If you’ve ever worked in digital forensics or malware analysis, you know the feeling. You’re staring at a screen, buried under a mountain of data.

It might be a Procmon trace with millions of events, or a packed executable that refuses to give up its secrets. I’ve lost count of the hours I’ve spent manually sifting through that noise, knowing the clue I need is right there, if only I could get to it.
That frustration is exactly why I started building two new open-source tools. I’m chuffed to bits to finally share them today: ProcmonMCP and the PeMCP Toolkit. My goal was to build something that could cut through the noise and help us get to the interesting bits faster.
Actually Talking to Your Procmon Logs with ProcmonMCP
Let’s be honest, we all rely on Procmon, but wrestling with its XML logs can be a proper slog. It’s a fantastic tool for capturing data, but a nightmare for analysing it.
That’s where ProcmonMCP comes in.
It’s a server that you point at a Procmon XML file. It loads the whole thing up, does some clever optimisation in the background, and then lets you—or an AI assistant—ask it plain English questions. The workflow completely changes from hunting and filtering to just… investigating.
Instead of building complex filters, you can just ask things like:
- “What were the top 10 busiest processes?”
- “Show me every file `svchost.exe` wrote to the Windows directory.”
- “Did `suspicious.exe` make any network connections? If so, where to?”
It’s about getting answers directly from the data, which I hope will save people a massive amount of time. (Just a quick heads-up: these logs can contain very sensitive info, so please use it responsibly in a trusted environment).
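To make the three questions above concrete, here is an added example (my own illustration, not ProcmonMCP's code) that streams a Procmon XML export and answers each one in Python; the five-event sample is constructed, and the element names (`Process_Name`, `Operation`, `Path`, and so on) are an assumption based on Procmon's "Save as XML" output.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from io import BytesIO

# Constructed sample shaped like a Procmon "Save as XML" export; the element names are an
# assumption based on that export, and a real log carries far more fields and events.
SAMPLE_XML = b"""<procmon><eventlist>
<event><Process_Name>svchost.exe</Process_Name><PID>812</PID><Operation>WriteFile</Operation>
<Path>C:\\Windows\\System32\\Tasks\\Updater</Path><Result>SUCCESS</Result></event>
<event><Process_Name>svchost.exe</Process_Name><PID>812</PID><Operation>WriteFile</Operation>
<Path>C:\\Users\\bob\\tmp.dat</Path><Result>SUCCESS</Result></event>
<event><Process_Name>suspicious.exe</Process_Name><PID>4321</PID><Operation>TCP Connect</Operation>
<Path>host.lab:51000 -&gt; 203.0.113.7:443</Path><Result>SUCCESS</Result></event>
<event><Process_Name>suspicious.exe</Process_Name><PID>4321</PID><Operation>RegSetValue</Operation>
<Path>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd</Path><Result>SUCCESS</Result></event>
<event><Process_Name>explorer.exe</Process_Name><PID>1500</PID><Operation>CreateFile</Operation>
<Path>C:\\Users\\bob\\Desktop</Path><Result>SUCCESS</Result></event>
</eventlist></procmon>"""

FIELDS = ("Process_Name", "PID", "Operation", "Path", "Result")

def iter_events(source):
    """Stream <event> records with iterparse so a multi-GB log never sits in memory whole."""
    for _, elem in ET.iterparse(source, events=("end",)):
        if elem.tag == "event":
            yield {f: (elem.findtext(f) or "") for f in FIELDS}
            elem.clear()  # drop the subtree once the fields have been copied out

def load_events(xml_bytes):
    return list(iter_events(BytesIO(xml_bytes)))

def busiest_processes(events, n=10):
    """'What were the top 10 busiest processes?' -> [(process name, event count), ...]"""
    return Counter(e["Process_Name"] for e in events).most_common(n)

def files_written(events, process, under="C:\\Windows\\"):
    """'Show me every file <process> wrote to the Windows directory.'"""
    return sorted({e["Path"] for e in events
                   if e["Process_Name"].lower() == process.lower()
                   and e["Operation"] == "WriteFile"
                   and e["Path"].lower().startswith(under.lower())})

def network_connections(events, process):
    """'Did <process> make any network connections? If so, where to?' -> (operation, remote)"""
    hits = []
    for e in events:
        if e["Process_Name"].lower() == process.lower() and e["Operation"].startswith(("TCP", "UDP")):
            _, _, remote = e["Path"].partition(" -> ")  # Procmon renders network paths as "local -> remote"
            hits.append((e["Operation"], remote or e["Path"]))
    return hits
```

Point `iter_events` at a real export's file path instead of the constructed bytes and the same three functions answer the same three questions over millions of events without loading the whole file.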
Making Sense of Binaries with the PeMCP Toolkit
So, ProcmonMCP looks at what a program did. The PeMCP Toolkit, on the other hand, is for figuring out what a program is. Static analysis can often feel like a disconnected process where you’re jumping between five different tools just to build a complete picture. I wanted to change that.
The PeMCP Toolkit is an all-in-one suite that doesn’t just parse a PE file—it connects the dots.
Where it really comes alive, though, is in providing context. It’s one thing to find a suspicious string, but it’s another to know why it’s there. The bit I’m probably most proud of is its ability to link static strings directly to the functions that use them, and even show you the disassembly around the reference. It also integrates fantastic tools like `flare-floss` for digging out hidden strings, `flare-stringsifter` to rank them by importance, and of course, YARA and Capa. It’s about building a rich, correlated view of a file’s capabilities from a single place.
Dual Wielding: Using Both Tools in Tandem
This is where it gets really exciting. The tools are powerful on their own, but the real magic happens when you use them together—a workflow I’ve started calling ‘dual wielding’.
Imagine this: you have both MCP servers running at the same time, giving you a complete, real-time view of a suspect file.
- On one screen, you have the PeMCP Toolkit loaded with `malware.exe`. It’s already told you the file has capabilities for persistence via scheduled tasks and has flagged a suspicious-looking domain name buried in its code.
- On the other, you’re feeding a live Procmon capture from your sandbox into ProcmonMCP. You’re not guessing where to look anymore; you’re armed with intelligence.
You can pivot instantly. You see the file write to `System32\Tasks` in the Procmon trace and immediately switch to the PeMCP window to examine the exact function responsible for that behaviour. You spot a network connection in the live trace and can instantly ask the PeMCP toolkit to show you the disassembly for how that flagged domain is actually used in the code.
This is what I mean by dual wielding. It closes the loop between static potential and dynamic evidence, turning two separate phases of analysis into one fluid investigation.
Have a Go
These tools were born out of my own experiences in the field, trying to make my own life easier. They’re open-source, and I genuinely hope they can help you as much as they’ve already helped me.
I’d love for you to get stuck in, try them out, and see what you think.
You can find both projects, along with all the documentation, over on my GitHub: https://github.com/JameZUK/
Feedback, ideas, and bug reports are more than welcome. Let me know what you build with them!