windows-exe-decompiler-mcp-server 0.1.0

package/dist/tools/code-function-cfg.js

@@ -0,0 +1,102 @@
+/**
+ * code.function.cfg MCP Tool
+ *
+ * Requirements: 11.1, 11.2, 11.3, 11.4
+ *
+ * Extracts control flow graph for a function
+ */
+import { z } from 'zod';
+import { DecompilerWorker, getGhidraDiagnostics, normalizeGhidraError } from '../decompiler-worker.js';
+import { logger } from '../logger.js';
+/**
+ * Input schema for code.function.cfg tool
+ */
+export const codeFunctionCFGInputSchema = z.object({
+    sample_id: z.string().describe('Sample identifier (sha256:<hex>)'),
+    address: z.string().optional().describe('Function address (hex string)'),
+    symbol: z.string().optional().describe('Function symbol name'),
+    timeout: z.number().optional().describe('Timeout in seconds (default: 30)')
+}).refine(data => data.address || data.symbol, {
+    message: 'Either address or symbol must be provided'
+});
+/**
+ * Tool definition for code.function.cfg
+ */
+export const codeFunctionCFGToolDefinition = {
+    name: 'code.function.cfg',
+    description: 'Extract control flow graph (CFG) for a function. Returns nodes (basic blocks) and edges (control flow). Requires prior Ghidra analysis.',
+    inputSchema: codeFunctionCFGInputSchema
+};
+/**
+ * Create handler for code.function.cfg tool
+ */
+export function createCodeFunctionCFGHandler(workspaceManager, database) {
+    return async (args) => {
+        try {
+            const input = codeFunctionCFGInputSchema.parse(args);
+            const addressOrSymbol = input.address || input.symbol;
+            logger.info({
+                sample_id: input.sample_id,
+                address_or_symbol: addressOrSymbol
+            }, 'code.function.cfg tool called');
+            // Check if sample exists
+            const sample = database.findSample(input.sample_id);
+            if (!sample) {
+                return {
+                    content: [{
+                            type: 'text',
+                            text: JSON.stringify({
+                                ok: false,
+                                errors: [`Sample not found: ${input.sample_id}`]
+                            }, null, 2)
+                        }],
+                    isError: true
+                };
+            }
+            // Create decompiler worker
+            const decompilerWorker = new DecompilerWorker(database, workspaceManager);
+            // Convert timeout from seconds to milliseconds
+            const timeoutMs = (input.timeout || 30) * 1000;
+            // Extract CFG
+            const cfg = await decompilerWorker.getFunctionCFG(input.sample_id, addressOrSymbol, timeoutMs);
+            logger.info({
+                sample_id: input.sample_id,
+                function: cfg.function,
+                node_count: cfg.nodes.length,
+                edge_count: cfg.edges.length
+            }, 'Function CFG extracted successfully');
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            ok: true,
+                            data: cfg
+                        }, null, 2)
+                    }]
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            const diagnostics = getGhidraDiagnostics(error);
+            const normalizedError = normalizeGhidraError(error, 'code.function.cfg');
+            logger.error({
+                error: errorMessage,
+                ghidra_diagnostics: diagnostics,
+                normalized_error: normalizedError,
+            }, 'code.function.cfg tool failed');
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            ok: false,
+                            errors: [errorMessage],
+                            diagnostics,
+                            normalized_error: normalizedError,
+                        }, null, 2)
+                    }],
+                isError: true
+            };
+        }
+    };
+}
+//# sourceMappingURL=code-function-cfg.js.map

