windows-exe-decompiler-mcp-server 0.1.0

package/dist/tools/ghidra-health.js

@@ -0,0 +1,212 @@
+/**
+ * ghidra.health MCP Tool
+ *
+ * Performs both environment validation and an optional downstream live probe
+ * against a real analyzed sample/project to verify end-to-end usability.
+ */
+import { z } from 'zod';
+import { checkGhidraHealth, } from '../ghidra-config.js';
+import { findBestGhidraAnalysis, getGhidraReadiness, parseGhidraAnalysisMetadata, } from '../ghidra-analysis-status.js';
+import { DecompilerWorker } from '../decompiler-worker.js';
+export const ghidraHealthInputSchema = z.object({
+    timeout_ms: z
+        .number()
+        .int()
+        .min(1000)
+        .max(60000)
+        .optional()
+        .default(8000)
+        .describe('Timeout for launch probe and downstream live probes in milliseconds'),
+    sample_id: z
+        .string()
+        .optional()
+        .describe('Optional sample ID to use for the end-to-end downstream probe'),
+    include_end_to_end: z
+        .boolean()
+        .optional()
+        .default(true)
+        .describe('Attempt decompile/CFG live probes against a reusable analyzed sample'),
+    stale_running_ms: z
+        .number()
+        .int()
+        .min(1000)
+        .nullable()
+        .optional()
+        .describe('Optional stale-analysis reap threshold in milliseconds. Omit or null to disable auto-reaping.'),
+});
+export const ghidraHealthToolDefinition = {
+    name: 'ghidra.health',
+    description: 'Run a Ghidra environment health check plus optional end-to-end downstream probes using a real analyzed sample/project.',
+    inputSchema: ghidraHealthInputSchema,
+};
+function jsonResult(payload, isError) {
+    return {
+        content: [
+            {
+                type: 'text',
+                text: JSON.stringify(payload, null, 2),
+            },
+        ],
+        isError,
+    };
+}
+function normalizeProbeError(error) {
+    return error instanceof Error ? error.message : String(error);
+}
+function selectProbeAnalysis(database, sampleId) {
+    if (!database) {
+        return null;
+    }
+    if (sampleId) {
+        const selected = findBestGhidraAnalysis(database.findAnalysesBySample(sampleId), 'function_index');
+        return selected ? { sampleId, analysis: selected } : null;
+    }
+    for (const sample of database.findRecentSamples(50)) {
+        const selected = findBestGhidraAnalysis(database.findAnalysesBySample(sample.id), 'function_index');
+        if (selected) {
+            return { sampleId: sample.id, analysis: selected };
+        }
+    }
+    return null;
+}
+function selectProbeTarget(database, sampleId, analysis) {
+    const readiness = getGhidraReadiness(analysis);
+    const metadata = parseGhidraAnalysisMetadata(analysis.output_json);
+    return (readiness.decompile.target ||
+        readiness.cfg.target ||
+        metadata.end_to_end_probe?.target ||
+        database.findFunctions(sampleId).find((func) => typeof func.address === 'string' && func.address.length > 0)
+            ?.address);
+}
+export function createGhidraHealthHandler(workspaceManager, database, dependencies) {
+    const runHealthCheck = dependencies?.checkGhidra || checkGhidraHealth;
+    const decompilerWorker = dependencies?.decompilerWorker ||
+        (workspaceManager && database ? new DecompilerWorker(database, workspaceManager) : undefined);
+    return async (args) => {
+        try {
+            const input = ghidraHealthInputSchema.parse(args);
+            const result = runHealthCheck(input.timeout_ms);
+            const warnings = [...result.warnings];
+            const errors = [...result.errors];
+            let reapedAnalyses = [];
+            if (database && typeof input.stale_running_ms === 'number') {
+                reapedAnalyses = database
+                    .reapStaleAnalyses(input.stale_running_ms, input.sample_id)
+                    .map((analysis) => analysis.id);
+                if (reapedAnalyses.length > 0) {
+                    warnings.push(`Reaped ${reapedAnalyses.length} stale persisted running analysis record(s) before probing downstream capabilities.`);
+                }
+            }
+            const probeSelection = selectProbeAnalysis(database, input.sample_id);
+            let downstream;
+            let downstreamOk = true;
+            if (input.include_end_to_end) {
+                if (!database || !workspaceManager || !decompilerWorker) {
+                    warnings.push('End-to-end probe skipped because workspace/database dependencies are unavailable in this handler.');
+                    downstream = {
+                        attempted: false,
+                        available: false,
+                        reason: 'missing_handler_dependencies',
+                    };
+                }
+                else if (input.sample_id && !probeSelection) {
+                    downstream = {
+                        attempted: false,
+                        available: false,
+                        sample_id: input.sample_id,
