iida-mcp IDA Integration

iida-mcp IDA 集成

Skill by ara.so — MCP Skills collection.

iida-mcp is an IDA Pro plugin that exposes the current IDB's static analysis capabilities through a local HTTP MCP service. It provides 77 MCP tools for binary analysis, supports multiple IDA instances with automatic routing, and offers optional Windows kernel driver capabilities for kernel-mode analysis.

由 ara.so 开发的Skill — MCP Skills 合集。

iida-mcp是一款IDA Pro插件，通过本地HTTP MCP服务暴露当前IDB的静态分析能力。它提供77个用于二进制分析的MCP工具，支持多IDA实例自动路由，并提供可选的Windows内核驱动功能以进行内核模式分析。

What iida-mcp Does

iida-mcp 的功能

Static Analysis via MCP: Exposes IDA Pro's reverse engineering capabilities through Model Context Protocol
Multi-Instance Support: Automatically routes requests to the correct IDA instance when multiple IDBs are open
Comprehensive Tools: 77 MCP tools covering disassembly, decompilation, CFG analysis, cross-references, and more
Kernel Analysis: Optional Windows kernel driver for reading kernel memory and enumerating modules
x86/x86-64 Focus: Primarily designed for x86/x86-64 architecture executables

通过MCP实现静态分析：通过MCP（Model Context Protocol）暴露IDA Pro的逆向工程能力
多实例支持：当打开多个IDB时，自动将请求路由到正确的IDA实例
全面的工具集：77个MCP工具，涵盖反汇编、反编译、CFG分析、交叉引用等功能
内核分析：可选Windows内核驱动，用于读取内核内存和枚举模块
聚焦x86/x86-64架构：主要为x86/x86-64架构可执行文件设计

Installation

安装

Plugin Installation

插件安装

Copy plugin files to IDA's
```
plugins/
```
directory:

IDA_DIR/plugins/
  iida.py
  iida_core/
    __init__.py
    cache.py
    kdriver.py
    protocol.py
    registry.py
    router.py
    server.py
    thread_safe.py
    tools.py
    worker.py

Restart IDA Pro (compatible with IDA 8+ and IDA 9.x)

将插件文件复制到IDA的
```
plugins/
```
目录：

IDA_DIR/plugins/
  iida.py
  iida_core/
    __init__.py
    cache.py
    kdriver.py
    protocol.py
    registry.py
    router.py
    server.py
    thread_safe.py
    tools.py
    worker.py

重启IDA Pro（兼容IDA 8+和IDA 9.x版本）

Starting the MCP Server

启动MCP服务器

Open a target file in IDA Pro
Activate via
```
Edit > Plugins > iida-mcp
```
or press
```
Alt+Shift+I
```
First IDA instance starts server on
```
0.0.0.0:13897
```
Additional IDA instances automatically connect as workers
Toggle server/connection by pressing
```
Alt+Shift+I
```
again

在IDA Pro中打开目标文件
通过
```
Edit > Plugins > iida-mcp
```
激活，或按下
```
Alt+Shift+I
```
第一个IDA实例会在
```
0.0.0.0:13897
```
启动服务器
额外的IDA实例会自动作为工作节点连接
再次按下
```
Alt+Shift+I
```
可切换服务器/连接状态

MCP Client Configuration

MCP客户端配置

Configure your MCP client to connect to the HTTP endpoint:

json

{
  "mcpServers": {
    "iida": {
      "url": "http://127.0.0.1:13897/mcp"
    }
  }
}

For remote connections (from another machine):

json

{
  "mcpServers": {
    "iida-remote": {
      "url": "http://192.168.1.100:13897/mcp"
    }
  }
}

配置MCP客户端以连接HTTP端点：

json

{
  "mcpServers": {
    "iida": {
      "url": "http://127.0.0.1:13897/mcp"
    }
  }
}

如需远程连接（从另一台机器）：

json

{
  "mcpServers": {
    "iida-remote": {
      "url": "http://192.168.1.100:13897/mcp"
    }
  }
}

Key MCP Tools

核心MCP工具

File and Database Information

文件与数据库信息

list_files - List all connected IDA instances and their files:

python

undefined

list_files - 列出所有已连接的IDA实例及其文件：

python

undefined

Returns list of active IDB files with their IDs

Use file IDs for the 'f' parameter in other tools


**get_file_info** - Get metadata about the analyzed file:
```python


**get_file_info** - 获取被分析文件的元数据：
```python

Arguments: f (optional file ID)

Returns: filename, path, MD5, SHA256, architecture, etc.


