volatility_linux
Analyze Linux memory dumps using Volatility 2 plugins to extract forensic data like processes, network connections, and system information for security investigations.
Instructions
Run a Volatility 2 Linux plugin against a memory dump. Returns plugin, profile, success, output, and errors. Read-only analysis. Requires volatility2 (vol.py) on PATH.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| dump_path | Yes | Path to the Linux memory dump file | |
| profile | Yes | Volatility 2 profile name, e.g. 'LinuxCentOS7_7_1908x64' | |
| plugin | Yes | Volatility 2 Linux plugin to run (one of the allow-listed plugin names below) | |
Implementation Reference
- src/tools/memory.ts:73-97 (handler): Handler implementation for the 'volatility_linux' tool, which executes the Volatility 2 plugin against a memory dump.

```typescript
async ({ dump_path, profile, plugin }) => {
  // Locate vol.py; refuse to run if it is not on PATH.
  const volBin = findVolatility2();
  if (!volBin) {
    const result = { error: "Volatility 2 not found. Install it and ensure vol.py is on PATH." };
    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
  }
  // Validate the dump path before handing it to the external process.
  const dump = validateDump(dump_path);
  // Arguments are passed as an argv array (no shell string) with the timeout given to runCmd.
  const res = await runCmd(
    volBin,
    [`--profile=${profile}`, "-f", dump, plugin],
    { timeout: 300 }
  );
  // Cap the returned output so a verbose plugin cannot flood the tool response.
  const result = {
    plugin,
    profile,
    success: res.success,
    output: res.stdout.slice(0, 5000),
    errors: res.stderr ? res.stderr.slice(0, 1000) : "",
  };
  return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
}
```

- src/tools/memory.ts:48-72 (registration): Registration and schema definition for the 'volatility_linux' tool.

```typescript
server.tool(
  "volatility_linux",
  "Run a Volatility 2 Linux plugin against a memory dump. Returns plugin, profile, success, output, and errors. Read-only analysis. Requires volatility2 (vol.py) on PATH.",
  {
    dump_path: z.string().describe("Path to the Linux memory dump file"),
    profile: z
      .string()
      .describe("Volatility 2 profile name, e.g. 'LinuxCentOS7_7_1908x64'"),
    // The plugin is an enum, so callers can only select one of these allow-listed plugins.
    plugin: z
      .enum([
        "linux_banner",
        "linux_bash",
        "linux_pslist",
        "linux_pstree",
        "linux_netstat",
        "linux_enumerate_files",
        "linux_check_syscall",
        "linux_hidden_modules",
        "linux_lsmod",
        "linux_mount",
        "linux_ifconfig",
        "linux_route_cache",
      ])
      .describe("Volatility 2 Linux plugin to run"),
  },
  // The handler (src/tools/memory.ts:73-97, above) follows as the next argument.
```
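The handler above builds a vol.py argv from caller-supplied values and returns raw, truncated text. The following is an added example, not code from this project, showing what a consumer of the tool would typically want on top of that: the same plugin allow-list and output caps applied on the client side, a character-set check on the profile name (an assumption; Volatility profile names are alphanumeric with underscores, dots and dashes), and a fixed-column parser for Volatility 2 table output that derives column boundaries from the dashed separator line so values containing spaces (such as the start time) stay intact. The sample linux_pslist output is constructed for the example, and the helper names (buildVolArgs, truncateOutput, parseVolTable, orphanPids) are hypothetical.

```typescript
// Added example: client-side validation and parsing for volatility_linux results.
// Not part of src/tools/memory.ts; helper names are hypothetical.

// Allow-list taken from the tool's plugin enum.
const ALLOWED_PLUGINS = new Set([
  "linux_banner", "linux_bash", "linux_pslist", "linux_pstree", "linux_netstat",
  "linux_enumerate_files", "linux_check_syscall", "linux_hidden_modules",
  "linux_lsmod", "linux_mount", "linux_ifconfig", "linux_route_cache",
]);

// Assumption: profile names use only this character set, so anything else is rejected
// before it becomes a `--profile=` argument.
const PROFILE_RE = /^[A-Za-z0-9_.-]+$/;

// Build the same argv the handler passes to runCmd. It is an array, never a shell
// string, so a dump path containing spaces is passed through as a single argument.
function buildVolArgs(profile: string, dump: string, plugin: string): string[] {
  if (!ALLOWED_PLUGINS.has(plugin)) throw new Error(`plugin not allowed: ${plugin}`);
  if (!PROFILE_RE.test(profile)) throw new Error(`invalid profile name: ${profile}`);
  return [`--profile=${profile}`, "-f", dump, plugin];
}

// Apply the handler's caps (5000 chars of stdout, 1000 of stderr) and report whether
// anything was cut, so an analyst knows the table may be incomplete.
function truncateOutput(stdout: string, stderr: string): { output: string; errors: string; truncated: boolean } {
  return {
    output: stdout.slice(0, 5000),
    errors: stderr ? stderr.slice(0, 1000) : "",
    truncated: stdout.length > 5000 || stderr.length > 1000,
  };
}

type Row = Record<string, string>;

// Parse a Volatility 2 text table. The line of dashes under the header gives the
// column start/end offsets; the last column extends to end of line because its
// values (e.g. "Start Time") are wider than the dashes.
function parseVolTable(text: string): Row[] {
  const lines = text.split("\n");
  const sepIdx = lines.findIndex((l) => /^-+(\s+-+)*\s*$/.test(l));
  if (sepIdx < 1) return [];
  const header = lines[sepIdx - 1];
  const cols: { name: string; start: number; end: number }[] = [];
  const re = /-+/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(lines[sepIdx])) !== null) {
    const end = m.index + m[0].length;
    cols.push({ name: header.slice(m.index, end).trim(), start: m.index, end });
  }
  const rows: Row[] = [];
  for (const line of lines.slice(sepIdx + 1)) {
    if (!line.trim()) continue;
    const row: Row = {};
    cols.forEach((c, i) => {
      const end = i === cols.length - 1 ? line.length : c.end;
      row[c.name] = line.slice(c.start, end).trim();
    });
    rows.push(row);
  }
  return rows;
}

// Triage helper: processes whose PPid is not in the list. A missing parent can be a
// parent that already exited, or a process worth cross-checking against linux_pstree.
function orphanPids(rows: Row[]): string[] {
  const pids = new Set(rows.map((r) => r.Pid));
  return rows.filter((r) => r.PPid !== "0" && !pids.has(r.PPid)).map((r) => r.Pid);
}

// Constructed sample output in linux_pslist layout (not captured from a real dump).
function fmtRow(cells: string[], widths: number[]): string {
  return cells.map((c, i) => c.padEnd(widths[i])).join(" ");
}
const WIDTHS = [18, 20, 15, 15, 15, 6, 18, 10];
const SAMPLE_PSLIST = [
  "Volatility Foundation Volatility Framework 2.6",
  fmtRow(["Offset", "Name", "Pid", "PPid", "Uid", "Gid", "DTB", "Start Time"], WIDTHS),
  fmtRow(WIDTHS.map((w) => "-".repeat(w)), WIDTHS),
  fmtRow(["0xffff88003b9e8000", "systemd", "1", "0", "0", "0", "0x000000003b9f2000", "2019-10-01 12:00:00 UTC+0000"], WIDTHS),
  fmtRow(["0xffff88003b9e9000", "kthreadd", "2", "0", "0", "0", "------------------", "2019-10-01 12:00:00 UTC+0000"], WIDTHS),
  fmtRow(["0xffff88003a1c0000", "sshd", "842", "1", "0", "0", "0x0000000039c1a000", "2019-10-01 12:00:05 UTC+0000"], WIDTHS),
  fmtRow(["0xffff880037b2c000", "kworker/u8:2", "1337", "2", "0", "0", "------------------", "2019-10-01 12:03:17 UTC+0000"], WIDTHS),
  fmtRow(["0xffff880036f10000", "sh", "2210", "2199", "1000", "1000", "0x0000000036a2b000", "2019-10-01 12:10:41 UTC+0000"], WIDTHS),
].join("\n");

// Usage: validate the request, then parse the (truncated) text the tool returned.
const argv = buildVolArgs("LinuxCentOS7_7_1908x64", "/cases/host1/mem.lime", "linux_pslist");
const processes = parseVolTable(truncateOutput(SAMPLE_PSLIST, "").output);
console.log(argv.join(" "), processes.length, "processes; orphans:", orphanPids(processes));
```

The parser is deliberately driven by the separator line rather than by splitting on whitespace, because Volatility 2 pads columns with spaces and some values (timestamps, mount paths from linux_mount) contain spaces themselves. The `truncated` flag matters in practice: with the handler's 5000-character cap, a pslist from a busy host will be cut mid-table, and an analyst should know that absence of a process from the parsed rows may simply mean it fell past the cap.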