Rogue Binary

Tools for malware analysis.

Rogue Binary builds practical reverse engineering tools for analysts and agents. The first release is rbinmcp: a Rust MCP server for binary triage, static parsing, Ghidra, radare2, and native command wrappers.

sample.exe analysis log
sha256: local artifact recorded before claims
entry: 0x401000 -> unpacking branch
imports: VirtualAlloc, WriteProcessMemory
next: choose the next focused MCP call
triage / inspect / verify

Get to useful evidence faster.

rbinmcp gives an agent the boring parts of binary triage without burning a full decompiler pass first. It keeps hashes, offsets, imports, sections, strings, callsites, and backend output close to the claim, then points the next step at the smallest Ghidra, radare2, or native-tool query that can prove it.

First pass

Start with hashes, file shape, imports, sections, strings, hardening posture, call structure, and likely behavior families before opening heavier tools.

Static and native tools

Read PE, ELF, and Mach-O metadata. Check export hashes, entropy, packer hints, crypto constants, strings, objdump output, binary diffs, and embedded signatures.
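A first pass of the kind the two sections above describe (hashes, file shape, sections, entropy, hardening posture, packer hints), as an added example in Python. It is not rbinmcp code and does not call its MCP tools; it parses the DOS, COFF, optional and section headers of a PE32 by hand with the standard library, scores each section's entropy, reads the DllCharacteristics bits (ASLR, DEP, CFG, high-entropy VA) and flags cheap packer indicators from where the entry point lands. The input is a synthetic PE built in memory by build_sample_pe, constructed here so the script runs offline (it is not a real sample): a plain .text section plus a writable, executable, high-entropy UPX1 section that holds the entry point. The 7.0 entropy threshold, the hint rules and all function names are this example's own choices; import-table and string extraction are not covered.

```python
# Added example, not rbinmcp code: first-pass PE triage with the standard
# library only. The PE it runs on is constructed by build_sample_pe().
import hashlib
import json
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF spec
DLLCHAR = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",   # ASLR
    0x0100: "NX_COMPAT",      # DEP
    0x4000: "GUARD_CF",       # Control Flow Guard
}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
HIGH_ENTROPY = 7.0  # example threshold, bits per byte


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(blob: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers; return triage facts."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry = struct.unpack_from("<I", blob, opt + 16)[0]
    dllchars = struct.unpack_from("<H", blob, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": rsize,
            "entropy": round(entropy(blob[rptr:rptr + rsize]), 2),
            "exec": bool(sc & SCN_EXECUTE), "write": bool(sc & SCN_WRITE),
        })
    entry_sec = next((s for s in sections
                      if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    hints = []  # cheap packer indicators: a hit means "look closer", not "packed"
    if entry_sec is None:
        hints.append("entry point outside every section")
    else:
        if entry_sec["entropy"] > HIGH_ENTROPY:
            hints.append("entry in high-entropy section " + entry_sec["name"])
        if entry_sec["write"] and entry_sec["exec"]:
            hints.append("entry in writable+executable section " + entry_sec["name"])
        if entry_sec["name"].upper().startswith("UPX"):
            hints.append("UPX-style section name")
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "machine": hex(machine),
        "pe32plus": magic == 0x20B,
        "entry_rva": hex(entry),
        "entry_section": entry_sec["name"] if entry_sec else None,
        "hardening": [n for bit, n in DLLCHAR.items() if dllchars & bit],
        "missing_hardening": [n for bit, n in DLLCHAR.items() if not dllchars & bit],
        "sections": sections,
        "packer_hints": hints,
    }


def build_sample_pe(dllchars: int = 0) -> bytes:
    """Constructed PE32 for offline runs (not a real sample): a plain .text section
    plus a writable, executable, high-entropy UPX1 section holding the entry point."""
    text = bytes(256) + b"\x90" * 256   # two byte values only: entropy exactly 1.0
    packed = bytes(range(256)) * 2      # uniform bytes stand in for packed data: 8.0
    secs = [(b".text", 0x1000, text, 0x60000020),    # CODE | EXECUTE | READ
            (b"UPX1", 0x2000, packed, 0xE0000040)]   # INIT_DATA | EXECUTE | READ | WRITE
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x200, 0, 0x2010, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 2, dllchars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # 16 empty data dirs
    hdrs, body = b"", b""
    for i, (name, rva, data, sc) in enumerate(secs):
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                            len(data), 0x200 * (i + 1), 0, 0, 0, 0, sc)
        body += data
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    print(json.dumps(triage_pe(build_sample_pe()), indent=2))
```

Run it as a script to see the full report for the constructed sample; point triage_pe at real file bytes to use it on an actual PE. Every fact it returns is tied to a header field or a section's raw bytes, which is the point of a first pass: the entry landing in a writable, executable, high-entropy section is what tells you to open the heavier tools on that section next, rather than on the whole file.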

Ghidra and radare2

Use cached Ghidra projects and persistent r2 sessions for functions, CFGs, xrefs, callsite facts, byte reads, field flow, path digests, and decompiler views.

Repo helpers

Use tool discovery, backend status, source navigation, validation hints, and local Ghidra/r2 reference indexes when working on rbinmcp itself.

Contact

Contact Rogue Binary about rbinmcp feedback, binary-analysis tooling, malware triage, and private consulting.