**read_bytes** - Read raw bytes from the binary:
```python


**read_bytes** - 读取二进制文件的原始字节：
```python

Arguments:

ea (effective address, hex string)

size (number of bytes)

f (optional file ID)

undefined

undefined

Functions and Disassembly

函数与反汇编

list_functions - Enumerate all functions:

python

undefined

list_functions - 枚举所有函数：

python

undefined

Arguments: f (optional file ID)

Returns: array of {ea, name, size, flags}


**get_function_info** - Get detailed function information:
```python


**get_function_info** - 获取详细的函数信息：
```python

Arguments:

ea (function address, hex string)

f (optional file ID)

Returns: start_ea, end_ea, size, name, frame size, flags


**disassemble** - Get disassembly listing:
```python


**disassemble** - 获取反汇编列表：
```python

Arguments:

ea (start address, hex string)

count (number of instructions, default 10)

f (optional file ID)

Returns: array of disassembled instructions with addresses


**disasm_bytes** - Disassemble raw bytes using Capstone:
```python


**disasm_bytes** - 使用Capstone反汇编原始字节：
```python

Arguments:

bytes_hex (hex-encoded bytes)

arch (optional: "x86", "x64", default auto-detect)

f (optional file ID)

Requires: capstone installed in IDA's Python environment

undefined

undefined

Decompilation (Requires Hex-Rays)

反编译（需Hex-Rays）

decompile - Get decompiled pseudocode:

python

undefined

decompile - 获取反编译伪代码：

python

undefined

Arguments:

ea (function address, hex string)

f (optional file ID)

Returns: C-like pseudocode


**get_function_args** - Get function parameter information:
```python


**get_function_args** - 获取函数参数信息：
```python

Arguments:

ea (function address, hex string)

f (optional file ID)

Returns: array of {name, type, location}


**get_local_vars** - Get local variables:
```python


**get_local_vars** - 获取局部变量：
```python

Arguments:

ea (function address, hex string)

f (optional file ID)

undefined

undefined

Control Flow and Cross-References

控制流与交叉引用

get_function_cfg - Get control flow graph:

python

undefined

get_function_cfg - 获取控制流图：

python

undefined

Arguments:

ea (function address, hex string)

f (optional file ID)

Returns: nodes and edges representing CFG


**get_xrefs_to** - Get cross-references to an address:
```python


**get_xrefs_to** - 获取指向某地址的交叉引用：
```python

Arguments:

ea (target address, hex string)

f (optional file ID)

Returns: array of {from, to, type}


**get_xrefs_from** - Get cross-references from an address:
```python


**get_xrefs_from** - 获取从某地址出发的交叉引用：
```python

Arguments:

ea (source address, hex string)

f (optional file ID)


**get_call_tree** - Build call tree (callers/callees):
```python


**get_call_tree** - 构建调用树（调用者/被调用者）：
```python

Arguments:

ea (function address, hex string)

direction ("up" for callers, "down" for callees)

depth (recursion depth, default 3)

f (optional file ID)

undefined

undefined

Searching

搜索功能

search_text - Search for text strings:

python

undefined

search_text - 搜索文本字符串：

python

undefined

Arguments:

pattern (search string)

case_sensitive (boolean, default false)

f (optional file ID)


**search_bytes** - Search for byte patterns:
```python


**search_bytes** - 搜索字节模式：
```python

Arguments:

pattern (hex pattern, e.g. "48 8B ? ? 90")

f (optional file ID)

