Reverse Engineering AI Assistant

July 28, 2025

This Binary Ninja plugin is a Model Context Protocol (MCP) server that provides AI-powered capabilities by integrating Binary Ninja with Claude Desktop. With this plugin, you can get technical reports from your AI-powered assistant on the malware loaded into Binary Ninja, complete with intelligence insights. The goal is to gather as much information as possible before delving into the depths of your analysis.

If you want to see how I use it, you can watch this demo that I recorded:

Main Features

  • Comprehensive Binary Analysis: Extract detailed information about loaded binaries, including functions, disassembly and HLIL pseudocode, strings, symbols, and sections. With this information, the LLM agent (Claude Desktop) can develop a full technical report with threat intelligence insights.
  • Natural Language Interface: Interact with Binary Ninja through conversational AI via Claude Desktop.

Installation

1. Install Binary Ninja Plugin

  1. Clone or download this repository;

  2. Copy the entire project folder to your Binary Ninja plugins directory:

    • Windows: %APPDATA%\Binary Ninja\plugins\
    • macOS: ~/Library/Application Support/Binary Ninja/plugins/
    • Linux: ~/.binaryninja/plugins/
  3. The plugin directory structure should look like:

Binary Ninja/plugins/
└── RE_AI-Assistant/
    ├── mcp_server/
    │   ├── config.py
    │   └── server.py
    ├── __init__.py
    ├── server.py
    ├── ui.py
    ├── config.py
    ├── setup_claude.py
    └── plugin.json

2. Install Python Dependencies

pip install mcp httpx

3. Setup the Claude Desktop

First you must run setup_claude.py to configure the MCP Server in Claude Desktop. You can easily adapt it yourself for another LLM agent.

After running this script, your Claude Desktop will be configured to connect to the MCP Server in Binary Ninja.
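The registration step above boils down to adding an entry to Claude Desktop's MCP configuration file. The following is an added example of how such a setup script can do that safely; it is not the project's setup_claude.py. It assumes Claude Desktop's documented config location (claude_desktop_config.json under the per-OS application-data directory) and its "mcpServers" JSON layout; the entry name "binaryninja-mcp" and the server path are constructed placeholders. The merge preserves any other MCP servers already registered, refuses a config whose top level is not a JSON object, and writes through a temporary file so an interrupted write cannot leave Claude Desktop with a truncated config.

```python
"""Register an MCP server entry in Claude Desktop's config file.

Added example, not the project's setup_claude.py. Assumes Claude Desktop's
claude_desktop_config.json location and "mcpServers" layout; the entry name
and server path below are constructed placeholders.
"""
import json
import os
import sys
import tempfile
from pathlib import Path


def claude_config_path() -> Path:
    """Per-OS location of claude_desktop_config.json (assumed from Claude Desktop docs)."""
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Claude" / "claude_desktop_config.json"
    if sys.platform.startswith("win"):
        return Path(os.environ["APPDATA"]) / "Claude" / "claude_desktop_config.json"
    return Path.home() / ".config" / "Claude" / "claude_desktop_config.json"


def build_server_entry(server_script: Path, python_exe: str = sys.executable) -> dict:
    """Launch spec Claude Desktop uses to spawn a stdio MCP server."""
    return {"command": python_exe, "args": [str(server_script.resolve())]}


def register_mcp_server(config_path: Path, name: str, entry: dict) -> dict:
    """Merge `entry` under mcpServers[name], keeping every other server.

    Starts from an empty object when the file does not exist, rejects a
    config whose top level is not a JSON object, and writes atomically via
    a temp file + os.replace. Returns the merged document.
    """
    if config_path.exists():
        raw = config_path.read_text(encoding="utf-8") or "{}"
        config = json.loads(raw)
        if not isinstance(config, dict):
            raise ValueError("claude_desktop_config.json top level must be a JSON object")
    else:
        config = {}
    servers = config.setdefault("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    servers[name] = entry

    config_path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=config_path.parent, prefix=".claude_cfg_", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, config_path)  # atomic on POSIX and Windows
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return config


if __name__ == "__main__":
    here = Path(__file__).resolve().parent
    merged = register_mcp_server(
        claude_config_path(),
        "binaryninja-mcp",  # constructed entry name
        build_server_entry(here / "mcp_server" / "server.py"),
    )
    print(json.dumps(merged, indent=2))
```

Run it from the plugin directory and restart Claude Desktop; the merged document is printed so you can confirm that pre-existing servers survived the edit.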

Usage

Starting the Server

  1. Open Binary Ninja and load the binary you want to analyze.
  2. Start the MCP Server from the menu: Plugins → MCP Server → Start Server.
  3. You should see a confirmation dialog that the server is running on TCP Port 8755.
  4. Open Claude Desktop - it will automatically connect to the MCP Server.

Available Commands in Claude

Once connected, you can ask Claude to perform various analysis tasks. Below you can see some prompt examples:

  • "Analyze the loaded malware" - Comprehensive analysis of the entire binary
  • "Show me the disassembly of the main function" - Get disassembly for specific functions, to analyze through Claude Desktop
  • "Extract all strings from the binary" - Find strings with optional filtering.
  • "List all functions in the binary" - Get a complete function list from Binary Ninja.
  • "Show me the pseudocode for function mal_function" - Get HLIL Pseudocode of the function.
  • "Analyze the loaded malware, and find the main capabilities implemented in the malware. Identify possible obfuscation techniques on the code, and bring a full technical report, with insights about this malware" - Get a full analysis with all available tools, to get all information needed to create a full report.
  • The more you invest in developing your prompt, with structured context, the better the LLM analysis will be.

Below you can see the prompt structure that I use in my activities:

Context: <I describe all the context that I know about the malware that I'll analyze>. The following is its SHA256: _______________.

Your Task: Produce a single, comprehensive, technical, and explanatory report, describing the remote and local sources used, containing all of the following:

Identify the main characteristics and capabilities of this malware, including:

- What language was used to write this malware?

- Does its current state include code obfuscation? API hashing, etc.?

- Is it packed?

- Does it communicate with the C&C?

- Does it implement any encryption routine? Is it possible to identify the algorithm? If so, provide a suggestion on how to implement the algorithm in Python to decrypt the data.

Furthermore, identify the functions that implement the main capabilities of this malware, for future in-depth analysis by Senior Malware Analysts. Even so, analyze each main function and prepare a report of your analysis that includes:

- The report must include the offset, or the name of the functions where you identify the main capabilities, along with a description of your analysis, so that Senior Malware Analysts can analyze it in more detail later.

- Insights for Threat Hunting and DFIR to detect and track this malware.

- Insights to track campaigns by this adversary, by hunting for malware with the same pattern, or by hunting the same infrastructure used in this case.

- Malware identification, with intelligence information (you can use Web Search)

- Attribution! Which threat actor is behind this malware? Provide a history of this possible threat actor.

- Detailed technical analysis of the malware's capabilities, scoring the functions that implement this capability in detail (with code analysis).

- Analyze each function found, and perform a more in-depth code analysis of those that implement the main capabilities, providing insights for deeper analysis.

- The report must have two tables containing the capabilities you identified that the malware implements, correlated with the Malware Behavior Catalog (MBC), and with the ATT&CK TTPs you identified as implemented in the analyzed malware.

Stopping the Server

To stop the server, use the menu: Plugins → MCP Server → Stop Server.

Architecture

The project consists of three main components:

1. Binary Ninja Plugin (server.py)

  • Implements an HTTP API server running on TCP port 8755;
  • Provides direct access to Binary Ninja's analysis capabilities;
  • Handles requests from the MCP server.

2. MCP Server (mcp_server/server.py)

  • Implements the Model Context Protocol;
  • Bridges communication between Claude Desktop and Binary Ninja;
  • Provides tool definitions and handles tool execution.

3. Agent and MCP Server Configuration Scripts

  • __init__.py: Plugin registration and command setup;
  • setup_claude.py: Script to set up the Claude Desktop integration;
  • ui.py: UI components and settings management for the Binary Ninja plugin;
  • config.py: Configuration management;
  • plugin.json: Plugin metadata.
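The first component above is the piece that matters most from a security standpoint: the HTTP API on port 8755 runs inside Binary Ninja with a hostile sample loaded, and its arguments arrive from the MCP server on behalf of an LLM. The following is an added example of that bridge's request handling, not the plugin's server.py. The endpoint paths (/functions, /strings, /function) and query parameter names are assumptions, and the function and string tables are constructed stand-ins for what the plugin would read from a Binary Ninja BinaryView. It shows the two checks a practitioner would want here: the socket binds to 127.0.0.1 only, so nothing on the network can drive the analysis session, and `function_name` and `min_length` are validated before any lookup, so malformed or oversized arguments get a 400 rather than reaching analysis code.

```python
"""Loopback-only HTTP API with argument validation for the analysis bridge.

Added example, not the plugin's server.py. Endpoint paths and parameter
names are assumptions; FUNCTIONS and STRINGS are constructed stand-ins for
BinaryView data.
"""
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# Constructed stand-in for what a BinaryView would provide.
FUNCTIONS = {
    "main": {"address": 0x401000, "size": 0x1A0, "callers": ["_start"], "callees": ["mal_function"]},
    "mal_function": {"address": 0x4011A0, "size": 0x88, "callers": ["main"], "callees": []},
}
STRINGS = [(0x402000, "kernel32.dll"), (0x402010, "GET"), (0x402020, "/update.php"), (0x402030, "ok")]

# Binary Ninja function names are identifier-like (sub_401000, _start, main).
NAME_RE = re.compile(r"^[A-Za-z_.$][A-Za-z0-9_.$@]{0,255}$")
MIN_LEN_DEFAULT, MIN_LEN_MAX = 4, 1024


def validate_function_name(name):
    if name is None or not NAME_RE.match(name):
        raise ValueError("function_name must be an identifier-like string")
    return name


def validate_min_length(raw):
    if raw is None:
        return MIN_LEN_DEFAULT
    if not raw.isdigit():  # rejects negatives, floats, and text
        raise ValueError("min_length must be a non-negative integer")
    value = int(raw)
    if value > MIN_LEN_MAX:
        raise ValueError(f"min_length must be <= {MIN_LEN_MAX}")
    return value


def handle_tool(path, query):
    """Dispatch one validated request; returns (status, body dict)."""
    if path == "/functions":
        return 200, {"functions": [{"name": n, "address": hex(f["address"]), "size": f["size"]}
                                   for n, f in FUNCTIONS.items()]}
    if path == "/strings":
        min_len = validate_min_length(query.get("min_length"))
        return 200, {"strings": [{"address": hex(a), "value": s} for a, s in STRINGS if len(s) >= min_len]}
    if path == "/function":
        name = validate_function_name(query.get("function_name"))
        fn = FUNCTIONS.get(name)
        if fn is None:
            return 404, {"error": f"no function named {name}"}
        return 200, {"name": name, "address": hex(fn["address"]), "size": fn["size"],
                     "xrefs_to": fn["callers"], "calls": fn["callees"],
                     "complexity": {"callers": len(fn["callers"]), "callees": len(fn["callees"])}}
    return 404, {"error": "unknown endpoint"}


class BridgeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        query = {k: v[0] for k, v in parse_qs(url.query).items()}  # first value per key
        try:
            status, body = handle_tool(url.path, query)
        except ValueError as exc:
            status, body = 400, {"error": str(exc)}
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the Binary Ninja log quiet
        pass


def start_bridge(port=8755):
    """Bind to loopback only; port 0 asks the OS for a free port (handy in tests)."""
    server = ThreadingHTTPServer(("127.0.0.1", port), BridgeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def get_json(port, path_and_query):
    """Client side, as the MCP server would call it. Returns (status, body)."""
    try:
        with urlopen(f"http://127.0.0.1:{port}{path_and_query}", timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


if __name__ == "__main__":
    srv = start_bridge()
    print("listening on", srv.server_address)
    print(get_json(srv.server_address[1], "/function?function_name=mal_function"))
    srv.shutdown()
```

The MCP server side then only has to forward tool arguments to these endpoints and relay the JSON back to Claude; keeping validation in the Binary Ninja process means a second MCP client, or a buggy one, cannot bypass it.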

Available Tools

These tools are necessary for the assistant to successfully complete its task and produce a good report with valuable insights. Below are the tools and their objective descriptions:

1. get_current_function_disassembly

Extract disassembly code from a specific function or the current function.

Parameters:

  • function_name (optional): Name of the function to analyze.

2. get_current_function_hlil

Extract the HLIL pseudocode of a specific function or the current function.

Parameters:

  • function_name (optional): Name of the function to analyze.

3. analyze_entire_binary

Perform comprehensive analysis of the entire loaded binary.

4. list_all_functions

List all functions discovered in the binary with basic information.

5. get_binary_strings

Extract all strings from the binary with optional filtering.

Parameters:

  • min_length (optional, default: 4): Minimum string length to include

6. get_function_details

Get detailed analysis of a specific function including xRefs, variables, and complexity metrics.

Parameters:

  • function_name (required): Name of the function to analyze

Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.

Development Setup

  1. Clone the repository
  2. Create a symbolic link to your Binary Ninja plugins directory
  3. Make changes and test with Binary Ninja
  4. Submit a pull request with your improvements and tests.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Acknowledgments

  • Binary Ninja team for their excellent reverse engineering platform <3
  • Anthropic for the Model Context Protocol specification and Claude Desktop <3
  • The reverse engineering community for inspiration, like Joshua from Invoke RE.

Additional Resources