package/dist/tools/code-function-decompile.d.ts

@@ -0,0 +1,55 @@
+/**
+ * code.function.decompile MCP Tool
+ *
+ * Requirements: 10.1, 10.2, 10.3, 10.4
+ *
+ * Decompiles a specific function to pseudocode
+ */
+import { z } from 'zod';
+import type { ToolDefinition, ToolHandler } from '../types.js';
+import type { DatabaseManager } from '../database.js';
+import type { WorkspaceManager } from '../workspace-manager.js';
+/**
+ * Input schema for code.function.decompile tool
+ */
+export declare const codeFunctionDecompileInputSchema: z.ZodEffects<z.ZodObject<{
+    sample_id: z.ZodString;
+    address: z.ZodOptional<z.ZodString>;
+    symbol: z.ZodOptional<z.ZodString>;
+    include_xrefs: z.ZodOptional<z.ZodBoolean>;
+    timeout: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    sample_id: string;
+    symbol?: string | undefined;
+    timeout?: number | undefined;
+    address?: string | undefined;
+    include_xrefs?: boolean | undefined;
+}, {
+    sample_id: string;
+    symbol?: string | undefined;
+    timeout?: number | undefined;
+    address?: string | undefined;
+    include_xrefs?: boolean | undefined;
+}>, {
+    sample_id: string;
+    symbol?: string | undefined;
+    timeout?: number | undefined;
+    address?: string | undefined;
+    include_xrefs?: boolean | undefined;
+}, {
+    sample_id: string;
+    symbol?: string | undefined;
+    timeout?: number | undefined;
+    address?: string | undefined;
+    include_xrefs?: boolean | undefined;
+}>;
+export type CodeFunctionDecompileInput = z.infer<typeof codeFunctionDecompileInputSchema>;
+/**
+ * Tool definition for code.function.decompile
+ */
+export declare const codeFunctionDecompileToolDefinition: ToolDefinition;
+/**
+ * Create handler for code.function.decompile tool
+ */
+export declare function createCodeFunctionDecompileHandler(workspaceManager: WorkspaceManager, database: DatabaseManager): ToolHandler;
+//# sourceMappingURL=code-function-decompile.d.ts.map

package/dist/tools/code-function-decompile.js

@@ -0,0 +1,103 @@
+/**
+ * code.function.decompile MCP Tool
+ *
+ * Requirements: 10.1, 10.2, 10.3, 10.4
+ *
+ * Decompiles a specific function to pseudocode
+ */
+import { z } from 'zod';
+import { DecompilerWorker, getGhidraDiagnostics, normalizeGhidraError } from '../decompiler-worker.js';
+import { logger } from '../logger.js';
+/**
+ * Input schema for code.function.decompile tool
+ */
+export const codeFunctionDecompileInputSchema = z.object({
+    sample_id: z.string().describe('Sample identifier (sha256:<hex>)'),
+    address: z.string().optional().describe('Function address (hex string, e.g., "0x00401000")'),
+    symbol: z.string().optional().describe('Function symbol name'),
+    include_xrefs: z.boolean().optional().describe('Include cross-references (default: false)'),
+    timeout: z.number().optional().describe('Timeout in seconds (default: 30)')
+}).refine(data => data.address || data.symbol, {
+    message: 'Either address or symbol must be provided'
+});
+/**
+ * Tool definition for code.function.decompile
+ */
+export const codeFunctionDecompileToolDefinition = {
+    name: 'code.function.decompile',
+    description: 'Decompile a specific function to pseudocode. Requires prior Ghidra analysis. Provide either address or symbol name.',
+    inputSchema: codeFunctionDecompileInputSchema
+};
+/**
+ * Create handler for code.function.decompile tool
+ */
+export function createCodeFunctionDecompileHandler(workspaceManager, database) {
+    return async (args) => {
+        try {
+            const input = codeFunctionDecompileInputSchema.parse(args);
+            const addressOrSymbol = input.address || input.symbol;
+            logger.info({
+                sample_id: input.sample_id,
+                address_or_symbol: addressOrSymbol,
+                include_xrefs: input.include_xrefs
+            }, 'code.function.decompile tool called');
+            // Check if sample exists
+            const sample = database.findSample(input.sample_id);
+            if (!sample) {
+                return {
+                    content: [{
+                            type: 'text',
+                            text: JSON.stringify({
+                                ok: false,
+                                errors: [`Sample not found: ${input.sample_id}`]
+                            }, null, 2)
+                        }],
+                    isError: true
+                };
+            }
+            // Create decompiler worker
+            const decompilerWorker = new DecompilerWorker(database, workspaceManager);
+            // Convert timeout from seconds to milliseconds
+            const timeoutMs = (input.timeout || 30) * 1000;
+            // Decompile function
+            const result = await decompilerWorker.decompileFunction(input.sample_id, addressOrSymbol, input.include_xrefs || false, timeoutMs);
+            logger.info({
+                sample_id: input.sample_id,
+                function: result.function,
+                address: result.address
+            }, 'Function decompiled successfully');
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            ok: true,
+                            data: result
+                        }, null, 2)
+                    }]
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            const diagnostics = getGhidraDiagnostics(error);
+            const normalizedError = normalizeGhidraError(error, 'code.function.decompile');
+            logger.error({
+                error: errorMessage,
+                ghidra_diagnostics: diagnostics,
+                normalized_error: normalizedError,
+            }, 'code.function.decompile tool failed');
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            ok: false,
+                            errors: [errorMessage],
+                            diagnostics,
+                            normalized_error: normalizedError,
+                        }, null, 2)
+                    }],
+                isError: true
+            };
+        }
+    };
+}
+//# sourceMappingURL=code-function-decompile.js.map

