iflow-mcp_developermode-korea_reversecore-mcp 1.0.0__py3-none-any.whl

reversecore_mcp/tools/__init__.py

@@ -0,0 +1,49 @@
+"""
+Tool definitions for Reversecore_MCP.
+
+This package contains tool modules that wrap reverse engineering CLI tools
+and libraries, making them accessible to AI agents through the MCP protocol.
+"""
+
+# Analysis tools
+from reversecore_mcp.tools.analysis import diff_tools, lief_tools, signature_tools, static_analysis
+
+# Common tools
+from reversecore_mcp.tools.common import file_operations, patch_explainer
+
+# Ghidra tools
+from reversecore_mcp.tools.ghidra import decompilation
+
+# Malware tools
+from reversecore_mcp.tools.malware import adaptive_vaccine, dormant_detector, vulnerability_hunter
+
+# Radare2 tools
+from reversecore_mcp.tools.radare2 import r2_analysis
+
+# Report tools
+from reversecore_mcp.tools.report import report_mcp_tools, report_tools
+
+__all__ = [
+    # Analysis tools
+    "static_analysis",
+    "diff_tools",
+    "signature_tools",
+    "lief_tools",
+    # Common tools
+    "file_operations",
+    "patch_explainer",
+    # Radare2 tools
+    "r2_analysis",
+    # Ghidra tools
+    "decompilation",
+    # Malware tools
+    "dormant_detector",
+    "adaptive_vaccine",
+    "vulnerability_hunter",
+    # Report tools
+    "report_tools",
+    "report_mcp_tools",
+]
+
+# NOTE: Legacy alias 'ghost_trace' was removed in v1.0.0
+# Use 'dormant_detector' directly

reversecore_mcp/tools/analysis/__init__.py

@@ -0,0 +1,74 @@
+"""Static analysis tools package.
+
+Provides a unified AnalysisToolsPlugin that registers all analysis-related tools.
+"""
+
+from typing import Any
+
+from reversecore_mcp.core.logging_config import get_logger
+from reversecore_mcp.core.plugin import Plugin
+
+logger = get_logger(__name__)
+
+
+class AnalysisToolsPlugin(Plugin):
+    """Unified plugin for all static analysis tools."""
+
+    @property
+    def name(self) -> str:
+        return "analysis_tools"
+
+    @property
+    def description(self) -> str:
+        return "Unified static analysis tools including diffing, LIEF parsing, signature generation, and string extraction."
+
+    def register(self, mcp_server: Any) -> None:
+        """Register all analysis tools."""
+        # Import tool functions from submodules
+        from reversecore_mcp.tools.analysis.capa_tools import (
+            run_capa,
+            run_capa_quick,
+        )
+        from reversecore_mcp.tools.analysis.die_tools import (
+            detect_packer,
+            detect_packer_deep,
+        )
+        from reversecore_mcp.tools.analysis.diff_tools import (
+            analyze_variant_changes,
+            diff_binaries,
+            match_libraries,
+        )
+        from reversecore_mcp.tools.analysis.lief_tools import parse_binary_with_lief
+        from reversecore_mcp.tools.analysis.signature_tools import (
+            generate_signature,
+            generate_yara_rule,
+        )
+        from reversecore_mcp.tools.analysis.static_analysis import (
+            extract_rtti_info,
+            run_binwalk,
+            run_binwalk_extract,
+            run_strings,
+            scan_for_versions,
+        )
+
+        # Register all tools
+        mcp_server.tool(diff_binaries)
+        mcp_server.tool(analyze_variant_changes)
+        mcp_server.tool(match_libraries)
+        mcp_server.tool(parse_binary_with_lief)
+        mcp_server.tool(generate_signature)
+        mcp_server.tool(generate_yara_rule)
+        mcp_server.tool(run_strings)
+        mcp_server.tool(run_binwalk)
+        mcp_server.tool(run_binwalk_extract)
+        mcp_server.tool(scan_for_versions)
+        mcp_server.tool(extract_rtti_info)
+        mcp_server.tool(detect_packer)
+        mcp_server.tool(detect_packer_deep)
+        mcp_server.tool(run_capa)
+        mcp_server.tool(run_capa_quick)
+
+        logger.info(f"Registered {self.name} plugin with 15 analysis tools (unified)")
+
+
+__all__ = ["AnalysisToolsPlugin"]

