Binary Ninja MCP

1# Binary Ninja MCP
2 
3This repository contains a Binary Ninja plugin, MCP server, and bridge that enables seamless integration of Binary Ninja's capabilities with your favorite LLM client.
4 
5![Binary Ninja MCP Logo](images/logo-small.png)
6 
7## Features
8 
9- Seamless, real-time integration between Binary Ninja and MCP clients
10- Enhanced reverse engineering workflow with AI assistance
11- Support for every MCP client (Cline, Claude desktop, Roo Code, etc.)
12- Open multiple binaries and switch the active target automatically
13 
14## Examples
15 
16### Solving a CTF Challenge
17 
18Check out [this demo video on YouTube](https://www.youtube.com/watch?v=0ffMHH39L_M) that uses the extension to solve a CTF challenge.
19 
20## Components
21 
22This repository contains two separate components:
23 
241. A Binary Ninja plugin that provides an MCP server that exposes Binary Ninja's capabilities through HTTP endpoints. This can be used with any client that implements the MCP protocol.
252. A separate MCP bridge component that connects your favorite MCP client to the Binary Ninja MCP server.
26 
27## Prerequisites
28 
29- [Binary Ninja](https://binary.ninja/)
30- Python 3.12+
31- MCP client (those with auto-setup support are listed below)
32 
33## Installation
34 
35### MCP Client
36 
37Please install the MCP client before you install Binary Ninja MCP so that the MCP clients can be auto-setup. We currently support auto-setup for these MCP clients:
38 
39    1. Cline (recommended)
40    2. Roo Code
41    3. Claude Desktop (recommended)
42    4. Cursor
43    5. Windsurf
44    6. Claude Code
45    7. LM Studio
46 
47### Extension Installation
48 
49After the MCP client is installed, you can install the MCP server using the Binary Ninja Plugin Manager or manually. Both methods support auto-setup of MCP clients.
50 
51If your MCP client is not set, you should install it first then try to reinstall the extension.
52 
53#### Binary Ninja Plugin Manager
54 
55You may install the extension through Binary Ninja's Plugin Manager (`Plugins > Manage Plugins`).
56 
57![Plugin Manager](images/plugin-manager-listing.png)
58 
59#### Manual Install
60 
61To manually install the extension, this repository can be copied into the [Binary Ninja plugins folder](https://docs.binary.ninja/guide/plugins.html).
62 
63### [Optional] Manual Setup of the MCP Client
64 
65*You do NOT need to set this up manually if you use a supported MCP client and follow the installation steps before.*
66 
67You can also manage MCP client entries from the command line:
68 
69```bash
70python scripts/mcp_client_installer.py --install    # auto setup supported MCP clients
71python scripts/mcp_client_installer.py --uninstall  # remove entries and delete `.mcp_auto_setup_done`
72python scripts/mcp_client_installer.py --config     # print a generic JSON config snippet
73```
74 
75For other MCP clients, this is an example config:
76 
77```json
78{
79    "mcpServers": {
80        "binary_ninja_mcp": {
81            "command": "/ABSOLUTE/PATH/TO/Binary Ninja/plugins/repositories/community/plugins/fosdickio_binary_ninja_mcp/.venv/bin/python",
82            "args": [
83                "/ABSOLUTE/PATH/TO/Binary Ninja/plugins/repositories/community/plugins/fosdickio_binary_ninja_mcp/bridge/binja_mcp_bridge.py"
84            ]
85        }
86    }
87}
88```
89 
90Note: Replace `/ABSOLUTE/PATH/TO` with the actual absolute path to your project directory. The virtual environment's Python interpreter must be used to access the installed dependencies.
91 
92## Usage
93 
941. Open Binary Ninja and load a binary
952. Click the button shown at left bottom corner
963. Start using it through your MCP client
97 
98You may now start prompting LLMs about the currently open binary (or binaries). Example prompts:
99 
100### CTF Challenges
101 
102```txt
103You're the best CTF player in the world. Please solve this reversing CTF challenge in the <folder_name> folder using Binary Ninja. Rename ALL the function and the variables during your analyzation process (except for main function) so I can better read the code. Write a python solve script if you need. Also, if you need to create struct or anything, please go ahead. Reverse the code like a human reverser so that I can read the decompiled code that analyzed by you.
104```
105 
106### Malware Analysis
107 
108```txt
109Your task is to analyze an unknown file which is currently open in Binary Ninja. You can use the existing MCP server called "binary_ninja_mcp" to interact with the Binary Ninja instance and retrieve information, using the tools made available by this server. In general use the following strategy:
110 
111- Start from the entry point of the code
112- If this function call others, make sure to follow through the calls and analyze these functions as well to understand their context
113- If more details are necessary, disassemble or decompile the function and add comments with your findings
114- Inspect the decompilation and add comments with your findings to important areas of code
115- Add a comment to each function with a brief summary of what it does
116- Rename variables and function parameters to more sensible names
117- Change the variable and argument types if necessary (especially pointer and array types)
118- Change function names to be more descriptive, using mcp_ as prefix.
