@remnux/mcp-server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (220) hide show
  1. package/LICENSE +674 -0
  2. package/README.md +720 -0
  3. package/dist/archive-extractor.d.ts +46 -0
  4. package/dist/archive-extractor.d.ts.map +1 -0
  5. package/dist/archive-extractor.js +268 -0
  6. package/dist/archive-extractor.js.map +1 -0
  7. package/dist/catalog/index.d.ts +40 -0
  8. package/dist/catalog/index.d.ts.map +1 -0
  9. package/dist/catalog/index.js +114 -0
  10. package/dist/catalog/index.js.map +1 -0
  11. package/dist/cli.d.ts +3 -0
  12. package/dist/cli.d.ts.map +1 -0
  13. package/dist/cli.js +154 -0
  14. package/dist/cli.js.map +1 -0
  15. package/dist/config/archive-passwords.txt +3 -0
  16. package/dist/connectors/docker.d.ts +13 -0
  17. package/dist/connectors/docker.d.ts.map +1 -0
  18. package/dist/connectors/docker.js +201 -0
  19. package/dist/connectors/docker.js.map +1 -0
  20. package/dist/connectors/index.d.ts +27 -0
  21. package/dist/connectors/index.d.ts.map +1 -0
  22. package/dist/connectors/index.js +23 -0
  23. package/dist/connectors/index.js.map +1 -0
  24. package/dist/connectors/local.d.ts +10 -0
  25. package/dist/connectors/local.d.ts.map +1 -0
  26. package/dist/connectors/local.js +105 -0
  27. package/dist/connectors/local.js.map +1 -0
  28. package/dist/connectors/ssh.d.ts +21 -0
  29. package/dist/connectors/ssh.d.ts.map +1 -0
  30. package/dist/connectors/ssh.js +237 -0
  31. package/dist/connectors/ssh.js.map +1 -0
  32. package/dist/errors/error-mapper.d.ts +9 -0
  33. package/dist/errors/error-mapper.d.ts.map +1 -0
  34. package/dist/errors/error-mapper.js +24 -0
  35. package/dist/errors/error-mapper.js.map +1 -0
  36. package/dist/errors/remnux-error.d.ts +14 -0
  37. package/dist/errors/remnux-error.d.ts.map +1 -0
  38. package/dist/errors/remnux-error.js +19 -0
  39. package/dist/errors/remnux-error.js.map +1 -0
  40. package/dist/file-type-mappings.d.ts +30 -0
  41. package/dist/file-type-mappings.d.ts.map +1 -0
  42. package/dist/file-type-mappings.js +136 -0
  43. package/dist/file-type-mappings.js.map +1 -0
  44. package/dist/file-upload.d.ts +44 -0
  45. package/dist/file-upload.d.ts.map +1 -0
  46. package/dist/file-upload.js +170 -0
  47. package/dist/file-upload.js.map +1 -0
  48. package/dist/handlers/analyze-file.d.ts +10 -0
  49. package/dist/handlers/analyze-file.d.ts.map +1 -0
  50. package/dist/handlers/analyze-file.js +149 -0
  51. package/dist/handlers/analyze-file.js.map +1 -0
  52. package/dist/handlers/check-tools.d.ts +9 -0
  53. package/dist/handlers/check-tools.d.ts.map +1 -0
  54. package/dist/handlers/check-tools.js +47 -0
  55. package/dist/handlers/check-tools.js.map +1 -0
  56. package/dist/handlers/download-file.d.ts +10 -0
  57. package/dist/handlers/download-file.d.ts.map +1 -0
  58. package/dist/handlers/download-file.js +113 -0
  59. package/dist/handlers/download-file.js.map +1 -0
  60. package/dist/handlers/download-from-url.d.ts +30 -0
  61. package/dist/handlers/download-from-url.d.ts.map +1 -0
  62. package/dist/handlers/download-from-url.js +295 -0
  63. package/dist/handlers/download-from-url.js.map +1 -0
  64. package/dist/handlers/extract-archive.d.ts +10 -0
  65. package/dist/handlers/extract-archive.d.ts.map +1 -0
  66. package/dist/handlers/extract-archive.js +57 -0
  67. package/dist/handlers/extract-archive.js.map +1 -0
  68. package/dist/handlers/extract-iocs.d.ts +10 -0
  69. package/dist/handlers/extract-iocs.d.ts.map +1 -0
  70. package/dist/handlers/extract-iocs.js +21 -0
  71. package/dist/handlers/extract-iocs.js.map +1 -0
  72. package/dist/handlers/get-file-info.d.ts +10 -0