+                        reason: 'no_reusable_ghidra_analysis_for_sample',
+                    };
+                    warnings.push(`No reusable Ghidra analysis with function-index readiness was found for sample ${input.sample_id}.`);
+                }
+                else if (!probeSelection) {
+                    downstream = {
+                        attempted: false,
+                        available: false,
+                        reason: 'no_recent_analyzed_sample_available',
+                    };
+                    warnings.push('No recent analyzed sample was available for an end-to-end downstream probe. Environment-only status may overstate readiness.');
+                }
+                else {
+                    const readiness = getGhidraReadiness(probeSelection.analysis);
+                    const metadata = parseGhidraAnalysisMetadata(probeSelection.analysis.output_json);
+                    const target = selectProbeTarget(database, probeSelection.sampleId, probeSelection.analysis);
+                    downstream = {
+                        attempted: true,
+                        available: true,
+                        sample_id: probeSelection.sampleId,
+                        analysis_id: probeSelection.analysis.id,
+                        analysis_status: probeSelection.analysis.status,
+                        probe_target: target || null,
+                        persisted_capabilities: readiness,
+                        persisted_probe: metadata.end_to_end_probe || null,
+                    };
+                    if (!target) {
+                        downstreamOk = false;
+                        warnings.push(`No probe target function could be selected for sample ${probeSelection.sampleId}; downstream verification is incomplete.`);
+                        downstream.live_probe = {
+                            decompile: { ok: false, error: 'No probe target function available' },
+                            cfg: { ok: false, error: 'No probe target function available' },
+                        };
+                    }
+                    else {
+                        const liveProbe = {
+                            decompile: { ok: false, error: undefined },
+                            cfg: { ok: false, error: undefined },
+                        };
+                        try {
+                            const decompiled = await decompilerWorker.decompileFunction(probeSelection.sampleId, target, false, input.timeout_ms);
+                            liveProbe.decompile = {
+                                ok: true,
+                                pseudocode_length: decompiled.pseudocode.length,
+                                callers: decompiled.callers.length,
+                                callees: decompiled.callees.length,
+                            };
+                        }
+                        catch (error) {
+                            downstreamOk = false;
+                            liveProbe.decompile = {
+                                ok: false,
+                                error: normalizeProbeError(error),
+                            };
+                        }
+                        try {
+                            const cfg = await decompilerWorker.getFunctionCFG(probeSelection.sampleId, target, input.timeout_ms);
+                            liveProbe.cfg = {
+                                ok: true,
+                                node_count: cfg.nodes.length,
+                                edge_count: cfg.edges.length,
+                            };
+                        }
+                        catch (error) {
+                            downstreamOk = false;
+                            liveProbe.cfg = {
+                                ok: false,
+                                error: normalizeProbeError(error),
+                            };
+                        }
+                        downstream.live_probe = liveProbe;
+                    }
+                }
+            }
+            const ok = result.ok && (!input.include_end_to_end || downstreamOk);
+            return jsonResult({
+                ok,
+                data: {
+                    environment: result,
+                    downstream,
+                    reaped_persisted_analysis_ids: reapedAnalyses,
+                    reaped_persisted_analysis_count: reapedAnalyses.length,
+                },
+                errors: errors.length > 0 ? errors : undefined,
+                warnings: warnings.length > 0 ? warnings : undefined,
+            }, !ok);
+        }
+        catch (error) {
+            return jsonResult({
+                ok: false,
+                errors: [normalizeProbeError(error)],
+            }, true);
+        }
+    };
+}
+//# sourceMappingURL=ghidra-health.js.map

package/dist/tools/ioc-export.d.ts

@@ -0,0 +1,209 @@
+/**
+ * ioc.export tool
+ * Export layered IOC data and optional ATT&CK mapping in JSON / CSV / STIX 2.1.
