[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80867":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":13,"stars30d":13,"stars90d":15,"forks30d":15,"starsTrendScore":17,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":20,"hasPages":20,"topics":22,"createdAt":10,"pushedAt":10,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":15,"starSnapshotCount":15,"syncStatus":26,"lastSyncTime":27,"discoverSource":28},80867,"pocsmith","originsec\u002Fpocsmith","originsec","Autonomous Windows POC developer from patchwatch diff reports","",null,"Python",44,9,35,0,4,12,3,"Apache License 2.0",false,"main",[],"2026-06-12 02:04:07","# pocsmith\n\nAn autonomous Windows POC developer. Reads [patchwatch](https:\u002F\u002Fgithub.com\u002Foriginsec\u002Fpatchwatch) per-CVE reports and drives a Claude agent through writing, building, deploying, running, and verifying a Proof-of-Concept against a pre-patch Windows VM under a remote kernel debugger.\n\npocsmith wires a handful of MCP servers and an LLM into one workflow:\n\n- **[patchwatch](https:\u002F\u002Fgithub.com\u002Foriginsec\u002Fpatchwatch)** — produces the per-CVE reports (description, ranked binaries, ghidriff output) that pocsmith consumes.\n- **[hyperv-mcp](https:\u002F\u002Fgithub.com\u002Foriginsec\u002Fhyperv-mcp)** — Hyper-V VM lifecycle: snapshots, KD configuration, PowerShell-Direct guest exec.\n- **[kd-mcp](https:\u002F\u002Fgithub.com\u002Foriginsec\u002Fkd-mcp)** — remote kernel debugger wrapper (breakpoints, register\u002Fmemory inspection, `!analyze -v`).\n- **[pyghidra-mcp](https:\u002F\u002Fgithub.com\u002Fclearbluejar\u002Fpyghidra-mcp)** — Ghidra running over the pre-patch binary with PDB 
symbols applied.\n- **pocsmith-mcp** — driver tools the agent uses to compile, record attempts, declare success, and end phases. Implemented in this repo.\n- **Anthropic API** — the agent that drives the loop. Configurable model.\n\nIt is designed to run **locally** against your own infrastructure: your Hyper-V host, your VMs, your ISOs. The only outbound traffic is to the LLM endpoint you configure.\n\n## Safety\n\npocsmith generates and runs exploit code. The system prompt restricts execution to the target Hyper-V VM via `hyperv-mcp`; payloads never run on the host. Treat any artifacts produced (POC sources, repro scripts) as authorized-research output and handle them accordingly. Only use against systems you control or are explicitly authorized to test.\n\n## Prerequisites\n\n### Hardware\n\n- Windows 11 host with Hyper-V enabled (32 GB RAM recommended).\n- At least one Windows ISO matching the CVE's patch KB (e.g. a 24H2 build).\n\n### Software\n\n| Dependency | Where to get it | Notes |\n|---|---|---|\n| Python 3.12+ | \u003Chttps:\u002F\u002Fpython.org> | Must be on `PATH`. |\n| Visual Studio 2022 | \u003Chttps:\u002F\u002Fvisualstudio.com> | Install the *Desktop Development with C++* workload. |\n| Windows SDK (Debugging Tools) | \u003Chttps:\u002F\u002Fdeveloper.microsoft.com\u002Fwindows\u002Fdownloads\u002Fwindows-sdk> | Needed for `kd.exe`. |\n| Docker Desktop | \u003Chttps:\u002F\u002Fdocker.com> | For `ghidra.mode: docker` (recommended). |\n| Java 21+ | \u003Chttps:\u002F\u002Fadoptium.net> | Only for `ghidra.mode: local`. |\n| Ghidra 11.x | \u003Chttps:\u002F\u002Fgithub.com\u002FNationalSecurityAgency\u002Fghidra> | Only for `ghidra.mode: local`; set `GHIDRA_INSTALL_DIR`. |\n| pyghidra-mcp | `pip install pyghidra-mcp` | Only for `ghidra.mode: local`. |\n| patchwatch | \u003Chttps:\u002F\u002Fgithub.com\u002Foriginsec\u002Fpatchwatch> | Produces the CVE reports pocsmith consumes. 
