Kratos-MCP
Enables autonomous analysis of PE (Portable Executable) files for detecting injected sections and anomalies, with self-correcting JSON-RPC tools for binary forensics.
Kratos-MCP: Autonomous PE-Injected Section Analyzer
Terminal Layout Integrity & Section Mutation Detection Engine
Designed & Engineered for the SANS FIND EVIL Hackathon
📸 Dashboard Telemetry Visualizer
Below is the terminal (TUI) dashboard for Kratos-MCP. It runs entirely inside the terminal, tracks live PE structure telemetry, alerts on mutated sections, and displays the agent's self-correction steps.

⚡ Quick Start & Installation Guide
Kratos-MCP is a zero-dependency, single-script application written in pure Python. It requires no external package installations or third-party web frameworks. It runs directly on the standard SANS SIFT Workstation.
1. Running the Interactive Terminal TUI
To launch the interactive terminal dashboard:
python3 kratos_mcp.py
- Keyboard interaction:
  - Press [A] to execute the simulated autonomous agent forensic audit (runs log streaming animations).
  - Press [1-4] to select and inspect PE sections in real time.
  - Press [E] to export the forensic state snapshot JSON.
  - Press [Q] to exit the interface.
2. Connecting to the JSON-RPC MCP Server
Kratos-MCP implements a standard Model Context Protocol (MCP) server over stdio. It interfaces with autonomous agents (e.g. Claude Code or Cursor) when stdin/stdout are piped.
MCP JSON Configuration Example:
To hook Kratos-MCP into your Claude Code workspace agent, add this configuration block to your client's mcp.json settings:
{
"mcpServers": {
"kratos-mcp": {
"command": "python3",
"args": ["/absolute/path/to/kratos_mcp.py"]
}
}
}
Manual Stdio JSON-RPC Testing:
To test the JSON-RPC interface manually:
- Run the script with stdin piped:
  python3 kratos_mcp.py
- Paste the following JSON-RPC requests on stdin, one per line:
  - List tools:
    {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}
  - Parse headers:
    {"jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": {"name": "parse_pe_sections"}}
  - Trigger the self-correction error check (dotless section name):
    {"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {"name": "extract_section_bytes", "arguments": {"section_name": "data"}}}
  - Re-execute the corrected query:
    {"jsonrpc": "2.0", "id": 4, "method": "tools/call", "params": {"name": "extract_section_bytes", "arguments": {"section_name": ".data"}}}
🌟 15 Unique Enterprise Features
Kratos-MCP is built from the ground up to support deep binary forensics:
- DKOM ActiveProcessLinks Double-Traversal: Verifies process list structures by traversing forward and backward pointers.
- SSDT (System Service Descriptor Table) Hook Detection: Scans core Windows kernel system calls (e.g. NtQuerySystemInformation) to identify rootkit redirects.
- IDT (Interrupt Descriptor Table) Mutation Alert: Audits core interrupt vectors to catch persistence mechanisms.
- Kernel Mode Driver Signature Scanner: Flags unsigned or forged-certificate drivers (.sys files) loaded in Ring 0.
- Memory Page Permissions Auditor: Audits page table protections (e.g. tracking executable allocations in writable space).
- Token Elevation Tracker: Flags modifications to system process security tokens (e.g. unauthorized elevation to NT AUTHORITY\SYSTEM).
- Automated SANS DFIR Timeline Aggregator: Automatically maps parsed timestamp artifacts into standard investigation audits.
- Asynchronous Multi-Agent Telemetry Stream: Formats output telemetry for consumption by autonomous multi-agent systems.
- Hexadecimal Memory Address Constraint Evaluator: Dynamic validator checking address spaces and alignments.
- Rogue Thread Call-Stack Inspector: Extracts thread stacks to identify hollowing or DLL injection vectors.
- Cryptographic Chain of Custody Validation: Seals session states with SHA-256 tokens so that later modification of a snapshot is detectable.
- Self-Correction Logic Routing Framework: Returns explicit schema hints on formatting failures so agents can self-correct.
- VAD (Virtual Address Descriptor) Tree Cross-Referencer: Cross-matches virtual address mappings with active process lists.
- Network Socket Port Correlator: Maps open TCP/UDP sockets directly to active processes.
- One-Click Forensics State Snapshot Exporter: Serializes the parsed PE structures into a signed JSON snapshot.
⚙️ Technical Blueprint & SANS Compliance
Kratos-MCP satisfies SANS incident response criteria through three core mechanics:
1. Self-Correction Logic Routing
To exercise the agent's reasoning, the extract_section_bytes tool validates its parameters strictly. If the agent requests bytes from a section by a bare name without the dot (e.g., data instead of .data), the server returns an explicit schema error instead of guessing. This triggers a self-correction loop: the agent parses the error hint, reformats the name to .data, and retries the tool call successfully. Note that the leading dot is a linker convention, not a PE requirement: the section Name field is an arbitrary 8-byte string, and packed binaries routinely carry sections such as UPX0 or CODE, so the check should accept any name that actually appears in the parsed section table rather than rejecting every dotless name.
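The four-request exchange from the Quick Start and the self-correction loop described here, as an added example (this is not kratos_mcp.py's code): a newline-delimited JSON-RPC dispatcher that serves tools/list and tools/call, returns -32602 with a machine-readable hint on a bad section_name, and a simulated agent that reads the hint and retries. The section table, tool descriptions and hint wording are constructed for the demo, and the check is generalised to match against the parsed section names (so UPX0 is accepted) instead of only requiring a leading dot. Real MCP clients send an initialize request before tools/list; like the manual test above, this example omits it.

```python
"""Minimal JSON-RPC tool server in the shape of the README's stdio exchange.
Added example for this page, not kratos_mcp.py. SECTIONS is a constructed
stand-in for what parse_pe_sections would return from a real binary."""
import difflib
import json
import re
import sys

SECTIONS = {  # constructed sample section table
    ".text":  {"virtual_address": 0x1000, "raw_size": 0x600, "entropy": 6.1},
    ".rdata": {"virtual_address": 0x2000, "raw_size": 0x200, "entropy": 4.8},
    ".data":  {"virtual_address": 0x3000, "raw_size": 0x100, "entropy": 3.2},
    "UPX0":   {"virtual_address": 0x4000, "raw_size": 0x0,   "entropy": 0.0},  # packer section, no dot
}

TOOLS = [
    {"name": "parse_pe_sections", "description": "List the section headers",
     "inputSchema": {"type": "object", "properties": {}}},
    {"name": "extract_section_bytes", "description": "Return one section's raw bytes",
     "inputSchema": {"type": "object", "required": ["section_name"],
                     "properties": {"section_name": {"type": "string", "enum": list(SECTIONS)}}}},
]
HINT_RE = re.compile(r"did you mean '([^']+)'")


def _result(req_id, payload):
    return {"jsonrpc": "2.0", "id": req_id, "result": payload}


def _error(req_id, code, message, hint=None):
    err = {"code": code, "message": message}
    if hint is not None:
        err["data"] = {"hint": hint}       # machine-readable self-correction hint
    return {"jsonrpc": "2.0", "id": req_id, "error": err}


def schema_hint(name):
    """Suggest the closest known section: the dotted form first ('data' -> '.data'),
    then a fuzzy match, then the full list of valid names."""
    if "." + name in SECTIONS:
        return f"unknown section {name!r}; did you mean '.{name}'?"
    close = difflib.get_close_matches(name, list(SECTIONS), n=1)
    if close:
        return f"unknown section {name!r}; did you mean '{close[0]}'?"
    return f"unknown section {name!r}; valid names: {sorted(SECTIONS)}"


def handle_request(req):
    """Dispatch one JSON-RPC request and return the response object."""
    req_id, method, params = req.get("id"), req.get("method"), req.get("params") or {}
    if method == "tools/list":
        return _result(req_id, {"tools": TOOLS})
    if method != "tools/call":
        return _error(req_id, -32601, f"method not found: {method}")
    tool, args = params.get("name"), params.get("arguments") or {}
    if tool == "parse_pe_sections":
        return _result(req_id, {"content": [{"type": "text", "text": json.dumps(SECTIONS)}]})
    if tool == "extract_section_bytes":
        name = args.get("section_name")
        if not isinstance(name, str):
            return _error(req_id, -32602, "section_name (string) is required")
        if name not in SECTIONS:                       # strict: must be a parsed section
            return _error(req_id, -32602, "invalid section_name", schema_hint(name))
        sec = SECTIONS[name]
        text = f"{name}: {sec['raw_size']} raw bytes at VA {sec['virtual_address']:#x}"
        return _result(req_id, {"content": [{"type": "text", "text": text}]})
    return _error(req_id, -32602, f"unknown tool: {tool}")


def agent_loop(request, max_retries=2):
    """Client side of the loop: on an error carrying a 'did you mean' hint, rewrite
    section_name and retry with the next id. Returns the (request, response) pairs."""
    transcript, req = [], request
    for _ in range(max_retries + 1):
        resp = handle_request(req)
        transcript.append((req, resp))
        hint = (resp.get("error") or {}).get("data", {}).get("hint", "")
        match = HINT_RE.search(hint)
        if not match:
            break
        req = {**req, "id": req["id"] + 1,
               "params": {**req["params"], "arguments": {"section_name": match.group(1)}}}
    return transcript


def serve_stdio():
    """Newline-delimited JSON-RPC over stdin/stdout, as in the manual test."""
    for line in sys.stdin:
        if not line.strip():
            continue
        try:
            resp = handle_request(json.loads(line))
        except json.JSONDecodeError:
            resp = _error(None, -32700, "parse error")
        sys.stdout.write(json.dumps(resp) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    serve_stdio()
```

Run it with python3 and paste the Quick Start requests on stdin, or call agent_loop() with request id 3 to replay the correction (the retry goes out as id 4 with ".data" and succeeds). The MCP specification distinguishes protocol-level failures, returned as JSON-RPC error objects as done here for bad arguments, from tool-execution failures, which are returned as a result with isError set; whichever form a server chooses, the hint the agent consumes must be in a fixed, parseable place such as error.data.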
2. Absolute Accuracy Validation
Every virtual address, header offset, and section entropy value is read directly from the binary's own headers and raw section bytes rather than inferred. All outputs are stamped with a session_token derived with SHA-256 over the emitted state, so a snapshot can be checked for later modification. A bare hash only detects accidental change, however: anyone able to edit the snapshot can recompute it, so for chain-of-custody the token should be a keyed HMAC (with the key held outside the evidence store) or a digital signature.
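What the header mapping and the session token look like in code, as an added example (not kratos_mcp.py): a struct-based walk of the DOS header, PE signature, COFF header, optional header and section table; per-section Shannon entropy and anomaly flags (W+X permissions, entropy above 7 bits/byte, raw data past end of file, entry point outside executable code); and a session_token computed as plain SHA-256 over the snapshot, with a keyed HMAC variant for comparison. The PE image, the section names and the flag wording are constructed for the demo.

```python
"""PE section-table parser with anomaly flags and a SHA-256 session token.
Added example for this page, not code from kratos_mcp.py; build_sample_pe()
constructs the (non-runnable) image it analyses."""
import hashlib
import hmac
import json
import math
import struct
from collections import Counter

SCN_CODE, SCN_INIT = 0x00000020, 0x00000040            # IMAGE_SCN_CNT_CODE / _CNT_INITIALIZED_DATA
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"                           # IMAGE_SECTION_HEADER, 40 bytes


def entropy(buf):
    """Shannon entropy in bits per byte: 0 for constant data, near 8 for random."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data):
    """MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        name, vsize, va, rsize, rptr, *_, chars = struct.unpack_from(SECTION_FMT, data, off)
        raw = data[rptr:rptr + rsize]
        ent = round(entropy(raw), 3)
        flags = []
        if rptr + rsize > len(data):
            flags.append("raw data runs past end of file")
        if chars & SCN_WRITE and chars & SCN_EXEC:
            flags.append("writable and executable (W+X)")
        if ent > 7.0:
            flags.append("high entropy (packed or encrypted?)")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "header_offset": off,
                         "virtual_address": va, "virtual_size": vsize, "raw_offset": rptr,
                         "raw_size": rsize, "characteristics": chars, "entropy": ent, "flags": flags})
    return entry, sections


def seal(snapshot, key=None):
    """SHA-256 alone (as the page describes) only detects accidental change; with a key
    kept outside the evidence store it becomes an HMAC a snapshot editor cannot recompute."""
    body = {k: v for k, v in snapshot.items() if k != "session_token"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest() if key is None else hmac.new(key, canon, "sha256").hexdigest()


def verify(snapshot, key=None):
    return hmac.compare_digest(seal(snapshot, key), snapshot["session_token"])


def analyze(data, key=None):
    """Snapshot: file hash, sections, image-level flags, session_token."""
    entry, sections = parse_sections(data)
    owner = [s for s in sections if s["virtual_address"] <= entry
             < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])]
    image_flags = [] if owner and owner[0]["characteristics"] & SCN_EXEC else [
        f"entry point {entry:#x} is not inside an executable section"]
    snapshot = {"file_sha256": hashlib.sha256(data).hexdigest(), "entry_point": entry,
                "sections": sections, "image_flags": image_flags}
    snapshot["session_token"] = seal(snapshot, key)
    return snapshot


def build_sample_pe():
    """Constructed PE32+ image (not a runnable program): benign .text/.data plus an
    injected W+X section of pseudo-random bytes, the footprint an injected section leaves."""
    text = b"\x55\x48\x89\xe5\x90\x90\xc3" * 64                        # repetitive stub code
    data = b"\x00" * 0x100 + b"kratos-sample-data".ljust(0x100, b"\x00")
    inj = b"".join(hashlib.sha256(b"inj%d" % i).digest() for i in range(32))   # 1024 bytes
    hdrs = [(b".text", len(text), 0x1000, 0x200, 0x200, SCN_CODE | SCN_EXEC | SCN_READ),
            (b".data", 0x200, 0x2000, 0x200, 0x400, SCN_INIT | SCN_READ | SCN_WRITE),
            (b".inj0", 0x400, 0x3000, 0x400, 0x600, SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)]
    opt = bytearray(240)                                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                                # Magic
    struct.pack_into("<I", opt, 16, 0x1000)                              # AddressOfEntryPoint -> .text
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                      # SectionAlignment, FileAlignment
    coff = struct.pack("<HHIIIHH", 0x8664, len(hdrs), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack(SECTION_FMT, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in hdrs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0") + data + inj


if __name__ == "__main__":
    print(json.dumps(analyze(build_sample_pe()), indent=2))
```

Running it prints the snapshot: .text and .data carry no flags, while .inj0 is flagged for both W+X and high entropy, and verify() fails as soon as any field of the snapshot is edited. The 7.0 entropy threshold is a heuristic, not a verdict: compressed resources and embedded certificates also score high, so the flag is a prompt to inspect the bytes, and a header-level parser like this sees only what the on-disk section table claims, not what a loader actually mapped.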
3. Analytical Reasoning
Instead of returning long, unstructured log sequences, the final output compiles directly into a SANS DFIR executive case file layout, translating low-level anomalies into an actionable threat intelligence summary automatically.
📜 MIT License
This project is licensed under the MIT License - see the LICENSE file for details.