Use ? for wildcard bytes


**search_immediate** - Search for immediate values:
```python


**search_immediate** - 搜索立即数：
```python

Arguments:

value (decimal or hex string)

f (optional file ID)

undefined

undefined

Modification Tools

修改工具

rename - Rename address:

python

undefined

rename - 重命名地址：

python

undefined

Arguments:

ea (address, hex string)

new_name (new symbol name)

f (optional file ID)


**set_comment** - Add/modify comment:
```python


**set_comment** - 添加/修改注释：
```python

Arguments:

ea (address, hex string)

text (comment text)

repeatable (boolean, default false)

f (optional file ID)


**set_type** - Set type information:
```python


**set_type** - 设置类型信息：
```python

Arguments:

ea (address, hex string)

type_str (C-style type declaration)

f (optional file ID)

Example type_str: "int __fastcall(void *ptr, size_t len)"


**patch_bytes** - Modify bytes in database:
```python


**patch_bytes** - 修改数据库中的字节：
```python

Arguments:

ea (address, hex string)

bytes_hex (hex-encoded replacement bytes)

f (optional file ID)

undefined

undefined

Structures and Types

结构体与类型

list_structs - List all structures:

python

undefined

list_structs - 列出所有结构体：

python

undefined

Arguments: f (optional file ID)

Returns: array of structure names and IDs


**get_struct_info** - Get structure definition:
```python


**get_struct_info** - 获取结构体定义：
```python

Arguments:

name (structure name)

f (optional file ID)

Returns: members with offsets, types, sizes


**list_enums** - List enumerations:
```python


**list_enums** - 列出枚举类型：
```python

Arguments: f (optional file ID)


**typed_read** - Read memory with type interpretation:
```python


**typed_read** - 按类型解析读取内存：
```python

Arguments:

ea (address, hex string)

type_str (C type, e.g. "unsigned int")

f (optional file ID)

Returns: interpreted value

undefined

undefined

Kernel Analysis (Windows Only)

内核分析（仅Windows）

kernel_read_memory - Read kernel memory:

python

undefined

kernel_read_memory - 读取内核内存：

python

undefined

Arguments:

address (kernel virtual address, hex string)

size (bytes to read)

Requires: iida-mcp-ioctl.sys driver loaded


**kernel_list_modules** - Enumerate kernel modules:
```python


**kernel_list_modules** - 枚举内核模块：
```python

Returns: array of {name, base, size}

Requires: iida-mcp-ioctl.sys driver loaded


**kernel_get_module_base** - Get module base address:
```python


**kernel_get_module_base** - 获取模块基地址：
```python

Arguments:

name (module name, e.g. "ntoskrnl.exe")

Requires: iida-mcp-ioctl.sys driver loaded


**map_ida_to_runtime** - Map IDA address to runtime address:
```python


**map_ida_to_runtime** - 将IDA地址映射到运行时地址：
```python

Arguments:

ea (IDA address, hex string)

module_name (target module name)

f (optional file ID)

Useful for live debugging correlation

undefined

undefined

Common Usage Patterns

常见使用模式

Single IDB Analysis

单IDB分析

When working with one IDA database, omit the

parameter:

python

undefined

当仅处理一个IDA数据库时，可省略

参数：

python

undefined

Get function info at specific address

get_function_info(ea="0x401000")

Decompile function

decompile(ea="0x401000")

Get cross-references

get_xrefs_to(ea="0x401000")

undefined

get_xrefs_to(ea="0x401000")

undefined

Multi-IDB Workflow

多IDB工作流

When multiple IDA instances are connected:

python

undefined

当连接多个IDA实例时：

python

undefined

1. List available files

files = list_files()

Returns: [{id: "file1", path: "C:\samples\malware.exe"}, ...]

