Server Configuration
Describes the environment variables required to run the server.

| Name | Required | Description | Default |
|---|---|---|---|
| host | No | SSH host (required for ssh mode) | |
| mode | No | Connection mode: docker, ssh, or local | docker |
| port | No | SSH port (for ssh mode) | 22 |
| user | No | SSH user (for ssh mode) | remnux |
| sandbox | No | Enable path sandboxing (restrict files to samples/output dirs) | off |
| timeout | No | Default command timeout in seconds | 300 |
| password | No | SSH password (for ssh mode; uses SSH agent if omitted) | |
| MCP_TOKEN | No | Bearer token for HTTP auth (environment variable alternative to --http-token) | |
| container | No | Docker container name/ID | remnux |
| http-host | No | HTTP bind address (for http transport) | 127.0.0.1 |
| http-port | No | HTTP server port (for http transport) | 3000 |
| transport | No | Transport mode: stdio or http | stdio |
| http-token | No | Bearer token for HTTP auth | |
| output-dir | No | Output directory path inside REMnux | /home/remnux/files/output |
| samples-dir | No | Samples directory path inside REMnux | /home/remnux/files/samples |
Capabilities
Features and capabilities supported by this server.

| Capability | Details |
|---|---|
| tools | `{ "listChanged": true }` |
| resources | `{ "listChanged": true }` |
Tools
Functions exposed to the LLM to take actions.

| Name | Description |
|---|---|
| run_tool | Execute a command in REMnux. Supports piped commands (e.g., `oledump.py sample.doc \| grep VBA`). String extraction: for PE files use `pestr`; for non-PE files use `strings` (ASCII) and `strings -el` (Unicode). |
| get_file_info | Get file type, hashes, and basic metadata |
| list_files | List files in samples or output directory |
| extract_archive | Extract files from a compressed archive (.zip, .7z, .rar). Automatically tries common malware passwords if the archive is password-protected. Returns list of extracted files. |
| upload_from_host | Upload a file from the host filesystem to the samples directory for analysis. Accepts an absolute host path — the MCP server reads the file locally and transfers it. Maximum file size: 200MB. Files can also be referenced by absolute path in analysis tools, bypassing the need to upload. For files outside the samples directory, pass the full path to get_file_info, analyze_file, or run_tool. |
| download_from_url | Download a file from a URL into the samples directory for analysis. Returns file metadata (hashes, type, size). Supports custom HTTP headers and an optional thug mode for sites requiring JavaScript execution. |
| download_file | Download a file from the output directory (returns base64-encoded content). Use this to retrieve analysis results. Files are wrapped in a password-protected archive by default to prevent AV/EDR triggers. Pass archive: false for harmless files like text reports. Provide output_path to save directly to the host filesystem. |
| analyze_file | Auto-analyze a file using REMnux tools appropriate for the detected file type. Runs |
| suggest_tools | Detect file type and return recommended REMnux analysis tools without executing them. Use this to plan an analysis strategy, then run individual tools with run_tool. Returns tool names, descriptions, depth tiers, and expert analysis hints. |
| extract_iocs | Extract IOCs (IPs, domains, URLs, hashes, registry keys, etc.) from text. Pass output from run_tool or analyze_file to identify indicators. Works well with Volatility 3 plugin output (netscan, cmdline, filescan). Returns deduplicated IOCs with confidence scores. |
| get_tool_help | Get usage help for a REMnux tool. Returns the tool's --help output so you can understand available flags, options, and usage patterns. |
| check_tools | Check which REMnux analysis tools are installed and available. Returns a summary of installed vs missing tools across all file type categories. |
Prompts
Interactive templates invoked by user choice.

| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client.

