IDA MCP Server

A headless IDA Pro MCP server built on idalib. Exposes IDA Pro's binary analysis capabilities over the Model Context Protocol (MCP), letting LLMs drive IDA Pro for reverse engineering tasks. Supports multiple simultaneous databases through a supervisor/worker architecture.

Note: This is a standalone server, not an IDA plugin. It uses idalib (IDA as a library) to run IDA's analysis engine headlessly — no IDA GUI needs to be running. You just need IDA Pro 9+ installed on the same machine.

Requirements

IDA Pro 9+ with a valid license (including Hex-Rays decompiler for decompilation tools)
Python 3.12+
uv package manager (recommended) or pip
macOS, Windows, or Linux

Installation

uv tool install ida-mcp

Or with pip:

pip install ida-mcp

The idapro package is loaded at runtime directly from your local IDA Pro installation — no extra setup steps or environment variables are needed if IDA is installed in a standard location.

From source

git clone https://github.com/jtsylve/ida-mcp && cd ida-mcp
uv sync

Or with pip:

git clone https://github.com/jtsylve/ida-mcp && cd ida-mcp
pip install -e .

Finding IDA Pro

At startup, the server looks for your IDA Pro installation in the following order:

IDADIR environment variable — checked first; set this if IDA is in a non-standard location.
IDA's own config file — Paths.ida-install-dir in ~/.idapro/ida-config.json (macOS/Linux) or %APPDATA%\Hex-Rays\IDA Pro\ida-config.json (Windows). If the IDAUSR environment variable is set, it is used as the config directory instead. This is the same config file IDA itself uses.
Platform-specific default paths:

Platform	Default search paths
macOS	`/Applications/IDA Professional *.app/Contents/MacOS`
Windows	`C:\Program Files\IDA Professional 9.3`, `C:\Program Files\IDA Pro 9.3`, and their `Program Files (x86)` equivalents
Linux	`/opt/ida-pro-9.3`, `/opt/idapro-9.3`, `/opt/ida-9.3`, `~/ida-pro-9.3`, `~/idapro-9.3`

If the server can't find IDA, you'll get a clear error message telling you to set IDADIR.

Usage

Stdio transport (default)

uvx ida-mcp

Or if installed with pip:

ida-mcp

Running without installing

You can run the server without installing it first:

# uv
IDADIR=/path/to/ida uvx ida-mcp

# pipx (set IDADIR if IDA isn't in a standard location)
IDADIR=/path/to/ida pipx run ida-mcp

# uv
$env:IDADIR = "C:\Program Files\IDA Professional 9.3"
uvx ida-mcp

# pipx (set IDADIR if IDA isn't in a standard location)
$env:IDADIR = "C:\Program Files\IDA Professional 9.3"
pipx run ida-mcp

MCP client configuration

Add to your MCP client config (e.g. Claude Desktop claude_desktop_config.json):

{
  "mcpServers": {
    "ida": {
      "command": "uvx",
      "args": ["ida-mcp"]
    }
  }
}

If you don't use uv, use ida-mcp directly (assuming it's installed and on your PATH):

{
  "mcpServers": {
    "ida": {
      "command": "ida-mcp"
    }
  }
}

If ida-mcp isn't on your PATH (e.g. installed into a pyenv or virtualenv), use the full path to the executable:

{
  "mcpServers": {
    "ida": {
      "command": "/home/user/.pyenv/versions/<version>/bin/ida-mcp"
    }
  }
}

On macOS, the path would typically be /Users/<you>/.pyenv/versions/<version>/bin/ida-mcp.

If IDA is not in a default location, add IDADIR via the env key (works with any command):

{
  "mcpServers": {
    "ida": {
      "command": "uvx",
      "args": ["ida-mcp"],
      "env": {
        "IDADIR": "/path/to/ida"
      }
    }
  }
}

Basic workflow

Open a binary — call open_database with the path to a binary or an existing .i64/.idb database, then wait_for_analysis to block until it is ready
Analyze — use the available tools (list functions, decompile, search strings, read bytes, etc.)
Close — call close_database when done (auto-saves by default)

Raw binaries must be in a writable directory since IDA creates a .i64 database file alongside them. When opening an existing database, the original binary does not need to be present.