2. Use file ID in subsequent calls

get_function_info(ea="0x401000", f="file1") decompile(ea="0x401000", f="file1")

undefined

get_function_info(ea="0x401000", f="file1") decompile(ea="0x401000", f="file1")

undefined

Reverse Engineering Workflow

逆向工程工作流

Typical analysis sequence:

python

undefined

典型分析流程：

python

undefined

1. Get file overview

file_info = get_file_info()

2. List all functions

functions = list_functions()

3. Analyze interesting function

func = get_function_info(ea="0x401000") code = decompile(ea="0x401000") args = get_function_args(ea="0x401000") xrefs = get_xrefs_to(ea="0x401000")

4. Search for patterns

strings = search_text(pattern="password") crypto_calls = search_bytes(pattern="48 8B 05 ? ? ? ?")

5. Annotate findings

rename(ea="0x401000", new_name="decrypt_config") set_comment(ea="0x401000", text="RC4 decryption routine") set_type(ea="0x401000", type_str="void __fastcall(uint8_t *data, size_t len)")

undefined

rename(ea="0x401000", new_name="decrypt_config") set_comment(ea="0x401000", text="RC4 decryption routine") set_type(ea="0x401000", type_str="void __fastcall(uint8_t *data, size_t len)")

undefined

Kernel Driver Analysis

内核驱动分析

For kernel-mode binaries:

python

undefined

针对内核模式二进制文件：

python

undefined

1. Analyze driver in IDA

driver_info = get_file_info()

2. Map IDA addresses to runtime

runtime_addr = map_ida_to_runtime( ea="0x140001000", module_name="mydriver.sys" )

3. Read live kernel memory

kernel_data = kernel_read_memory( address=runtime_addr, size=256 )

4. List loaded kernel modules

modules = kernel_list_modules()

undefined

modules = kernel_list_modules()

undefined

Configuration

配置

Ports

端口

13897: MCP HTTP service (listens on all interfaces)
13898: Internal worker communication (localhost only)

13897: MCP HTTP服务（监听所有接口）
13898: 内部工作节点通信（仅本地主机）

Network Access

网络访问

By default, the MCP server listens on

0.0.0.0:13897

, allowing connections from:

Localhost:
```
http://127.0.0.1:13897/mcp
```
LAN:
```
http://<host-ip>:13897/mcp
```

For security, consider firewall rules if exposing to network.

默认情况下，MCP服务器监听

0.0.0.0:13897

，允许来自以下地址的连接：

本地主机：
```
http://127.0.0.1:13897/mcp
```
局域网：
```
http://<host-ip>:13897/mcp
```

出于安全考虑，若暴露到网络中，建议配置防火墙规则。

Dependencies

依赖项

Core Plugin: No additional dependencies (uses IDA's built-in Python)

Optional Dependencies:

Hex-Rays Decompiler: Required for

decompile

,

get_function_args

,

get_local_vars

Capstone: Required for
```
disasm_bytes
```
(install:
```
pip install capstone
```
in IDA's Python)
Kernel Driver: Required for
```
kernel_*
```
and
```
map_ida_to_runtime
```
tools

核心插件：无需额外依赖（使用IDA内置的Python环境）

可选依赖项：

Hex-Rays反编译器：使用
```
decompile
```
、
```
get_function_args
```
、
```
get_local_vars
```
工具需安装
Capstone：使用
```
disasm_bytes
```
工具需安装（在IDA的Python环境中执行：
```
pip install capstone
```
）
内核驱动：使用
```
kernel_*
```
和
```
map_ida_to_runtime
```
工具需安装

Kernel Driver Setup

内核驱动设置

The

iida-mcp-ioctl.sys

driver provides kernel memory access:

Driver is located in
```
driver/
```
directory
Requires proper code signing or test signing enabled
Load with
```
sc create
```
or driver loader tool
Without driver, kernel tools return clear error messages

Test Signing (development only):

cmd

bcdedit /set testsigning on

Load Driver:

cmd

sc create iida-mcp-ioctl binPath="C:\path\to\iida-mcp-ioctl.sys" type=kernel
sc start iida-mcp-ioctl

iida-mcp-ioctl.sys

驱动提供内核内存访问能力：

驱动位于
```
driver/
```
目录
需要正确的代码签名或启用测试签名
使用
```
sc create
```
或驱动加载工具加载
若未加载驱动，内核工具会返回清晰的错误信息