  73. package/dist/handlers/get-file-info.d.ts.map +1 -0
  74. package/dist/handlers/get-file-info.js +89 -0
  75. package/dist/handlers/get-file-info.js.map +1 -0
  76. package/dist/handlers/list-files.d.ts +10 -0
  77. package/dist/handlers/list-files.d.ts.map +1 -0
  78. package/dist/handlers/list-files.js +60 -0
  79. package/dist/handlers/list-files.js.map +1 -0
  80. package/dist/handlers/run-tool.d.ts +10 -0
  81. package/dist/handlers/run-tool.d.ts.map +1 -0
  82. package/dist/handlers/run-tool.js +99 -0
  83. package/dist/handlers/run-tool.js.map +1 -0
  84. package/dist/handlers/suggest-tools.d.ts +10 -0
  85. package/dist/handlers/suggest-tools.d.ts.map +1 -0
  86. package/dist/handlers/suggest-tools.js +202 -0
  87. package/dist/handlers/suggest-tools.js.map +1 -0
  88. package/dist/handlers/types.d.ts +15 -0
  89. package/dist/handlers/types.d.ts.map +1 -0
  90. package/dist/handlers/types.js +2 -0
  91. package/dist/handlers/types.js.map +1 -0
  92. package/dist/handlers/upload-file.d.ts +10 -0
  93. package/dist/handlers/upload-file.d.ts.map +1 -0
  94. package/dist/handlers/upload-file.js +33 -0
  95. package/dist/handlers/upload-file.js.map +1 -0
  96. package/dist/handlers/upload-from-host.d.ts +10 -0
  97. package/dist/handlers/upload-from-host.d.ts.map +1 -0
  98. package/dist/handlers/upload-from-host.js +33 -0
  99. package/dist/handlers/upload-from-host.js.map +1 -0
  100. package/dist/handlers/upload-sample.d.ts +10 -0
  101. package/dist/handlers/upload-sample.d.ts.map +1 -0
  102. package/dist/handlers/upload-sample.js +26 -0
  103. package/dist/handlers/upload-sample.js.map +1 -0
  104. package/dist/index.d.ts +15 -0
  105. package/dist/index.d.ts.map +1 -0
  106. package/dist/index.js +254 -0
  107. package/dist/index.js.map +1 -0
  108. package/dist/ioc/extractor.d.ts +21 -0
  109. package/dist/ioc/extractor.d.ts.map +1 -0
  110. package/dist/ioc/extractor.js +91 -0
  111. package/dist/ioc/extractor.js.map +1 -0
  112. package/dist/ioc/known-values.d.ts +7 -0
  113. package/dist/ioc/known-values.d.ts.map +1 -0
  114. package/dist/ioc/known-values.js +43 -0
  115. package/dist/ioc/known-values.js.map +1 -0
  116. package/dist/ioc/noise.d.ts +6 -0
  117. package/dist/ioc/noise.d.ts.map +1 -0
  118. package/dist/ioc/noise.js +170 -0
  119. package/dist/ioc/noise.js.map +1 -0
  120. package/dist/ioc/patterns.d.ts +10 -0
  121. package/dist/ioc/patterns.d.ts.map +1 -0
  122. package/dist/ioc/patterns.js +65 -0
  123. package/dist/ioc/patterns.js.map +1 -0
  124. package/dist/ioc/scoring.d.ts +6 -0
  125. package/dist/ioc/scoring.d.ts.map +1 -0
  126. package/dist/ioc/scoring.js +69 -0
  127. package/dist/ioc/scoring.js.map +1 -0
  128. package/dist/parsers/capa.d.ts +9 -0
  129. package/dist/parsers/capa.d.ts.map +1 -0
  130. package/dist/parsers/capa.js +55 -0
  131. package/dist/parsers/capa.js.map +1 -0
  132. package/dist/parsers/diec.d.ts +9 -0
  133. package/dist/parsers/diec.d.ts.map +1 -0
  134. package/dist/parsers/diec.js +53 -0
  135. package/dist/parsers/diec.js.map +1 -0
  136. package/dist/parsers/floss.d.ts +14 -0
  137. package/dist/parsers/floss.d.ts.map +1 -0
  138. package/dist/parsers/floss.js +89 -0
  139. package/dist/parsers/floss.js.map +1 -0
  140. package/dist/parsers/index.d.ts +16 -0
  141. package/dist/parsers/index.d.ts.map +1 -0
  142. package/dist/parsers/index.js +46 -0
  143. package/dist/parsers/index.js.map +1 -0
  144. package/dist/parsers/oleid.d.ts +8 -0
  145. package/dist/parsers/oleid.d.ts.map +1 -0
  146. package/dist/parsers/oleid.js +94 -0
  147. package/dist/parsers/oleid.js.map +1 -0
  148. package/dist/parsers/olevba.d.ts +8 -0
  149. package/dist/parsers/olevba.d.ts.map +1 -0