119- NEVER convert number bases yourself. Use the convert_number MCP tool if needed!
120- When you finish your analysis, report how long the analysis took
121- At the end, create a report with your findings.
122- Based only on these findings, make an assessment on whether the file is malicious or not.
123```
124 
125## Supported Capabilities
126 
127The following table lists the available MCP functions for use:
128 
129| Function                                                             | Description                                                                                                  |
130| -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
131| `decompile_function`                                                 | Decompile a specific function by name and return HLIL-like code with addresses.                              |
132| `get_il(name_or_address, view, ssa)`                                 | Get IL for a function in `hlil`, `mlil`, or `llil` (SSA supported for MLIL/LLIL).                            |
133| `define_types`                                                       | Add type definitions from a C string type definition.                                                        |
134| `delete_comment`                                                     | Delete the comment at a specific address.                                                                    |
135| `delete_function_comment`                                            | Delete the comment for a function.                                                                           |
136| `declare_c_type(c_declaration)`                                      | Create/update a local type from a single C declaration.                                                      |
137| `format_value(address, text, size)`                                  | Convert a value and annotate it at an address in BN (adds a comment).                                        |
138| `function_at`                                                        | Retrieve the name of the function the address belongs to.                                                    |
139| `get_assembly_function`                                              | Get the assembly representation of a function by name or address.                                            |
140| `get_entry_points()`                                                 | List entry point(s) of the loaded binary.                                                                    |
141| `get_binary_status`                                                  | Get the current status of the loaded binary.                                                                 |
142| `get_comment`                                                        | Get the comment at a specific address.                                                                       |
143| `get_function_comment`                                               | Get the comment for a function.                                                                              |
144| `get_user_defined_type`                                              | Retrieve definition of a user-defined type (struct, enumeration, typedef, union).                            |
145| `get_xrefs_to(address)`                                              | Get all cross references (code and data) to an address.                                                      |
146| `get_data_decl(name_or_address, length)`                             | Return a C-like declaration and a hexdump for a data symbol or address.                                      |
147| `hexdump_address(address, length)`                                   | Text hexdump at address. `length < 0` reads exact defined size if available.                                 |
148| `hexdump_data(name_or_address, length)`                              | Hexdump by data symbol name or address. `length < 0` reads exact defined size if available.                  |
149| `get_xrefs_to_enum(enum_name)`                                       | Get usages related to an enum (matches member constants in code).                                            |
150| `get_xrefs_to_field(struct_name, field_name)`                        | Get all cross references to a named struct field.                                                            |
151| `get_xrefs_to_struct(struct_name)`                                   | Get xrefs/usages related to a struct (members, globals, code refs).                                          |
152| `get_xrefs_to_type(type_name)`                                       | Get xrefs/usages related to a struct/type (globals, refs, HLIL matches).                                     |
153| `get_xrefs_to_union(union_name)`                                     | Get xrefs/usages related to a union (members, globals, code refs).                                           |
154| `get_stack_frame_vars(function_identifier)`                          | Get stack frame variable information for a function (names, offsets, sizes, types).                           |
155| `get_type_info(type_name)`                                           | Resolve a type and return declaration, kind, and members.                                                    |
156| `make_function_at(address, platform)`                                | Create a function at an address. `platform` optional; use `default` to pick the BinaryView/platform default. |
157| `list_platforms()`                                                   | List all available platform names.                                                                           |
158| `list_binaries()`                                                    | List managed/open binaries with ids and active flag.                                                         |
159| `select_binary(view)`                                                | Select active binary by id or filename.                                                                      |
160| `list_all_strings()`                                                 | List all strings (no pagination; aggregates all pages).                                                      |
161| `list_classes`                                                       | List all namespace/class names in the program.                                                               |
162| `list_data_items`                                                    | List defined data labels and their values.                                                                   |
163| `list_exports`                                                       | List exported functions/symbols.                                                                             |
164| `list_imports`                                                       | List imported symbols in the program.                                                                        |
165| `list_local_types(offset, count)`                                    | List local Types in the current database (name/kind/decl).                                                   |
166| `list_methods`                                                       | List all function names in the program.                                                                      |
167| `list_namespaces`                                                    | List all non-global namespaces in the program.                                                               |
168| `list_segments`                                                      | List all memory segments in the program.                                                                     |
169| `list_strings(offset, count)`                                        | List all strings in the database (paginated).                                                                |
170| `list_strings_filter(offset, count, filter)`                         | List matching strings (paginated, filtered by substring).                                                    |
171| `rename_data`                                                        | Rename a data label at the specified address.                                                                |
172| `rename_function`                                                    | Rename a function by its current name to a new user-defined name.                                            |
173| `rename_single_variable`                                             | Rename a single local variable inside a function.                                                            |
174| `rename_multi_variables`                                             | Batch rename multiple local variables in a function (mapping or pairs).                                      |
175| `set_local_variable_type(function_address, variable_name, new_type)` | Set a local variable's type.                                                                                 |
176| `retype_variable`                                                    | Retype variable inside a given function.                                                                     |
177| `search_functions_by_name`                                           | Search for functions whose name contains the given substring.                                                |
178| `search_types(query, offset, count)`                                 | Search local Types by substring (name/decl).                                                                 |
179| `set_comment`                                                        | Set a comment at a specific address.                                                                         |
180| `set_function_comment`                                               | Set a comment for a function.                                                                                |
181| `set_function_prototype(name_or_address, prototype)`                 | Set a function's prototype by name or address.                                                               |
182| `patch_bytes(address, data, save_to_file)`                           | Patch raw bytes at an address (byte-level, not assembly). Can patch entire instructions by providing their bytecode. Address: hex (e.g., "0x401000") or decimal. Data: hex string (e.g., "90 90"). `save_to_file` (default True) saves to disk and re-signs on macOS. |
183 
184These are the list of HTTP endpoints that can be called:
185 
186- `/allStrings`: All strings in one response.