测试签名（仅开发环境）：

cmd

bcdedit /set testsigning on

加载驱动：

cmd

sc create iida-mcp-ioctl binPath="C:\path\to\iida-mcp-ioctl.sys" type=kernel
sc start iida-mcp-ioctl

Troubleshooting

故障排除

Server Won't Start

服务器无法启动

Issue: Plugin activated but server doesn't respond

Check IDA Output window for error messages
Verify port 13897 is not in use:
```
netstat -an | findstr 13897
```
Ensure IDA has network permissions (firewall)

问题：插件已激活但服务器无响应

查看IDA输出窗口中的错误信息
验证端口13897未被占用：
```
netstat -an | findstr 13897
```
确保IDA具备网络权限（防火墙设置）

Tool Returns "capstone not installed"

工具返回“capstone not installed”

Issue:

disasm_bytes

fails

python

undefined

问题：

disasm_bytes

执行失败

python

undefined

Install Capstone in IDA's Python environment

From IDA's Python console:

import subprocess import sys subprocess.check_call([sys.executable, "-m", "pip", "install", "capstone"])

undefined

import subprocess import sys subprocess.check_call([sys.executable, "-m", "pip", "install", "capstone"])

undefined

Kernel Tools Fail

内核工具执行失败

Issue:

kernel_read_memory

returns error

Verify

iida-mcp-ioctl.sys

is loaded:

sc query iida-mcp-ioctl

Check driver loaded correctly in DebugView or DbgView
Ensure administrator privileges
Verify test signing or proper code signature

问题：

kernel_read_memory

返回错误

验证

iida-mcp-ioctl.sys

已加载：

sc query iida-mcp-ioctl

在DebugView或DbgView中检查驱动是否正确加载
确保具备管理员权限
验证测试签名或代码签名是否有效

Multiple IDA Instances Not Routing

多IDA实例路由异常

Issue: Tools access wrong IDB

Always call
```
list_files()
```
first to get current file IDs
Include
```
f
```
parameter with correct file ID
Verify worker connection in IDA Output window

问题：工具访问了错误的IDB

始终先调用
```
list_files()
```
获取当前文件ID
在后续调用中包含正确的
```
f
```
参数
在IDA输出窗口中验证工作节点连接状态

Decompilation Tools Fail

反编译工具执行失败

Issue:

decompile

returns error

Ensure Hex-Rays Decompiler is installed and licensed
Verify address points to valid function:
```
get_function_info(ea="0x...")
```
Some functions may not decompile due to complexity or obfuscation

问题：

decompile

返回错误

确保Hex-Rays反编译器已安装并授权
验证地址指向有效函数：
```
get_function_info(ea="0x...")
```
部分函数可能因复杂度或混淆无法反编译

Remote Connection Fails

远程连接失败

Issue: Cannot connect from another machine

Verify server listens on
```
0.0.0.0
```
: check IDA Output window on startup
Check firewall allows inbound TCP 13897
Use host's actual IP, not 127.0.0.1
Ping host to verify network connectivity

问题：无法从另一台机器连接

验证服务器监听
```
0.0.0.0
```
：启动时查看IDA输出窗口
检查防火墙是否允许TCP 13897入站连接
使用主机实际IP，而非127.0.0.1
Ping主机以验证网络连通性

Tool Returns Empty Results

工具返回空结果

Issue: Search or query returns no data

Verify address is valid: check IDA's disassembly view
Ensure IDA has finished auto-analysis (check status bar)
For searches, check pattern syntax (hex bytes use spaces:
```
"48 8B 05"
```
)
Some tools require specific IDA analysis (e.g., functions must be recognized)

问题：搜索或查询无数据返回

验证地址有效：查看IDA的反汇编视图
确保IDA已完成自动分析（检查状态栏）
搜索时检查模式语法（十六进制字节需用空格分隔：
```
"48 8B 05"
```
）
部分工具需要特定的IDA分析结果（例如，函数需被识别）

