, module offset, probable local file path, and next r2 or Ghidra calls.

Use trace_artifacts_profile on a trace output directory to inventory executable markers, maps, sysroot captures, trace/event files, analyzed outputs, Ghidra projects, memory dumps, and missing pieces before choosing the next focused tool.

Use executed_regions_profile on an existing basic-block, function-hit, or address-hit summary to rank hot, rare, unmapped, or runtime-generated regions and map them back to module offsets when a maps artifact is available.

Use runtime_events_profile on an existing syscall, API, sandbox, debugger, or runtime event log to summarize event categories and map address-bearing events back to static pivots when a maps artifact is available.

Use runtime_memory_dumps_profile on dump files or dump directories to identify executable blobs, string inventories, import-like strings, inferred runtime addresses, and raw-blob import candidates for follow-up analysis.

Common Workflows

Quick triage:

1. get_backend_status
2. file_identify
3. triage_binary
4. static_view with mode=info
5. binary_security_properties
6. binary_capabilities
7. strings_extract

Function investigation:

1. static_callgraph
2. Pick a high-signal function from connected functions, external fanout, or capability evidence.
3. r2_function_view with mode=analyze
4. r2_function_view with mode=cfg or mode=refs
5. ghidra_decompiler_calls or ghidra_callsite_facts after narrowing.

.NET investigation:

1. binary_component_profile
2. dotnet_inventory
3. dotnet_search
4. dotnet_type_outline
5. dotnet_member_view or dotnet_decompile
6. dotnet_token_view and dotnet_il_view when tokens or IL offsets need exact evidence.

Packed or staged binary:

1. entropy_profile
2. compiler_packer_detect
3. binwalk_scan
4. r2_path_digest or r2_field_xrefs with default caps for first-pass path and field evidence.
5. Raise max_events or max_rows only after the compact result shows useful evidence.
6. ghidra_dynamic_dispatch_table for suspected dispatchers.

Binary comparison:

1. file_identify for both files.
2. binary_diff with mode=code.
3. binary_diff with mode=graph.
4. binary_diff with mode=bytes. This defaults to count-only byte evidence; set max_byte_diff_ranges when representative ranges are needed.

Tool Map

• Discovery and help: list_tools, lookup_tool, get_workflow, lookup_error, get_backend_status
• First pass: triage_binary, file_identify, static_view, strings_extract
• Static analysis: binary_security_properties, static_callgraph, binary_capabilities, fuzzable_functions, binary_component_profile
• Detection: entropy_profile, compiler_packer_detect, crypto_detect, dll_export_profile
• Runtime artifacts: trace_artifacts_profile, runtime_maps_profile, runtime_address_map, executed_regions_profile, runtime_events_profile, runtime_memory_dumps_profile
• r2: r2_open, r2_metadata, r2_find, r2_function_view, r2_disassemble, r2_decompile, r2_xrefs, r2_var_xrefs
• Ghidra: ghidra_import, ghidra_inventory, ghidra_decompiler_calls, ghidra_callsite_facts, ghidra_cfg, ghidra_pcode, ghidra_variables
• .NET: dotnet_inventory, dotnet_search, dotnet_type_outline, dotnet_member_view, dotnet_token_view, dotnet_il_view, dotnet_decompile
• Native wrappers: objdump_view, objdump_search_disasm, binary_diff, binwalk_scan

The live MCP registry is the source of truth. Use list_tools for exact schemas and descriptions.

Cache And Paths

The default Docker command above mounts a named cache volume at /cache/rbinmcp.

Cache contents:

• overflow/ for large MCP responses written by the output guard
• ghidra/ for per-SHA-256 Ghidra projects
• r2_sessions/ for r2 session state
• tmp/ for temporary tool files

Useful environment variables:

• RBINMCP_CACHE_DIR sets the cache root.
• GHIDRA_INSTALL_DIR sets the Ghidra install root.
• RBINMCP_GHIDRA_SCRIPTS_DIR sets the Ghidra scripts directory.
• RBINMCP_GHIDRA_TIMEOUT sets the normal Ghidra call timeout in seconds. Default: 60.
• RBINMCP_GHIDRA_IMPORT_TIMEOUT sets the Ghidra import timeout in seconds. Default: 900.
• RBINMCP_R2_OPEN_TIMEOUT sets the radare2 open timeout in seconds. Default: 120.
• RBINMCP_NATIVE_TIMEOUT sets the native tool timeout in seconds. Default: 60.

Security And License

Security reporting: SECURITY.md

License: MIT