  150. package/dist/parsers/olevba.js +83 -0
  151. package/dist/parsers/olevba.js.map +1 -0
  152. package/dist/parsers/passthrough.d.ts +6 -0
  153. package/dist/parsers/passthrough.d.ts.map +1 -0
  154. package/dist/parsers/passthrough.js +13 -0
  155. package/dist/parsers/passthrough.js.map +1 -0
  156. package/dist/parsers/pdf-parser.d.ts +9 -0
  157. package/dist/parsers/pdf-parser.d.ts.map +1 -0
  158. package/dist/parsers/pdf-parser.js +76 -0
  159. package/dist/parsers/pdf-parser.js.map +1 -0
  160. package/dist/parsers/pdfid.d.ts +9 -0
  161. package/dist/parsers/pdfid.d.ts.map +1 -0
  162. package/dist/parsers/pdfid.js +56 -0
  163. package/dist/parsers/pdfid.js.map +1 -0
  164. package/dist/parsers/peframe.d.ts +8 -0
  165. package/dist/parsers/peframe.d.ts.map +1 -0
  166. package/dist/parsers/peframe.js +76 -0
  167. package/dist/parsers/peframe.js.map +1 -0
  168. package/dist/parsers/readelf.d.ts +8 -0
  169. package/dist/parsers/readelf.d.ts.map +1 -0
  170. package/dist/parsers/readelf.js +50 -0
  171. package/dist/parsers/readelf.js.map +1 -0
  172. package/dist/parsers/types.d.ts +30 -0
  173. package/dist/parsers/types.d.ts.map +1 -0
  174. package/dist/parsers/types.js +5 -0
  175. package/dist/parsers/types.js.map +1 -0
  176. package/dist/parsers/yara.d.ts +8 -0
  177. package/dist/parsers/yara.d.ts.map +1 -0
  178. package/dist/parsers/yara.js +88 -0
  179. package/dist/parsers/yara.js.map +1 -0
  180. package/dist/response.d.ts +44 -0
  181. package/dist/response.d.ts.map +1 -0
  182. package/dist/response.js +48 -0
  183. package/dist/response.js.map +1 -0
  184. package/dist/schemas/tools.d.ts +135 -0
  185. package/dist/schemas/tools.d.ts.map +1 -0
  186. package/dist/schemas/tools.js +53 -0
  187. package/dist/schemas/tools.js.map +1 -0
  188. package/dist/security/blocklist.d.ts +69 -0
  189. package/dist/security/blocklist.d.ts.map +1 -0
  190. package/dist/security/blocklist.js +148 -0
  191. package/dist/security/blocklist.js.map +1 -0
  192. package/dist/state/session.d.ts +35 -0
  193. package/dist/state/session.d.ts.map +1 -0
  194. package/dist/state/session.js +45 -0
  195. package/dist/state/session.js.map +1 -0
  196. package/dist/tools/definitions.d.ts +9 -0
  197. package/dist/tools/definitions.d.ts.map +1 -0
  198. package/dist/tools/definitions.js +708 -0
  199. package/dist/tools/definitions.js.map +1 -0
  200. package/dist/tools/invoker.d.ts +17 -0
  201. package/dist/tools/invoker.d.ts.map +1 -0
  202. package/dist/tools/invoker.js +44 -0
  203. package/dist/tools/invoker.js.map +1 -0
  204. package/dist/tools/registry.d.ts +62 -0
  205. package/dist/tools/registry.d.ts.map +1 -0
  206. package/dist/tools/registry.js +53 -0
  207. package/dist/tools/registry.js.map +1 -0
  208. package/dist/workflows/engine.d.ts +27 -0
  209. package/dist/workflows/engine.d.ts.map +1 -0
  210. package/dist/workflows/engine.js +224 -0
  211. package/dist/workflows/engine.js.map +1 -0
  212. package/dist/workflows/loader.d.ts +33 -0
  213. package/dist/workflows/loader.d.ts.map +1 -0
  214. package/dist/workflows/loader.js +130 -0
  215. package/dist/workflows/loader.js.map +1 -0
  216. package/dist/workflows/types.d.ts +109 -0
  217. package/dist/workflows/types.d.ts.map +1 -0
  218. package/dist/workflows/types.js +5 -0
  219. package/dist/workflows/types.js.map +1 -0
  220. package/package.json +68 -0
package/dist/tools/definitions.js ADDED
@@ -0,0 +1,708 @@
1
+ /**
2
+ * Static tool definitions for all REMnux analysis tools.
3
+ *
4
+ * Each entry normalizes how a tool is invoked so the invoker doesn't need
5
+ * to know CLI quirks. Descriptions sourced from REMnux docs.