Example Agent Workflow

示例Agent工作流

When helping a user analyze a binary with iida-mcp:

Verify Setup: Confirm IDA is running with plugin active
Check Connections: Use
```
list_files()
```
to see available IDBs
Gather Context: Use
```
get_file_info()
```
for binary metadata
Explore Functions: Use
```
list_functions()
```
to enumerate code
Deep Dive: Combine
```
disassemble()
```
,
```
decompile()
```
,
```
get_xrefs_to()
```
for analysis
Search & Pattern Match: Use
```
search_text()
```
,
```
search_bytes()
```
for specific artifacts
Annotate: Apply findings with
```
rename()
```
,
```
set_comment()
```
,
```
set_type()
```
Export: Document findings based on tool outputs

All addresses should be provided as hex strings (e.g.,

"0x401000"

) and the

parameter should be included when multiple IDBs are active.

使用iida-mcp帮助用户分析二进制文件时：

验证设置：确认IDA已运行且插件已激活
检查连接：使用
```
list_files()
```
查看可用IDB
收集上下文：使用
```
get_file_info()
```
获取二进制元数据
探索函数：使用
```
list_functions()
```
枚举代码
深入分析：结合
```
disassemble()
```
、
```
decompile()
```
、
```
get_xrefs_to()
```
进行分析
搜索与模式匹配：使用
```
search_text()
```
、
```
search_bytes()
```
查找特定特征
标注结果：使用
```
rename()
```
、
```
set_comment()
```
、
```
set_type()
```
应用分析发现
导出结果：基于工具输出记录分析结论

所有地址需以十六进制字符串形式提供（例如

"0x401000"

），当多个IDB处于活动状态时，需包含

参数。

iida-mcp-ida-integration

Original

Translation

iida-mcp IDA Integration

iida-mcp IDA 集成

What iida-mcp Does

iida-mcp 的功能

Installation

安装

Plugin Installation

插件安装

Starting the MCP Server

启动MCP服务器

MCP Client Configuration

MCP客户端配置

Key MCP Tools

核心MCP工具

File and Database Information

文件与数据库信息

Returns list of active IDB files with their IDs

Returns list of active IDB files with their IDs

Use file IDs for the 'f' parameter in other tools

Use file IDs for the 'f' parameter in other tools

Arguments: f (optional file ID)

Arguments: f (optional file ID)

Returns: filename, path, MD5, SHA256, architecture, etc.

Returns: filename, path, MD5, SHA256, architecture, etc.

Arguments:

Arguments:

ea (effective address, hex string)

ea (effective address, hex string)

size (number of bytes)

size (number of bytes)

f (optional file ID)

f (optional file ID)

Functions and Disassembly

函数与反汇编

Arguments: f (optional file ID)

Arguments: f (optional file ID)

Returns: array of {ea, name, size, flags}

Returns: array of {ea, name, size, flags}

Arguments:

Arguments:

ea (function address, hex string)

ea (function address, hex string)

f (optional file ID)

f (optional file ID)

Returns: start_ea, end_ea, size, name, frame size, flags

Returns: start_ea, end_ea, size, name, frame size, flags

Arguments:

Arguments:

ea (start address, hex string)

ea (start address, hex string)

count (number of instructions, default 10)

count (number of instructions, default 10)

f (optional file ID)

f (optional file ID)

Returns: array of disassembled instructions with addresses

Returns: array of disassembled instructions with addresses

Arguments:

Arguments:

bytes_hex (hex-encoded bytes)

bytes_hex (hex-encoded bytes)

arch (optional: "x86", "x64", default auto-detect)

arch (optional: "x86", "x64", default auto-detect)

f (optional file ID)

f (optional file ID)

Requires: capstone installed in IDA's Python environment

Requires: capstone installed in IDA's Python environment

Decompilation (Requires Hex-Rays)

反编译（需Hex-Rays）

Arguments:

Arguments:

ea (function address, hex string)

ea (function address, hex string)

f (optional file ID)

f (optional file ID)

Returns: C-like pseudocode

Returns: C-like pseudocode

Arguments: