windows-exe-decompiler-mcp-server 0.1.0

package/dist/tools/code-reconstruct-plan.d.ts

@@ -0,0 +1,274 @@
+/**
+ * code.reconstruct.plan tool implementation
+ * Builds a practical source-reconstruction plan from current static/decompiler signals.
+ */
+import { z } from 'zod';
+import type { ToolDefinition, ToolArgs, WorkerResult } from '../types.js';
+import type { WorkspaceManager } from '../workspace-manager.js';
+import type { DatabaseManager } from '../database.js';
+import type { CacheManager } from '../cache-manager.js';
+export declare const CodeReconstructPlanInputSchema: z.ZodObject<{
+    sample_id: z.ZodString;
+    target_language: z.ZodDefault<z.ZodEnum<["auto", "csharp", "c", "cpp", "rust", "go"]>>;
+    depth: z.ZodDefault<z.ZodEnum<["quick", "standard", "deep"]>>;
+    include_decompiler: z.ZodDefault<z.ZodBoolean>;
+    include_strings: z.ZodDefault<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    sample_id: string;
+    target_language: "rust" | "go" | "auto" | "csharp" | "c" | "cpp";
+    depth: "quick" | "standard" | "deep";
+    include_decompiler: boolean;
+    include_strings: boolean;
+}, {
+    sample_id: string;
+    target_language?: "rust" | "go" | "auto" | "csharp" | "c" | "cpp" | undefined;
+    depth?: "quick" | "standard" | "deep" | undefined;
+    include_decompiler?: boolean | undefined;
+    include_strings?: boolean | undefined;
+}>;
+export type CodeReconstructPlanInput = z.infer<typeof CodeReconstructPlanInputSchema>;
+export declare const CodeReconstructPlanOutputSchema: z.ZodObject<{
+    ok: z.ZodBoolean;
+    data: z.ZodOptional<z.ZodObject<{
+        feasibility: z.ZodEnum<["high", "medium", "low"]>;
+        confidence: z.ZodNumber;
+        restoration_expectation: z.ZodString;
+        runtime_summary: z.ZodObject<{
+            primary_runtime: z.ZodString;
+            suspected: z.ZodArray<z.ZodObject<{
+                runtime: z.ZodString;
+                confidence: z.ZodNumber;
+                evidence: z.ZodArray<z.ZodString, "many">;
+            }, "strip", z.ZodTypeAny, {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }, {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }>, "many">;
+        }, "strip", z.ZodTypeAny, {
+            suspected: {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }[];
+            primary_runtime: string;
+        }, {
+            suspected: {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }[];
+            primary_runtime: string;
+        }>;
+        packing_summary: z.ZodObject<{
+            packed: z.ZodBoolean;
+            confidence: z.ZodNumber;
+        }, "strip", z.ZodTypeAny, {
+            confidence: number;
+            packed: boolean;
+        }, {
+            confidence: number;
+            packed: boolean;
+        }>;
+        blockers: z.ZodArray<z.ZodString, "many">;
+        recommendations: z.ZodArray<z.ZodString, "many">;
+        phases: z.ZodArray<z.ZodObject<{
+            phase: z.ZodString;
+            title: z.ZodString;
+            objective: z.ZodString;
+            actions: z.ZodArray<z.ZodString, "many">;
+            estimated_effort: z.ZodEnum<["low", "medium", "high"]>;
+            confidence: z.ZodNumber;
+        }, "strip", z.ZodTypeAny, {
+            confidence: number;
+            title: string;
+            phase: string;
+            objective: string;
+            actions: string[];
+            estimated_effort: "high" | "low" | "medium";
+        }, {
+            confidence: number;
+            title: string;
+            phase: string;
+            objective: string;
+            actions: string[];
+            estimated_effort: "high" | "low" | "medium";
+        }>, "many">;
+    }, "strip", z.ZodTypeAny, {
+        confidence: number;
+        feasibility: "high" | "low" | "medium";
+        restoration_expectation: string;
+        runtime_summary: {
+            suspected: {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }[];
+            primary_runtime: string;
+        };
+        packing_summary: {
+            confidence: number;
