Model Context Protocol moderate risk

Ida Pro

IDA Pro MCP server enables interactive reverse engineering with LLMs, providing access to IDB state, core functions, and modification operations within IDA Pro.

Connections & Capabilities

Connects To

GitHubAWS

Capabilities

readwriteexecadmin

Quickstart

Install

npx -y @modelcontextprotocol/inspector

Config

{
  "mcpServers": {
    "github.com/mrexodia/ida-pro-mcp": {
      "command": "uv",
      "args": [
        "--directory",
        "c:\\MCP\\ida-pro-mcp",
        "run",
        "server.py",
        "--install-plugin"
      ],
      "timeout": 1800,
      "disabled": false
    }
  }
}

Exposed MCP Tools (7)

safe

lookup_funcs

Retrieves function information by address or name.

Read-only operation, no side effects.

safe

int_convert

Converts numbers between different formats (decimal, hex, bytes, etc.).

Read-only operation, no side effects.

moderate

set_comments

Sets comments at specified addresses in the disassembly and decompiler views.

Non-destructive write operation, but can affect the IDB's readability.

high

patch_asm

Patches assembly instructions at specified addresses.

Structural modification that can corrupt the binary if misused.

critical

py_eval

Executes arbitrary Python code within the IDA context.

Allows unrestricted code execution, posing a significant security risk.

high

dbg_continue

Continues execution of the debugged process.

Can lead to unexpected behavior or security breaches if the process is malicious.

high

undefine

Undefines code or data at a given address, converting it back to raw bytes.

Structural modification that can corrupt the binary if misused.

Safety Assessment

The IDA Pro MCP server offers powerful reverse engineering capabilities but requires careful handling. It is safe when used for read-only analysis and exploration within a controlled environment. It becomes risky when modification operations, especially code patching or Python execution, are performed without thorough understanding and validation.

Access to potentially destructive operations is gated by IDA Pro's existing security model.
Many operations are read-only, limiting the potential for accidental damage.
The server requires a valid IDA Pro license, adding a layer of authentication.
Provides a dry-run mode for certain operations.

Allows code patching and type modification, which can corrupt the IDB if misused.
Enables execution of arbitrary Python code within the IDA context, posing a significant risk if exploited.
Exposes internal IDA state and functionality to external clients, potentially revealing sensitive information.
Debugger operations can directly manipulate a running process, leading to instability or security breaches.