6
+ */
7
+ export const TOOL_DEFINITIONS = [
8
+ // ── PE / .NET analysis ──────────────────────────────────────────────────
9
+ {
10
+ name: "peframe",
11
+ description: "Statically analyze PE and Microsoft Office files.",
12
+ command: "peframe",
13
+ inputStyle: "positional",
14
+ outputFormat: "text",
15
+ timeout: 60,
16
+ tags: ["pe", "dotnet", "triage"],
17
+ tier: "quick",
18
+ },
19
+ {
20
+ name: "pecheck",
21
+ description: "Analyze static properties of PE files.",
22
+ command: "pecheck",
23
+ inputStyle: "positional",
24
+ outputFormat: "text",
25
+ timeout: 60,
26
+ tags: ["pe", "dotnet"],
27
+ tier: "standard",
28
+ },
29
+ {
30
+ name: "pescan",
31
+ description: "Scan PE files for anomalies and suspicious indicators.",
32
+ command: "pescan",
33
+ inputStyle: "positional",
34
+ outputFormat: "text",
35
+ timeout: 60,
36
+ tags: ["pe", "dotnet"],
37
+ tier: "standard",
38
+ },
39
+ {
40
+ name: "diec",
41
+ description: "Determine types of files and examine file properties.",
42
+ command: "diec",
43
+ inputStyle: "positional",
44
+ fixedArgs: ["--json"],
45
+ outputFormat: "json",
46
+ timeout: 60,
47
+ tags: ["pe", "dotnet", "packer-detection"],
48
+ tier: "quick",
49
+ },
50
+ {
51
+ name: "capa",
52
+ description: "Detect suspicious capabilities in executable files using CAPA rules.",
53
+ command: "capa",
54
+ inputStyle: "positional",
55
+ outputFormat: "text",
56
+ timeout: 300,
57
+ tags: ["pe", "dotnet", "elf", "capabilities"],
58
+ tier: "standard",
59
+ },
60
+ {
61
+ name: "capa-json",
62
+ description: "Detect suspicious capabilities in executable files (JSON output).",
63
+ command: "capa",
64
+ inputStyle: "positional",
65
+ fixedArgs: ["-j"],
66
+ outputFormat: "json",
67
+ timeout: 300,
68
+ tags: ["pe", "dotnet", "elf", "capabilities"],
69
+ tier: "deep",
70
+ },
71
+ {
72
+ name: "floss",
73
+ description: "Extract and deobfuscate strings from PE executables.",
74
+ command: "floss",
75
+ inputStyle: "positional",
76
+ outputFormat: "text",
77
+ timeout: 300,
78
+ tags: ["pe", "dotnet", "strings"],
79
+ tier: "standard",
80
+ },
81
+ {
82
+ name: "signsrch",
83
+ description: "Find patterns of common encryption, compression, or encoding algorithms.",
84
+ command: "signsrch",
85
+ inputStyle: "positional",
86
+ outputFormat: "text",
87
+ timeout: 60,
88
+ tags: ["pe", "dotnet", "crypto"],
89
+ tier: "standard",
90
+ },
91
+ {
92
+ name: "yara-rules",
93
+ description: "Scan a file with YARA rules to identify common malicious capabilities.",
94
+ command: "yara-rules",
95
+ inputStyle: "positional",
96
+ outputFormat: "text",
97
+ timeout: 60,
98
+ tags: ["pe", "dotnet", "yara"],
99
+ tier: "standard",
100
+ },
101
+ {
102
+ name: "ilspycmd",
103
+ description: "Decompile .NET assemblies to C# source code.",
104
+ command: "ilspycmd",
105
+ inputStyle: "positional",
106
+ outputFormat: "text",
107
+ timeout: 120,
108
+ tags: ["dotnet", "decompilation"],
109
+ tier: "standard",
110
+ },
111
+ {
112
+ name: "upx-decompress",
113
+ description: "Decompress UPX-packed executables.",
114
+ command: "upx",
115
+ inputStyle: "positional",
116
+ fixedArgs: ["-d"],
117
+ suffixArgs: ["-o", "/tmp/unpacked"],
118
+ outputFormat: "text",
119
+ timeout: 60,
120
+ tags: ["pe", "unpacking"],
121
+ tier: "standard",
122
+ },
123
+ // ── PE extras from demos ────────────────────────────────────────────────
124
+ {
125
+ name: "pedump",
126
+ description: "Statically analyze PE files and extract their components.",
127
+ command: "pedump",
128
+ inputStyle: "positional",
129
+ outputFormat: "text",
130
+ timeout: 60,
131
+ tags: ["pe"],
132
+ tier: "deep",
133
+ },
134
+ {
135
+ name: "dotnetfile_dump",
136
+ description: "Analyze static properties of .NET files.",
137
+ command: "dotnetfile_dump.py",
138
+ inputStyle: "positional",
139
+ outputFormat: "text",
140
+ timeout: 60,
141
+ tags: ["dotnet"],
142
+ tier: "deep",
143
+ },
144
+ {
145
+ name: "brxor",
146
+ description: "Bruteforce XOR-encoded strings to find English words.",
147
+ command: "brxor.py",
148
+ inputStyle: "positional",
149