|\n| hyperv-mcp | \u003Chttps:\u002F\u002Fgithub.com\u002Foriginsec\u002Fhyperv-mcp> | Installed editable by `setup.ps1`; invoked as `python -m hyperv_mcp`. |\n| kd-mcp | \u003Chttps:\u002F\u002Fgithub.com\u002Foriginsec\u002Fkd-mcp> | Installed editable by `setup.ps1`; invoked as `python -m kd_mcp`. |\n\n### Environment variables\n\nSet these in a `.env` file at the workspace root (copy `.env.example` to start):\n\n```\nANTHROPIC_API_KEY               your Anthropic API key\nHYPERV_GUEST_USERNAME           guest VM admin username (e.g. Administrator)\nHYPERV_GUEST_PASSWORD           guest VM admin password\nHYPERV_GUEST_VICTIM_USERNAME    optional: unprivileged account for EoP scenarios\nHYPERV_GUEST_VICTIM_PASSWORD    optional: password for the victim account\nGHIDRA_INSTALL_DIR              e.g. C:\\Tools\\ghidra_11.3  (only for ghidra.mode=local)\n```\n\n## Quickstart\n\n```powershell\n# 1. Clone and enter the project\ngit clone https:\u002F\u002Fgithub.com\u002Foriginsec\u002Fpocsmith.git\ncd pocsmith\n\n# 2. Run the setup script. Creates a venv, installs deps, generates a config\n#    template, and pulls the pyghidra-mcp Docker image.\n.\\scripts\\setup.ps1\n\n# 3. Activate the venv\n.\\.venv\\Scripts\\Activate.ps1\n\n# 4. Copy and edit the env file\ncopy .env.example .env\nnotepad .env\n\n# 5. Copy and edit the config file\ncopy pocsmith.example.yaml pocsmith.yaml\nnotepad pocsmith.yaml\n\n# 6. Export a CVE from patchwatch\npatchwatch export-poc-context CVE-2026-XXXXX --out C:\\Research\\pocsmith-workspaces\n\n# 7. 
Run pocsmith\npocsmith run --cve CVE-2026-XXXXX --config pocsmith.yaml\n```\n\nTo check prerequisites without installing anything:\n\n```powershell\n.\\scripts\\check-prereqs.ps1\n```\n\n## CLI\n\n```powershell\n# Start a fresh run on an exported CVE\npocsmith run --cve CVE-2026-XXXXX --config pocsmith.yaml\n\n# Steer the agent with a hint injected into the first phase kickoff\npocsmith run --cve CVE-2026-XXXXX --config pocsmith.yaml `\n    --hint \"The bug is in the pool allocation path; try heap spray with large IRPs first.\"\n\n# Resume an interrupted run (re-uses notes.md and attempt history)\npocsmith resume --cve CVE-2026-XXXXX --config pocsmith.yaml\n\n# List CVE workspaces under the configured workspace root\npocsmith inspect --workspace-root C:\\Research\\pocsmith-workspaces\n\n# Regenerate the report.md for a workspace that already reached a success status\npocsmith report --cve CVE-2026-XXXXX --config pocsmith.yaml\n\n# Live-tail the active session transcript in human-readable form\npocsmith tail --cve CVE-2026-XXXXX --config pocsmith.yaml --tail\n# ...or point it at any session.jsonl directly:\npocsmith tail --file C:\\Research\\pocsmith-workspaces\\CVE-2026-XXXXX\\session.jsonl --thinking\n```\n\nOptional flags on `run` and `resume`:\n\n| Flag | Default | Description |\n|---|---|---|\n| `--level A\u002FB\u002FC` | A | A = crash repro, B = controlled primitive, C = full exploit. |\n| `--config` | — | Path to `pocsmith.yaml`. |\n| `--workspace-root` | from config | Override workspace root. |\n| `--vm-name` | from config | Hyper-V VM name. |\n| `--hint TEXT` | _(none)_ | Hints injected into the agent's first kickoff message. |\n| `--model` | `claude-opus-4-7` | Anthropic model id. |\n| `--skip-build-check` | off | Skip verifying that the VM's build matches `context.json`'s `patched_build`. |\n\n## Configuration\n\n`pocsmith.example.yaml` is the canonical example. 