+            packed: boolean;
+        };
+        blockers: string[];
+        recommendations: string[];
+        phases: {
+            confidence: number;
+            title: string;
+            phase: string;
+            objective: string;
+            actions: string[];
+            estimated_effort: "high" | "low" | "medium";
+        }[];
+    }, {
+        confidence: number;
+        feasibility: "high" | "low" | "medium";
+        restoration_expectation: string;
+        runtime_summary: {
+            suspected: {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }[];
+            primary_runtime: string;
+        };
+        packing_summary: {
+            confidence: number;
+            packed: boolean;
+        };
+        blockers: string[];
+        recommendations: string[];
+        phases: {
+            confidence: number;
+            title: string;
+            phase: string;
+            objective: string;
+            actions: string[];
+            estimated_effort: "high" | "low" | "medium";
+        }[];
+    }>>;
+    warnings: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    metrics: z.ZodOptional<z.ZodObject<{
+        elapsed_ms: z.ZodNumber;
+        tool: z.ZodString;
+        cached: z.ZodOptional<z.ZodBoolean>;
+        cache_key: z.ZodOptional<z.ZodString>;
+        cache_tier: z.ZodOptional<z.ZodString>;
+        cache_created_at: z.ZodOptional<z.ZodString>;
+        cache_expires_at: z.ZodOptional<z.ZodString>;
+        cache_hit_at: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        elapsed_ms: number;
+        tool: string;
+        cached?: boolean | undefined;
+        cache_key?: string | undefined;
+        cache_tier?: string | undefined;
+        cache_created_at?: string | undefined;
+        cache_expires_at?: string | undefined;
+        cache_hit_at?: string | undefined;
+    }, {
+        elapsed_ms: number;
+        tool: string;
+        cached?: boolean | undefined;
+        cache_key?: string | undefined;
+        cache_tier?: string | undefined;
+        cache_created_at?: string | undefined;
+        cache_expires_at?: string | undefined;
+        cache_hit_at?: string | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    ok: boolean;
+    metrics?: {
+        elapsed_ms: number;
+        tool: string;
+        cached?: boolean | undefined;
+        cache_key?: string | undefined;
+        cache_tier?: string | undefined;
+        cache_created_at?: string | undefined;
+        cache_expires_at?: string | undefined;
+        cache_hit_at?: string | undefined;
+    } | undefined;
+    data?: {
+        confidence: number;
+        feasibility: "high" | "low" | "medium";
+        restoration_expectation: string;
+        runtime_summary: {
+            suspected: {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }[];
+            primary_runtime: string;
+        };
+        packing_summary: {
+            confidence: number;
+            packed: boolean;
+        };
+        blockers: string[];
+        recommendations: string[];
+        phases: {
+            confidence: number;
+            title: string;
+            phase: string;
+            objective: string;
+            actions: string[];
+            estimated_effort: "high" | "low" | "medium";
+        }[];
+    } | undefined;
+    warnings?: string[] | undefined;
+    errors?: string[] | undefined;
+}, {
+    ok: boolean;
+    metrics?: {
+        elapsed_ms: number;
+        tool: string;
+        cached?: boolean | undefined;
+        cache_key?: string | undefined;
+        cache_tier?: string | undefined;
+        cache_created_at?: string | undefined;
+        cache_expires_at?: string | undefined;
+        cache_hit_at?: string | undefined;
+    } | undefined;
+    data?: {
+        confidence: number;
+        feasibility: "high" | "low" | "medium";
+        restoration_expectation: string;
+        runtime_summary: {
+            suspected: {
+                confidence: number;
+                evidence: string[];
+                runtime: string;