+ outputFormat: "text",
150
+ timeout: 60,
151
+ tags: ["pe", "decryption"],
152
+ tier: "deep",
153
+ },
154
+ // ── PDF analysis ────────────────────────────────────────────────────────
155
+ {
156
+ name: "pdfid",
157
+ description: "Identify suspicious elements of a PDF file.",
158
+ command: "pdfid.py",
159
+ inputStyle: "positional",
160
+ outputFormat: "text",
161
+ timeout: 60,
162
+ tags: ["pdf", "triage"],
163
+ tier: "quick",
164
+ },
165
+ {
166
+ name: "pdfid-detailed",
167
+ description: "Identify suspicious elements of a PDF file (detailed names output).",
168
+ command: "pdfid.py",
169
+ inputStyle: "positional",
170
+ fixedArgs: ["-n"],
171
+ outputFormat: "text",
172
+ timeout: 60,
173
+ tags: ["pdf"],
174
+ tier: "standard",
175
+ },
176
+ {
177
+ name: "pdf-parser",
178
+ description: "Examine elements and structure of a PDF file.",
179
+ command: "pdf-parser.py",
180
+ inputStyle: "positional",
181
+ fixedArgs: ["--stats"],
182
+ outputFormat: "text",
183
+ timeout: 60,
184
+ tags: ["pdf"],
185
+ tier: "standard",
186
+ },
187
+ {
188
+ name: "peepdf-3",
189
+ description: "Examine elements of a PDF file for malicious content.",
190
+ command: "peepdf-3",
191
+ inputStyle: "positional",
192
+ fixedArgs: ["-f", "-l"],
193
+ outputFormat: "text",
194
+ timeout: 120,
195
+ tags: ["pdf"],
196
+ tier: "deep",
197
+ },
198
+ {
199
+ name: "qpdf",
200
+ description: "Decrypt password-protected or permission-locked PDF files.",
201
+ command: "qpdf",
202
+ inputStyle: "positional",
203
+ fixedArgs: ["--decrypt"],
204
+ suffixArgs: ["/tmp/decrypted.pdf"],
205
+ outputFormat: "text",
206
+ timeout: 60,
207
+ tags: ["pdf"],
208
+ tier: "standard",
209
+ },
210
+ {
211
+ name: "pdftk",
212
+ description: "Manipulate PDF files: merge, split, decrypt, repair, and extract metadata.",
213
+ command: "pdftk",
214
+ inputStyle: "positional",
215
+ suffixArgs: ["dump_data"],
216
+ outputFormat: "text",
217
+ timeout: 60,
218
+ tags: ["pdf"],
219
+ tier: "standard",
220
+ },
221
+ // ── OLE2 / Office analysis ──────────────────────────────────────────────
222
+ {
223
+ name: "oleid",
224
+ description: "Analyze OLE2 files for risk indicators (macros, encryption, etc.).",
225
+ command: "oleid",
226
+ inputStyle: "positional",
227
+ outputFormat: "text",
228
+ timeout: 60,
229
+ tags: ["ole2", "ooxml", "triage"],
230
+ tier: "quick",
231
+ },
232
+ {
233
+ name: "olevba",
234
+ description: "Extract and analyze VBA macros from Microsoft Office documents.",
235
+ command: "olevba",
236
+ inputStyle: "positional",
237
+ outputFormat: "text",
238
+ timeout: 60,
239
+ tags: ["ole2", "ooxml", "macros"],
240
+ tier: "standard",
241
+ },
242
+ {
243
+ name: "oledump",
244
+ description: "Analyze OLE2 Structured Storage files.",
245
+ command: "oledump.py",
246
+ inputStyle: "positional",
247
+ fixedArgs: ["-i"],
248
+ outputFormat: "text",
249
+ timeout: 60,
250
+ tags: ["ole2"],
251
+ tier: "standard",
252
+ },
253
+ {
254
+ name: "pcodedmp",
255
+ description: "Disassemble VBA p-code from Office documents.",
256
+ command: "pcodedmp",
257
+ inputStyle: "positional",
258
+ outputFormat: "text",
259
+ timeout: 60,
260
+ tags: ["ole2", "ooxml", "macros"],
261
+ tier: "standard",
262
+ },
263
+ {
264
+ name: "xlmdeobfuscator",
265
+ description: "Deobfuscate Excel 4.0 (XLM) macros.",
266
+ command: "xlmdeobfuscator",
267
+ inputStyle: "flag",
268
+ inputFlag: "-f",
269
+ outputFormat: "text",
270
+ timeout: 120,
271
+ tags: ["ole2", "ooxml", "macros"],
272
+ tier: "standard",
273
+ },
274
+ // ── OOXML ───────────────────────────────────────────────────────────────
275
+ {
276
+ name: "zipdump",
277
+ description: "Analyze zip-compressed files including OOXML and JAR.",
278
+ command: "zipdump.py",
279
+ inputStyle: "positional",
280
+ outputFormat: "text",
281
+ timeout: 60,
282
+ tags: ["ooxml", "jar"],
283
+ tier: "standard",
284
+ },
285
+ // ── RTF ─────────────────────────────────────────────────────────────────
286
+ {
287
+ name: "rtfobj",
288
+ description: "Extract embedded objects from RTF files.",
289