package/dist/tools/code-function-disassemble.d.ts

@@ -0,0 +1,43 @@
+/**
+ * code.function.disassemble MCP Tool
+ *
+ * Returns assembly code for a function
+ */
+import { z } from 'zod';
+import type { ToolDefinition, ToolHandler } from '../types.js';
+import type { DatabaseManager } from '../database.js';
+import type { WorkspaceManager } from '../workspace-manager.js';
+/**
+ * Input schema for code.function.disassemble tool
+ */
+export declare const codeFunctionDisassembleInputSchema: z.ZodEffects<z.ZodObject<{
+    sample_id: z.ZodString;
+    address: z.ZodOptional<z.ZodString>;
+    symbol: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    sample_id: string;
+    symbol?: string | undefined;
+    address?: string | undefined;
+}, {
+    sample_id: string;
+    symbol?: string | undefined;
+    address?: string | undefined;
+}>, {
+    sample_id: string;
+    symbol?: string | undefined;
+    address?: string | undefined;
+}, {
+    sample_id: string;
+    symbol?: string | undefined;
+    address?: string | undefined;
+}>;
+export type CodeFunctionDisassembleInput = z.infer<typeof codeFunctionDisassembleInputSchema>;
+/**
+ * Tool definition for code.function.disassemble
+ */
+export declare const codeFunctionDisassembleToolDefinition: ToolDefinition;
+/**
+ * Create handler for code.function.disassemble tool
+ */
+export declare function createCodeFunctionDisassembleHandler(workspaceManager: WorkspaceManager, database: DatabaseManager): ToolHandler;
+//# sourceMappingURL=code-function-disassemble.d.ts.map