reversecore_mcp/tools/analysis/capa_tools.py

@@ -0,0 +1,215 @@
+"""
+CAPA integration for capability detection.
+
+CAPA (by Mandiant FLARE) identifies capabilities in executable files,
+providing high-level behavioral information like encryption, file deletion, etc.
+"""
+
+from reversecore_mcp.core.decorators import log_execution
+from reversecore_mcp.core.logging_config import get_logger
+from reversecore_mcp.core.result import success, failure, ToolSuccess
+from reversecore_mcp.core.security import validate_file_path
+
+logger = get_logger(__name__)
+
+
+def _is_capa_available() -> bool:
+    """Check if CAPA library is available."""
+    try:
+        import capa  # noqa: F401
+
+        return True
+    except ImportError:
+        return False
+
+
+@log_execution()
+async def run_capa(file_path: str, output_format: str = "summary"):
+    """
+    Analyze binary capabilities using CAPA (Mandiant FLARE).
+
+    CAPA identifies capabilities in executable files and provides high-level
+    behavioral information such as:
+    - "encrypt data using AES"
+    - "delete files"
+    - "communicate via HTTP"
+    - "create persistence via registry"
+
+    Args:
+        file_path: Path to the binary file to analyze
+        output_format: Output format - "summary" (default), "detailed", or "json"
+
+    Returns:
+        ToolResult with capability analysis including:
+        - capabilities: List of detected capabilities
+        - mitre_attack: MITRE ATT&CK technique mappings
+        - mbc: Malware Behavior Catalog mappings
+    """
+    validated_path = validate_file_path(file_path)
+
+    if not _is_capa_available():
+        return failure(
+            error_code="CAPA_NOT_INSTALLED",
+            message="CAPA is not installed. Install with: pip install flare-capa",
+        )
+
+    try:
+        import capa.loader
+        import capa.main
+        import capa.rules
+
+        # Get default rules path
+        rules_path = capa.main.get_default_root()
+
+        # Load rules
+        try:
+            rules, _ = capa.rules.get_rules([rules_path])
+        except Exception as e:
+            # Falls back to no rules if default path fails
+            logger.warning(f"Failed to load CAPA rules: {e}")
+            return failure(
+                error_code="CAPA_RULES_LOAD_FAILED",
+                message=f"Failed to load CAPA rules. Run: capa --update-rules\nError: {e}",
+            )
+
+        # Analyze the file
+        try:
+            extractor = capa.loader.get_extractor(
+                str(validated_path),
+                "auto",  # Auto-detect format
+                capa.main.BACKEND_VIV,  # Use vivisect backend
+                [],  # No signatures
+                False,  # Disable progress
+            )
+        except Exception as e:
+            logger.error(f"CAPA failed to load file: {e}")
+            return failure(
+                error_code="CAPA_LOAD_FILE_FAILED",
+                message=f"CAPA cannot analyze this file: {e}",
+            )
+
+        # Get capabilities
+        capabilities, counts = capa.main.find_capabilities(rules, extractor)
+
+        # Format results
+        result = {
+            "capabilities": [],
+            "mitre_attack": [],
+            "mbc": [],
+            "summary": {
+                "total_capabilities": len(capabilities),
+                "namespaces": {},
+            },
+        }
+
+        for rule_name, matches in capabilities.items():