+ command: "rtfobj.py",
290
+ inputStyle: "positional",
291
+ outputFormat: "text",
292
+ timeout: 60,
293
+ tags: ["rtf"],
294
+ tier: "standard",
295
+ },
296
+ {
297
+ name: "rtfdump",
298
+ description: "Analyze suspicious RTF files for embedded content.",
299
+ command: "rtfdump.py",
300
+ inputStyle: "positional",
301
+ outputFormat: "text",
302
+ timeout: 60,
303
+ tags: ["rtf"],
304
+ tier: "quick",
305
+ },
306
+ // ── ELF analysis ────────────────────────────────────────────────────────
307
+ {
308
+ name: "readelf-header",
309
+ description: "Display ELF file header information.",
310
+ command: "readelf",
311
+ inputStyle: "positional",
312
+ fixedArgs: ["-h"],
313
+ outputFormat: "text",
314
+ timeout: 60,
315
+ tags: ["elf", "triage"],
316
+ tier: "quick",
317
+ },
318
+ {
319
+ name: "readelf-sections",
320
+ description: "Display ELF section headers.",
321
+ command: "readelf",
322
+ inputStyle: "positional",
323
+ fixedArgs: ["-S"],
324
+ outputFormat: "text",
325
+ timeout: 60,
326
+ tags: ["elf"],
327
+ tier: "standard",
328
+ },
329
+ // ── Script / text analysis ──────────────────────────────────────────────
330
+ {
331
+ name: "js-beautify",
332
+ description: "Beautify and deobfuscate JavaScript, CSS, and HTML files.",
333
+ command: "js-beautify",
334
+ inputStyle: "positional",
335
+ outputFormat: "text",
336
+ timeout: 60,
337
+ tags: ["script"],
338
+ tier: "quick",
339
+ },
340
+ {
341
+ name: "strings",
342
+ description: "Extract printable strings from binary files.",
343
+ command: "strings",
344
+ inputStyle: "positional",
345
+ outputFormat: "text",
346
+ timeout: 60,
347
+ tags: ["script", "fallback", "strings"],
348
+ tier: "quick",
349
+ },
350
+ {
351
+ name: "box-js",
352
+ description: "Analyze and deobfuscate JavaScript malware in a sandbox.",
353
+ command: "box-js",
354
+ inputStyle: "positional",
355
+ fixedArgs: ["--output-dir", "/tmp/box-js-out"],
356
+ outputFormat: "text",
357
+ timeout: 120,
358
+ tags: ["script"],
359
+ tier: "standard",
360
+ },
361
+ {
362
+ name: "base64dump",
363
+ description: "Locate and decode Base64 and other encoded strings.",
364
+ command: "base64dump.py",
365
+ inputStyle: "positional",
366
+ outputFormat: "text",
367
+ timeout: 60,
368
+ tags: ["script", "fallback"],
369
+ tier: "standard",
370
+ },
371
+ // ── JAR ─────────────────────────────────────────────────────────────────
372
+ // zipdump already covers JAR (tagged "jar")
373
+ // ── Email ───────────────────────────────────────────────────────────────
374
+ {
375
+ name: "emldump",
376
+ description: "Analyze and extract content from email (EML) files.",
377
+ command: "emldump.py",
378
+ inputStyle: "positional",
379
+ outputFormat: "text",
380
+ timeout: 60,
381
+ tags: ["email"],
382
+ tier: "standard",
383
+ },
384
+ {
385
+ name: "msgconvert",
386
+ description: "Convert Outlook MSG files to standard EML format.",
387
+ command: "msgconvert",
388
+ inputStyle: "positional",
389
+ outputFormat: "text",
390
+ timeout: 60,
391
+ tags: ["email"],
392
+ tier: "quick",
393
+ },
394
+ // ── APK ─────────────────────────────────────────────────────────────────
395
+ {
396
+ name: "apktool",
397
+ description: "Reverse-engineer Android APK files.",
398
+ command: "apktool",
399
+ inputStyle: "positional",
400
+ fixedArgs: ["d"],
401
+ outputFormat: "text",
402
+ timeout: 120,
403
+ tags: ["apk"],
404
+ tier: "standard",
405
+ },
406
+ {
407
+ name: "droidlysis",
408
+ description: "Perform static analysis of Android applications.",
409
+ command: "droidlysis",
410
+ inputStyle: "positional",
411
+ outputFormat: "text",
412
+ timeout: 120,
413
+ tags: ["apk"],
414
+ tier: "standard",
415
+ },
416
+ // ── Memory forensics (Volatility 3) ─────────────────────────────────────
417
+ {
418
+ name: "vol3-info",
419
+ description: "Display OS and kernel details from a memory image.",
420
+ command: "vol3",
421
+ inputStyle: "flag",
422
+ inputFlag: "-f",
423
+ suffixArgs: ["windows.info"],
424
+ outputFormat: "text",
425
+ timeout: 120,
426
+ tags: ["memory", "triage"],
427
+ tier: "quick",
428