The fields most worth knowing about:\n\n```yaml\nvm:\n  backend: hyperv                          # only supported backend\n  vm_root: C:\\VMs\\pocsmith                 # where Hyper-V VHDXs live\n  default_profile: win11-24h2              # VM used when no --vm-name given\n  mcp_module: hyperv_mcp                   # python -m hyperv_mcp (installed in venv)\n\nkd:\n  module: kd_mcp                           # python -m kd_mcp (installed in venv)\n\nhyperv_guest:\n  username_env: HYPERV_GUEST_USERNAME      # env var holding the admin username\n  password_env: HYPERV_GUEST_PASSWORD\n  victim_username_env: HYPERV_GUEST_VICTIM_USERNAME   # optional unprivileged account\n  victim_password_env: HYPERV_GUEST_VICTIM_PASSWORD\n\nghidra:\n  mode: docker                              # docker | local\n  image: ghcr.io\u002Fclearbluejar\u002Fpyghidra-mcp\n  port: 8000\n\ncompile:\n  vcvarsall: C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Auxiliary\\Build\\vcvarsall.bat\n  arch: x64\n\nattacker_py:\n  venv: C:\\Research\\pocsmith-workspaces\\attacker-venv\n  sysinternals_dir: C:\\Research\\pocsmith-workspaces\\sysinternals   # optional\n  packages: [impacket]\n\nllm:\n  model: claude-opus-4-7\n  api_key_env: ANTHROPIC_API_KEY\n  context_threshold_pct: 70\n\nceilings:\n  level_a: { wall_min: 60,  iterations: 40, dollars: 10.0, phases: 8  }\n  level_b: { wall_min: 240, iterations: 80, dollars: 50.0, phases: 16 }\n  level_c: { wall_min: 240, iterations: 80, dollars: 50.0, phases: 16 }\n\npaths:\n  patchwatch_bin: C:\\Tools\\patchwatch\\patchwatch.exe\n  workspace_root: C:\\Research\\pocsmith-workspaces\n```\n\n### Local Ghidra (no Docker)\n\n```yaml\nghidra:\n  mode: local\n  pyghidra_mcp_cmd: pyghidra-mcp\n  ghidra_install_dir: C:\\Tools\\ghidra_11.3\n```\n\n## How it works\n\n```\npatchwatch report  -->  pocsmith run  -->  Claude agent (Agent SDK)\n                                                |\n                     
+--------------------------+--------------------------+\n                     v                          v                          v\n                 hyperv-mcp                 kd-mcp                   pyghidra-mcp\n              (VM lifecycle,           (kernel debugger)          (pre-patch binary\n               guest exec,                                          + PDB analysis)\n               KD setup)\n                     |                          |\n                     +----------+---------------+\n                                |\n                         pocsmith-mcp\n                   (compile_c, attacker_py,\n                    record_attempt, end_phase,\n                    report_outcome, cve_context)\n                                |\n                         pre-patch VM\n                         (kernel-debugged)\n```\n\nEach run is a sequence of *phases*, each one a bounded Claude Agent SDK session.\nThe agent iterates: edit POC source, compile, deploy to VM, trigger the bug,\ncapture KD output, record the attempt, revert, repeat. On `report_outcome`,\npocsmith replays the attempt on a fresh revert to verify the signal before\npromoting artifacts.\n\n### Phases\n\nA *phase* is a coherent stretch of work — typically 3–6 iterations chasing one\nhypothesis. A run is 3–8 phases. A phase ends when the agent calls `end_phase`\n(voluntary, on changing hypothesis or hitting a wall) or when the driver's\ninput-token threshold (default 70% of the model's context window) is reached.\n\nOn phase end the full transcript is flushed to `transcripts\u002Fphase-N.jsonl`, the\nsession closes, and the next phase starts fresh — reading `notes.md` and a\ncompact summary of `attempts\u002F*\u002Fstatus.json` instead of a transcript replay.\n\n### Replay verification\n\n`report_outcome` is the terminal call. On a success status, pocsmith:\n\n1. Reverts the VM to a clean snapshot.\n2. 
Re-attaches kd, re-deploys the recorded POC artifact, re-runs the recorded invocation.\n3. Evaluates the agent-declared signal against the replay's kd output.\n\nSignals are one of five typed kinds: `bugcheck`, `usermode_exception`,\n`kd_breakpoint_hit`, `service_crash`, `assertion`. Anything outside this set is\nrecorded as `unverified_claim` and not promoted to an artifact.\n\nThe `register_predicate` DSL on `kd_breakpoint_hit` signals supports register\nreads, dereferences with displacement, integer comparisons, and AND\u002FOR.\n\n### Budgets\n\n| Level | Wall-clock | Iterations | Dollars | Phases |\n|---|---|---|---|---|\n| A | 60 min | 40 | $10 | 8 |\n| B | 4 h | 80 | $50 | 16 |\n| C | 4 h | 80 | $50 | 16 |\n\nAt 75% of any ceiling pocsmith injects a one-line reminder before the next\niteration. At 100% it forces the agent to call `report_outcome` and refuses\nfurther tool calls.\n\n## Workspace layout\n\n`paths.workspace_root` is the root for all pocsmith runtime data: the shared\nattacker venv, the Sysinternals tools cache, and one isolated subdirectory per\nCVE.\n\n```\n\u003Cworkspace-root>\\\n  attacker-venv\\               shared Python venv with impacket etc. 