+            rule = rules[rule_name]
+
+            capability = {
+                "name": rule_name,
+                "namespace": rule.meta.get("namespace", ""),
+                "description": rule.meta.get("description", ""),
+                "scope": rule.meta.get("scope", "function"),
+                "match_count": len(matches),
+            }
+
+            # Extract MITRE ATT&CK
+            if "att&ck" in rule.meta:
+                for attack in rule.meta["att&ck"]:
+                    if attack not in result["mitre_attack"]:
+                        result["mitre_attack"].append(attack)
+
+            # Extract MBC (Malware Behavior Catalog)
+            if "mbc" in rule.meta:
+                for mbc in rule.meta["mbc"]:
+                    if mbc not in result["mbc"]:
+                        result["mbc"].append(mbc)
+
+            result["capabilities"].append(capability)
+
+            # Count by namespace
+            ns = capability["namespace"]
+            result["summary"]["namespaces"][ns] = result["summary"]["namespaces"].get(ns, 0) + 1
+
+        # Create summary message
+        high_risk_namespaces = [
+            "anti-analysis",
+            "collection",
+            "command-and-control",
+            "defense-evasion",
+            "exfiltration",
+            "impact",
+            "persistence",
+        ]
+
+        high_risk_count = sum(
+            result["summary"]["namespaces"].get(ns, 0) for ns in high_risk_namespaces
+        )
+
+        message = f"Detected {len(capabilities)} capabilities"
+        if high_risk_count > 0:
+            message += f" ({high_risk_count} high-risk)"
+        if result["mitre_attack"]:
+            message += f", {len(result['mitre_attack'])} MITRE ATT&CK techniques"
+
+        return success(
+            data=result,
+            message=message,
+            high_risk_count=high_risk_count,
+            mitre_count=len(result["mitre_attack"]),
+        )
+
+    except Exception as e:
+        logger.error(f"CAPA analysis failed: {e}")
+        return failure(error_code="CAPA_ANALYSIS_FAILED", message=f"CAPA analysis failed: {e}")
+
+
+@log_execution()
+async def run_capa_quick(file_path: str):
+    """
+    Quick CAPA scan returning only high-risk capabilities.
+
+    Faster than full run_capa, focuses on:
+    - Anti-analysis techniques
+    - Persistence mechanisms
+    - C2 communication
+    - Data exfiltration
+    - Impact capabilities
+
+    Args:
+        file_path: Path to the binary file
+
+    Returns:
+        ToolResult with high-risk capabilities only
+    """
+    result = await run_capa(file_path)
+
+    if not isinstance(result, ToolSuccess):
+        return result
+
+    # Filter to high-risk only
+    high_risk_namespaces = {
+        "anti-analysis",
+        "collection",
+        "command-and-control",
+        "defense-evasion",
+        "exfiltration",
+        "impact",
+        "persistence",
+        "execution",
+    }
+
+    filtered_caps = [
+        cap
+        for cap in result.data["capabilities"]
+        if any(ns in cap["namespace"] for ns in high_risk_namespaces)
+    ]
+
+    return success(
+        data={
+            "high_risk_capabilities": filtered_caps,
+            "mitre_attack": result.data["mitre_attack"],
+            "total_filtered": len(filtered_caps),
+        },
+        message=f"{len(filtered_caps)} high-risk capabilities detected",
+    )

reversecore_mcp/tools/analysis/die_tools.py

@@ -0,0 +1,180 @@
+"""
+Detect It Easy (DIE) integration for packer/compiler detection.
+
+Provides tools to identify binary file characteristics using the DIE CLI (diec).
+"""
+
+import shutil
+
+from reversecore_mcp.core.decorators import log_execution
+from reversecore_mcp.core.execution import execute_subprocess_async
+from reversecore_mcp.core.logging_config import get_logger
+from reversecore_mcp.core.result import success, failure
+from reversecore_mcp.core.security import validate_file_path
+
+logger = get_logger(__name__)
+
+
+def _is_die_available() -> bool:
+    """Check if Detect It Easy CLI (diec) is available."""
+    return shutil.which("diec") is not None
+
+
+def _parse_die_output(output: str) -> dict:
+    """
+    Parse DIE output into structured data.
+
+    DIE output format example:
+    PE32
+    Compiler: Microsoft Visual C/C++(2019 v.16.0-4)[-]
+    Linker: Microsoft Linker(14.26.28805)[EXE32,console]
+    Packer: UPX(3.96)[NRV,brute]
+    """
+    result = {
+        "file_type": None,
+        "arch": None,
+        "compiler": None,
+        "linker": None,
+        "packer": None,
+        "protector": None,
+        "installer": None,
+        "sfx": None,
+        "overlay": False,
+        "raw_output": output,
+        "detections": [],
+    }
+
+    lines = output.strip().split("\n")
+
+    for line in lines:
+        line = line.strip()
+        if not line:
+            continue
+
+        # First line is usually the file type
+        if result["file_type"] is None and ":" not in line:
+            result["file_type"] = line
+            # Extract architecture from file type
+            if "PE32+" in line or "PE64" in line or "ELF64" in line:
+                result["arch"] = "x64"
+            elif "PE32" in line or "ELF32" in line:
+                result["arch"] = "x86"
+            elif "Mach-O" in line:
+                result["arch"] = "arm64" if "arm64" in line.lower() else "x64"
+            continue
+
+        # Parse key: value lines
+        if ":" in line:
+            key, _, value = line.partition(":")
+            key = key.strip().lower()
+            value = value.strip()
+
+            if key == "compiler":
+                result["compiler"] = value
+            elif key == "linker":
+                result["linker"] = value
+            elif key == "packer":
+                result["packer"] = value
+            elif key == "protector":
+                result["protector"] = value
+            elif key == "installer":
+                result["installer"] = value
+            elif key == "sfx":
+                result["sfx"] = value
+            elif "overlay" in key:
+                result["overlay"] = True
+
+            result["detections"].append({"type": key, "value": value})
+
+    return result
+
+
+@log_execution()
+async def detect_packer(file_path: str):
+    """
+    Detect packer, compiler, and protector using Detect It Easy (DIE).
+
+    Args:
+        file_path: Path to the binary file to analyze
+
+    Returns:
+        ToolResult with detection information including:
+        - file_type: PE32, PE64, ELF, Mach-O, etc.
+        - compiler: Detected compiler and version
+        - linker: Detected linker information
+        - packer: Detected packer (UPX, ASPack, etc.)
+        - protector: Detected protector (Themida, VMProtect, etc.)
+    """
+    # Validate file path
+    validated_path = validate_file_path(file_path)
+
+    # Check if DIE is available
+    if not _is_die_available():
+        return failure(
+            error_code="DIE_NOT_INSTALLED",
+            message="Detect It Easy (diec) is not installed. "
+            "Install with: apt install detect-it-easy (Linux) or brew install detect-it-easy (macOS)",
+        )
+
+    # Run DIE
+    try:
+        output, _ = await execute_subprocess_async(
+            ["diec", str(validated_path)],
+            timeout_seconds=30,
+        )
+    except Exception as e:
+        return failure(error_code="DIE_EXECUTION_ERROR", message=f"DIE execution failed: {e}")
+
+    # Parse output
+    result = _parse_die_output(output)
+
+    # Determine if packed
+    is_packed = result["packer"] is not None or result["protector"] is not None
+
+    return success(
+        data=result,
+        message=f"Detected: {result['file_type'] or 'Unknown'}"
+        + (f" | Packer: {result['packer']}" if result["packer"] else "")
+        + (f" | Compiler: {result['compiler']}" if result["compiler"] else ""),
+        is_packed=is_packed,
+        detection_count=len(result["detections"]),
+    )
+
+
+@log_execution()
+async def detect_packer_deep(file_path: str):
+    """
+    Deep scan with DIE for more thorough detection.
+
+    Uses additional DIE options for deeper analysis.
+
+    Args:
+        file_path: Path to the binary file to analyze
+
+    Returns:
+        ToolResult with detailed detection information
+    """
+    validated_path = validate_file_path(file_path)
+
+    if not _is_die_available():
+        return failure(
+            error_code="DIE_NOT_INSTALLED",
+            message="Detect It Easy (diec) is not installed.",
+        )
+
+    try:
+        # Use deep scan option
+        output, _ = await execute_subprocess_async(
+            ["diec", "-d", str(validated_path)],
+            timeout_seconds=60,
+        )
+    except Exception as e:
+        return failure(error_code="DIE_DEEP_SCAN_FAILED", message=f"DIE deep scan failed: {e}")
+
+    result = _parse_die_output(output)
+
+    return success(
+        data=result,
+        message=f"Deep scan complete: {len(result['detections'])} detections",
+        scan_type="deep",
+    )