+ },
429
+ {
430
+ name: "vol3-pslist",
431
+ description: "List running processes from a memory image.",
432
+ command: "vol3",
433
+ inputStyle: "flag",
434
+ inputFlag: "-f",
435
+ suffixArgs: ["windows.pslist"],
436
+ outputFormat: "text",
437
+ timeout: 120,
438
+ tags: ["memory", "triage"],
439
+ tier: "quick",
440
+ },
441
+ {
442
+ name: "vol3-pstree",
443
+ description: "Display process tree from a memory image.",
444
+ command: "vol3",
445
+ inputStyle: "flag",
446
+ inputFlag: "-f",
447
+ suffixArgs: ["windows.pstree"],
448
+ outputFormat: "text",
449
+ timeout: 120,
450
+ tags: ["memory"],
451
+ tier: "standard",
452
+ },
453
+ {
454
+ name: "vol3-netscan",
455
+ description: "Scan for network connections and sockets in a memory image.",
456
+ command: "vol3",
457
+ inputStyle: "flag",
458
+ inputFlag: "-f",
459
+ suffixArgs: ["windows.netscan"],
460
+ outputFormat: "text",
461
+ timeout: 120,
462
+ tags: ["memory"],
463
+ tier: "standard",
464
+ },
465
+ {
466
+ name: "vol3-cmdline",
467
+ description: "Extract command-line arguments for each process.",
468
+ command: "vol3",
469
+ inputStyle: "flag",
470
+ inputFlag: "-f",
471
+ suffixArgs: ["windows.cmdline"],
472
+ outputFormat: "text",
473
+ timeout: 120,
474
+ tags: ["memory"],
475
+ tier: "standard",
476
+ },
477
+ {
478
+ name: "vol3-malfind",
479
+ description: "Detect injected code and suspicious memory regions.",
480
+ command: "vol3",
481
+ inputStyle: "flag",
482
+ inputFlag: "-f",
483
+ suffixArgs: ["windows.malware.malfind"],
484
+ outputFormat: "text",
485
+ timeout: 300,
486
+ tags: ["memory"],
487
+ tier: "deep",
488
+ },
489
+ {
490
+ name: "vol3-psscan",
491
+ description: "Find hidden or unlinked processes via pool tag scanning.",
492
+ command: "vol3",
493
+ inputStyle: "flag",
494
+ inputFlag: "-f",
495
+ suffixArgs: ["windows.psscan"],
496
+ outputFormat: "text",
497
+ timeout: 120,
498
+ tags: ["memory"],
499
+ tier: "standard",
500
+ },
501
+ {
502
+ name: "vol3-dlllist",
503
+ description: "List loaded DLLs for each process.",
504
+ command: "vol3",
505
+ inputStyle: "flag",
506
+ inputFlag: "-f",
507
+ suffixArgs: ["windows.dlllist"],
508
+ outputFormat: "text",
509
+ timeout: 120,
510
+ tags: ["memory"],
511
+ tier: "standard",
512
+ },
513
+ {
514
+ name: "vol3-filescan",
515
+ description: "Scan for file objects in memory.",
516
+ command: "vol3",
517
+ inputStyle: "flag",
518
+ inputFlag: "-f",
519
+ suffixArgs: ["windows.filescan"],
520
+ outputFormat: "text",
521
+ timeout: 120,
522
+ tags: ["memory"],
523
+ tier: "standard",
524
+ },
525
+ {
526
+ name: "vol3-handles",
527
+ description: "List open handles for each process.",
528
+ command: "vol3",
529
+ inputStyle: "flag",
530
+ inputFlag: "-f",
531
+ suffixArgs: ["windows.handles"],
532
+ outputFormat: "text",
533
+ timeout: 300,
534
+ tags: ["memory"],
535
+ tier: "deep",
536
+ },
537
+ {
538
+ name: "vol3-hivelist",
539
+ description: "List registry hives found in memory.",
540
+ command: "vol3",
541
+ inputStyle: "flag",
542
+ inputFlag: "-f",
543
+ suffixArgs: ["windows.registry.hivelist"],
544
+ outputFormat: "text",
545
+ timeout: 120,
546
+ tags: ["memory"],
547
+ tier: "standard",
548
+ },
549
+ {
550
+ name: "vol3-linux-pslist",
551
+ description: "List running processes from a Linux memory image.",
552
+ command: "vol3",
553
+ inputStyle: "flag",
554
+ inputFlag: "-f",
555
+ suffixArgs: ["linux.pslist"],
556
+ outputFormat: "text",
557
+ timeout: 120,
558
+ tags: ["memory"],
559
+ tier: "standard",
560
+ },
561
+ // ── Didier Stevens utilities ──────────────────────────────────────────────
562
+ {
563
+ name: "translate",
564
+ description: "Apply byte-level transforms to files (XOR, reverse, shift, custom expressions).",
565
+ command: "translate.py",
566
+ inputStyle: "positional",
567
+ outputFormat: "text",
568
+ timeout: 60,
569
+ tags: ["script", "fallback", "decryption"],
570
+ tier: "standard",
571
+ },
572
+ {
573
+ name: "numbers-to-string",
574
+ description: "Convert numeric representations to strings for deobfuscating encoded payloads.",
575