| Name | Description |
|---|---|
| tools | All registered REMnux analysis tools with metadata |
| Tools tagged "apk" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "autoit" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "capabilities" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "cobalt-strike" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "crypto" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "data-exe" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "decompilation" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "decryption" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "dotnet" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "elf" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "email" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "fallback" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "family-detection" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "jar" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "javascript" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "macros" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "memory" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "metadata" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "ole2" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "onenote" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "ooxml" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "packer-detection" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "pcap" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "pdf" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "pe" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "python" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "rtf" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "script" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "shellcode" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "strings" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "triage" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "unpacking" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| Tools tagged "yara" | REMnux tools filtered by tag (pe, pdf, ole2, etc.) |
| peframe | Statically analyze PE and Microsoft Office files. |
| diec | Determine types of files and examine file properties. |
| capa | Identify capabilities in executable files using CAPA rules. |
| capa-vv | Identify capabilities with verbose rule match details (addresses and evidence). |
| floss | Extract and deobfuscate strings from PE executables. |
| pestr | Extract ASCII and Unicode strings from PE files with section and offset info. |
| portex | Statically analyze PE files for anomalies, structure, and metadata. |
| yara-forge | Scan for malware family signatures using curated YARA rules from 45+ sources (Malpedia, ReversingLabs, etc.). Matches indicate resemblance to known families, not confirmed attribution. |
| yara-rules | Scan a file with YARA rules to identify capabilities and behaviors (packer detection, anti-debug, networking). |
| pecheck | Analyze static properties of PE files. |
| disitool | Examine and manipulate embedded Authenticode digital signatures in PE files. |
| pescan | Scan PE files for anomalies and notable indicators. |
| signsrch | Find patterns of common encryption, compression, or encoding algorithms. |
| ilspycmd | Decompile .NET assemblies to C# source code. |
| monodis-presources | List embedded manifest resources in a .NET assembly (names and offsets). |
| monodis-mresources | Extract all embedded managed resources from a .NET assembly to the current directory. |
| autoit-ripper | Extract and decompile AutoIt scripts from compiled executables. |
| upx-decompress | Decompress UPX-packed executables in-place (keeps backup as .exe~). |
| manalyze | Statically analyze PE files for imports, resources, and anomalies. |
| 1768 | Analyze Cobalt Strike beacons and extract configuration details. |
| cs-decrypt-metadata | Decrypt and analyze Cobalt Strike beacon metadata. |
| csce | Extract Cobalt Strike beacon configuration from raw shellcode or memory dumps. |
| pedump | Statically analyze PE files and extract their components. |
| dotnetfile_dump | Analyze static properties of .NET files. |
| brxor | Bruteforce XOR-encoded strings to find English words. |
| pdfid | Identify notable elements of a PDF file. |
| pdfid-detailed | Identify notable elements of a PDF file (detailed names output). |
| pdf-parser | Examine elements and structure of a PDF file. |
| pdftool | Analyze incremental updates in PDF files to detect hidden payload swaps. |
| pdfresurrect | Extract previous versions of content from PDF files. |
| peepdf-3 | Examine elements of a PDF file for notable content. |
| qpdf | Decrypt password-protected or permission-locked PDF files. |
| pdftk | Manipulate PDF files: merge, split, decrypt, repair, and extract metadata. |
| pdfcop | Detect malicious PDF structures using policy-based heuristics. |
| pdfextract | Extract JavaScript, attachments, fonts, images, and streams from PDF. |
| pdfdecompress | Decompress PDF streams to reveal obfuscated content. |
| oleid | Analyze OLE2 files for risk indicators (macros, encryption, etc.). |
| olevba | Extract and analyze VBA macros from Microsoft Office documents. |
| oledump | Analyze OLE2 Structured Storage files. |
| msoffcrypto-crack | Attempt to recover the password of encrypted Microsoft Office documents. |
| pcodedmp | Disassemble VBA p-code from Office documents. |
| xlmdeobfuscator | Deobfuscate Excel 4.0 (XLM) macros. |
| zipdump | Analyze zip-compressed files including OOXML and JAR. |
| xmldump | Format and analyze XML. For OOXML: `zipdump.py -s <n> -d file \| xmldump.py pretty` |
| rtfdump | Analyze RTF files for embedded content. |
| rtfobj | Extract embedded objects from RTF files. |
| redress | Analyze Go binaries to recover package names, type definitions, source structure, and compiler version. |
| readelf-header | Display ELF file header information. |
| readelf-sections | Display ELF section headers. |
| js-beautify | Beautify and deobfuscate JavaScript, CSS, and HTML files. |
| box-js | Analyze and deobfuscate JavaScript in a sandbox. |
| jstillery | Deobfuscate JavaScript using AST-based partial evaluation. |
| spidermonkey | Execute JavaScript with SpiderMonkey engine using browser/PDF object emulation. |
| strings | Extract printable ASCII strings from binary files. For Unicode (UTF-16), use 'strings -e l <file>' (little-endian) or 'strings -e b <file>' (big-endian). For PE files, prefer pestr which extracts both automatically. |
| decode-vbe | Decode VBE-encoded VBScript files to readable source. |
| base64dump | Locate and decode Base64 and other encoded strings. |
| pycdc | Decompile Python bytecode (.pyc) to readable source code. |
| uncompyle6 | Decompile Python bytecode (.pyc) to source code. Supports Python 1.0 through 3.8. |
| pyinstxtractor-ng | Extract contents of PyInstaller executables without requiring a matching Python version. |
| cfr | Decompile Java class files and JARs to readable Java source code. |
| emldump | Analyze and extract content from email (EML) files. |
| msgconvert | Convert Outlook MSG files to standard EML format. |
| onedump | Analyze OneNote documents and extract embedded files. |
| apkid | Identify compilers, packers, and obfuscators used to protect Android APK and DEX files. |
| apktool | Reverse-engineer Android APK files. |
| droidlysis | Perform static analysis of Android applications. |