Which integrations are available for this server?

Allows hash lookups, file submission, and retrieval of detection reports from VirusTotal.

How do I use Binary MCP Server?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Binary MCP Server Analyze sample.exe for malicious behavior" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

Binary MCP Server

by Sarks0

Overview Schema Related Servers Score Discussions

Python

Local

Binary MCP Server

Python 3.12+ License

MCP server that gives AI assistants the ability to analyze binaries, debug processes, and inspect kernel state. Supports static analysis via Ghidra, user-mode debugging via x64dbg, kernel debugging via WinDbg, and .NET decompilation via ILSpyCmd.

Quick Start

Install

# Windows (as Administrator)
irm https://raw.githubusercontent.com/Sarks0/binary-mcp/main/install.ps1 | iex

# Linux / macOS
curl -sSL https://raw.githubusercontent.com/Sarks0/binary-mcp/main/install.py | python3 -

# Manual
git clone https://github.com/Sarks0/binary-mcp.git
cd binary-mcp && uv sync

Connect to Claude

claude mcp add binary-analysis -- uv --directory /path/to/binary-mcp run python -m src.server

Or add to your MCP config (Claude Code ~/.claude/settings.json or Claude Desktop config):

{
  "mcpServers": {
    "binary-analysis": {
      "command": "uv",
      "args": ["--directory", "/path/to/binary-mcp", "run", "python", "-m", "src.server"],
      "env": {"GHIDRA_HOME": "/path/to/ghidra"}
    }
  }
}

What You Can Do

Static Analysis - Analyze any binary without running it.

Analyze the binary at /path/to/malware.exe
Decompile the function at 0x401000
Find all suspicious API calls and crypto constants

Live Debugging - Control x64dbg from Claude.

Connect to x64dbg and set breakpoints on BCryptEncrypt
Trace execution until EAX contains a decrypted pointer
Find the OEP of this packed binary

Kernel Debugging - Inspect drivers and crash dumps.

Connect to the kernel debugger on port 50000
Show the dispatch table for \\Driver\\MyDriver
Analyze the crash dump at C:\Windows\MEMORY.DMP

.NET Analysis - Decompile managed assemblies.

Decompile the type MyNamespace.MyClass to C#

Capabilities (245 tools)

Static Analysis (Ghidra) - 35 tools

Analysis, decompilation, cross-references, memory maps, byte pattern search, function renaming, call graphs, API pattern detection (100+ Windows APIs), crypto constant identification, IOC extraction, and binary compatibility checking.

Dynamic Analysis (x64dbg) - 159 tools

Category	What It Does
Execution Control	Run, pause, step into/over/out, run to user code, instruction undo
Breakpoints	Software, hardware, memory, DLL load, exception, and conditional breakpoints with logging
Tracing	Conditional tracing (ticnd/tocnd), trace recording, OEP finder for packed binaries
Memory	Read, write, dump, allocate, protect, pattern scan, string search, memory watch with diff
Registers & Stack	Read/write registers, stack trace with raw fallback, expression evaluation
Analysis	Control flow analysis, cross-references, function boundaries, disassembly with capstone fallback
Type System	Define structs/unions, overlay on memory (VisitType), parse C headers, enumerate types
Search	Find assembly patterns, GUIDs, module calls, string references, reference ranges
Anti-Debug	Detect and bypass anti-debug techniques (PEB, NtGlobalFlag, heap flags)
Watch & Logging	Watch expressions with watchdog triggers, API call logging, breakpoint hit logging
Annotations	Comments, labels, bookmarks, function boundaries, variables
Thread Control	Switch, suspend, resume threads individually or all at once
Process	Attach/detach, minidump creation, module listing with exports
Navigation	Navigate disassembly/dump/graph views, generic command execution

Kernel Debugging (WinDbg) - 20 tools

Connection (KDNET, local kernel, crash dumps), execution control, breakpoints, register and memory inspection, driver object analysis, IOCTL decoding, process listing, and raw WinDbg command execution.

.NET Analysis (ILSpyCmd) - 7 tools

Type listing, C# decompilation, IL disassembly, type search, and full assembly decompilation.

PE Structure (pefile) - 1 tool

Comprehensive PE header, section, import, export, resource, debug, TLS, and Rich header analysis in a single fast call (<500ms). Three detail levels (basic/standard/full) with decoded characteristic flags, compiler attribution, and malware indicators.

Other - 23 tools

Triage (3) - Quick file type detection, packer identification, entropy analysis
Malware Analysis (4) - Behavior detection, threat chain identification, IOC extraction
Control Flow (4) - CFG generation, cyclomatic complexity, loop detection, dead code
Function Hashing (4) - Cross-binary function matching and similarity scoring
VirusTotal (4) - Hash lookups, file submission, detection reports
Session Management - Persistent analysis tracking across conversations
Reporting (2) - Generate structured analysis reports
YARA (2) - Rule scanning (optional yara-python dependency)

Supported Formats

Format	Engine
PE (.exe, .dll, .sys)	Ghidra + x64dbg
.NET Assembly	ILSpyCmd
ELF (Linux)	Ghidra
Mach-O (macOS)	Ghidra
Kernel Drivers (.sys)	Ghidra + WinDbg
Crash Dumps (.dmp)	WinDbg

Architecture

                    MCP Client (Claude Desktop / Claude Code)
                                    |
                            FastMCP Server (stdio)
                           /        |        \         \
                  Static Analysis  Dynamic    Kernel    .NET
                   /       \       Analysis  Debugging  Analysis
               Ghidra    Python   x64dbg     WinDbg/KD  ILSpyCmd
             (headless)  bytecode (HTTP)    (Pybag COM)
                                    |           |
                               C++ Plugin   DbgEng COM
                                    |           |
                              User Process  Kernel Target

Environment Variables

Variable	Description	Default
`GHIDRA_HOME`	Ghidra installation path	Auto-detected
`GHIDRA_TIMEOUT`	Analysis timeout (seconds)	600
`X64DBG_PATH`	x64dbg installation path	Auto-detected
`WINDBG_PATH`	WinDbg/CDB installation path	Auto-detected
`WINDBG_MODE`	Operating mode: `kernel`, `user`, `dump`	`kernel`

Development

uv run pytest              # Run tests
uv run pytest --cov=src    # With coverage
uv run ruff check src/     # Lint

Resources

License

Apache 2.0 - See LICENSE for details.

This server cannot be installed

license - permissive license

quality - not tested

maintenance

How are these scores calculated?

Maintenance

–Maintainers

19hResponse time

–Release cycle

1Releases (12mo)

Issues opened vs closed

Resources

GitHub Repository

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sarks0/binary-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server