Multi-database mode

Multiple databases can be open at the same time. By default, open_database keeps previously opened databases open. Pass keep_open=False to save and close databases owned by the current session before opening the new one. All tools except management tools (open_database, close_database, save_database, list_databases, wait_for_analysis) require the database parameter (the stem ID returned by open_database or list_databases).

open_database("first.bin")                              # spawns worker (returns immediately)
wait_for_analysis(database="first")                     # blocks until ready
open_database("second.bin")                             # spawns second worker
wait_for_analysis(database="second")                    # blocks until ready
decompile_function(address="main", database="first")    # targets first
close_database(database="second")                       # closes second

Environment variables

Variable	Default	Description
`IDADIR`	(auto-detected)	Path to IDA Pro installation directory
`IDA_MCP_MAX_WORKERS`	(no limit)	Maximum simultaneous databases (1-8, unset for unlimited)
`IDA_MCP_ALLOW_SCRIPTS`	(unset)	Set to `1`, `true`, or `yes` to enable the `run_script` tool for arbitrary IDAPython execution
`IDA_MCP_LOG_LEVEL`	`WARNING`	Logging level (`DEBUG`, `INFO`, `WARNING`, `ERROR`, `CRITICAL`) — output goes to stderr

Tools

The server provides tools covering all major areas of IDA Pro's functionality:

Database — open/close/save/list databases, file region mapping, metadata
Functions — list, query, decompile, disassemble, rename, prototypes, chunks, stack frames
Decompiler — pseudocode variable renaming/retyping, decompiler comments, microcode
Ctree — Hex-Rays AST exploration and pattern matching
Cross-References — xref queries, call graphs, xref creation/deletion
Imports & Exports — imported functions, exported symbols, entry points
Search — string extraction, byte patterns, text in disassembly, immediate values, string-to-code references, string list rebuilding
Types & Structures — local types, structs, enums, type parsing and application, source declarations
Instructions & Operands — decode instructions, resolve operand values, change operand display format
Control Flow — basic blocks, CFG edges, switch/jump tables
Data — raw byte reading, hex dumps, segment listing, pointer tables
Patching — byte patching, instruction assembly, function/code creation, data loading
Data Definition — define bytes, words, dwords, qwords, floats, doubles, strings, and arrays
Segments — create, modify, and rebase segments
Names & Comments — rename addresses, manage comments (get, set, and append)
Demangling — C++ symbol name demangling
Analysis — auto-analysis, fixups, exception handlers, segment registers
Address Metadata — source line numbers, analysis flags, library item marking
Register Tracking — register and stack pointer value tracking
Register Variables — register-to-name mappings within functions
Signatures — FLIRT signatures, type libraries, IDS modules
Export — batch decompilation/disassembly, output file generation, executable rebuilding
Snapshots — take, list, and restore database snapshots
Processor — architecture info, register names, instruction classification
Bookmarks — marked-position management
Colors — address/function coloring
Undo — undo/redo operations
Directory Tree — IDA folder organization
Utility — number conversion, IDC evaluation, scripting

All tools include MCP annotations (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) so clients can distinguish safe reads from mutations and prompt for confirmation on destructive operations. Mutation tools return old values alongside new values for change tracking.

See docs/tools.md for the complete tools reference.

Resources

The server exposes MCP resources — read-only, cacheable context endpoints that provide structured data without consuming tool calls:

Static binary data — imports, exports, entry points (with regex search variants)
Aggregate snapshot — statistics (function/segment/entry point/string/name counts, code coverage)
Supervisor — ida://databases lists all open databases with worker state

Prompts

The server provides MCP prompts — guided workflow templates that instruct the LLM to use tools in a structured sequence:

survey_binary — binary triage producing an executive summary
analyze_function — full single-function analysis with decompilation, data flow, and behavior summary
diff_before_after — preview the effect of renaming/retyping on decompiler output
classify_functions — categorize functions by behavioral pattern
find_crypto_constants — scan for known cryptographic constants
auto_rename_strings — suggest function renames based on string references
apply_abi — apply known ABI type information to identified functions
export_idc_script — generate an IDAPython script that reproduces user annotations

Architecture

See docs/architecture.md for detailed architecture documentation.