+ command: "numbers-to-string.py",
576
+ inputStyle: "positional",
577
+ outputFormat: "text",
578
+ timeout: 60,
579
+ tags: ["script", "fallback"],
580
+ tier: "standard",
581
+ },
582
+ {
583
+ name: "re-search",
584
+ description: "Search files using regular expressions to extract patterns and data.",
585
+ command: "re-search.py",
586
+ inputStyle: "positional",
587
+ outputFormat: "text",
588
+ timeout: 60,
589
+ tags: ["script", "fallback"],
590
+ tier: "standard",
591
+ },
592
+ {
593
+ name: "file-magic",
594
+ description: "Identify file types of data streams using libmagic signatures.",
595
+ command: "file-magic.py",
596
+ inputStyle: "positional",
597
+ outputFormat: "text",
598
+ timeout: 60,
599
+ tags: ["fallback"],
600
+ tier: "standard",
601
+ },
602
+ // ── Shellcode analysis ─────────────────────────────────────────────────
603
+ {
604
+ name: "scdbgc",
605
+ description: "Trace Win32 API calls made by 32-bit shellcode using emulation.",
606
+ command: "scdbgc",
607
+ inputStyle: "flag",
608
+ inputFlag: "-f",
609
+ fixedArgs: ["-s", "-1"],
610
+ outputFormat: "text",
611
+ timeout: 60,
612
+ tags: ["shellcode"],
613
+ tier: "quick",
614
+ },
615
+ {
616
+ name: "speakeasy-sc-x86",
617
+ description: "Emulate 32-bit shellcode using Speakeasy Windows API emulation.",
618
+ command: "speakeasy",
619
+ inputStyle: "flag",
620
+ inputFlag: "-t",
621
+ fixedArgs: ["-r", "-a", "x86"],
622
+ outputFormat: "text",
623
+ timeout: 120,
624
+ tags: ["shellcode"],
625
+ tier: "standard",
626
+ },
627
+ {
628
+ name: "speakeasy-sc-x64",
629
+ description: "Emulate 64-bit shellcode using Speakeasy Windows API emulation.",
630
+ command: "speakeasy",
631
+ inputStyle: "flag",
632
+ inputFlag: "-t",
633
+ fixedArgs: ["-r", "-a", "amd64"],
634
+ outputFormat: "text",
635
+ timeout: 120,
636
+ tags: ["shellcode"],
637
+ tier: "standard",
638
+ },
639
+ {
640
+ name: "speakeasy",
641
+ description: "Emulate Windows PE, DLL, and driver execution using Speakeasy API emulation.",
642
+ command: "speakeasy",
643
+ inputStyle: "flag",
644
+ inputFlag: "-t",
645
+ outputFormat: "text",
646
+ timeout: 120,
647
+ tags: ["pe", "dotnet"],
648
+ tier: "deep",
649
+ },
650
+ {
651
+ name: "qltool-sc-x86",
652
+ description: "Emulate 32-bit Windows shellcode using Qiling framework (requires rootfs).",
653
+ command: "qltool",
654
+ inputStyle: "flag",
655
+ inputFlag: "-f",
656
+ fixedArgs: ["code", "--os", "windows", "--arch", "x86", "--format", "bin"],
657
+ outputFormat: "text",
658
+ timeout: 120,
659
+ tags: ["shellcode"],
660
+ tier: "deep",
661
+ },
662
+ {
663
+ name: "qltool-sc-x64",
664
+ description: "Emulate 64-bit Windows shellcode using Qiling framework (requires rootfs).",
665
+ command: "qltool",
666
+ inputStyle: "flag",
667
+ inputFlag: "-f",
668
+ fixedArgs: ["code", "--os", "windows", "--arch", "x8664", "--format", "bin"],
669
+ outputFormat: "text",
670
+ timeout: 120,
671
+ tags: ["shellcode"],
672
+ tier: "deep",
673
+ },
674
+ {
675
+ name: "tracesc",
676
+ description: "Execute and trace shellcode via Wine to log API calls and behavior.",
677
+ command: "tracesc",
678
+ inputStyle: "flag",
679
+ inputFlag: "-f",
680
+ outputFormat: "text",
681
+ timeout: 120,
682
+ tags: ["shellcode"],
683
+ tier: "deep",
684
+ },
685
+ // ── Cross-type / general ────────────────────────────────────────────────
686
+ {
687
+ name: "exiftool",
688
+ description: "Read and analyze EXIF metadata from various file types.",
689
+ command: "exiftool",
690
+ inputStyle: "positional",
691
+ outputFormat: "text",
692
+ timeout: 60,
693
+ tags: ["pe", "dotnet", "pdf", "ole2", "ooxml", "elf", "jar", "email", "metadata"],
694
+ tier: "standard",
695
+ },
696
+ {
697
+ name: "xorsearch",
698
+ description: "Locate and decode strings obfuscated using XOR and other techniques.",
699
+ command: "xorsearch",
700
+ inputStyle: "positional",
701
+ fixedArgs: ["-W", "-d", "3"],
702
+ outputFormat: "text",
703
+ timeout: 60,
704
+ tags: ["fallback"],
705
+ tier: "standard",
706
+ },
707
+ ];
708
+ //# sourceMappingURL=definitions.js.map