Frequently Asked Questions

Common questions about installation, configuration, and troubleshooting.

General

Which operating systems are supported?

Rikune runs on Linux, macOS, and Windows. The Docker image provides the most complete toolchain and is recommended for production use. Native mode works on all three platforms with reduced backend coverage.


Do I need Ghidra installed locally?

For native mode, yes — set GHIDRA_INSTALL_DIR to your Ghidra installation path. With Docker, Ghidra is pre-installed in the container image.


What MCP clients are supported?

Any MCP-compatible client works. We provide install scripts for Claude Desktop, VS Code Copilot, and Codex CLI. Other clients (Qwen, etc.) can connect via standard MCP configuration.


Installation

Python dependency installation fails — what should I do?

Common Python packages like pefile, lief, and yara-python may fail on some platforms. Try:


```bash
# Pin known-good versions of the native-extension packages
pip install pefile==2024.8.26
pip install lief==0.15.1

# For YARA, prefer the prebuilt yara-python binary wheels
pip install yara-python
```

If you're on Windows without a C compiler, use the Docker image instead.

Where does Rikune store its database?

By default, the SQLite database is stored at DB_PATH (defaults to ./data/database.db in native mode, /app/data/database.db in Docker). You can override this with the DB_PATH environment variable.


Analysis

Where should I put custom YARA rules?

Place your rules under the yara_rules/ directory in your workspace root. The directory structure is:


```text
yara_rules/
├── custom/          # Your custom rules
├── community/       # Community rule sets
└── index.yar        # Auto-generated index
```

Why does Ghidra analysis take so long?

Ghidra's headless analyzer performs deep binary analysis including decompilation, which is CPU-intensive. The staged pipeline runs it asynchronously to avoid MCP timeouts. Large binaries (50MB+) may take several minutes. Use workflow.stage.preview to check estimated time before running.


Can I analyze .NET assemblies?

Yes. Rikune auto-detects .NET assemblies and uses specialized profiling paths. The dotnet.metadata tool extracts CLR metadata, type definitions, and method signatures without Ghidra.


Docker

How much disk space does the Docker image need?

The full image is approximately 8-10 GB due to the bundled toolchain (Ghidra, Rizin, angr, RetDec, etc.). Ensure at least 10 GB of free disk space before building.


How do I pass samples to the Docker container?

Mount a local directory as a volume with -v ./samples:/samples:ro, or use the HTTP API at POST /api/v1/samples to upload files directly.


Performance

How can I speed up repeated analysis of the same sample?

Rikune uses cache prewarming — the L1 (memory) and L2 (filesystem) caches automatically persist results. On restart, the cache manager can prewarm with the most recently accessed entries, reducing cache misses by 60-80% and improving response time 2-5x for common operations.


How do I optimize batch analysis performance?

Use budget lanes to control concurrency. Increase MAX_PYTHON_WORKERS for parallel Python tasks. The runtime reuses warm compatible workers instead of cold-starting — static Python helpers and Rizin preview paths are pooled, while Ghidra remains scheduler-governed for isolation. Database batch inserts are 10-50x faster than individual operations.

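The batch-insert speedup mentioned above, shown as an added example rather than Rikune's own database code: one autocommitted INSERT per row versus all rows in a single transaction via executemany, against a SQLite file at the DB_PATH location the FAQ describes. The results table schema and the constructed rows are assumptions for the demonstration.

```python
"""Added example (not Rikune's code): batched SQLite inserts versus one
autocommitted statement per row. The results table and rows are constructed."""
import os
import sqlite3
import tempfile
import time

# Assumed table layout; Rikune's real schema is not described in the FAQ.
SCHEMA = "CREATE TABLE IF NOT EXISTS results (sha256 TEXT, tool TEXT, verdict TEXT)"

def db_path() -> str:
    """Resolve the database location the way the FAQ describes (native default)."""
    return os.environ.get("DB_PATH", "./data/database.db")

def insert_individually(conn, rows) -> float:
    """Slow path: autocommit makes every INSERT its own fsync'd transaction."""
    conn.isolation_level = None
    start = time.perf_counter()
    for row in rows:
        conn.execute("INSERT INTO results VALUES (?, ?, ?)", row)
    return time.perf_counter() - start

def insert_batched(conn, rows) -> float:
    """Fast path: one transaction, one commit, for the whole batch."""
    conn.isolation_level = ""            # back to deferred transactions
    start = time.perf_counter()
    with conn:                           # commits once on exit
        conn.executemany("INSERT INTO results VALUES (?, ?, ?)", rows)
    return time.perf_counter() - start

def compare(path: str, n: int = 500) -> dict:
    """Insert n constructed rows both ways and report timings and row count."""
    rows = [(f"{i:064x}", "pefile", "benign") for i in range(n)]  # constructed
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    t_single = insert_individually(conn, rows)
    t_batch = insert_batched(conn, rows)
    count = conn.execute("SELECT COUNT(*) FROM results").fetchone()[0]
    conn.close()
    return {"rows": count, "single_s": t_single, "batch_s": t_batch,
            "speedup": t_single / t_batch if t_batch else float("inf")}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(compare(os.path.join(d, "database.db")))
```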

What does "bounded" or "partial" coverage mean?

Large samples may receive intentionally limited analysis depth. Check the coverage_level and completion_state fields in results. A bounded state means the result is intentionally partial — use the returned upgrade_paths to deepen analysis safely. See the Analysis Coverage docs for full details.

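An added example (client-side helper, not Rikune's own code) that reads the coverage_level, completion_state and upgrade_paths fields from a result and picks the deepest upgrade path that fits a time budget. The shape of each upgrade_paths entry (a "tool" name plus "estimated_seconds"), the "complete" state name and the "deep_analysis_placeholder" tool name are assumptions; the FAQ does not specify them.

```python
"""Added example (not Rikune's code): act on the coverage fields the FAQ names.
Assumed: upgrade_paths entries carry "tool" and "estimated_seconds"."""
import json
from typing import Optional

# Constructed sample result for a large sample whose analysis was bounded.
# "deep_analysis_placeholder" stands in for whatever deeper tool Rikune returns.
SAMPLE_RESULT = json.dumps({
    "sample_id": "example-sha256-placeholder",
    "coverage_level": "partial",
    "completion_state": "bounded",
    "upgrade_paths": [
        {"tool": "workflow.stage.preview", "estimated_seconds": 2},
        {"tool": "deep_analysis_placeholder", "estimated_seconds": 420},
    ],
})

def is_bounded(result: dict) -> bool:
    """True when the result is intentionally partial and can be deepened."""
    return (result.get("completion_state") == "bounded"
            or result.get("coverage_level") == "partial")

def choose_upgrade(result: dict, time_budget_s: float) -> Optional[dict]:
    """Pick the deepest (most expensive) upgrade path that still fits the
    caller's time budget; None if the result is complete or nothing fits."""
    if not is_bounded(result):
        return None
    fitting = [p for p in result.get("upgrade_paths", [])
               if p.get("estimated_seconds", float("inf")) <= time_budget_s]
    if not fitting:
        return None
    return max(fitting, key=lambda p: p["estimated_seconds"])

def plan(result_json: str, time_budget_s: float) -> dict:
    """Summarise the coverage state and the recommended next tool call."""
    result = json.loads(result_json)
    upgrade = choose_upgrade(result, time_budget_s)
    return {"bounded": is_bounded(result),
            "next_tool": upgrade["tool"] if upgrade else None}

if __name__ == "__main__":
    print(plan(SAMPLE_RESULT, time_budget_s=60))   # only the preview fits
    print(plan(SAMPLE_RESULT, time_budget_s=900))  # the deeper path fits
```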