Speakeasy is a Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime instead of a full VM. It emulates APIs, process/thread behavior, filesystem, registry, and network activity so samples can keep moving through realistic execution paths. You can run it from the speakeasy CLI for fast triage or embed it as a Python library and consume structured JSON reports.
Background context: Mandiant's overview post.
Install from PyPI:
python3 -m pip install speakeasy-emulator
Run a sample and inspect high-level report fields (replace sample.dll with your target):
speakeasy -t sample.dll --no-mp -o report.json 2>/dev/null
jq '{sha256, arch, filetype, entry_points: (.entry_points | length)}' report.json
{
  "sha256": "30ec092d122a90441a2560f6778ef8233c98079cd34b7633f7bbc2874c8d7a45",
  "arch": "x86",
  "filetype": "dll",
  "entry_points": 3
}
Executable proof for this snippet: doc/readme-quickstart-showboat.md.
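The same high-level summary from Python, as an added example rather than code from the Speakeasy project: it reads report.json and first confirms that the report's sha256 matches the sample on disk, so a stale or mismatched report is not triaged by mistake. It assumes only the four report fields shown above; summarize_report and demo are hypothetical names, and the sample bytes and report are constructed.

```python
import hashlib
import json
import os
import tempfile


def summarize_report(report_path, sample_path):
    """Return the quickstart's summary fields once the report is tied to the sample."""
    with open(report_path, encoding="utf-8") as fh:
        report = json.load(fh)

    # Hash the sample in chunks so large binaries are not read into memory at once.
    digest = hashlib.sha256()
    with open(sample_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)

    reported = str(report.get("sha256", "")).lower()
    if reported != digest.hexdigest():
        raise ValueError(f"report sha256 {reported!r} does not match sample {digest.hexdigest()}")

    entry_points = report.get("entry_points")
    if not isinstance(entry_points, list):
        raise ValueError("report has no entry_points list")

    return {
        "sha256": reported,
        "arch": report.get("arch"),
        "filetype": report.get("filetype"),
        "entry_points": len(entry_points),
    }


def demo():
    """Run the check against a constructed sample and a constructed report."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.dll")
        report = os.path.join(tmp, "report.json")
        data = b"MZ constructed placeholder bytes, not a real DLL"
        with open(sample, "wb") as fh:
            fh.write(data)
        with open(report, "w", encoding="utf-8") as fh:
            json.dump({"sha256": hashlib.sha256(data).hexdigest(), "arch": "x86",
                       "filetype": "dll", "entry_points": [{}, {}, {}]}, fh)
        return summarize_report(report, sample)


if __name__ == "__main__":
    print(demo())
```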
Start with doc/help.md.
If you still need help, open an issue at github.com/mandiant/speakeasy/issues.