Run Rikune directly on your machine — install only the tools you need, add more later.
Rikune can run without Docker — directly on Windows, Linux, or macOS.
The core engine (Node.js + Python workers) requires only Node.js and Python. All
external analysis tools (Ghidra, Rizin, capa, Frida, etc.) are optional —
Rikune auto-detects what is available at startup via the plugin
systemDeps mechanism and only enables the tools it finds.
| Requirement | Version | Notes |
|---|---|---|
| Node.js | 22+ | nodejs.org |
| Python | 3.11+ | python.org — venv module required |
| npm | Bundled with Node.js | |
| Git | Any | To clone the repository |
The easiest way to get started locally — the install script handles everything:
```powershell
git clone https://github.com/Last-emo-boy/rikune.git
cd rikune
.\install-local.ps1

# Windows-native analyzer with local Windows Sandbox execution
.\install-local.ps1 -RuntimeMode auto-sandbox
```

```bash
git clone https://github.com/Last-emo-boy/rikune.git
cd rikune
chmod +x install-local.sh
./install-local.sh

# Split analyzer/runtime configuration
./install-local.sh -r remote-sandbox
```
The script will:
- Run npm install + npm run build
- Generate the .env file
If you prefer to set up step by step:
```bash
git clone https://github.com/Last-emo-boy/rikune.git
cd rikune
npm install
npm run build
```

```bash
# Create venv
cd workers
python3 -m venv venv
source venv/bin/activate        # Linux/macOS
# .\venv\Scripts\Activate.ps1   # Windows

# Install base requirements
pip install -r ../requirements.txt
pip install -r requirements.txt

# Optional: dynamic analysis (frida, speakeasy, pandare)
pip install -r requirements-dynamic.txt

# Optional: Qiling (isolated venv due to unicorn conflicts)
cd ..
python3 -m venv qiling-venv
./qiling-venv/bin/pip install -r workers/requirements-qiling.txt

# Optional: angr (isolated venv, large ~1.5 GB)
python3 -m venv angr-venv
./angr-venv/bin/pip install angr
```

```bash
mkdir -p ~/.rikune/{workspaces,data,cache,ghidra-projects,ghidra-logs,logs,storage,samples}
```

```bash
WORKSPACE_ROOT=~/.rikune/workspaces \
DB_PATH=~/.rikune/data/database.db \
CACHE_ROOT=~/.rikune/cache \
SANDBOX_PYTHON_PATH=./workers/venv/bin/python \
node dist/index.js
```
Install any of these to unlock additional MCP tools. Rikune auto-detects them at startup — just install the tool, set the environment variable if needed, and restart.
| Tool | Unlocks | Env Var | Install |
|---|---|---|---|
| Ghidra | Decompilation, CFG, cross-references, function analysis | GHIDRA_INSTALL_DIR | Download ZIP + Java 21+ |
| Rizin | Disassembly, binary diffing, preview | RIZIN_PATH | brew install rizin / rizin.re |
| capa + rules | Malware capability detection | CAPA_PATH, CAPA_RULES_PATH | GitHub Releases |
| Frida | Dynamic instrumentation, hooking, tracing | FRIDA_PATH | pip install frida-tools |
| angr | Symbolic execution, constraint solving | ANGR_PYTHON | Isolated venv: pip install angr |
| Qiling | Binary emulation | QILING_PYTHON | Isolated venv: pip install qiling |
| UPX | Executable unpacking | UPX_PATH | apt install upx / upx.github.io |
| RetDec | Retargetable decompiler | RETDEC_PATH | GitHub Releases |
| JADX | Android APK/DEX decompilation | JADX_PATH | GitHub Releases |
| Graphviz | CFG / call-graph visualization | GRAPHVIZ_DOT_PATH | apt install graphviz / brew install graphviz |
| Wine | Windows PE execution on Linux | WINE_PATH | apt install wine |
| GDB | Debug sessions (Linux) | — | apt install gdb |
| Volatility3 | Memory forensics | VOLATILITY3_PATH | pip install volatility3 |
💡 Tip: You don't need to install all tools. Start with the basics and add tools as your workflow demands. Rikune gracefully disables tools whose dependencies are missing.

Runtime note: For local static-only work, keep RUNTIME_MODE=disabled. If you run the analyzer natively on Windows, you can opt into auto-sandbox to launch Windows Sandbox for real sample execution. Linux or WSL analyzers must use manual or remote-sandbox to reach a separate Windows Runtime Node / Host Agent.
The install script generates a .env file in the project root. You can
also create one manually:
```ini
# Core (required)
WORKSPACE_ROOT=~/.rikune/workspaces
DB_PATH=~/.rikune/data/database.db
CACHE_ROOT=~/.rikune/cache
SANDBOX_PYTHON_PATH=./workers/venv/bin/python
LOG_LEVEL=info

# API File Server
API_ENABLED=true
API_PORT=18080
API_STORAGE_ROOT=~/.rikune/storage

# Runtime mode (pick one shape)
RUNTIME_MODE=disabled
# Windows-native single-host execution:
# RUNTIME_MODE=auto-sandbox
# Split analyzer/runtime deployment:
# RUNTIME_MODE=manual
# RUNTIME_ENDPOINT=http://windows-vm-ip:18081
# RUNTIME_MODE=remote-sandbox
# RUNTIME_HOST_AGENT_ENDPOINT=http://windows-host-ip:18082
# RUNTIME_HOST_AGENT_API_KEY=change-me
# Optional if the Windows Runtime Node also requires its own key:
# RUNTIME_API_KEY=change-me
# On the Windows Host Agent side, Docker/WSL deployments should bind the agent to 0.0.0.0:
# HOST_AGENT_BIND_HOST=0.0.0.0

# Ghidra (set if installed)
GHIDRA_INSTALL_DIR=/opt/ghidra
GHIDRA_PROJECT_ROOT=~/.rikune/ghidra-projects
GHIDRA_LOG_ROOT=~/.rikune/ghidra-logs

# Tool paths (set for tools you have installed)
RIZIN_PATH=/usr/bin/rizin
CAPA_PATH=/usr/local/bin/capa
CAPA_RULES_PATH=/opt/capa-rules
UPX_PATH=/usr/local/bin/upx
ANGR_PYTHON=./angr-venv/bin/python
QILING_PYTHON=./qiling-venv/bin/python
```
Key contract: RUNTIME_HOST_AGENT_API_KEY is only for Analyzer → Host Agent control calls. RUNTIME_API_KEY is only for Analyzer → Runtime Node requests (manual runtimes or sandbox runtimes that enforce their own auth).
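A lint for the runtime settings above, as an added example that is not part of Rikune: it checks a .env against the mode rules in the runtime note and against the key contract. The variable names come from the page; the rules, the finding texts and the sample input are this example's own.

```javascript
// Added example, not Rikune code. Variable names are from the page's .env;
// the rules and finding texts are this example's own.
const REQUIRED = new Map([
  ['disabled', []],
  ['auto-sandbox', []],
  ['manual', ['RUNTIME_ENDPOINT']],
  ['remote-sandbox', ['RUNTIME_HOST_AGENT_ENDPOINT', 'RUNTIME_HOST_AGENT_API_KEY']],
]);
const KEY_VARS = ['RUNTIME_HOST_AGENT_API_KEY', 'RUNTIME_API_KEY'];

function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue; // blank or commented-out setting
    const eq = line.indexOf('=');
    if (eq < 1) continue;                        // not a KEY=VALUE line
    env[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return env;
}

function lintRuntimeEnv(text, platform = process.platform) {
  const env = parseEnv(text);
  const mode = env.RUNTIME_MODE;
  if (!REQUIRED.has(mode)) return [`RUNTIME_MODE is unset or unknown: ${mode}`];
  const findings = [];
  // Windows Sandbox is only reachable from a native Windows analyzer.
  if (mode === 'auto-sandbox' && platform !== 'win32') {
    findings.push(`auto-sandbox needs a native Windows analyzer, platform is ${platform}`);
  }
  for (const name of REQUIRED.get(mode)) {
    if (!env[name]) findings.push(`${mode} requires ${name}`);
  }
  for (const name of KEY_VARS) {
    if (env[name] === 'change-me') findings.push(`${name} still holds the placeholder value`);
  }
  // Each key authenticates a different hop; one shared secret exposes both hops at once.
  if (env.RUNTIME_API_KEY && env.RUNTIME_API_KEY === env.RUNTIME_HOST_AGENT_API_KEY) {
    findings.push('RUNTIME_API_KEY and RUNTIME_HOST_AGENT_API_KEY are identical');
  }
  return findings;
}

// Constructed sample input, modelled on the page's remote-sandbox shape.
const SAMPLE_ENV = `
RUNTIME_MODE=remote-sandbox
RUNTIME_HOST_AGENT_ENDPOINT=http://windows-host-ip:18082
RUNTIME_HOST_AGENT_API_KEY=change-me
# RUNTIME_API_KEY=change-me
`;
console.log(lintRuntimeEnv(SAMPLE_ENV, 'linux'));
```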
For local mode, the MCP client runs node dist/index.js directly (no
Docker):
```json
{
  "mcpServers": {
    "rikune": {
      "command": "node",
      "args": ["C:/path/to/rikune/dist/index.js"],
      "env": {
        "WORKSPACE_ROOT": "C:/Users/you/.rikune/workspaces",
        "DB_PATH": "C:/Users/you/.rikune/data/database.db",
        "CACHE_ROOT": "C:/Users/you/.rikune/cache",
        "SANDBOX_PYTHON_PATH": "C:/path/to/rikune/workers/venv/Scripts/python.exe"
      }
    }
  }
}
```

```json
{
  "servers": {
    "rikune": {
      "command": "node",
      "args": ["C:/path/to/rikune/dist/index.js"],
      "env": {
        "WORKSPACE_ROOT": "C:/Users/you/.rikune/workspaces",
        "DB_PATH": "C:/Users/you/.rikune/data/database.db",
        "SANDBOX_PYTHON_PATH": "C:/path/to/rikune/workers/venv/Scripts/python.exe"
      }
    }
  }
}
```

```toml
[mcp_servers.rikune]
command = "node"
args = ["C:/path/to/rikune/dist/index.js"]

[mcp_servers.rikune.env]
NODE_ENV = "production"
PYTHONUNBUFFERED = "1"
WORKSPACE_ROOT = "C:/Users/you/.rikune/workspaces"
DB_PATH = "C:/Users/you/.rikune/data/database.db"
CACHE_ROOT = "C:/Users/you/.rikune/cache"
GHIDRA_INSTALL_DIR = "C:/path/to/ghidra"
```
When Rikune is deployed with the static or hybrid profile, connect MCP
clients through the running rikune-analyzer container instead of running
node dist/index.js on the host.
```toml
[mcp_servers.rikune]
command = "docker"
startup_timeout_sec = 180
args = [
  "exec", "-i",
  "-e", "API_ENABLED=false",
  "-e", "NODE_ENV=production",
  "-e", "PYTHONUNBUFFERED=1",
  "rikune-analyzer",
  "node", "dist/index.js"
]

[mcp_servers.rikune.env]
NODE_ENV = "production"
PYTHONUNBUFFERED = "1"
```
💡 Tip: The install-local.ps1 script can auto-generate native configs, and install-docker.ps1 -ConfigureClient can generate Docker JSON configs. Codex users who keep MCP servers in config.toml can copy the TOML form above.
```bash
# Using npm script
npm start

# Or directly
node dist/index.js
```

```bash
# Auto-reload on source changes
npm run dev

# Run tests
npm test
```
At startup, Rikune logs a dependency health report showing which tools are available:
```
Plugin ghidra: Ghidra ✓ java ✓
Plugin frida: frida ✓
Plugin malware: capa ✓ capa-rules ✓
Plugin crackme: angr ✗ (optional — skipped)
Plugin dynamic: frida ✓
...
```
Every plugin can declare a systemDeps array describing the system tools
it needs. At startup, Rikune's plugin loader calls checkSystemDeps() for
each plugin, which probes each dependency:
| type | How it's checked | Example |
|---|---|---|
| binary | Runs command --version | rizin, capa, upx, frida, gdb |
| python | Runs python -c "import module" | pefile, dnfile, pandare |
| python-venv | Checks venv python binary exists | angr, qiling |
| directory | Checks path exists ($ENV_VAR resolved) | Ghidra install dir, capa-rules |
| file | Checks file exists | JADX binary, RetDec binary |
| env-var | Checks environment variable is set and non-empty | API_KEY, custom configs |
If a required dependency is missing, the plugin's tools are disabled. If
an optional dependency is missing, the plugin still loads but with
reduced functionality. This means you can install tools incrementally and restart
Rikune to pick them up.
```
Startup Flow:

  discover plugins   →   checkSystemDeps()    →   enable / disable tools
        │                      │                          │
  scan dist/plugins/     for each dep:              if all required deps OK:
  load plugin modules    binary? → exec test          → register MCP tools ✓
                         python? → import test      if required dep missing:
                         venv?   → file exists        → skip plugin tools ✗
                         dir?    → path exists      if optional dep missing:
                                                      → load with reduced features ⚠
```
| | Docker | Local |
|---|---|---|
| Setup | rikune.ps1 / rikune.sh — one command | install-local.ps1 / .sh — interactive |
| Tools | Profile-based: static, hybrid, or full | Install what you need |
| Isolation | Full container isolation | Shares host environment |
| Performance | Container overhead (~1-5%) | Native speed |
| Disk | ~8-10 GB image | Only what you install |
| Cross-platform | Identical everywhere | OS-dependent paths |
| Best for | Full-stack deployment, CI/CD | Development, lightweight usage, custom setups |