v1.0.0-beta.3 · Model Context Protocol

Reverse Engineering Meets AI Agents

An MCP server that exposes PE triage, Ghidra-backed decompilation, DLL/COM profiling, runtime evidence, and LLM-assisted analysis as reusable tools for any tool-calling LLM.

PowerShell
# Ingest a PE sample and run staged analysis
sample.ingest --path "C:\samples\target.exe"
✓ sha256:a1b2c3… ingested (PE32+, 1.2 MB)
workflow.analyze.start --sample_id sha256:a1b2c3… --goal reverse
✓ run_id: run_0042 fast_profile completed
⧗ enrich_static → function_map → reconstruct queued
workflow.summarize --sample_id sha256:a1b2c3…
✓ 148 functions recovered · 12 crypto APIs flagged
3 C2 indicators extracted · confidence 0.87

Built for Depth

Every tool is designed to be composable, observable, and reusable by any MCP-compatible AI agent.

🔬

Universal PE Coverage

EXE, DLL, COM libraries, Rust binaries, .NET assemblies, APK/DEX — all with dedicated profiling paths and automatic format detection.

🧠

LLM-Assisted Review

Function naming, explanation, and module reconstruction review exposed as structured MCP flows — not ad-hoc prompt chains.

🔄

Staged Pipeline

Seven analysis stages with preview-first contracts, nonblocking execution, and persisted run state. No more MCP timeouts on large samples.

🛡️

Malware Intelligence

C2 extraction, family classification, config recovery, YARA/Sigma rule generation, and IOC export — all from static and dynamic evidence.

Recover-First Design

When Ghidra extraction fails, the server falls back to .pdata parsing, boundary recovery, symbol recovery, and imported function definitions.

🐳

Full Docker Image

Ghidra, Rizin, YARA-X, UPX, Wine, Frida, Qiling, angr, PANDA, RetDec, capa, DIE, FLOSS — everything bundled for instant deployment.
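
The .pdata fallback named under Recover-First Design can be illustrated with a short parser; this is an added example, not Rikune's own code. It assumes the x64 PE32+ RUNTIME_FUNCTION layout (three little-endian 32-bit RVAs per entry); the function name, its parameters, and the sample bytes are hypothetical and constructed for illustration.

```python
import struct

# x64 RUNTIME_FUNCTION: BeginAddress, EndAddress, UnwindInfoAddress (all RVAs)
ENTRY = struct.Struct("<III")

def recover_function_ranges(pdata, text_start, text_end, image_size):
    """Return (accepted, rejected) lists of (begin, end, unwind) RVA tuples.
    The sample is untrusted, so each entry is bounds-checked before use."""
    entries, rejected = set(), []
    usable = len(pdata) - len(pdata) % ENTRY.size  # ignore a truncated tail
    for off in range(0, usable, ENTRY.size):
        entry = ENTRY.unpack_from(pdata, off)
        begin, end, unwind = entry
        if entry == (0, 0, 0):
            continue  # zero padding at the end of the section
        in_text = text_start <= begin < end <= text_end
        if in_text and 0 < unwind < image_size:
            entries.add(entry)  # the set drops exact duplicates
        else:
            rejected.append(entry)
    accepted, prev_end = [], 0
    for entry in sorted(entries):
        if entry[0] < prev_end:  # overlaps the previously accepted range
            rejected.append(entry)
            continue
        accepted.append(entry)
        prev_end = entry[1]
    return accepted, rejected

# Constructed sample bytes, not taken from a real binary.
SAMPLE_PDATA = b"".join(ENTRY.pack(*e) for e in [
    (0x1000, 0x1040, 0x5000),
    (0x1040, 0x10A0, 0x500C),
    (0x1040, 0x10A0, 0x500C),      # exact duplicate
    (0x1080, 0x10C0, 0x5018),      # overlaps the previous range
    (0x2000, 0x1F00, 0x5024),      # end before begin
    (0x9000, 0x9010, 0x5030),      # outside the code section
    (0x10C0, 0x1100, 0x7FFFFFFF),  # unwind RVA outside the image
    (0, 0, 0),                     # padding
]) + b"\x01\x02"                   # truncated trailing bytes

if __name__ == "__main__":
    ok, bad = recover_function_ranges(SAMPLE_PDATA, 0x1000, 0x2000, 0x6000)
    for b, e, u in ok:
        print(f"func_{b:08x} size={e - b:#x} unwind={u:#x}")
    print(f"{len(bad)} entries rejected")
```

Leaf functions have no RUNTIME_FUNCTION entry and one function can own several entries, so the accepted ranges are candidate boundaries to combine with symbol and import data rather than a complete function list.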

Architecture

Layered design from MCP transport to native tooling, with observable intermediaries at every level.

MCP Client Layer
Claude Desktop · VS Code Copilot · Codex CLI · Any MCP Client

Rikune MCP Server
Tool Registry · Plugin System (27) · Job Queue · Cache Manager · Workspace Manager · HTTP File Server · SSE Events · Web Dashboard

Analysis Backends
Ghidra · Rizin · angr · RetDec · Qiling · PANDA · Frida · Wine · YARA-X · UPX · capa · DIE · FLOSS · Graphviz

Storage & State
SQLite Database · Artifact Store · Analysis Runs · Evidence Cache

Staged Analysis Pipeline

Nonblocking execution with seven stages. Preview-first, queue-friendly, no timeouts.

01 Fast Profile: PE headers, imports, heuristics
02 Enrich Static: capa, strings, entropy, YARA
03 Function Map: Ghidra decompile + recovery
04 Reconstruct: Source-like code export
05 Dynamic Plan: Hook scripts, breakpoints
06 Dynamic Exec: Traces, memory, sandbox
07 Summarize: Report, IOC, YARA/Sigma

Powered By

🦎 Ghidra
🔧 Rizin
🐍 angr
🔄 RetDec
🐉 Qiling
🐼 PANDA
🪝 Frida
🍷 Wine
🛡️ YARA-X
📦 UPX
🔍 capa
🧬 FLOSS
🐳 Docker
📐 Graphviz

Get Started

Choose your MCP client and start analyzing binaries in minutes.

claude_desktop_config.json
{
  "mcpServers": {
    "rikune": {
      "command": "npx",
      "args": ["-y", "rikune"],
      "env": {
        "GHIDRA_INSTALL_DIR": "C:\\ghidra",
        "RIKUNE_WORKSPACE": "D:\\rikune-workspace"
      }
    }
  }
}
.vscode/mcp.json
{
  "servers": {
    "rikune": {
      "command": "npx",
      "args": ["-y", "rikune"],
      "env": {
        "GHIDRA_INSTALL_DIR": "C:\\ghidra",
        "RIKUNE_WORKSPACE": "D:\\rikune-workspace"
      }
    }
  }
}
PowerShell
# Pull and run the full analysis image
docker compose up -d

# Or use the install script
.\install-docker.ps1
Terminal
# Install globally
npm install -g rikune

# Or run directly with npx
npx -y rikune

Ready to Reverse?

Start analyzing Windows binaries with the power of AI agents and professional reverse engineering tools.