+            }[];
+            primary_runtime: string;
+        };
+        packing_summary: {
+            confidence: number;
+            packed: boolean;
+        };
+        blockers: string[];
+        recommendations: string[];
+        phases: {
+            confidence: number;
+            title: string;
+            phase: string;
+            objective: string;
+            actions: string[];
+            estimated_effort: "high" | "low" | "medium";
+        }[];
+    } | undefined;
+    warnings?: string[] | undefined;
+    errors?: string[] | undefined;
+}>;
+export type CodeReconstructPlanOutput = z.infer<typeof CodeReconstructPlanOutputSchema>;
+export declare const codeReconstructPlanToolDefinition: ToolDefinition;
+interface ReconstructPlanDependencies {
+    runtimeDetectHandler?: (args: ToolArgs) => Promise<WorkerResult>;
+    packerDetectHandler?: (args: ToolArgs) => Promise<WorkerResult>;
+}
+export declare function createCodeReconstructPlanHandler(workspaceManager: WorkspaceManager, database: DatabaseManager, cacheManager: CacheManager, dependencies?: ReconstructPlanDependencies): (args: ToolArgs) => Promise<WorkerResult>;
+export {};
+//# sourceMappingURL=code-reconstruct-plan.d.ts.map

package/dist/tools/code-reconstruct-plan.js

@@ -0,0 +1,342 @@
+/**
+ * code.reconstruct.plan tool implementation
+ * Builds a practical source-reconstruction plan from current static/decompiler signals.
+ */
+import { z } from 'zod';
+import { generateCacheKey } from '../cache-manager.js';
+import { lookupCachedResult, formatCacheWarning } from './cache-observability.js';
+import { createRuntimeDetectHandler } from './runtime-detect.js';
+import { createPackerDetectHandler } from './packer-detect.js';
+const TOOL_NAME = 'code.reconstruct.plan';
+const TOOL_VERSION = '0.1.0';
+const CACHE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+export const CodeReconstructPlanInputSchema = z.object({
+    sample_id: z.string().describe('Sample ID (format: sha256:<hex>)'),
+    target_language: z
+        .enum(['auto', 'csharp', 'c', 'cpp', 'rust', 'go'])
+        .default('auto')
+        .describe('Preferred reconstruction language'),
+    depth: z
+        .enum(['quick', 'standard', 'deep'])
+        .default('standard')
+        .describe('Planning depth'),
+    include_decompiler: z
+        .boolean()
+        .default(true)
+        .describe('Whether to include decompiler-based phases'),
+    include_strings: z
+        .boolean()
+        .default(true)
+        .describe('Whether to include string/IOC enrichment phases'),
+});
+const ReconstructionPhaseSchema = z.object({
+    phase: z.string(),
+    title: z.string(),
+    objective: z.string(),
+    actions: z.array(z.string()),
+    estimated_effort: z.enum(['low', 'medium', 'high']),
+    confidence: z.number().min(0).max(1),
+});
+export const CodeReconstructPlanOutputSchema = z.object({
+    ok: z.boolean(),
+    data: z
+        .object({
+        feasibility: z.enum(['high', 'medium', 'low']),
+        confidence: z.number().min(0).max(1),
+        restoration_expectation: z.string(),
+        runtime_summary: z.object({
+            primary_runtime: z.string(),
+            suspected: z.array(z.object({
+                runtime: z.string(),
+                confidence: z.number(),
+                evidence: z.array(z.string()),
+            })),
+        }),
+        packing_summary: z.object({
+            packed: z.boolean(),
+            confidence: z.number(),
+        }),
+        blockers: z.array(z.string()),
+        recommendations: z.array(z.string()),
+        phases: z.array(ReconstructionPhaseSchema),
+    })
+        .optional(),
+    warnings: z.array(z.string()).optional(),
+    errors: z.array(z.string()).optional(),
+    metrics: z
+        .object({
+        elapsed_ms: z.number(),
+        tool: z.string(),
+        cached: z.boolean().optional(),
+        cache_key: z.string().optional(),
+        cache_tier: z.string().optional(),
+        cache_created_at: z.string().optional(),
+        cache_expires_at: z.string().optional(),