package/dist/tools/code-function-disassemble.js

@@ -0,0 +1,185 @@
+/**
+ * code.function.disassemble MCP Tool
+ *
+ * Returns assembly code for a function
+ */
+import { z } from 'zod';
+import fs from 'fs/promises';
+import path from 'path';
+import { DecompilerWorker, getGhidraDiagnostics, normalizeGhidraError } from '../decompiler-worker.js';
+import { runEntrypointFallbackDisasm } from './entrypoint-fallback-disasm.js';
+import { logger } from '../logger.js';
+/**
+ * Input schema for code.function.disassemble tool
+ */
+export const codeFunctionDisassembleInputSchema = z.object({
+    sample_id: z.string().describe('Sample identifier (sha256:<hex>)'),
+    address: z.string().optional().describe('Function address (hex string)'),
+    symbol: z.string().optional().describe('Function symbol name')
+}).refine(data => data.address || data.symbol, {
+    message: 'Either address or symbol must be provided'
+});
+/**
+ * Tool definition for code.function.disassemble
+ */
+export const codeFunctionDisassembleToolDefinition = {
+    name: 'code.function.disassemble',
+    description: 'Get assembly code for a function. Requires prior Ghidra analysis. Provide either address or symbol name.',
+    inputSchema: codeFunctionDisassembleInputSchema
+};
+function normalizeAddress(address) {
+    if (!address) {
+        return undefined;
+    }
+    const trimmed = address.trim();
+    if (!trimmed) {
+        return undefined;
+    }
+    if (/^0x[0-9a-fA-F]+$/.test(trimmed)) {
+        return `0x${trimmed.slice(2).toLowerCase()}`;
+    }
+    if (/^[0-9a-fA-F]+$/.test(trimmed)) {
+        return `0x${trimmed.toLowerCase()}`;
+    }
+    return undefined;
+}
+async function resolveSamplePath(originalDir) {
+    const entries = await fs.readdir(originalDir, { withFileTypes: true });
+    const files = entries
+        .filter((entry) => entry.isFile())
+        .map((entry) => entry.name)
+        .sort((a, b) => a.localeCompare(b));
+    if (files.length === 0) {
+        throw new Error(`Sample file not found in workspace: ${originalDir}`);
+    }
+    return path.join(originalDir, files[0]);
+}
+/**
+ * Create handler for code.function.disassemble tool
+ */
+export function createCodeFunctionDisassembleHandler(workspaceManager, database) {
+    return async (args) => {
+        try {
+            const input = codeFunctionDisassembleInputSchema.parse(args);
+            const addressOrSymbol = input.address || input.symbol;
+            logger.info({
+                sample_id: input.sample_id,
+                address_or_symbol: addressOrSymbol
+            }, 'code.function.disassemble tool called');
+            // Check if sample exists
+            const sample = database.findSample(input.sample_id);
+            if (!sample) {
+                return {
+                    content: [{
+                            type: 'text',
+                            text: JSON.stringify({
+                                ok: false,
+                                errors: [`Sample not found: ${input.sample_id}`]
+                            }, null, 2)
+                        }],
+                    isError: true
+                };
+            }
+            // For now, return a placeholder indicating this feature uses CFG
+            // In a full implementation, this would extract assembly from Ghidra
+            const decompilerWorker = new DecompilerWorker(database, workspaceManager);
+            let functionName = '';
+            let functionAddress = '';
+            let assemblyText = '';
+            let warnings;
+            let requestedAddress = normalizeAddress(input.address);
+            if (!requestedAddress && input.symbol) {
+                const matched = database
+                    .findFunctions(input.sample_id)
+                    .find((item) => item.name?.toLowerCase() === input.symbol?.toLowerCase());
+                if (matched?.address) {
+                    requestedAddress = normalizeAddress(matched.address) || matched.address;
+                }
+            }
+            let fallbackMetadata;
+            try {
+                // Primary path: use CFG generated by Ghidra
+                const cfg = await decompilerWorker.getFunctionCFG(input.sample_id, addressOrSymbol);
+                const assembly = [];
+                for (const node of cfg.nodes) {
+                    assembly.push(`; Block ${node.id} (${node.type})`);
+                    assembly.push(...node.instructions);
+                    assembly.push('');
+                }
+                functionName = cfg.function;
+                functionAddress = cfg.address;
+                assemblyText = assembly.join('\n');
+            }
+            catch (primaryError) {
+                // Secondary path: fallback disassembly around PE entrypoint
+                const workspace = await workspaceManager.getWorkspace(input.sample_id);
+                const samplePath = await resolveSamplePath(workspace.original);
+                const fallback = await runEntrypointFallbackDisasm(samplePath, {
+                    max_instructions: 140,
+                    max_bytes: 1536,
+                    target_address: requestedAddress,
+                    target_symbol: input.symbol,
+                });
+                functionName = fallback.result.function;
+                functionAddress = fallback.result.address;
+                assemblyText = fallback.result.assembly;
+                fallbackMetadata = {
+                    backend: fallback.result.backend,
+                    parser: fallback.result.parser,
+                    entry_section: fallback.result.entry_section,
+                    resolved_from: fallback.result.resolved_from,
+                    requested_address: fallback.result.requested_address,
+                };
+                warnings = [
+                    `Ghidra disassembly unavailable, fallback used: ${primaryError instanceof Error ? primaryError.message : String(primaryError)}`,
+                    ...(fallback.warnings || []),
+                ];
+            }
+            logger.info({
+                sample_id: input.sample_id,
+                function: functionName,
+                instruction_count: assemblyText.split('\n').filter((line) => line.length > 0).length,
+                fallback: Boolean(fallbackMetadata),
+            }, 'Function disassembled successfully');
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            ok: true,
+                            data: {
+                                function: functionName,
+                                address: functionAddress,
+                                assembly: assemblyText,
+                                fallback: Boolean(fallbackMetadata),
+                                fallback_metadata: fallbackMetadata,
+                            },
+                            warnings,
+                        }, null, 2)
+                    }]
+            };
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            const diagnostics = getGhidraDiagnostics(error);
+            const normalizedError = normalizeGhidraError(error, 'code.function.disassemble');
+            logger.error({
+                error: errorMessage,
+                ghidra_diagnostics: diagnostics,
+                normalized_error: normalizedError,
+            }, 'code.function.disassemble tool failed');
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            ok: false,
+                            errors: [errorMessage],
+                            diagnostics,
+                            normalized_error: normalizedError,
+                        }, null, 2)
+                    }],
+                isError: true
+            };
+        }
+    };
+}
+//# sourceMappingURL=code-function-disassemble.js.map