Development

# With uv (recommended)
uv sync                          # Install dependencies
uv run ruff check src/           # Lint
uv run ruff format src/          # Format
uv run ruff check --fix src/     # Lint with auto-fix

# With pip
pip install -e .                 # Install in editable mode
pip install pre-commit pytest pytest-asyncio ruff  # Install dev tools (see [dependency-groups] in pyproject.toml for pinned versions)
ruff check src/                  # Lint
ruff format src/                 # Format
ruff check --fix src/            # Lint with auto-fix

Pre-commit hooks run REUSE compliance checks, ruff lint (with auto-fix), ruff formatting, idalib threading lint, and pytest on every commit.

License

This project is licensed under the MIT License.

This project is REUSE compliant.

IDA Pro and Hex-Rays are trademarks of Hex-Rays SA. ida-mcp is an independent project and is not affiliated with or endorsed by Hex-Rays.

Version	Changes	Urgency	Date
v2.2.0	Adds a meta-tool layer that fundamentally changes how agents interact with IDA. Instead of dozens of round-trips — each burning tokens on schema, framing, and repeated context — agents can now compose complex multi-step operations, filter output, and chain tool calls server-side. The result is fewer MCP calls, tighter token budgets, and more sophisticated analysis per conversation turn. ## What's new ### execute meta-tool - Run arbitrary Python against the full IDA API in a single MCP call. An	High	4/21/2026
v2.2.0rc4	v2.2.0rc4 — Meta-Tools, Sandboxed Execute, and Daemon Mode Adds a meta-tool layer that fundamentally changes how agents interact with IDA. Instead of dozens of round-trips — each burning tokens on schema, framing, and repeated context — agents can now compose complex multi-step operations, filter output, and chain tool calls server-side. The result is fewer MCP calls, tighter token budgets, and more sophisticated analysis per conversation turn. What's new ---------- execute meta-tool: - Run a	High	4/20/2026
v2.2.0rc3	v2.2.0rc3 — Meta-Tools, Sandboxed Execute, and Daemon Mode Adds a meta-tool layer that fundamentally changes how agents interact with IDA. Instead of dozens of round-trips — each burning tokens on schema, framing, and repeated context — agents can now compose complex multi-step operations, filter output, and chain tool calls server-side. The result is fewer MCP calls, tighter token budgets, and more sophisticated analysis per conversation turn. What's new ---------- execute meta-tool: - Run a	High	4/20/2026
v2.2.0rc2	v2.2.0rc2 — Meta-Tools, Sandboxed Execute, and Daemon Mode Adds a meta-tool layer that fundamentally changes how agents interact with IDA. Instead of dozens of round-trips — each burning tokens on schema, framing, and repeated context — agents can now compose complex multi-step operations, filter output, and chain tool calls server-side. The result is fewer MCP calls, tighter token budgets, and more sophisticated analysis per conversation turn. What's new ---------- execute meta-tool: - Run a	High	4/19/2026
v2.1.0	Major architecture upgrade: migrated to FastMCP v3, added structured Pydantic output for all tools, introduced background auto-analysis, session-scoped database ownership, and batch operations. ## What's new ### FastMCP v3 migration - Replaced `mcp[cli]` with standalone `fastmcp>=3.1` and `mcp>=1.26`. - Worker management now uses FastMCP's `Client`/`StdioTransport` instead of raw subprocess handling. - Worker pool extracted into a native FastMCP `Provider` (`WorkerPoolProvider`) with `RoutingT	High	4/6/2026
v2.1.0rc2	Major architecture upgrade: migrated to FastMCP v3, added structured Pydantic output for all tools, introduced background auto-analysis, session-scoped database ownership, and batch operations. ## What's new ### FastMCP v3 migration - Replaced `mcp[cli]` with standalone `fastmcp>=3.1` and `mcp>=1.26`. - Worker management now uses FastMCP's `Client`/`StdioTransport` instead of raw subprocess handling. - Worker pool extracted into a native FastMCP `Provider` (`WorkerPoolProvider`) with `RoutingT	Medium	4/5/2026