+ */
+import { z } from 'zod';
+import type { ToolDefinition, ToolArgs, WorkerResult } from '../types.js';
+import type { WorkspaceManager } from '../workspace-manager.js';
+import type { DatabaseManager } from '../database.js';
+import type { CacheManager } from '../cache-manager.js';
+export declare const IOCExportInputSchema: z.ZodObject<{
+    sample_id: z.ZodString;
+    format: z.ZodDefault<z.ZodOptional<z.ZodEnum<["json", "csv", "stix2"]>>>;
+    include_attack_map: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    include_low_confidence: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    max_iocs: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+    persist_artifact: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+    force_refresh: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, "strip", z.ZodTypeAny, {
+    sample_id: string;
+    force_refresh: boolean;
+    persist_artifact: boolean;
+    format: "json" | "csv" | "stix2";
+    include_low_confidence: boolean;
+    include_attack_map: boolean;
+    max_iocs: number;
+}, {
+    sample_id: string;
+    force_refresh?: boolean | undefined;
+    persist_artifact?: boolean | undefined;
+    format?: "json" | "csv" | "stix2" | undefined;
+    include_low_confidence?: boolean | undefined;
+    include_attack_map?: boolean | undefined;
+    max_iocs?: number | undefined;
+}>;
+export type IOCExportInput = z.infer<typeof IOCExportInputSchema>;
+export declare const IOCExportOutputSchema: z.ZodObject<{
+    ok: z.ZodBoolean;
+    data: z.ZodOptional<z.ZodObject<{
+        sample_id: z.ZodString;
+        format: z.ZodEnum<["json", "csv", "stix2"]>;
+        tool_version: z.ZodString;
+        ioc_count: z.ZodNumber;
+        iocs: z.ZodArray<z.ZodObject<{
+            type: z.ZodString;
+            value: z.ZodString;
+            confidence: z.ZodEnum<["high", "medium", "low"]>;
+            source: z.ZodString;
+            tags: z.ZodArray<z.ZodString, "many">;
+        }, "strip", z.ZodTypeAny, {
+            value: string;
+            type: string;
+            tags: string[];
+            source: string;
+            confidence: "high" | "low" | "medium";
+        }, {
+            value: string;
+            type: string;
+            tags: string[];
+            source: string;
+            confidence: "high" | "low" | "medium";
+        }>, "many">;
+        content: z.ZodString;
+        mime_type: z.ZodString;
+        attack_technique_count: z.ZodNumber;
+        artifact: z.ZodOptional<z.ZodObject<{
+            id: z.ZodString;
+            path: z.ZodString;
+            type: z.ZodString;
+            sha256: z.ZodString;
+            mime: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            path: string;
+            type: string;
+            id: string;
+            sha256: string;
+            mime: string;
+        }, {
+            path: string;
+            type: string;
+            id: string;
+            sha256: string;
+            mime: string;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        sample_id: string;
+        tool_version: string;
+        iocs: {
+            value: string;
+            type: string;
+            tags: string[];
+            source: string;
+            confidence: "high" | "low" | "medium";
+        }[];
+        content: string;
+        format: "json" | "csv" | "stix2";
+        ioc_count: number;
+        mime_type: string;
+        attack_technique_count: number;
+        artifact?: {
+            path: string;
+            type: string;
+            id: string;
+            sha256: string;
+            mime: string;
+        } | undefined;
+    }, {
+        sample_id: string;
+        tool_version: string;
+        iocs: {
+            value: string;
+            type: string;
+            tags: string[];
+            source: string;
+            confidence: "high" | "low" | "medium";
+        }[];
+        content: string;
+        format: "json" | "csv" | "stix2";
+        ioc_count: number;
+        mime_type: string;
+        attack_technique_count: number;
+        artifact?: {
+            path: string;
+            type: string;
+            id: string;
+            sha256: string;
+            mime: string;
+        } | undefined;
+    }>>;
+    warnings: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    artifacts: z.ZodOptional<z.ZodArray<z.ZodAny, "many">>;
+    metrics: z.ZodOptional<z.ZodObject<{
+        elapsed_ms: z.ZodNumber;
+        tool: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        elapsed_ms: number;
+        tool: string;
+    }, {
+        elapsed_ms: number;
+        tool: string;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    ok: boolean;
+    metrics?: {
+        elapsed_ms: number;
+        tool: string;
+    } | undefined;
+    data?: {
+        sample_id: string;
+        tool_version: string;
+        iocs: {
+            value: string;
+            type: string;
+            tags: string[];
+            source: string;
+            confidence: "high" | "low" | "medium";
+        }[];
+        content: string;
+        format: "json" | "csv" | "stix2";
+        ioc_count: number;
+        mime_type: string;
+        attack_technique_count: number;
+        artifact?: {
+            path: string;
+            type: string;
+            id: string;
+            sha256: string;
+            mime: string;
+        } | undefined;
+    } | undefined;
+    warnings?: string[] | undefined;
+    errors?: string[] | undefined;
+    artifacts?: any[] | undefined;
+}, {
+    ok: boolean;
+    metrics?: {
+        elapsed_ms: number;
+        tool: string;
+    } | undefined;
+    data?: {
+        sample_id: string;
+        tool_version: string;
+        iocs: {
+            value: string;
+            type: string;
+            tags: string[];
+            source: string;
+            confidence: "high" | "low" | "medium";
+        }[];
+        content: string;
+        format: "json" | "csv" | "stix2";
+        ioc_count: number;
+        mime_type: string;
+        attack_technique_count: number;
+        artifact?: {
+            path: string;
+            type: string;
+            id: string;
+            sha256: string;
+            mime: string;
+        } | undefined;
+    } | undefined;
+    warnings?: string[] | undefined;
+    errors?: string[] | undefined;
+    artifacts?: any[] | undefined;
+}>;
+export declare const iocExportToolDefinition: ToolDefinition;
+export declare function createIOCExportHandler(workspaceManager: WorkspaceManager, database: DatabaseManager, cacheManager: CacheManager): (args: ToolArgs) => Promise<WorkerResult>;
+//# sourceMappingURL=ioc-export.d.ts.map