/**
* Static tool definitions for all REMnux analysis tools.
*
* Each entry normalizes how a tool is invoked so the invoker doesn't need
* to know CLI quirks. Descriptions sourced from REMnux docs.
*/
import type { ToolDefinition } from "./registry.js";
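/**
 * Catalog of REMnux analysis tools as the invoker sees them.
 *
 * Field usage as demonstrated by the entries below (the `ToolDefinition`
 * contract itself lives in ./registry.js):
 * - `command`: the executable to run (some are `*.py` scripts on PATH).
 * - `inputStyle`: `"positional"` passes the sample path as a bare argument;
 *   `"flag"` passes it after `inputFlag` (e.g. `vol3 -f <image>`).
 * - `fixedArgs`: options that accompany every invocation; `suffixArgs`: trailing
 *   arguments such as an output path or a Volatility plugin name (assumed to be
 *   placed after the sample path — confirm against the invoker).
 * - `timeout`: seconds before the run is abandoned.
 * - `tier`: `"quick"` / `"standard"` / `"deep"`, a cost hint for schedulers.
 * - `exitCodeHints`: human-readable meaning of non-zero exit codes.
 * - `requiresUserArgs`: the tool is not runnable with just a sample path.
 *
 * Operational notes for reviewers of this table:
 * - Entries with a fixed path under /tmp (autoit-ripper, qpdf, box-js, jadx)
 *   write to a shared, predictable location; concurrent runs collide.
 * - upx-decompress and monodis-mresources modify the working tree / sample
 *   rather than only reading it.
 * - box-js, spidermonkey, speakeasy, qltool and tracesc execute or emulate
 *   sample code; tracesc in particular runs under Wine, not an emulator.
 */
export const TOOL_DEFINITIONS: ToolDefinition[] = [
  // ── PE / .NET analysis ──────────────────────────────────────────────────
  {
    name: "peframe",
    description: "Statically analyze PE and Microsoft Office files.",
    command: "peframe",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet", "triage"],
    tier: "quick",
  },
  {
    name: "diec",
    description: "Determine types of files and examine file properties.",
    command: "diec",
    inputStyle: "positional",
    fixedArgs: ["--json"],
    outputFormat: "json",
    timeout: 60,
    tags: ["pe", "dotnet", "packer-detection"],
    tier: "quick",
  },
  {
    name: "capa",
    description: "Identify capabilities in executable files using CAPA rules.",
    command: "capa",
    inputStyle: "positional",
    fixedArgs: ["-j"],
    outputFormat: "json",
    timeout: 300,
    tags: ["pe", "dotnet", "elf", "capabilities"],
    tier: "standard",
    exitCodeHints: { 14: "Packed file detected — capabilities analysis may be incomplete. Consider unpacking first." },
  },
  {
    // Same binary as "capa" but human-readable output with match evidence.
    name: "capa-vv",
    description: "Identify capabilities with verbose rule match details (addresses and evidence).",
    command: "capa",
    inputStyle: "positional",
    fixedArgs: ["-vv"],
    outputFormat: "text",
    timeout: 300,
    tags: ["pe", "dotnet", "elf", "capabilities"],
    tier: "deep",
    exitCodeHints: { 14: "Packed file detected — capabilities analysis may be incomplete. Consider unpacking first." },
  },
  {
    name: "floss",
    description: "Extract and deobfuscate strings from PE executables.",
    command: "floss",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 300,
    tags: ["pe", "dotnet", "strings"],
    tier: "deep", // CPU-intensive deobfuscation, use pestr for quick extraction
  },
  {
    name: "pestr",
    description: "Extract ASCII and Unicode strings from PE files with section and offset info.",
    command: "pestr",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet", "strings"],
    tier: "quick",
  },
  {
    name: "portex",
    description: "Statically analyze PE files for anomalies, structure, and metadata.",
    command: "portex",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 90,
    tags: ["pe"],
    tier: "standard",
  },
  {
    name: "yara-forge",
    description: "Scan for malware family signatures using curated YARA rules from 45+ sources (Malpedia, ReversingLabs, etc.). Matches indicate resemblance to known families, not confirmed attribution.",
    command: "yara-forge",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["pe", "dotnet", "elf", "yara", "family-detection"],
    tier: "standard",
  },
  {
    name: "yara-rules",
    description: "Scan a file with YARA rules to identify capabilities and behaviors (packer detection, anti-debug, networking).",
    command: "yara-rules",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet", "elf", "yara"],
    tier: "deep", // yara-forge (standard) provides better family coverage; yara-rules for deep capability analysis
  },
  {
    name: "pecheck",
    description: "Analyze static properties of PE files.",
    command: "pecheck.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet"],
    tier: "standard",
  },
  {
    name: "disitool",
    description: "Examine and manipulate embedded Authenticode digital signatures in PE files.",
    command: "disitool.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe"],
    tier: "deep",
  },
  {
    name: "pescan",
    description: "Scan PE files for anomalies and notable indicators.",
    command: "pescan",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet"],
    tier: "standard",
    exitCodeHints: { 1: "pescan requires pev plugins — ensure /usr/local/lib/pev/plugins exists" },
  },
  {
    name: "signsrch",
    description: "Find patterns of common encryption, compression, or encoding algorithms.",
    command: "signsrch",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet", "crypto"],
    tier: "standard",
  },
  {
    name: "ilspycmd",
    description: "Decompile .NET assemblies to C# source code.",
    command: "ilspycmd",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["dotnet", "decompilation"],
    tier: "standard",
  },
  {
    name: "monodis-presources",
    description: "List embedded manifest resources in a .NET assembly (names and offsets).",
    command: "monodis",
    inputStyle: "positional",
    fixedArgs: ["--presources"],
    outputFormat: "text",
    timeout: 60,
    tags: ["dotnet"],
    tier: "standard",
  },
  {
    name: "monodis-mresources",
    description: "Extract all embedded managed resources from a .NET assembly to the current directory.",
    command: "monodis",
    inputStyle: "positional",
    fixedArgs: ["--mresources"],
    outputFormat: "text",
    timeout: 60,
    tags: ["dotnet"],
    tier: "deep",
    requiresUserArgs: true, // Writes to cwd with no output dir flag; use via run_tool
  },
  {
    name: "autoit-ripper",
    description: "Extract and decompile AutoIt scripts from compiled executables.",
    command: "autoit-ripper",
    inputStyle: "positional",
    // Fixed, shared output directory: concurrent runs write to the same place.
    suffixArgs: ["/tmp/autoit-out"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "autoit", "decompilation"],
    tier: "standard",
    exitCodeHints: {
      1: "Not an AutoIt compiled executable or unsupported version. " +
        "If diec detected 'AutoIt', the script may be nested inside a wrapper (IExpress, CAB). " +
        "Extract inner executables first with 7z or cabextract, then re-run autoit-ripper on extracted .exe files.",
    },
  },
  {
    name: "upx-decompress",
    description: "Decompress UPX-packed executables in-place (keeps backup as .exe~).",
    command: "upx",
    inputStyle: "positional",
    // -d decompresses in place (the sample file is rewritten); -k keeps a backup copy.
    fixedArgs: ["-d", "-k"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "unpacking"],
    tier: "standard",
  },
  {
    name: "manalyze",
    description: "Statically analyze PE files for imports, resources, and anomalies.",
    command: "manalyze",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe"],
    tier: "standard",
  },
  // ── Cobalt Strike ──────────────────────────────────────────────────────
  {
    name: "1768",
    description: "Analyze Cobalt Strike beacons and extract configuration details.",
    command: "1768.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "cobalt-strike", "data-exe"],
    tier: "standard",
  },
  {
    name: "cs-decrypt-metadata",
    description: "Decrypt and analyze Cobalt Strike beacon metadata.",
    command: "cs-decrypt-metadata.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "cobalt-strike", "data-exe"],
    tier: "deep",
  },
  {
    name: "csce",
    description: "Extract Cobalt Strike beacon configuration from raw shellcode or memory dumps.",
    command: "csce",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "cobalt-strike", "data-exe", "shellcode"],
    tier: "standard",
  },
  // ── PE extras from demos ────────────────────────────────────────────────
  {
    name: "pedump",
    description: "Statically analyze PE files and extract their components.",
    command: "pedump",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe"],
    tier: "deep",
  },
  {
    name: "dotnetfile_dump",
    description: "Analyze static properties of .NET files.",
    command: "dotnetfile_dump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["dotnet"],
    tier: "deep",
  },
  {
    name: "brxor",
    description: "Bruteforce XOR-encoded strings to find English words.",
    command: "brxor.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "decryption"],
    tier: "deep",
  },
  // ── PDF analysis ────────────────────────────────────────────────────────
  {
    name: "pdfid",
    description: "Identify notable elements of a PDF file.",
    command: "pdfid.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf", "triage"],
    tier: "quick",
  },
  {
    name: "pdfid-detailed",
    description: "Identify notable elements of a PDF file (detailed names output).",
    command: "pdfid.py",
    inputStyle: "positional",
    fixedArgs: ["-n"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "pdf-parser",
    description: "Examine elements and structure of a PDF file.",
    command: "pdf-parser.py",
    inputStyle: "positional",
    fixedArgs: ["--stats"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "pdftool",
    description: "Analyze incremental updates in PDF files to detect hidden payload swaps.",
    command: "pdftool.py",
    inputStyle: "positional",
    fixedArgs: ["iu"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "pdfresurrect",
    description: "Extract previous versions of content from PDF files.",
    command: "pdfresurrect",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "peepdf-3",
    description: "Examine elements of a PDF file for notable content.",
    command: "peepdf",
    inputStyle: "positional",
    fixedArgs: ["-f", "-l"],
    outputFormat: "text",
    timeout: 120,
    tags: ["pdf"],
    tier: "deep",
  },
  {
    name: "qpdf",
    description: "Decrypt password-protected or permission-locked PDF files.",
    command: "qpdf",
    inputStyle: "positional",
    fixedArgs: ["--decrypt"],
    // Fixed, shared output file: a second run overwrites the previous result.
    suffixArgs: ["/tmp/decrypted.pdf"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "pdftk",
    description: "Manipulate PDF files: merge, split, decrypt, repair, and extract metadata.",
    command: "pdftk",
    inputStyle: "positional",
    suffixArgs: ["dump_data"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "pdfcop",
    description: "Detect malicious PDF structures using policy-based heuristics.",
    command: "pdfcop",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf", "triage"],
    tier: "quick",
  },
  {
    name: "pdfextract",
    description: "Extract JavaScript, attachments, fonts, images, and streams from PDF.",
    command: "pdfextract",
    inputStyle: "positional",
    fixedArgs: ["--js", "--attachments", "--streams"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  {
    name: "pdfdecompress",
    description: "Decompress PDF streams to reveal obfuscated content.",
    command: "pdfdecompress",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pdf"],
    tier: "standard",
  },
  // ── OLE2 / Office analysis ──────────────────────────────────────────────
  {
    name: "oleid",
    description: "Analyze OLE2 files for risk indicators (macros, encryption, etc.).",
    command: "oleid",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["ole2", "ooxml", "triage"],
    tier: "quick",
  },
  {
    name: "olevba",
    description: "Extract and analyze VBA macros from Microsoft Office documents.",
    command: "olevba",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["ole2", "ooxml", "macros"],
    tier: "standard",
    exitCodeHints: {
      5: "No VBA macros found in document.",
      9: "File format not recognized or corrupted.",
    },
  },
  {
    name: "oledump",
    description: "Analyze OLE2 Structured Storage files.",
    command: "oledump.py",
    inputStyle: "positional",
    fixedArgs: ["-i"],
    outputFormat: "text",
    timeout: 60,
    tags: ["ole2"],
    tier: "standard",
  },
  {
    name: "msoffcrypto-crack",
    description: "Attempt to recover the password of encrypted Microsoft Office documents.",
    command: "msoffcrypto-crack.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["ole2", "ooxml"],
    tier: "standard",
    exitCodeHints: {
      1: "File is not encrypted or uses unsupported encryption.",
    },
  },
  {
    name: "pcodedmp",
    description: "Disassemble VBA p-code from Office documents.",
    command: "pcodedmp",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["ole2", "ooxml", "macros"],
    tier: "standard",
    exitCodeHints: {
      1: "File does not contain VBA p-code. May be a non-macro document or already decompiled.",
    },
  },
  {
    name: "xlmdeobfuscator",
    description: "Deobfuscate Excel 4.0 (XLM) macros.",
    command: "xlmdeobfuscator",
    inputStyle: "flag",
    inputFlag: "-f",
    outputFormat: "text",
    timeout: 120,
    tags: ["ole2", "ooxml", "macros"],
    tier: "standard",
  },
  // ── OOXML ───────────────────────────────────────────────────────────────
  {
    name: "zipdump",
    description: "Analyze zip-compressed files including OOXML and JAR.",
    command: "zipdump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["ooxml", "jar"],
    tier: "standard",
  },
  {
    name: "xmldump",
    description: "Format and analyze XML. For OOXML: zipdump.py -s <n> -d file | xmldump.py pretty",
    command: "xmldump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["ooxml"],
    tier: "standard",
  },
  // ── RTF ─────────────────────────────────────────────────────────────────
  {
    name: "rtfdump",
    description: "Analyze RTF files for embedded content.",
    command: "rtfdump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["rtf"],
    tier: "quick",
  },
  {
    name: "rtfobj",
    description: "Extract embedded objects from RTF files.",
    command: "rtfobj",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["rtf"],
    tier: "standard",
  },
  // ── ELF analysis ────────────────────────────────────────────────────────
  {
    name: "readelf-header",
    description: "Display ELF file header information.",
    command: "readelf",
    inputStyle: "positional",
    fixedArgs: ["-h"],
    outputFormat: "text",
    timeout: 60,
    tags: ["elf", "triage"],
    tier: "quick",
  },
  {
    name: "readelf-sections",
    description: "Display ELF section headers.",
    command: "readelf",
    inputStyle: "positional",
    fixedArgs: ["-S"],
    outputFormat: "text",
    timeout: 60,
    tags: ["elf"],
    tier: "standard",
  },
  // ── JavaScript analysis ────────────────────────────────────────────────
  {
    name: "js-beautify",
    description: "Beautify and deobfuscate JavaScript, CSS, and HTML files.",
    command: "js-beautify",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["javascript"],
    tier: "quick",
  },
  {
    // Dynamic: runs the script. Output goes to a fixed, shared directory.
    name: "box-js",
    description: "Analyze and deobfuscate JavaScript in a sandbox.",
    command: "box-js",
    inputStyle: "positional",
    fixedArgs: ["--output-dir", "/tmp/box-js-out"],
    outputFormat: "text",
    timeout: 120,
    tags: ["javascript"],
    tier: "standard",
    exitCodeHints: { 1: "Script execution failed — may require specific JS runtime features or have syntax box-js cannot handle." },
  },
  {
    name: "jstillery",
    description: "Deobfuscate JavaScript using AST-based partial evaluation.",
    command: "jstillery",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["javascript"],
    tier: "deep",
  },
  {
    // Dynamic: the script is executed by the SpiderMonkey shell; objects.js
    // is loaded first to stub browser/PDF objects.
    name: "spidermonkey",
    description: "Execute JavaScript with SpiderMonkey engine using browser/PDF object emulation.",
    command: "js",
    inputStyle: "positional",
    fixedArgs: ["-f", "/usr/share/remnux/objects.js"],
    outputFormat: "text",
    timeout: 120,
    tags: ["javascript"],
    tier: "deep",
  },
  // ── Script / text analysis ──────────────────────────────────────────────
  {
    name: "strings",
    description: "Extract printable ASCII strings from binary files. For Unicode (UTF-16), use 'strings -e l <file>' (little-endian) or 'strings -e b <file>' (big-endian). For PE files, prefer pestr which extracts both automatically.",
    command: "strings",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["javascript", "script", "fallback", "strings", "data-exe"],
    tier: "quick",
  },
  {
    name: "decode-vbe",
    description: "Decode VBE-encoded VBScript files to readable source.",
    command: "decode-vbe.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["script"],
    tier: "quick",
    exitCodeHints: {
      1: "File is not VBE-encoded (requires #@~^ marker). Try other decoders for this script type.",
    },
  },
  {
    name: "base64dump",
    description: "Locate and decode Base64 and other encoded strings.",
    command: "base64dump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["javascript", "script", "fallback", "data-exe"],
    tier: "standard",
  },
  // ── Python bytecode analysis ──────────────────────────────────────────
  {
    name: "pycdc",
    description: "Decompile Python bytecode (.pyc) to readable source code.",
    command: "pycdc",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["python"],
    tier: "standard",
  },
  // ── JAR ─────────────────────────────────────────────────────────────────
  // zipdump already covers JAR (tagged "jar")
  {
    name: "cfr",
    description: "Decompile Java class files and JARs to readable Java source code.",
    command: "cfr",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["jar"],
    tier: "standard",
  },
  // ── Email ───────────────────────────────────────────────────────────────
  {
    name: "emldump",
    description: "Analyze and extract content from email (EML) files.",
    command: "emldump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["email"],
    tier: "standard",
  },
  {
    name: "msgconvert",
    description: "Convert Outlook MSG files to standard EML format.",
    command: "msgconvert",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["email"],
    tier: "quick",
  },
  // ── OneNote ─────────────────────────────────────────────────────────────
  {
    name: "onedump",
    description: "Analyze OneNote documents and extract embedded files.",
    command: "onedump.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["onenote"],
    tier: "standard",
  },
  // ── APK ─────────────────────────────────────────────────────────────────
  {
    name: "apktool",
    description: "Reverse-engineer Android APK files.",
    command: "apktool",
    inputStyle: "positional",
    fixedArgs: ["d"],
    outputFormat: "text",
    timeout: 120,
    tags: ["apk"],
    tier: "standard",
  },
  {
    name: "droidlysis",
    description: "Perform static analysis of Android applications.",
    command: "droidlysis",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 120,
    tags: ["apk"],
    tier: "standard",
  },
  {
    name: "jadx",
    description: "Decompile Android APK/DEX files to Java source code.",
    command: "jadx",
    inputStyle: "positional",
    // Fixed, shared output directory (-d); concurrent runs collide.
    fixedArgs: ["-d", "/tmp/jadx-out", "--no-debug-info"],
    outputFormat: "text",
    timeout: 120,
    tags: ["apk"],
    tier: "standard",
  },
  // ── Memory forensics (Volatility 3) ─────────────────────────────────────
  // All vol3 entries take the image via `-f` and name the plugin as a suffix.
  {
    name: "vol3-info",
    description: "Display OS and kernel details from a memory image.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.info"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory", "triage"],
    tier: "quick",
  },
  {
    name: "vol3-pslist",
    description: "List running processes from a memory image.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.pslist"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory", "triage"],
    tier: "quick",
  },
  {
    name: "vol3-pstree",
    description: "Display process tree from a memory image.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.pstree"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-netscan",
    description: "Scan for network connections and sockets in a memory image.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.netscan"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-psscan",
    description: "Find hidden or unlinked processes via pool tag scanning.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.psscan"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-cmdline",
    description: "Extract command-line arguments for each process.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.cmdline"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-dlllist",
    description: "List loaded DLLs for each process.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.dlllist"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-filescan",
    description: "Scan for file objects in memory.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.filescan"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-hivelist",
    description: "List registry hives found in memory.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.registry.hivelist"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-linux-pslist",
    description: "List running processes from a Linux memory image.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["linux.pslist"],
    outputFormat: "text",
    timeout: 120,
    tags: ["memory"],
    tier: "standard",
  },
  {
    name: "vol3-malfind",
    description: "Detect injected code and notable memory regions.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.malware.malfind"],
    outputFormat: "text",
    timeout: 300,
    tags: ["memory"],
    tier: "deep",
  },
  {
    name: "vol3-handles",
    description: "List open handles for each process.",
    command: "vol3",
    inputStyle: "flag",
    inputFlag: "-f",
    suffixArgs: ["windows.handles"],
    outputFormat: "text",
    timeout: 300,
    tags: ["memory"],
    tier: "deep",
  },
  // ── Didier Stevens utilities ──────────────────────────────────────────────
  {
    name: "translate",
    description: "Apply byte-level transforms to files (XOR, reverse, shift, custom expressions).",
    command: "translate.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["script", "fallback", "decryption"],
    tier: "standard",
    requiresUserArgs: true, // Needs expression like 'byte ^ 0x10'
  },
  {
    name: "numbers-to-string",
    description: "Convert numeric representations to strings for deobfuscating encoded payloads.",
    command: "numbers-to-string.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["script", "fallback"],
    tier: "standard",
    requiresUserArgs: true, // Needs expression argument or stdin
  },
  {
    name: "re-search",
    description: "Search files using regular expressions to extract patterns and data.",
    command: "re-search.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["script", "fallback"],
    tier: "standard",
    requiresUserArgs: true, // Needs regex pattern argument
  },
  {
    name: "file-magic",
    description: "Identify file types of data streams using libmagic signatures.",
    command: "file-magic.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["fallback"],
    tier: "standard",
  },
  {
    name: "cut-bytes",
    description: "Cut out portions of data streams by position or pattern.",
    command: "cut-bytes.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["fallback"],
    tier: "standard",
  },
  {
    name: "format-bytes",
    description: "Decompose and display structured binary data in readable format.",
    command: "format-bytes.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["fallback"],
    tier: "standard",
  },
  {
    name: "xor-kpa",
    description: "Perform XOR decryption using known-plaintext attack.",
    command: "xor-kpa.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["fallback", "decryption"],
    tier: "deep",
  },
  {
    name: "sets",
    description: "Perform set operations (union, intersection, difference) on text file lines or bytes.",
    command: "sets.py",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["fallback"],
    tier: "deep",
  },
  // ── Shellcode analysis ─────────────────────────────────────────────────
  {
    name: "speakeasy-sc-x86",
    description: "Emulate 32-bit shellcode using Speakeasy Windows API emulation.",
    command: "speakeasy",
    inputStyle: "flag",
    inputFlag: "-t",
    fixedArgs: ["-r", "-a", "x86"],
    outputFormat: "text",
    timeout: 120,
    tags: ["shellcode", "data-exe"],
    tier: "quick",
  },
  {
    name: "speakeasy-sc-x64",
    description: "Emulate 64-bit shellcode using Speakeasy Windows API emulation.",
    command: "speakeasy",
    inputStyle: "flag",
    inputFlag: "-t",
    fixedArgs: ["-r", "-a", "amd64"],
    outputFormat: "text",
    timeout: 120,
    tags: ["shellcode", "data-exe"],
    tier: "quick",
  },
  {
    name: "speakeasy",
    description: "Emulate Windows PE, DLL, and driver execution using Speakeasy API emulation.",
    command: "speakeasy",
    inputStyle: "flag",
    inputFlag: "-t",
    outputFormat: "text",
    timeout: 120,
    tags: ["pe", "dotnet", "data-exe"],
    tier: "deep",
  },
  {
    name: "qltool-sc-x86",
    description: "Emulate 32-bit Windows shellcode using Qiling framework (requires rootfs).",
    command: "qltool",
    inputStyle: "flag",
    inputFlag: "-f",
    fixedArgs: ["code", "--os", "windows", "--arch", "x86", "--format", "bin"],
    outputFormat: "text",
    timeout: 120,
    tags: ["shellcode"],
    tier: "deep",
  },
  {
    name: "qltool-sc-x64",
    description: "Emulate 64-bit Windows shellcode using Qiling framework (requires rootfs).",
    command: "qltool",
    inputStyle: "flag",
    inputFlag: "-f",
    fixedArgs: ["code", "--os", "windows", "--arch", "x8664", "--format", "bin"],
    outputFormat: "text",
    timeout: 120,
    tags: ["shellcode"],
    tier: "deep",
  },
  {
    // Not an emulator: the shellcode really runs under Wine on the analysis
    // host. Only schedule this inside an isolated, disposable analysis VM.
    name: "tracesc",
    description: "Execute and trace shellcode via Wine to log API calls and behavior.",
    command: "tracesc",
    inputStyle: "flag",
    inputFlag: "-f",
    outputFormat: "text",
    timeout: 120,
    tags: ["shellcode"],
    tier: "deep",
  },
  // ── PCAP / network analysis ─────────────────────────────────────────────
  {
    name: "tshark-conversations",
    description: "Summarize TCP/UDP conversations from a PCAP file.",
    command: "tshark",
    inputStyle: "flag",
    inputFlag: "-r",
    // Both statistics are requested so the output matches the description
    // (tshark accepts -z more than once).
    fixedArgs: ["-q", "-z", "conv,tcp", "-z", "conv,udp"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pcap", "triage"],
    tier: "quick",
  },
  {
    name: "tshark-http",
    description: "Show HTTP request/response statistics from a PCAP file.",
    command: "tshark",
    inputStyle: "flag",
    inputFlag: "-r",
    fixedArgs: ["-q", "-z", "http,tree"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pcap"],
    tier: "standard",
  },
  {
    name: "tshark-hierarchy",
    description: "Show protocol hierarchy statistics from a PCAP file.",
    command: "tshark",
    inputStyle: "flag",
    inputFlag: "-r",
    fixedArgs: ["-q", "-z", "io,phs"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pcap"],
    tier: "standard",
  },
  {
    name: "tshark-dns",
    description: "Extract DNS queries and responses from a PCAP file.",
    command: "tshark",
    inputStyle: "flag",
    inputFlag: "-r",
    fixedArgs: ["-Y", "dns", "-T", "fields", "-e", "dns.qry.name", "-e", "dns.a", "-e", "dns.resp.type"],
    outputFormat: "text",
    timeout: 60,
    tags: ["pcap"],
    tier: "standard",
  },
  {
    name: "tshark-verbose",
    description: "Full packet decode of first 50 packets from a PCAP file.",
    command: "tshark",
    inputStyle: "flag",
    inputFlag: "-r",
    fixedArgs: ["-V", "-c", "50"], // -c 50 bounds output size on large captures
    outputFormat: "text",
    timeout: 120,
    tags: ["pcap"],
    tier: "deep",
  },
  // ── Cross-type / general ────────────────────────────────────────────────
  {
    name: "ssdeep",
    description: "Compute fuzzy hash (ssdeep) for file similarity comparison.",
    command: "ssdeep",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 30,
    tags: ["pe", "dotnet", "elf", "pdf", "ole2", "ooxml", "rtf", "jar", "apk", "pcap", "fallback"],
    tier: "quick",
  },
  {
    name: "exiftool",
    description: "Read and analyze EXIF metadata from various file types.",
    command: "exiftool",
    inputStyle: "positional",
    outputFormat: "text",
    timeout: 60,
    tags: ["pe", "dotnet", "pdf", "ole2", "ooxml", "elf", "jar", "email", "metadata"],
    tier: "standard",
  },
  {
    name: "xorsearch",
    description: "Locate and decode strings obfuscated using XOR and other techniques.",
    command: "xorsearch",
    inputStyle: "positional",
    fixedArgs: ["-W", "-d", "3"],
    outputFormat: "text",
    timeout: 60,
    tags: ["fallback", "data-exe"],
    tier: "standard",
  },
  {
    // Distinct from the "xorsearch" binary above: the Python port with JSON output.
    name: "xorsearch.py",
    description: "Search for XOR/ROL/ROT/SHIFT encoded strings with JSON output and YARA support.",
    command: "xorsearch.py",
    inputStyle: "positional",
    fixedArgs: ["-J"],
    outputFormat: "json",
    timeout: 60,
    tags: ["fallback", "data-exe"],
    tier: "standard",
  },
];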