Kratos-MCP

Enables autonomous analysis of PE (Portable Executable) files for detecting injected sections and anomalies, with self-correcting JSON-RPC tools for binary forensics.

README

Kratos-MCP: Autonomous PE-Injected Section Analyzer

Terminal Layout Integrity & Section Mutation Detection Engine

Designed & Engineered for the SANS FIND EVIL Hackathon


📸 Dashboard Telemetry Visualizer

Below is the terminal (TUI) dashboard for Kratos-MCP. It runs entirely inside your terminal, tracking live PE structure telemetry, alerting on mutated sections, and displaying the agent's self-correction steps.

Kratos-MCP Tactical Telemetry Dashboard


⚡ Quick Start & Installation Guide

Kratos-MCP is a zero-dependency, single-script application written in pure Python. It requires no external package installations or third-party web frameworks. It runs directly on the standard SANS SIFT Workstation.

1. Running the Interactive Terminal TUI

To launch the interactive terminal dashboard:

python3 kratos_mcp.py
  • Keyboard Interaction:
    • Press [A] to execute the simulated autonomous agent forensic audit (runs log streaming animations).
    • Press [1-4] keys to select and inspect PE sections in real-time.
    • Press [E] to export the forensic state snapshot JSON.
    • Press [Q] to exit the interface.

2. Connecting to the JSON-RPC MCP Server

Kratos-MCP implements a standard Model Context Protocol (MCP) server over stdio. It interfaces with autonomous agents (e.g. Claude Code or Cursor) when stdin/stdout are piped.

MCP JSON Configuration Example:

To hook Kratos-MCP into your Claude Code workspace agent, add this configuration block to your client's mcp.json settings:

{
  "mcpServers": {
    "kratos-mcp": {
      "command": "python3",
      "args": ["/absolute/path/to/kratos_mcp.py"]
    }
  }
}

Manual Stdio JSON-RPC Testing:

To test the JSON-RPC interface manually:

  1. Run the script: python3 kratos_mcp.py (with stdin piped).
  2. Paste the following JSON-RPC commands on stdin:
    • List Tools:
      {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}
    • Parse Headers:
      {"jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": {"name": "parse_pe_sections"}}
    • Trigger Self-Correction Error Check:
      {"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "extract_section_bytes", "arguments": {"section_name": "data"}}}
    • Re-execute Corrected Query:
      {"jsonrpc": "2.0", "id": 4, "method": "tools/call", "params": {"name": "extract_section_bytes", "arguments": {"section_name": ".data"}}}

🌟 15 Unique Enterprise Features

Kratos-MCP is built from the ground up to support deep binary forensics:

  1. DKOM ActiveProcessLinks Double-Traversal: Verifies process list structures by traversing forward and backward pointers.
  2. SSDT (System Service Descriptor Table) Hook Detection: Scans core Windows kernel system calls (e.g. NtQuerySystemInformation) to identify rootkit redirects.
  3. IDT (Interrupt Descriptor Table) Mutation Alert: Audits core interrupt vectors to catch persistence mechanisms.
  4. Kernel Mode Driver Signature Scanner: Flags unsigned or forged certificate drivers (.sys files) loaded in Ring 0.
  5. Memory Page Permissions Auditor: Audits page table protections (e.g. tracking executable allocations in writable space).
  6. Token Elevation Tracker: Flags modifications to system process security tokens (e.g. unauthorized elevation to NT AUTHORITY\SYSTEM).
  7. Automated SANS DFIR Timeline Aggregator: Automatically maps parsed timestamp artifacts into standard investigation audits.
  8. Asynchronous Multi-Agent Telemetry Stream: Formats output telemetry for consumption by autonomous multi-agent systems.
  9. Hexadecimal Memory Address Constraint Evaluator: Dynamic validator checking address spaces and alignments.
  10. Rogue Thread Call-Stack Inspector: Extracts thread stacks to identify hollowing or DLL injection vectors.
  11. Cryptographic Chain of Custody Validation: Immutably seals session states using SHA-256 tokens to ensure evidence tracking compliance.
  12. Self-Correction Logic Routing Framework: Returns explicit schema hints on formatting failures so agents can self-correct.
  13. VAD (Virtual Address Descriptor) Tree Cross-Referencer: Cross-matches virtual address mappings with active process lists.
  14. Network Socket-to-Process Correlator: Maps open TCP/UDP sockets directly to active processes.
  15. One-Click Forensics State Snapshot Exporter: Serializes the parsed PE structures into a signed JSON snapshot.

⚙️ Technical Blueprint & SANS Compliance

Kratos-MCP satisfies SANS incident response criteria through three core mechanics:

1. Self-Correction Logic Routing

To verify the agent's reasoning, the extract_section_bytes tool strictly validates its parameters. If the agent requests bytes from a section using a raw name without dot notation (e.g. data instead of .data), the server returns an explicit schema error. This triggers a self-correction loop: the agent parses the error hint, reformats the name to .data, and retries the tool call successfully.
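As an added example (not Kratos-MCP's own code), here is a minimal Python dispatcher that serves the four JSON-RPC requests listed under Manual Stdio JSON-RPC Testing and implements this self-correction routing: a raw section name such as data is rejected with a structured hint and a retry_with suggestion, while .data succeeds. The in-memory section table, the error payload shape and the session token are constructed assumptions, not the project's real implementation.

```python
import json, math, hashlib
from collections import Counter

# Constructed stand-in for a parsed PE section table (name -> raw bytes).
# A real server would populate this from the section headers of the target file.
SECTIONS = {
    ".text": bytes(range(256)) * 2,       # high-entropy stand-in for code
    ".data": b"\x00" * 480 + b"KRATOS",   # mostly zero-filled data
    ".rsrc": b"MZ" * 64,
}
SESSION_TOKEN = hashlib.sha256(b"constructed-session").hexdigest()[:16]  # constructed

def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def validate_section_name(name):
    """Return a human- and machine-readable schema hint, or None if valid."""
    if not isinstance(name, str) or not name.startswith("."):
        return f"section_name must use dot notation, e.g. '.data' (got {name!r})"
    if name not in SECTIONS:
        return f"unknown section {name!r}; valid names: {sorted(SECTIONS)}"
    return None

def handle(request):
    """Dispatch one JSON-RPC 2.0 request and return the response object."""
    rid, method = request.get("id"), request.get("method")
    params = request.get("params") or {}
    tool = params.get("name")
    if method == "tools/list":
        result = {"tools": ["parse_pe_sections", "extract_section_bytes"]}
    elif method == "tools/call" and tool == "parse_pe_sections":
        result = {"sections": [{"name": n, "size": len(b), "entropy": round(entropy(b), 3)}
                               for n, b in SECTIONS.items()]}
    elif method == "tools/call" and tool == "extract_section_bytes":
        name = (params.get("arguments") or {}).get("section_name")
        hint = validate_section_name(name)
        if hint:  # explicit hint so the calling agent can reformat and retry
            retry = {"section_name": "." + str(name).lstrip(".")}
            return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32602,
                    "message": "Invalid params", "data": {"hint": hint, "retry_with": retry}}}
        result = {"section_name": name, "bytes_hex": SECTIONS[name][:16].hex()}
    else:
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32601, "message": "Method not found"}}
    result["session_token"] = SESSION_TOKEN  # stamp every successful result
    return {"jsonrpc": "2.0", "id": rid, "result": result}
```

Feeding each stdin line through json.loads, handle and json.dumps gives the stdio loop; the id 3 request yields an error whose data.retry_with is exactly the corrected id 4 arguments.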

2. Absolute Accuracy Validation

Every virtual offset, file header address, and section entropy value is mapped directly to actual low-level binary headers. All outputs are stamped with a cryptographically generated session_token to guarantee evidence tracking chain-of-custody.

3. Analytical Reasoning

Instead of returning long, unstructured log sequences, the final output compiles directly into a SANS DFIR executive case file layout, translating low-level anomalies into an actionable threat intelligence summary automatically.


📜 MIT License

This project is licensed under the MIT License - see the LICENSE file for details.
