PeMCP
The PeMCP Toolkit is a Python script for in-depth analysis of Portable Executable (PE) files. It runs either as a command-line tool or as a Model Context Protocol (MCP) server.
The toolkit targets malware analysis, reverse engineering, digital forensics, and software auditing. It parses PE structures in detail, performs advanced string analysis, and applies heuristics to detect obfuscation. The command-line mode is intended for quick static analysis; the MCP server mode is intended for deep, interactive, programmatic analysis. In server mode the toolkit pre-analyzes a PE file and enriches the result with additional context, so that its tools operate on the already-loaded data. This lets an analyst correlate observed malware behavior with suspicious indicators, link strings to the functions that reference them, and rank strings by relevance. External tools (flare-capa, flare-floss, and yara-python) are integrated to extend its coverage.
Features
- Detailed PE Structure Parsing: Provides comprehensive parsing of DOS Header, NT Headers, Data Directories, Section Table, and more.
- Advanced String Analysis: Utilizes flare-floss for string extraction and flare-stringsifter for ranking strings by relevance.
- Signature & Capability Detection: Integrates with Capa and YARA for identifying program capabilities and scanning with user-provided rules.
- Enriched Analysis Context: Offers string-to-function linking and disassembly snippets for deeper insights into code usage.
- Advanced Obfuscation Detection: Includes multi-layer decoding and XOR bruteforcing for uncovering hidden strings.
Tools
- get_triage_report: Runs an automated workflow to find the most suspicious indicators and returns a condensed summary report.
- reanalyze_loaded_pe_file: Re-triggers the full analysis pipeline on the loaded file, with options to skip certain modules.
- get_analyzed_file_summary: Provides a high-level overview of the PE file's characteristics.
- get_top_sifted_strings: Returns a list of the most relevant strings, sorted by their sifter_score, with granular filters.
- fuzzy_search_strings: Performs a fuzzy search to find strings similar to a given query.