
github.com/mandiant/speakeasy @v2.0.0b3 sqlite

3,002 symbols · 9,335 edges · 160 files · 1,537 documented (51%)
README

Speakeasy

Speakeasy is a Windows malware emulation framework that executes binaries, drivers, and shellcode in a modeled Windows runtime instead of a full VM. It emulates APIs, process/thread behavior, filesystem, registry, and network activity so samples can keep moving through realistic execution paths. You can run it from the speakeasy CLI for fast triage or embed it as a Python library and consume structured JSON reports.

Background context: Mandiant's overview post.

Quick start

Install from PyPI:

python3 -m pip install speakeasy-emulator

Run a sample and inspect high-level report fields (replace sample.dll with your target):

speakeasy -t sample.dll --no-mp -o report.json 2>/dev/null
jq '{sha256, arch, filetype, entry_points: (.entry_points | length)}' report.json
{
  "sha256": "30ec092d122a90441a2560f6778ef8233c98079cd34b7633f7bbc2874c8d7a45",
  "arch": "x86",
  "filetype": "dll",
  "entry_points": 3
}

Executable proof for this snippet: doc/readme-quickstart-showboat.md.

Documentation map

Start here

CLI usage

Reports, configuration, and runtime behavior

Debugging and extension

Questions and help

Start with doc/help.md.

If you still need help, open an issue at github.com/mandiant/speakeasy/issues.

Core symbols most depended-on inside this repo

mem_write · called by 443 · speakeasy/winenv/api/api.py
get_ptr_size · called by 281 · speakeasy/winenv/api/api.py
read_mem_string · called by 199 · speakeasy/winenv/api/api.py
set_last_error · called by 173 · speakeasy/windows/win32.py
get_char_width · called by 143 · speakeasy/winenv/api/api.py
mem_read · called by 107 · speakeasy/winenv/api/api.py
update · called by 107 · speakeasy/windows/common.py
get_bytes · called by 79 · speakeasy/winenv/api/api.py

Shape

Method: 2,118
Class: 416
Function: 239
Route: 229

Languages

Python 100%

Modules by API surface

speakeasy/winenv/api/usermode/kernel32.py · 425 symbols
speakeasy/winenv/api/kernelmode/ntoskrnl.py · 177 symbols
speakeasy/winenv/api/usermode/user32.py · 155 symbols
speakeasy/windows/winemu.py · 139 symbols
speakeasy/winenv/api/usermode/msvcrt.py · 135 symbols
speakeasy/winenv/defs/nt/ntoskrnl.py · 92 symbols
speakeasy/windows/objman.py · 88 symbols
speakeasy/winenv/api/usermode/advapi32.py · 74 symbols
speakeasy/binemu.py · 70 symbols
speakeasy/speakeasy.py · 65 symbols
speakeasy/winenv/api/api.py · 62 symbols
speakeasy/winenv/api/kernelmode/wdfldr.py · 59 symbols

Dependencies from manifests, versioned

capstone
lznt1
pefile
pycryptodome
pydantic 2.0 · 1×
rich
unicorn 2.1.4 · 1×

For agents

$ claude mcp add speakeasy \
  -- python -m otcore.mcp_server <graph>
