windows-exe-decompiler-mcp-server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (190) hide show
  1. package/CODEX_INSTALLATION.md +69 -0
  2. package/COPILOT_INSTALLATION.md +77 -0
  3. package/LICENSE +21 -0
  4. package/README.md +314 -0
  5. package/bin/windows-exe-decompiler-mcp-server.js +3 -0
  6. package/dist/analysis-provenance.d.ts +184 -0
  7. package/dist/analysis-provenance.js +74 -0
  8. package/dist/analysis-task-runner.d.ts +31 -0
  9. package/dist/analysis-task-runner.js +160 -0
  10. package/dist/artifact-inventory.d.ts +23 -0
  11. package/dist/artifact-inventory.js +175 -0
  12. package/dist/cache-manager.d.ts +128 -0
  13. package/dist/cache-manager.js +454 -0
  14. package/dist/confidence-semantics.d.ts +66 -0
  15. package/dist/confidence-semantics.js +122 -0
  16. package/dist/config.d.ts +335 -0
  17. package/dist/config.js +193 -0
  18. package/dist/database.d.ts +227 -0
  19. package/dist/database.js +601 -0
  20. package/dist/decompiler-worker.d.ts +441 -0
  21. package/dist/decompiler-worker.js +1962 -0
  22. package/dist/dynamic-trace.d.ts +95 -0
  23. package/dist/dynamic-trace.js +629 -0
  24. package/dist/env-validator.d.ts +15 -0
  25. package/dist/env-validator.js +249 -0
  26. package/dist/error-handler.d.ts +28 -0
  27. package/dist/error-handler.example.d.ts +22 -0
  28. package/dist/error-handler.example.js +141 -0
  29. package/dist/error-handler.js +139 -0
  30. package/dist/ghidra-analysis-status.d.ts +49 -0
  31. package/dist/ghidra-analysis-status.js +178 -0
  32. package/dist/ghidra-config.d.ts +134 -0
  33. package/dist/ghidra-config.js +464 -0
  34. package/dist/index.d.ts +9 -0
  35. package/dist/index.js +200 -0
  36. package/dist/job-queue.d.ts +169 -0
  37. package/dist/job-queue.js +407 -0
  38. package/dist/logger.d.ts +106 -0
  39. package/dist/logger.js +176 -0
  40. package/dist/policy-guard.d.ts +115 -0
  41. package/dist/policy-guard.js +243 -0
  42. package/dist/process-output.d.ts +15 -0
  43. package/dist/process-output.js +90 -0
  44. package/dist/prompts/function-explanation-review.d.ts +5 -0
  45. package/dist/prompts/function-explanation-review.js +64 -0
  46. package/dist/prompts/semantic-name-review.d.ts +5 -0
  47. package/dist/prompts/semantic-name-review.js +63 -0
  48. package/dist/runtime-correlation.d.ts +34 -0
  49. package/dist/runtime-correlation.js +279 -0
  50. package/dist/runtime-paths.d.ts +3 -0
  51. package/dist/runtime-paths.js +11 -0
  52. package/dist/selection-diff.d.ts +667 -0
  53. package/dist/selection-diff.js +53 -0
  54. package/dist/semantic-name-suggestion-artifacts.d.ts +116 -0
  55. package/dist/semantic-name-suggestion-artifacts.js +314 -0
  56. package/dist/server.d.ts +129 -0
  57. package/dist/server.js +578 -0
  58. package/dist/tools/artifact-read.d.ts +235 -0
  59. package/dist/tools/artifact-read.js +317 -0
  60. package/dist/tools/artifacts-diff.d.ts +728 -0
  61. package/dist/tools/artifacts-diff.js +304 -0
  62. package/dist/tools/artifacts-list.d.ts +515 -0
  63. package/dist/tools/artifacts-list.js +389 -0
  64. package/dist/tools/attack-map.d.ts +290 -0
  65. package/dist/tools/attack-map.js +519 -0
  66. package/dist/tools/cache-observability.d.ts +4 -0
  67. package/dist/tools/cache-observability.js +36 -0
  68. package/dist/tools/code-function-cfg.d.ts +50 -0
  69. package/dist/tools/code-function-cfg.js +102 -0
  70. package/dist/tools/code-function-decompile.d.ts +55 -0
  71. package/dist/tools/code-function-decompile.js +103 -0
  72. package/dist/tools/code-function-disassemble.d.ts +43 -0
  73. package/dist/tools/code-function-disassemble.js +185 -0
  74. package/dist/tools/code-function-explain-apply.d.ts +255 -0
  75. package/dist/tools/code-function-explain-apply.js +225 -0
  76. package/dist/tools/code-function-explain-prepare.d.ts +535 -0
  77. package/dist/tools/code-function-explain-prepare.js +276 -0
  78. package/dist/tools/code-function-explain-review.d.ts +397 -0
  79. package/dist/tools/code-function-explain-review.js +589 -0
  80. package/dist/tools/code-function-rename-apply.d.ts +248 -0
  81. package/dist/tools/code-function-rename-apply.js +220 -0
  82. package/dist/tools/code-function-rename-prepare.d.ts +506 -0
  83. package/dist/tools/code-function-rename-prepare.js +279 -0
  84. package/dist/tools/code-function-rename-review.d.ts +574 -0
  85. package/dist/tools/code-function-rename-review.js +761 -0
  86. package/dist/tools/code-functions-list.d.ts +37 -0
  87. package/dist/tools/code-functions-list.js +91 -0
  88. package/dist/tools/code-functions-rank.d.ts +34 -0
  89. package/dist/tools/code-functions-rank.js +90 -0
  90. package/dist/tools/code-functions-reconstruct.d.ts +2725 -0
  91. package/dist/tools/code-functions-reconstruct.js +2807 -0
  92. package/dist/tools/code-functions-search.d.ts +39 -0
  93. package/dist/tools/code-functions-search.js +90 -0
  94. package/dist/tools/code-reconstruct-export.d.ts +1212 -0
  95. package/dist/tools/code-reconstruct-export.js +4002 -0
  96. package/dist/tools/code-reconstruct-plan.d.ts +274 -0
  97. package/dist/tools/code-reconstruct-plan.js +342 -0
  98. package/dist/tools/dotnet-metadata-extract.d.ts +541 -0
  99. package/dist/tools/dotnet-metadata-extract.js +355 -0
  100. package/dist/tools/dotnet-reconstruct-export.d.ts +567 -0
  101. package/dist/tools/dotnet-reconstruct-export.js +1151 -0
  102. package/dist/tools/dotnet-types-list.d.ts +325 -0
  103. package/dist/tools/dotnet-types-list.js +201 -0
  104. package/dist/tools/dynamic-dependencies.d.ts +115 -0
  105. package/dist/tools/dynamic-dependencies.js +213 -0
  106. package/dist/tools/dynamic-memory-import.d.ts +10 -0
  107. package/dist/tools/dynamic-memory-import.js +567 -0
  108. package/dist/tools/dynamic-trace-import.d.ts +10 -0
  109. package/dist/tools/dynamic-trace-import.js +235 -0
  110. package/dist/tools/entrypoint-fallback-disasm.d.ts +30 -0
  111. package/dist/tools/entrypoint-fallback-disasm.js +89 -0
  112. package/dist/tools/ghidra-analyze.d.ts +88 -0
  113. package/dist/tools/ghidra-analyze.js +208 -0
  114. package/dist/tools/ghidra-health.d.ts +37 -0
  115. package/dist/tools/ghidra-health.js +212 -0
  116. package/dist/tools/ioc-export.d.ts +209 -0
  117. package/dist/tools/ioc-export.js +542 -0
  118. package/dist/tools/packer-detect.d.ts +165 -0
  119. package/dist/tools/packer-detect.js +284 -0
  120. package/dist/tools/pe-exports-extract.d.ts +175 -0
  121. package/dist/tools/pe-exports-extract.js +253 -0
  122. package/dist/tools/pe-fingerprint.d.ts +234 -0
  123. package/dist/tools/pe-fingerprint.js +269 -0
  124. package/dist/tools/pe-imports-extract.d.ts +105 -0
  125. package/dist/tools/pe-imports-extract.js +245 -0
  126. package/dist/tools/report-generate.d.ts +157 -0
  127. package/dist/tools/report-generate.js +457 -0
  128. package/dist/tools/report-summarize.d.ts +2131 -0
  129. package/dist/tools/report-summarize.js +596 -0
  130. package/dist/tools/runtime-detect.d.ts +135 -0
  131. package/dist/tools/runtime-detect.js +247 -0
  132. package/dist/tools/sample-ingest.d.ts +94 -0
  133. package/dist/tools/sample-ingest.js +327 -0
  134. package/dist/tools/sample-profile-get.d.ts +183 -0
  135. package/dist/tools/sample-profile-get.js +121 -0
  136. package/dist/tools/sandbox-execute.d.ts +441 -0
  137. package/dist/tools/sandbox-execute.js +392 -0
  138. package/dist/tools/strings-extract.d.ts +375 -0
  139. package/dist/tools/strings-extract.js +314 -0
  140. package/dist/tools/strings-floss-decode.d.ts +143 -0
  141. package/dist/tools/strings-floss-decode.js +259 -0
  142. package/dist/tools/system-health.d.ts +434 -0
  143. package/dist/tools/system-health.js +446 -0
  144. package/dist/tools/task-cancel.d.ts +21 -0
  145. package/dist/tools/task-cancel.js +70 -0
  146. package/dist/tools/task-status.d.ts +27 -0
  147. package/dist/tools/task-status.js +106 -0
  148. package/dist/tools/task-sweep.d.ts +22 -0
  149. package/dist/tools/task-sweep.js +77 -0
  150. package/dist/tools/tool-help.d.ts +340 -0
  151. package/dist/tools/tool-help.js +261 -0
  152. package/dist/tools/yara-scan.d.ts +554 -0
  153. package/dist/tools/yara-scan.js +313 -0
  154. package/dist/types.d.ts +266 -0
  155. package/dist/types.js +41 -0
  156. package/dist/worker-pool.d.ts +204 -0
  157. package/dist/worker-pool.js +650 -0
  158. package/dist/workflows/deep-static.d.ts +104 -0
  159. package/dist/workflows/deep-static.js +276 -0
  160. package/dist/workflows/function-explanation-review.d.ts +655 -0
  161. package/dist/workflows/function-explanation-review.js +440 -0
  162. package/dist/workflows/reconstruct.d.ts +2053 -0
  163. package/dist/workflows/reconstruct.js +666 -0
  164. package/dist/workflows/semantic-name-review.d.ts +2418 -0
  165. package/dist/workflows/semantic-name-review.js +521 -0
  166. package/dist/workflows/triage.d.ts +659 -0
  167. package/dist/workflows/triage.js +1374 -0
  168. package/dist/workspace-manager.d.ts +150 -0
  169. package/dist/workspace-manager.js +411 -0
  170. package/ghidra_scripts/DecompileFunction.java +487 -0
  171. package/ghidra_scripts/DecompileFunction.py +150 -0
  172. package/ghidra_scripts/ExtractCFG.java +256 -0
  173. package/ghidra_scripts/ExtractCFG.py +233 -0
  174. package/ghidra_scripts/ExtractFunctions.java +442 -0
  175. package/ghidra_scripts/ExtractFunctions.py +101 -0
  176. package/ghidra_scripts/README.md +125 -0
  177. package/ghidra_scripts/SearchFunctionReferences.java +380 -0
  178. package/helpers/DotNetMetadataProbe/DotNetMetadataProbe.csproj +9 -0
  179. package/helpers/DotNetMetadataProbe/Program.cs +566 -0
  180. package/install-to-codex.ps1 +178 -0
  181. package/install-to-copilot.ps1 +303 -0
  182. package/package.json +101 -0
  183. package/requirements.txt +9 -0
  184. package/workers/requirements-dynamic.txt +11 -0
  185. package/workers/requirements.txt +8 -0
  186. package/workers/speakeasy_compat.py +175 -0
  187. package/workers/static_worker.py +5183 -0
  188. package/workers/yara_rules/default.yar +33 -0
  189. package/workers/yara_rules/malware_families.yar +93 -0
  190. package/workers/yara_rules/packers.yar +80 -0
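--- /dev/null
+++ b/package/dist/tools/yara-scan.d.ts
@@ -0,0 +1,554 @@
+/**
+* yara.scan tool implementation
+* Scans PE files using YARA rules to identify malware families and packers
+* Requirements: 5.1, 5.2, 5.3
+*/
+import { z } from 'zod';
+import type { ToolDefinition, ToolArgs, WorkerResult } from '../types.js';
+import type { WorkspaceManager } from '../workspace-manager.js';
+import type { DatabaseManager } from '../database.js';
+import type { CacheManager } from '../cache-manager.js';
+/**
+* Input schema for yara.scan tool
+* Requirements: 5.1, 5.2
+*/
+export declare const YaraScanInputSchema: z.ZodObject<{
+sample_id: z.ZodString;
+rule_set: z.ZodString;
+timeout_ms: z.ZodDefault<z.ZodOptional<z.ZodNumber>>;
+rule_tier: z.ZodDefault<z.ZodOptional<z.ZodEnum<["production", "experimental", "test", "all"]>>>;
+force_refresh: z.ZodDefault<z.ZodOptional<z.ZodBoolean>>;
+}, "strip", z.ZodTypeAny, {
+sample_id: string;
+force_refresh: boolean;
+rule_set: string;
+timeout_ms: number;
+rule_tier: "all" | "production" | "experimental" | "test";
+}, {
+sample_id: string;
+rule_set: string;
+force_refresh?: boolean | undefined;
+timeout_ms?: number | undefined;
+rule_tier?: "all" | "production" | "experimental" | "test" | undefined;
+}>;
+export type YaraScanInput = z.infer<typeof YaraScanInputSchema>;
+/**
+* Output schema for yara.scan tool
+* Requirements: 5.2, 5.3
+*/
+export declare const YaraScanOutputSchema: z.ZodObject<{
+ok: z.ZodBoolean;
+data: z.ZodOptional<z.ZodObject<{
+matches: z.ZodArray<z.ZodObject<{
+rule: z.ZodString;
+tags: z.ZodArray<z.ZodString, "many">;
+meta: z.ZodRecord<z.ZodString, z.ZodAny>;
+strings: z.ZodArray<z.ZodObject<{
+identifier: z.ZodString;
+offset: z.ZodNumber;
+matched_data: z.ZodString;
+location: z.ZodOptional<z.ZodObject<{
+section: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+offset_in_section: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+rva: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+distance_to_entrypoint: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+function_hint: z.ZodOptional<z.ZodNullable<z.ZodObject<{
+name: z.ZodString;
+address: z.ZodString;
+proximity: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+address: string;
+name: string;
+proximity: string;
+}, {
+address: string;
+name: string;
+proximity: string;
+}>>>;
+}, "strip", z.ZodTypeAny, {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+}, {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+}>>;
+}, "strip", z.ZodTypeAny, {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}, {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}>, "many">;
+confidence: z.ZodOptional<z.ZodObject<{
+level: z.ZodEnum<["low", "medium", "high"]>;
+score: z.ZodNumber;
+reason: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+}, {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+}>>;
+evidence: z.ZodOptional<z.ZodObject<{
+import_dll_hits: z.ZodArray<z.ZodString, "many">;
+import_api_hits: z.ZodArray<z.ZodString, "many">;
+section_hits: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+near_entrypoint_hits: z.ZodOptional<z.ZodNumber>;
+string_only: z.ZodBoolean;
+}, "strip", z.ZodTypeAny, {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+}, {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+}>>;
+inference: z.ZodOptional<z.ZodObject<{
+classification: z.ZodString;
+summary: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+summary: string;
+classification: string;
+}, {
+summary: string;
+classification: string;
+}>>;
+}, "strip", z.ZodTypeAny, {
+tags: string[];
+strings: {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}[];
+rule: string;
+meta: Record<string, any>;
+confidence?: {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+} | undefined;
+evidence?: {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+} | undefined;
+inference?: {
+summary: string;
+classification: string;
+} | undefined;
+}, {
+tags: string[];
+strings: {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}[];
+rule: string;
+meta: Record<string, any>;
+confidence?: {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+} | undefined;
+evidence?: {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+} | undefined;
+inference?: {
+summary: string;
+classification: string;
+} | undefined;
+}>, "many">;
+ruleset_version: z.ZodString;
+timed_out: z.ZodBoolean;
+rule_set: z.ZodString;
+rule_tier: z.ZodOptional<z.ZodString>;
+rule_files: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+confidence_summary: z.ZodOptional<z.ZodObject<{
+high: z.ZodNumber;
+medium: z.ZodNumber;
+low: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+high: number;
+low: number;
+medium: number;
+}, {
+high: number;
+low: number;
+medium: number;
+}>>;
+import_evidence: z.ZodOptional<z.ZodObject<{
+dll_count: z.ZodNumber;
+api_count: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+api_count: number;
+dll_count: number;
+}, {
+api_count: number;
+dll_count: number;
+}>>;
+offset_mapping: z.ZodOptional<z.ZodObject<{
+parser: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+sections_count: z.ZodOptional<z.ZodNumber>;
+entry_point: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+}, "strip", z.ZodTypeAny, {
+entry_point?: Record<string, any> | undefined;
+parser?: string | null | undefined;
+sections_count?: number | undefined;
+}, {
+entry_point?: Record<string, any> | undefined;
+parser?: string | null | undefined;
+sections_count?: number | undefined;
+}>>;
+quality_notes: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+timed_out: boolean;
+matches: {
+tags: string[];
+strings: {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}[];
+rule: string;
+meta: Record<string, any>;
+confidence?: {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+} | undefined;
+evidence?: {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+} | undefined;
+inference?: {
+summary: string;
+classification: string;
+} | undefined;
+}[];
+rule_set: string;
+ruleset_version: string;
+rule_tier?: string | undefined;
+rule_files?: string[] | undefined;
+confidence_summary?: {
+high: number;
+low: number;
+medium: number;
+} | undefined;
+import_evidence?: {
+api_count: number;
+dll_count: number;
+} | undefined;
+offset_mapping?: {
+entry_point?: Record<string, any> | undefined;
+parser?: string | null | undefined;
+sections_count?: number | undefined;
+} | undefined;
+quality_notes?: string[] | undefined;
+}, {
+timed_out: boolean;
+matches: {
+tags: string[];
+strings: {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}[];
+rule: string;
+meta: Record<string, any>;
+confidence?: {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+} | undefined;
+evidence?: {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+} | undefined;
+inference?: {
+summary: string;
+classification: string;
+} | undefined;
+}[];
+rule_set: string;
+ruleset_version: string;
+rule_tier?: string | undefined;
+rule_files?: string[] | undefined;
+confidence_summary?: {
+high: number;
+low: number;
+medium: number;
+} | undefined;
+import_evidence?: {
+api_count: number;
+dll_count: number;
+} | undefined;
+offset_mapping?: {
+entry_point?: Record<string, any> | undefined;
+parser?: string | null | undefined;
+sections_count?: number | undefined;
+} | undefined;
+quality_notes?: string[] | undefined;
+}>>;
+warnings: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+artifacts: z.ZodOptional<z.ZodArray<z.ZodAny, "many">>;
+metrics: z.ZodOptional<z.ZodObject<{
+elapsed_ms: z.ZodNumber;
+tool: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+elapsed_ms: number;
+tool: string;
+}, {
+elapsed_ms: number;
+tool: string;
+}>>;
+}, "strip", z.ZodTypeAny, {
+ok: boolean;
+metrics?: {
+elapsed_ms: number;
+tool: string;
+} | undefined;
+data?: {
+timed_out: boolean;
+matches: {
+tags: string[];
+strings: {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}[];
+rule: string;
+meta: Record<string, any>;
+confidence?: {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+} | undefined;
+evidence?: {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+} | undefined;
+inference?: {
+summary: string;
+classification: string;
+} | undefined;
+}[];
+rule_set: string;
+ruleset_version: string;
+rule_tier?: string | undefined;
+rule_files?: string[] | undefined;
+confidence_summary?: {
+high: number;
+low: number;
+medium: number;
+} | undefined;
+import_evidence?: {
+api_count: number;
+dll_count: number;
+} | undefined;
+offset_mapping?: {
+entry_point?: Record<string, any> | undefined;
+parser?: string | null | undefined;
+sections_count?: number | undefined;
+} | undefined;
+quality_notes?: string[] | undefined;
+} | undefined;
+warnings?: string[] | undefined;
+errors?: string[] | undefined;
+artifacts?: any[] | undefined;
+}, {
+ok: boolean;
+metrics?: {
+elapsed_ms: number;
+tool: string;
+} | undefined;
+data?: {
+timed_out: boolean;
+matches: {
+tags: string[];
+strings: {
+offset: number;
+identifier: string;
+matched_data: string;
+location?: {
+section?: string | null | undefined;
+offset_in_section?: number | null | undefined;
+rva?: number | null | undefined;
+distance_to_entrypoint?: number | null | undefined;
+function_hint?: {
+address: string;
+name: string;
+proximity: string;
+} | null | undefined;
+} | undefined;
+}[];
+rule: string;
+meta: Record<string, any>;
+confidence?: {
+level: "high" | "low" | "medium";
+score: number;
+reason: string;
+} | undefined;
+evidence?: {
+import_dll_hits: string[];
+import_api_hits: string[];
+string_only: boolean;
+section_hits?: string[] | undefined;
+near_entrypoint_hits?: number | undefined;
+} | undefined;
+inference?: {
+summary: string;
+classification: string;
+} | undefined;
+}[];
+rule_set: string;
+ruleset_version: string;
+rule_tier?: string | undefined;
+rule_files?: string[] | undefined;
+confidence_summary?: {
+high: number;
+low: number;
+medium: number;
+} | undefined;
+import_evidence?: {
+api_count: number;
+dll_count: number;
+} | undefined;
+offset_mapping?: {
+entry_point?: Record<string, any> | undefined;
+parser?: string | null | undefined;
+sections_count?: number | undefined;
+} | undefined;
+quality_notes?: string[] | undefined;
+} | undefined;
+warnings?: string[] | undefined;
+errors?: string[] | undefined;
+artifacts?: any[] | undefined;
+}>;
+export type YaraScanOutput = z.infer<typeof YaraScanOutputSchema>;
+/**
+* Tool definition for yara.scan
+*/
+export declare const yaraScanToolDefinition: ToolDefinition;
+/**
+* Create yara.scan tool handler
+* Requirements: 5.1, 5.2, 5.3, 5.5
+*/
+export declare function createYaraScanHandler(workspaceManager: WorkspaceManager, database: DatabaseManager, cacheManager: CacheManager): (args: ToolArgs) => Promise<WorkerResult>;
+//# sourceMappingURL=yara-scan.d.ts.map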