187- `/formatValue?address=<addr>&text=<value>&size=<n>`: Convert and set a comment at an address.
188- `/getXrefsTo?address=<addr>`: Xrefs to address (code+data).
189- `/getDataDecl?name=<symbol>|address=<addr>&length=<n>`: JSON with declaration-style string and a hexdump for a data symbol or address. Keys: `address`, `name`, `size`, `type`, `decl`, `hexdump`. `length < 0` reads exact defined size if available.
190- `/hexdump?address=<addr>&length=<n>`: Text hexdump aligned at address; `length < 0` reads exact defined size if available.
191- `/hexdumpByName?name=<symbol>&length=<n>`: Text hexdump by symbol name. Recognizes BN auto-labels like `data_<hex>`, `byte_<hex>`, `word_<hex>`, `dword_<hex>`, `qword_<hex>`, `off_<hex>`, `unk_<hex>`, and plain hex addresses.
192- `/makeFunctionAt?address=<addr>&platform=<name|default>`: Create a function at an address (idempotent if already exists). `platform=default` uses the BinaryView/platform default.
193- `/platforms`: List all available platform names.
194- `/binaries` or `/views`: List managed/open binaries with ids and active flag.
195- `/selectBinary?view=<id|filename>`: Select active binary for subsequent operations.
196- `/data?offset=<n>&limit=<m>&length=<n>`: Defined data items with previews. `length` controls bytes read per item (capped at defined size). Default behavior reads exact defined size when available; `length=-1` forces exact-size.
197- `/getXrefsToEnum?name=<enum>`: Enum usages by matching member constants.
198- `/getXrefsToField?struct=<name>&field=<name>`: Xrefs to struct field.
199- `/getXrefsToType?name=<type>`: Xrefs/usages related to a struct/type name.
200- `/getTypeInfo?name=<type>`: Resolve a type and return declaration and details.
201- `/getXrefsToUnion?name=<union>`: Union xrefs/usages (members, globals, refs).
202- `/getStackFrameVars?name=<function>|address=<addr>`: Get stack frame variable information for a function.
203- `/localTypes?offset=<n>&limit=<m>`: List local types.
204- `/strings?offset=<n>&limit=<m>`: Paginated strings.
205- `/strings/filter?offset=<n>&limit=<m>&filter=<substr>`: Filtered strings.
206- `/searchTypes?query=<substr>&offset=<n>&limit=<m>`: Search local types by substring.
207- `/patch` or `/patchBytes?address=<addr>&data=<hex>&save_to_file=<bool>`: Patch raw bytes at an address (byte-level, not assembly). Can patch entire instructions by providing their bytecode. Address: hex (e.g., "0x401000") or decimal. Data: hex string (e.g., "90 90"). `save_to_file` (default True) saves to disk and re-signs on macOS.
208- `/renameVariables`: Batch rename locals in a function. Parameters:
209  - Function: one of `functionAddress`, `address`, `function`, `functionName`, or `name`.
210  - Provide renames via one of:
211    - `renames`: JSON array of `{old, new}` objects
212    - `mapping`: JSON object of `old->new`
213    - `pairs`: compact string `old1:new1,old2:new2`
214          Returns per-item results plus totals. Order is respected; later pairs can refer to earlier new names.
215 
216## Development
217 
218### Code Quality
219 
220This project uses [Ruff](https://docs.astral.sh/ruff/) for linting and formatting. Configuration is in `ruff.toml`.
221 
222#### Running Ruff Manually
223 
224Check for issues:
225```bash
226ruff check .
227```
228 
229Auto-fix issues:
230```bash
231ruff check --fix .
232```
233 
234Check formatting issues:
235```bash
236ruff format --check .
237```
238 
239Format code:
240```bash
241ruff format .
242```
243 
244#### GitHub Actions
245 
246A GitHub Action workflow (`.github/workflows/lint-format.yml`) automatically runs Ruff on:
247 
248- Every push to the `main` branch
249- Every pull request targeting the `main` branch
250 
251The workflow will fail if there are linting errors or formatting issues, ensuring code quality in CI.
252 
253## Contributing
254 
255Contributions are welcome. Please feel free to submit a pull request.
256