Nexuscore_MCP
AI-powered MCP server for dynamic malware analysis with Frida instrumentation, session-based debugging, and 46+ security tools
claude mcp add --transport stdio sjkim1127-nexuscore_mcp nexuscore_mcp \
  --env RUST_LOG="info" \
  --env CAPE_API_URL="optional" \
  --env CAPE_API_TOKEN="optional"
How to use
NexusCore MCP is an advanced Model Context Protocol server designed to enable an AI agent to interact with a Windows malware analysis environment in real time. It exposes a suite of dynamic analysis, evasion, and forensics tools that run under Frida, Unicorn, and native components, allowing the AI agent to spawn and inspect malware, monitor API calls, dump memory, bypass delays, and perform forensic triage on the fly. The server communicates with AI clients over standard RMCP channels (stdio-based in the architecture diagram), enabling Claude Desktop or Cursor-like agents to issue commands and receive structured results.
To use NexusCore MCP, start the Rust-built executable and connect your AI integration to its standard input/output. The tools are grouped into dynamic analysis utilities (spawn_process, api_monitor, trace_execution, warp_time, dump_ssl_keys, emulate_shellcode, etc.), session-based debugging (session_start, session_command, session_batch, session_end, debug_help), and Frida session management (frida_session_create, frida_session_inject, frida_session_messages, frida_session_destroy). You can also run system checks (scan_persistence, inspect_gui, get_metrics) and perform automated analysis steps like CAPA detection, DIE/CAPA/PE-Sieve scans, YARA generation, and more. The integration is designed to return standardized JSON results with timing metadata, making it suitable for AI-driven decision making and iterative analysis.
When integrating with Claude Desktop or Cursor, provide a mapping for the NexusCore MCP server and ensure the environment variables (such as CAPE_API_URL and CAPE_API_TOKEN if you’re using CAPEv2) are configured. The tools operate on a Windows VM and leverage Frida for instrumentation, so ensure the host environment supports Frida injection and the necessary debugging permissions.
How to install
Prerequisites
- A Windows 10/11 x64 virtual machine (VM recommended)
- Rust toolchain (1.70+) installed
- Git installed
- Optional: CAPEv2 sandbox or accessible CAPE API for integration
Step 1: Install dependencies (recommended via the provided setup script in the repo)
- Clone the repository:
  git clone https://github.com/yourusername/NexusCore_MCP.git
  cd NexusCore_MCP
- Run the all-in-one setup script (PowerShell) to install required tools and utilities:
  Set-ExecutionPolicy Bypass -Scope Process -Force
  .\scripts\setup_tools.ps1
Step 2: Build NexusCore MCP
- Build in release mode: cargo build --release
- The executable will be located at: .\target\release\nexuscore_mcp.exe
Step 3: Create configuration
- Create a .env file in the repository root if you plan to set CAPE and log configurations, for example:
  CAPE_API_URL=http://127.0.0.1:8000
  CAPE_API_TOKEN=your_token_here
  RUST_LOG=info
Step 4: Run the MCP server
- Run the built executable directly: .\target\release\nexuscore_mcp.exe
- You should see startup logs indicating the server is listening on stdio, the RMCP transport used in this setup.
Step 5: Integrate with an AI client
- Configure your AI client to connect via the MCP protocol (stdio-based in this setup) and route requests to commands such as spawn_process, api_monitor, trace_execution, and frida_session_*.
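As an added example that is not part of the project's own documentation, the following claude_desktop_config.json entry maps the server built in Step 2 for Claude Desktop; the server key ("nexuscore_mcp"), the executable path, and the CAPE values are assumptions and should be replaced with your own (the token belongs in the env block, not in args, so it does not appear in process command lines):

```json
{
  "mcpServers": {
    "nexuscore_mcp": {
      "command": "C:\\Users\\analyst\\NexusCore_MCP\\target\\release\\nexuscore_mcp.exe",
      "args": [],
      "env": {
        "RUST_LOG": "info",
        "CAPE_API_URL": "http://127.0.0.1:8000",
        "CAPE_API_TOKEN": "your_token_here"
      }
    }
  }
}
```

Claude Desktop reads this file from %APPDATA%\Claude\claude_desktop_config.json on Windows; because the server spawns samples on the machine it runs on, the client configured this way should itself live inside the analysis VM rather than on the host.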
Additional notes
Tips and common issues:
- Ensure Frida is properly configured on the Windows VM to allow injection and instrumentation.
- If CAPEv2 integration is used, provide valid CAPE_API_URL and CAPE_API_TOKEN in the environment or .env file.
- The server outputs structured JSON with timing metadata; if logs seem missing or the AI client isn’t receiving results, verify the RMCP stdio channel is open and the process has the necessary permissions.
- For debugging, use the built-in debug_help tool to reference common cdb.exe commands when using the session-based debugger tools.
- When building from source, ensure a clean environment (fresh cargo registry) if you encounter dependency compilation issues.
- If running multiple analyses, consider using the async I/O and batch features to reduce IPC overhead.