An MCP server that exposes PE triage, Ghidra-backed decompilation, DLL/COM profiling, runtime evidence, and LLM-assisted analysis as reusable tools for any tool-calling LLM.
Every tool is designed to be composable, observable, and reusable by any MCP-compatible AI agent.
EXE, DLL, COM libraries, Rust binaries, .NET assemblies, APK/DEX: all with dedicated profiling paths and automatic format detection.
Function naming, explanation, and module reconstruction review are exposed as structured MCP flows, not ad-hoc prompt chains.
Keep static analysis in Linux Docker, and delegate real sample execution to a Windows Runtime Node or Host Agent only when you explicitly opt in.
The dynamic runtime roadmap tracks session persistence, Hyper-V debugging, runtime toolkit inventory, deep dynamic planning, persona planning, Frida execution, behavior capture, memory dump workflows, and dashboard runtime views.
Seven analysis stages with preview-first contracts, nonblocking execution, and persisted run state. No more MCP timeouts on large samples.
C2 extraction, family classification, config recovery, YARA/Sigma rule generation, and IOC export, all from static and dynamic evidence.
When Ghidra extraction fails, the server falls back to .pdata parsing, boundary recovery, and symbol recovery, and materializes the recovered definitions into the function index.
Ghidra, Rizin, YARA-X, UPX, Wine, Frida, Qiling, angr, PANDA, RetDec, capa, DIE, FLOSS: everything bundled for instant deployment.
Layered design from MCP transport to native tooling, with observable intermediaries at every level.
Nonblocking execution with seven stages. Preview-first, queue-friendly, no timeouts.
Choose the deployment shape that matches your risk model: static-only Linux Docker, Windows-native auto-sandbox, or split analyzer/runtime.
Best-practice runtime split: install the static Docker profile for safe offline analysis, use hybrid only when a Windows Host Agent, Windows Sandbox, or Hyper-V VM runtime is ready, and reserve auto-sandbox for Windows-native analyzers. Runtime execution starts only through the explicit runtime.debug.session.* tools, and runtime-side tool readiness is checked with dynamic.toolkit.status; connecting an MCP client alone never executes a sample. sandbox.execute reports an execution_semantics value that distinguishes live Sandbox, live Hyper-V, safe simulation, and emulation.
{
  "mcpServers": {
    "rikune": {
      "command": "npx",
      "args": ["-y", "rikune"],
      "env": {
        "GHIDRA_INSTALL_DIR": "C:\\ghidra",
        "RIKUNE_WORKSPACE": "D:\\rikune-workspace"
      }
    }
  }
}
{
  "servers": {
    "rikune": {
      "command": "npx",
      "args": ["-y", "rikune"],
      "env": {
        "GHIDRA_INSTALL_DIR": "C:\\ghidra",
        "RIKUNE_WORKSPACE": "D:\\rikune-workspace"
      }
    }
  }
}
# Docker static/hybrid profile
[mcp_servers.rikune]
command = "docker"
startup_timeout_sec = 180
args = [
  "exec",
  "-i",
  "-e", "API_ENABLED=false",
  "-e", "NODE_ENV=production",
  "-e", "PYTHONUNBUFFERED=1",
  "rikune-analyzer",
  "node",
  "dist/index.js"
]

[mcp_servers.rikune.env]
NODE_ENV = "production"
PYTHONUNBUFFERED = "1"
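As an added example (not part of the rikune project), a small Python audit that reads either client-config layout shown above, reports which launch shape an entry selects, and checks that the settings the documented snippets use are present; the shape labels and finding texts are this script's own assumptions, and the sample config is constructed from the page's npx entry:

```python
"""Audit an MCP client config for the rikune launch shape it selects.
Added example, not part of the rikune project: it recognises only the two JSON client
layouts on this page ("mcpServers" / "servers") and the env keys and docker exec flags
those snippets use; the shape labels are this script's own."""
import json

NPX_ENV_KEYS = ("GHIDRA_INSTALL_DIR", "RIKUNE_WORKSPACE")

def exec_env(args: list) -> dict:
    """Collect KEY=VALUE pairs passed to docker exec as "-e", "KEY=VALUE"."""
    pairs = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-e" and "=" in value:
            key, val = value.split("=", 1)
            pairs[key] = val
    return pairs

def classify_server(spec: dict) -> dict:
    """Return the launch shape of one server entry plus hygiene findings."""
    cmd, args, env = spec.get("command", ""), spec.get("args", []), spec.get("env", {})
    findings = []
    if cmd == "docker" and "exec" in args:
        shape = "docker-analyzer-container"  # static or hybrid profile: analysis stays in Linux
        if exec_env(args).get("API_ENABLED", "").lower() != "false":
            findings.append("API_ENABLED is not pinned to false as in the documented Docker launch")
        if "-i" not in args:
            findings.append("missing -i: the stdio MCP transport needs docker exec to keep stdin open")
    elif cmd == "npx" and "rikune" in args:
        shape = "local-npx-analyzer"  # the server process runs directly on this host
        findings += [f"{k} unset (the documented npx launch sets it)" for k in NPX_ENV_KEYS if k not in env]
    else:
        shape = "unknown"
        findings.append(f"unrecognised launcher: {cmd} {' '.join(map(str, args))}".strip())
    return {"shape": shape, "findings": findings}

def audit_config(text: str) -> dict:
    """Parse either client layout and audit every server entry whose name mentions rikune."""
    doc = json.loads(text)
    servers = doc.get("mcpServers") or doc.get("servers") or {}
    return {name: classify_server(spec) for name, spec in servers.items() if "rikune" in name}

# Constructed sample: the page's npx entry plus a second entry with env left out.
SAMPLE = json.dumps({"mcpServers": {
    "rikune": {"command": "npx", "args": ["-y", "rikune"],
               "env": {"GHIDRA_INSTALL_DIR": "C:\\ghidra", "RIKUNE_WORKSPACE": "D:\\rikune-workspace"}},
    "rikune-bare": {"command": "npx", "args": ["-y", "rikune"]}}})

if __name__ == "__main__":
    for name, result in audit_config(SAMPLE).items():
        print(name, result["shape"], result["findings"] or "ok")
```

Run it against the config file your client actually loads before connecting an agent, so the launch shape matches the risk model you chose above.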
# Static-only Linux analyzer (safe default)
.\rikune.ps1

# Automation-friendly explicit static profile
.\rikune.ps1 install -Profile static -DataRoot "D:\Docker\rikune"

# Single Windows host hybrid
.\rikune.ps1 install -Profile hybrid -InstallRuntime

# Hybrid with Hyper-V VM runtime backend
.\rikune.ps1 install -Profile hybrid -InstallRuntime `
    -RuntimeBackend hyperv-vm `
    -HyperVVmName "rikune-runtime" `
    -HyperVSnapshotName "clean-runtime" `
    -HyperVRuntimeEndpoint "http://192.168.1.50:18081" `
    -HyperVRestoreOnRelease

# Linux analyzer + remote Windows Host Agent
./rikune.sh install --profile hybrid --windows-host <windows-host> --windows-user <windows-user>

# Full Linux toolchain image
.\rikune.ps1 install -Profile full
# Install globally
npm install -g rikune

# Or run directly with npx
npx -y rikune
Start analyzing Windows binaries with the power of AI agents and professional reverse engineering tools.