+        cache_hit_at: z.string().optional(),
+    })
+        .optional(),
+});
+export const codeReconstructPlanToolDefinition = {
+    name: TOOL_NAME,
+    description: 'Assess source-reconstruction feasibility and produce a phased reverse-engineering plan with confidence.',
+    inputSchema: CodeReconstructPlanInputSchema,
+    outputSchema: CodeReconstructPlanOutputSchema,
+};
+function clamp(value, min, max) {
+    return Math.max(min, Math.min(max, value));
+}
+function pickPrimaryRuntime(runtimeData) {
+    const suspected = runtimeData?.suspected || [];
+    if (suspected.length === 0) {
+        return 'unknown';
+    }
+    const sorted = [...suspected].sort((a, b) => b.confidence - a.confidence);
+    return sorted[0].runtime || 'unknown';
+}
+function assessReconstructability(runtimeData, packerData) {
+    const primaryRuntime = pickPrimaryRuntime(runtimeData).toLowerCase();
+    const isDotNet = runtimeData?.is_dotnet === true || primaryRuntime.includes('dotnet');
+    const packed = packerData?.packed === true;
+    const packingConfidence = clamp(packerData?.confidence ?? 0, 0, 1);
+    let score = 0.5;
+    const blockers = [];
+    if (isDotNet) {
+        score += 0.3;
+    }
+    else if (primaryRuntime.includes('rust')) {
+        score -= 0.15;
+    }
+    else if (primaryRuntime.includes('go')) {
+        score -= 0.1;
+    }
+    else if (primaryRuntime.includes('c++') || primaryRuntime.includes('cpp')) {
+        score -= 0.05;
+    }
+    if (packed) {
+        score -= 0.35 * (packingConfidence || 0.8);
+        blockers.push('Sample appears packed/obfuscated; unpacking is needed before reliable reconstruction.');
+    }
+    if (primaryRuntime === 'unknown') {
+        score -= 0.2;
+        blockers.push('Primary runtime is uncertain; detection confidence is currently low.');
+    }
+    const confidenceSignals = (runtimeData ? 1 : 0) + (packerData ? 1 : 0) + ((runtimeData?.suspected?.length || 0) > 0 ? 1 : 0);
+    const confidence = clamp(0.35 + confidenceSignals * 0.2, 0.35, 0.95);
+    score = clamp(score, 0, 1);
+    let feasibility = 'low';
+    if (score >= 0.75) {
+        feasibility = 'high';
+    }
+    else if (score >= 0.5) {
+        feasibility = 'medium';
+    }
+    let restorationExpectation = 'Behavioral reconstruction is possible; exact original source text is not recoverable.';
+    if (isDotNet && !packed) {
+        restorationExpectation =
+            'High-confidence C# structural restoration is feasible, but comments/symbol intent still requires manual review.';
+    }
+    else if (isDotNet && packed) {
+        restorationExpectation =
+            'Partial C# restoration is feasible after unpacking/deobfuscation; fidelity depends on recovered metadata.';
+    }
+    else if (!isDotNet) {
+        restorationExpectation =
+            'Native binaries support semantic reconstruction (C-like pseudocode), not exact original source restoration.';
+    }
+    return {
+        feasibility,
+        confidence,
+        restorationExpectation,
+        blockers,
+    };
+}
+function buildPhases(input, runtimeData, packerData, confidence) {
+    const primaryRuntime = pickPrimaryRuntime(runtimeData).toLowerCase();
+    const isDotNet = runtimeData?.is_dotnet === true || primaryRuntime.includes('dotnet');
+    const packed = packerData?.packed === true;
+    const phases = [
+        {
+            phase: 'phase_1',
+            title: 'Assess & Baseline',
+            objective: 'Establish runtime profile, packing state, and reconstruction boundary.',
+            actions: [
+                'Run runtime.detect and packer.detect with evidence capture.',
+                'Lock sample hash and workspace snapshot for reproducibility.',
+                'Define target output: semantic reconstruction vs source-like project.',
+            ],
+            estimated_effort: 'low',
+            confidence: clamp(confidence, 0.3, 0.95),
+        },
+    ];
+    if (packed) {
+        phases.push({
+            phase: 'phase_2',
