Kratos-MCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Kratos-MCP analyze the PE file at /path/to/sample.exe for injected sections"
That's it! The server will respond to your query, and you can continue using it as needed.
Kratos-MCP: Autonomous PE-Injected Section Analyzer
Terminal Layout Integrity & Section Mutation Detection Engine
Designed & Engineered for the SANS FIND EVIL Hackathon
📸 Dashboard Telemetry Visualizer
Below is the high-fidelity military-grade cyber tactical TUI dashboard for Kratos-MCP. This interactive dashboard runs entirely inside your terminal, tracking live PE structure telemetry, alerting on mutated segments, and displaying agent self-correction steps.

⚡ Quick Start & Installation Guide
Kratos-MCP is a zero-dependency, single-script application written in pure Python. It requires no external package installations or third-party web frameworks. It runs directly on the standard SANS SIFT Workstation.
1. Running the Interactive Terminal TUI
To launch the interactive terminal dashboard:
python3 kratos_mcp.py
Keyboard Interaction:
Press [A] to execute the simulated autonomous agent forensic audit (runs log streaming animations).
Press [1-4] keys to select and inspect PE sections in real-time.
Press [E] to export the forensic state snapshot JSON.
Press [Q] to exit the interface.
2. Connecting to the JSON-RPC MCP Server
Kratos-MCP implements a standard Model Context Protocol (MCP) server over stdio. It interfaces with autonomous agents (e.g. Claude Code or Cursor) when stdin/stdout are piped.
MCP JSON Configuration Example:
To hook Kratos-MCP into your Claude Code workspace agent, add this configuration block to your client's mcp.json settings:
{
  "mcpServers": {
    "kratos-mcp": {
      "command": "python3",
      "args": ["/absolute/path/to/kratos_mcp.py"]
    }
  }
}
Manual Stdio JSON-RPC Testing:
To test the JSON-RPC interface manually:
Run the script (with stdin piped):
python3 kratos_mcp.py
Paste the following JSON-RPC commands on stdin:
List Tools:
{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}
Parse Headers:
{"jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": {"name": "parse_pe_sections"}}
Trigger Self-Correction Error Check:
{"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "extract_section_bytes", "arguments": {"section_name": "data"}}}
Re-execute Corrected Query:
{"jsonrpc": "2.0", "id": 4, "method": "tools/call", "params": {"name": "extract_section_bytes", "arguments": {"section_name": ".data"}}}
🌟 15 Unique Enterprise Features
Kratos-MCP is built from the ground up to support deep binary forensics:
DKOM ActiveProcessLinks Double-Traversal: Verifies process list structures by traversing forward and backward pointers.
SSDT (System Service Descriptor Table) Hook Detection: Scans core Windows kernel system calls (e.g. NtQuerySystemInformation) to identify rootkit redirects.
IDT (Interrupt Descriptor Table) Mutation Alert: Audits core interrupt vectors to catch persistence mechanisms.
Kernel Mode Driver Signature Scanner: Flags unsigned or forged certificate drivers (.sys files) loaded in Ring 0.
Memory Page Permissions Auditor: Audits page table protections (e.g. tracking executable allocations in writable space).
Token Elevation Tracker: Flags modifications to system process security tokens (e.g. unauthorized elevation to NT AUTHORITY\SYSTEM).
Automated SANS DFIR Timeline Aggregator: Automatically maps parsed timestamp artifacts into standard investigation audits.
Asynchronous Multi-Agent Telemetry Stream: Formats output telemetry for consumption by autonomous multi-agent systems.
Hexadecimal Memory Address Constraint Evaluator: Dynamic validator checking address spaces and alignments.
Rogue Thread Call-Stack Inspector: Extracts thread stacks to identify hollowing or DLL injection vectors.
Cryptographic Chain of Custody Validation: Immutably seals session states using SHA-256 tokens to ensure evidence tracking compliance.
Self-Correction Logic Routing Framework: Returns explicit schema hints on formatting failures so agents can self-correct.
VAD (Virtual Address Descriptor) Tree Cross-Referencer: Cross-matches virtual address mappings with active process lists.
Network Socket Port Socket Correlator: Maps open TCP/UDP sockets directly to active processes.
One-Click Forensics State Snapshot Exporter: Serializes the parsed PE structures into a signed JSON snapshot.
⚙️ Technical Blueprint & SANS Compliance
Kratos-MCP satisfies SANS incident response criteria through three core mechanics:
1. Self-Correction Logic Routing
To verify the agent's reasoning, the extract_section_bytes tool strictly validates parameters. If the agent requests bytes from a section using raw names without dot notation (e.g., data instead of .data), the server throws an explicit schema error. This triggers a self-correction loop where the agent parses the error hint, reformats the string to .data, and retries the tool call successfully.
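The loop described above, with both sides of the exchange, as an added example that is not taken from kratos_mcp.py. The section table, the error code choice (-32602), the hint fields (`known_sections`, `did_you_mean`) and the function names are assumptions made for illustration; the request shape mirrors the manual test calls with ids 3 and 4.

```python
# Constructed section table standing in for a parsed PE file (illustrative bytes).
SECTIONS = {".text": b"\x55\x8b\xec", ".rdata": b"\x00\x01", ".data": b"\xde\xad\xbe\xef"}

def _error(req_id, message, hint):
    # -32602 is JSON-RPC 2.0 "Invalid params"; the layout of "data" is an assumption.
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": -32602, "message": message, "data": hint}}

def handle_extract_section_bytes(req):
    """Server side: strict validation of section_name, with a machine-readable hint."""
    name = req.get("params", {}).get("arguments", {}).get("section_name")
    hint = {"expected": "dot-prefixed section name", "known_sections": sorted(SECTIONS)}
    if not isinstance(name, str) or not name.startswith("."):
        # Suggest only names from the server's own table; never treat raw input as valid.
        if isinstance(name, str) and "." + name in SECTIONS:
            hint["did_you_mean"] = "." + name
        return _error(req["id"], "section_name must use dot notation", hint)
    if name not in SECTIONS:
        return _error(req["id"], "unknown section", hint)
    return {"jsonrpc": "2.0", "id": req["id"],
            "result": {"section": name, "hex": SECTIONS[name].hex()}}

def call_with_self_correction(section_name, first_id=3, max_retries=1):
    """Client side: follow the hint at most max_retries times; return the transcript."""
    transcript = []
    for attempt in range(max_retries + 1):
        req = {"jsonrpc": "2.0", "id": first_id + attempt, "method": "tools/call",
               "params": {"name": "extract_section_bytes",
                          "arguments": {"section_name": section_name}}}
        resp = handle_extract_section_bytes(req)
        transcript.append((req, resp))
        suggestion = resp.get("error", {}).get("data", {}).get("did_you_mean")
        if "result" in resp or suggestion is None:
            break  # success, or an error the hint cannot repair
        section_name = suggestion
    return transcript
```

The retry bound keeps an agent from looping on an error it cannot fix, and the returned transcript preserves the failed first call for later review.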
2. Absolute Accuracy Validation
Every virtual offset, file header address, and section entropy value is mapped directly to actual low-level binary headers. All outputs are stamped with a cryptographically generated session_token to guarantee evidence tracking chain-of-custody.
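The page does not say how session_token is derived. As an added example (not the project's code), the sketch below assumes one workable construction: each tool output is sealed with SHA-256 over the previous token plus a canonical JSON encoding, so the tokens form a hash chain. `GENESIS`, the function names and the sample records are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for a new session

def canonical(record):
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal(prev_token, record):
    """Token for one record, bound to everything sealed before it."""
    return hashlib.sha256(prev_token.encode("ascii") + canonical(record)).hexdigest()

def seal_session(records):
    """Return a list of {record, session_token} entries forming a hash chain."""
    entries, token = [], GENESIS
    for record in records:
        token = seal(token, record)
        entries.append({"record": record, "session_token": token})
    return entries

def first_broken_link(entries):
    """Recompute the chain; return the index of the first mismatch, or None."""
    token = GENESIS
    for index, entry in enumerate(entries):
        token = seal(token, entry["record"])
        if token != entry["session_token"]:
            return index
    return None

# Constructed sample tool outputs (illustrative values, not from a real binary).
SAMPLE = [
    {"tool": "parse_pe_sections", "sections": [".text", ".rdata", ".data"]},
    {"tool": "extract_section_bytes", "section": ".data", "hex": "deadbeef"},
]
```

An unkeyed chain like this detects edits, reordering and deletions only while the final token is recorded somewhere the editor of the log cannot rewrite; anyone who can rewrite both can recompute every token.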
3. Analytical Reasoning
Instead of returning long, unstructured log sequences, the final output compiles directly into a SANS DFIR executive case file layout, translating low-level anomalies into an actionable threat intelligence summary automatically.
📜 MIT License
This project is licensed under the MIT License - see the LICENSE file for details.