(setup.ps1)\n  sysinternals\\                Sysinternals Suite, host-side stage (setup.ps1)\n  CVE-XXXX-NNNNN\\\n    context.json               static CVE context from patchwatch\n    pre-patch\\                 pre-patch binaries (hardlinked from patchwatch cache)\n    post-patch\\                post-patch binaries\n    ghidriff\\                  ghidriff diff outputs\n    symbols\\                   _NT_SYMBOL_PATH cache\n    ghidra-project\\            pyghidra .gpr (cached by pre-patch SHA)\n    poc\\                       agent's POC sources and builds\n    notes.md                   agent exobrain - survives phase boundaries\n    attempts\\NNN\\              per-iteration: status.json, kd.log, target.log\n    transcripts\\phase-N.jsonl  full session transcript per phase\n    artifacts\\                 written on verified success:\n      poc\\                     the verified POC\n      repro.md                 reproduction steps\n      verification.json        signal match record\n      summary.md               run summary\n      report.md                LLM-written narrative report\n    .mcp.json                  auto-generated MCP server config\n    pocsmith-run.lock          prevents concurrent runs on this workspace\n```\n\nThe agent receives `POCSMITH_SYSINTERNALS` as an env var on the pocsmith MCP\nwhen `attacker_py.sysinternals_dir` is set, and is instructed to deploy those\nbinaries into the guest via `hyperv_guest_put` rather than executing them on\nthe host.\n\n## Architecture notes\n\n- **Phase-scoped sessions**: each phase is a fresh Agent SDK session. Persistent state lives in `notes.md` (agent-curated) and `attempts\u002F*\u002Fstatus.json` (driver-written). 
Transcripts are flushed to disk but not replayed.\n- **Subagents for expensive reads**: the system prompt directs the agent to route large-token reads (full decompilations, kd dumps, ghidriff JSON) through `Task` subagents that return short structured summaries — the single biggest token-cost lever for Ghidra-heavy CVEs.\n- **VM-only exploit execution**: the system prompt forbids running exploit code on the host. attacker_py is for network-side tooling (e.g. impacket) targeting the VM, not host-side exploitation.\n- **Idempotent resume**: `pocsmith resume` re-uses the existing workspace, `notes.md`, and attempt history. It starts a new phase, not a full transcript replay.\n- **Driver-managed MCP supervision**: `.mcp.json` is generated per workspace; kd-mcp and pyghidra-mcp are crash-restarted; hyperv-mcp failures abort the run.\n\nSee [docs\u002Fdesign.md](docs\u002Fdesign.md) for the complete design spec, including signal-predicate types, context-window management, and MCP server contracts.\n\n## Testing\n\n```powershell\n# Unit tests (no VM, no Anthropic, no Ghidra)\npytest\n\n# Live smoke tests are gated by RUN_LIVE=1\n$env:RUN_LIVE = \"1\"; pytest -k smoke\n```\n\n## Contributing\n\nIssues and PRs welcome. This is a research tool, not a product — expect rough edges and breaking changes between versions.\n\n---\n\n## License\n\nApache 2.0 — see [LICENSE](.\u002FLICENSE) and [NOTICE](.\u002FNOTICE)\n\nBuilt by [Origin](https:\u002F\u002Foriginhq.com) for security research and red team operations.\n","pocsmith is an automated Windows proof-of-concept (POC) development tool. It reads information from patchwatch CVE reports and drives a Claude agent through writing, building, deploying, running and verifying the POC. Its core function is to integrate several MCP servers with a large language model to drive the whole workflow, with support for remote kernel debugging of a pre-patch Windows virtual machine. The project is particularly suited to security researchers who need to quickly generate and test POCs for known vulnerabilities in a controlled environment. It requires a local Windows 11 host, a Hyper-V environment and the related software configuration. Generated files must be handled with care and used only for authorized research purposes.",2,"2026-06-11 04:02:37","CREATED_QUERY"]