+            title: 'Unpack & Normalize',
+            objective: 'Remove packing/obfuscation artifacts before deep reconstruction.',
+            actions: [
+                'Correlate packer signatures with imports/calls to reduce false positives.',
+                'Extract clean image and rerun static fingerprinting.',
+                'Rebuild string corpus with IOC-priority filtering.',
+            ],
+            estimated_effort: 'high',
+            confidence: clamp(confidence - 0.1, 0.2, 0.85),
+        });
+    }
+    if (input.include_decompiler) {
+        phases.push({
+            phase: packed ? 'phase_3' : 'phase_2',
+            title: 'Function Recovery',
+            objective: 'Recover function-level semantics and prioritize high-value logic.',
+            actions: [
+                'Run ghidra.analyze and build per-function confidence map.',
+                'Use code.functions.rank to focus on entry points and sensitive APIs.',
+                'Pair code.function.decompile with disassembly for mismatch review.',
+            ],
+            estimated_effort: input.depth === 'deep' ? 'high' : 'medium',
+            confidence: clamp(confidence - (packed ? 0.15 : 0.05), 0.2, 0.9),
+        });
+    }
+    phases.push({
+        phase: packed ? (input.include_decompiler ? 'phase_4' : 'phase_3') : (input.include_decompiler ? 'phase_3' : 'phase_2'),
+        title: isDotNet ? '.NET Structure Rebuild' : 'Module Recomposition',
+        objective: isDotNet
+            ? 'Recover assembly/type/method structure and generate maintainable C# project skeleton.'
+            : 'Cluster functions into modules and produce source-like pseudocode packages.',
+        actions: isDotNet
+            ? [
+                'Extract namespace/type graph and identify business-critical methods.',
+                'Reconstruct method bodies with IL fallback when C# decompilation is uncertain.',
+                'Export project skeleton with unresolved gaps documented.',
+            ]
+            : [
+                'Group functions by call graph and shared constants/strings.',
+                'Promote stable symbols and infer interfaces/data structures.',
+                'Export source-like files with confidence annotations and TODO gaps.',
+            ],
+        estimated_effort: 'high',
+        confidence: clamp(confidence - 0.1, 0.2, 0.85),
+    });
+    return phases;
+}
+export function createCodeReconstructPlanHandler(workspaceManager, database, cacheManager, dependencies) {
+    const runtimeDetectHandler = dependencies?.runtimeDetectHandler ||
+        createRuntimeDetectHandler(workspaceManager, database, cacheManager);
+    const packerDetectHandler = dependencies?.packerDetectHandler ||
+        createPackerDetectHandler(workspaceManager, database, cacheManager);
+    return async (args) => {
+        const input = args;
+        const startTime = Date.now();
+        try {
+            const sample = database.findSample(input.sample_id);
+            if (!sample) {
+                return {
+                    ok: false,
+                    errors: [`Sample not found: ${input.sample_id}`],
+                };
+            }
+            const cacheKey = generateCacheKey({
+                sampleSha256: sample.sha256,
+                toolName: TOOL_NAME,
+                toolVersion: TOOL_VERSION,
+                args: {
+                    target_language: input.target_language,
+                    depth: input.depth,
+                    include_decompiler: input.include_decompiler,
+                    include_strings: input.include_strings,
+                },
+            });
+            const cachedLookup = await lookupCachedResult(cacheManager, cacheKey);
+            if (cachedLookup) {
+                return {
+                    ok: true,
+                    data: cachedLookup.data,
+                    warnings: ['Result from cache', formatCacheWarning(cachedLookup.metadata)],
+                    metrics: {
+                        elapsed_ms: Date.now() - startTime,