v2.0.4	Patch release fixing a database session management bug. ## What's new in v2.0.4 - Fix open_database returning 'already_open' for databases whose previous load attempt failed or was still in progress, preventing reopening after transient errors. - Update dependency versions (anyio, attrs, and others via uv.lock). ## What's new in v2.0.3 - Add pip, pipx, and pyenv installation instructions alongside uv commands throughout the README, with MCP client config examples for non-uv users inc	Medium	4/1/2026
v2.0.3	Patch release improving installation flexibility and build portability. ## What's new in v2.0.3 - Add pip, pipx, and pyenv installation instructions alongside uv commands throughout the README, with MCP client config examples for non-uv users including full-path pyenv/virtualenv setups. - Clarify that ida-mcp is a standalone idalib server, not an IDA plugin. - Switch build backend from uv_build to hatchling for broader compatibility — this is a pure Python package with no uv-specific b	Medium	3/30/2026
v2.0.2	v2.0.2 — Cooperative Cancellation Patch release adding cooperative cancellation and removing pagination hard caps. What's new in v2.0.2 -------------------- - Cooperative cancellation: supervisor sends SIGUSR1 to workers on MCP notifications/cancelled, setting IDA's cancellation flag so batch loops break early via check_cancelled()/is_cancelled() helpers. - Workers handle SIGINT (first press cancels, second escalates to shutdown) and SIGUSR1 (idempotent cancel from supervisor). - sessio	Medium	3/27/2026
v2.0.1	v2.0.1 — Concurrency and Environment Fixes Patch release fixing worker dispatch reliability and environment variable inheritance in the supervisor/worker architecture. Fixes ----- - Fix worker subprocesses not inheriting environment variables. The MCP SDK default (get_default_environment) only forwards a small allowlist of variables, causing workers to silently lose IDADIR and other env vars needed for IDA bootstrap. Workers now inherit the full parent environment. - Add per-worker co	Medium	3/26/2026
v2.0.0	Major release adding a supervisor/worker architecture for multiple simultaneous databases, MCP resources for structured read-only context, and prompt templates for guided analysis workflows. ## What's new ### Multi-database support - Open multiple databases at once with `keep_open=True` on `open_database`. Each binary gets its own worker process and idalib instance. - Target any open database by name with the `database` parameter, now available on every tool. Omit it when only one is open. - M	Medium	3/25/2026
v2.0.0rc2	v1 could only work with one binary at a time. v2 adds a supervisor/worker architecture so you can open multiple binaries in a single MCP session. ## What's new - Open multiple databases at once with `keep_open=True` on `open_database`. Each binary gets its own worker process and idalib instance. - Target any open database by name with the `database` parameter, now on every tool. Omit it when only one is open. - Manage sessions with `list_databases` and `close_database`. ## Changes since rc1	Medium	3/24/2026
v2.0.0rc1	v1 could only work with one binary at a time. v2 adds a supervisor/worker architecture so you can open multiple binaries in a single MCP session. ## What's new - Open multiple databases at once with `keep_open=True` on `open_database`. Each binary gets its own worker process and idalib instance. - Target any open database by name with the `database` parameter, now on every tool. Omit it when only one is open. - Manage sessions with `list_databases` and `close_database`. ## Internals - `ida-m	Medium	3/24/2026
v1.0.0	v1.0.0 — Initial public release Headless IDA Pro 9.3 MCP server built on idalib. Exposes IDA's full analysis capabilities over the Model Context Protocol (MCP), letting LLMs drive IDA Pro for reverse engineering tasks. Highlights ---------- - 181 tools covering all major areas of IDA Pro's functionality - Stdio transport for easy integration with any MCP client - Automatic IDA Pro installation discovery (IDADIR, ida-config.json, or platform-specific default paths) - Published on PyPI — inst	Low	3/19/2026
v1.0.0-rc1	Initial Release Candidate	Low	3/14/2026

ida-mcp

Description

README