+                        tool: TOOL_NAME,
+                        cached: true,
+                        cache_key: cachedLookup.metadata.key,
+                        cache_tier: cachedLookup.metadata.tier,
+                        cache_created_at: cachedLookup.metadata.createdAt,
+                        cache_expires_at: cachedLookup.metadata.expiresAt,
+                        cache_hit_at: cachedLookup.metadata.fetchedAt,
+                    },
+                };
+            }
+            const warnings = [];
+            const runtimeResult = await runtimeDetectHandler({ sample_id: input.sample_id });
+            let runtimeData;
+            if (runtimeResult.ok && runtimeResult.data) {
+                runtimeData = runtimeResult.data;
+            }
+            else {
+                warnings.push(`runtime.detect unavailable: ${(runtimeResult.errors || ['unknown error']).join('; ')}`);
+            }
+            const packerResult = await packerDetectHandler({
+                sample_id: input.sample_id,
+                engines: ['yara', 'entropy', 'entrypoint'],
+            });
+            let packerData;
+            if (packerResult.ok && packerResult.data) {
+                packerData = packerResult.data;
+            }
+            else {
+                warnings.push(`packer.detect unavailable: ${(packerResult.errors || ['unknown error']).join('; ')}`);
+            }
+            const assessment = assessReconstructability(runtimeData, packerData);
+            const phases = buildPhases(input, runtimeData, packerData, assessment.confidence);
+            const recommendations = [
+                'Treat reconstruction as semantic recovery, not literal source restoration.',
+                'Prioritize top-ranked functions and entry points before broad decompilation.',
+                'Keep a confidence map and flag low-confidence blocks for manual review.',
+            ];
+            const primaryRuntime = pickPrimaryRuntime(runtimeData).toLowerCase();
+            if (primaryRuntime.includes('dotnet') || runtimeData?.is_dotnet) {
+                recommendations.push('Use .NET-oriented extraction first (types/method metadata) to maximize readable source output.');
+            }
+            else {
+                recommendations.push('For native binaries, export C-like pseudocode modules with explicit TODOs for unresolved semantics.');
+            }
+            if (packerData?.packed) {
+                recommendations.push('Complete unpacking/deobfuscation before claiming source-level conclusions.');
+            }
+            const outputData = {
+                feasibility: assessment.feasibility,
+                confidence: assessment.confidence,
+                restoration_expectation: assessment.restorationExpectation,
+                runtime_summary: {
+                    primary_runtime: pickPrimaryRuntime(runtimeData),
+                    suspected: runtimeData?.suspected || [],
+                },
+                packing_summary: {
+                    packed: packerData?.packed === true,
+                    confidence: clamp(packerData?.confidence ?? 0, 0, 1),
+                },
+                blockers: assessment.blockers,
+                recommendations,
+                phases,
+            };
+            await cacheManager.setCachedResult(cacheKey, outputData, CACHE_TTL_MS, sample.sha256);
+            return {
+                ok: true,
+                data: outputData,
+                warnings: warnings.length > 0 ? warnings : undefined,
+                metrics: {
+                    elapsed_ms: Date.now() - startTime,
+                    tool: TOOL_NAME,
+                },
+            };
+        }
+        catch (error) {
+            return {
+                ok: false,
+                errors: [error.message],
+                metrics: {
+                    elapsed_ms: Date.now() - startTime,
+                    tool: TOOL_NAME,
+                },
+            };
+        }
+    };
+}
+//# sourceMappingURL=code-reconstruct-plan.js.map