Displaying 1 to 20 from 27 results

mcsema - Framework for lifting x86, amd64, and aarch64 program binaries to LLVM bitcode

  •    C++

McSema is an executable lifter. It translates ("lifts") executable binaries from native machine code to LLVM bitcode. LLVM bitcode is an intermediate representation form of a program that was originally created for the retargetable LLVM compiler, but which is also very useful for performing program analysis methods that would not be possible to perform on an executable binary directly. McSema enables analysts to find and retroactively harden binary programs against security bugs, independently validate vendor source code, and generate application tests with high code coverage. McSema isn’t just for static analysis. The lifted LLVM bitcode can also be fuzzed with libFuzzer, an LLVM-based instrumented fuzzer that would otherwise require the target source code. The lifted bitcode can even be compiled back into a runnable program! This is a procedure known as static binary rewriting, binary translation, or binary recompilation.

IDASkins - Advanced skinning plugin for IDA Pro

  •    Python

Plugin providing advanced skinning support for IDA Pro utilizing Qt stylesheets, similar to CSS. The screenshot above shows the "IDASkins Dark" theme in combination with the idaConsonance theme.


  •    Python

GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in IDA. Select a function, both in the Graph view or in the Text View. Then, Press CTRL+ALT+D or (Edit > Plugins > GhIDA Decompiler). Wait a few seconds and a new window will open showing the decompiled code of the function.

ipyida - IPython console integration for IDA Pro

  •    Python

IPyIDA is a python-only solution to add an IPython console to IDA Pro. Use <Shift-.> to open a window with an embedded Qt console. You can then benefit from IPython’s autocompletion, online help, monospaced font input field, graphs, and so on. You can also connect to the kernel outside of IDA using ipython console --existing.

FIDL - A sane API for IDA Pro's decompiler. Useful for malware RE and vulnerability research

  •    Python

This is a set of utilities wrapping the decompiler API into something sane. This code focus on vulnerability research and bug hunting, however most of the functionality is generic enough to be used for broader reverse engineering purposes. Release mode: pip install .

ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API

  •    Python

ScratchABit is an interactive incremental disassembler with data/control flow analysis capabilities. ScratchABit is dedicated to the efforts of the OpenSource reverse engineering community (reverse engineering to produce OpenSource drivers/firmware for hardware not properly supported by vendors, for hardware and software interoperability, for security research). ScratchABit supports well-known in the community IDAPython API to write disassembly/extension modules.

vm86 - 🍔 A x86 Script Instruction Virtual Machine

  •    C

This is a very simple and lightweight x86 virtual machine which can load and run the assembly code from ida pro directly. And we call it in c language first.

ida-xtensa2 - IDAPython plugin for Tensilica Xtensa (as seen in ESP8266), version 2

  •    Python

This is a processor plugin for disassemblers which use IDAPython API, to support the Xtensa core found in Espressif ESP8266. It does not support other configurations of the Xtensa architecture, but that is probably (hopefully) easy to implement. Originally developed for IDA (https://github.com/themadinventor/ida-xtensa), this fork is used almost exclusively with ScratchABit open-source disassembler: https://github.com/pfalcon/ScratchABit . Copy the file to the plugins/cpu/ directory in your ScratchABit install.

iBoot64helper - IDAPython utility to help with iBoot64 reverse engineering

  •    Python

This aims to become an IDAPython utility to help with iBoot64 reverse engineering. Currently it just locates iBoot's proper loading address, rebases the image, and identifies ARM64 functions based on a common function prologue. As you can see in the screenshot below, 1347 functions are recognized after running it on iBoot version 4076.1.43. I will be adding features to it, like function renaming based on string usage, etc.

Utilities - Uncategorized utilities

  •    Python

Uncategorized utilities that do not need their own repository. Small dumb utility to port obvious function matches across two IDA databases.

ida-evm - IDA Processor Module for the Ethereum Virtual Machine (EVM)

  •    Python

IDA Processor Module for the Ethereum Virtual Machine (EVM). This plugin is under active development. New issues and contributions are welcome, and are covered by bounties from Trail of Bits. Join us in #ethereum on the Empire Hacking Slack to discuss Ethereum security tool development.

continuum - Plugin adding multi-binary project support to IDA Pro (WIP)

  •    Python

continuum is an IDA Pro plugin adding multi-binary project support, allowing fast navigation in applications involving many shared libraries. This project is still work in progress and not suitable for production use.

ida-cmake - IDA plugin CMake build-script

  •    CMake

This repository holds CMake build scripts and a Python helper allowing compilation of C++ IDA plugins for Windows, macOS and Linux without much user effort. Substitute <ida-sdks-path> with a directory of the IDA SDK corresponding to your IDA version.

JARVIS - "Just Another ReVersIng Suite" or whatever other bullshit you can think of

  •    Python

The auxiliary plugin jarvis_launcher.py registers a shortcut (Alt-J) which launches the actual plugin. JARVIS is written in PySide (Qt). It consists of a dockable Widget with several tabs, one for each different category.


  •    Julia

Note that CVODES and IDAS contain all functions provided by CVODE and IDA (for integration without sensitivity analysis). If you need to use the latter, you can set enable_sensitivities=false in deps/build.jl and (re)build the package. before you install the package. Downloading and/or re-building of the library can be triggered by Pkg.build("Sundials") if anything goes wrong.

bap-ida-python - integration with IDA

  •    Python

This package provides the necessary IDAPython scripts required for interoperatibility between BAP and IDA Pro. It also provides many useful feature additions to IDA, by leveraging power from BAP. BAP-IDA integration package installs several plugins into IDA distribution. Some plugins works automatically, and do not require user intervention, while others are invoked with keybindings, or via the Edit->Plugins menu, that can be popped at with the Ctrl-3 bindging.

Cardinal - Similarity Analysis to Defeat Malware Compiler Variations

  •    LLVM

CPC Aggregation by Reversing and Dumping in Arrays Lightweight (CARDINAL) is a tool that can find similarities between binaries compiled with different optimization flags, or even completely different compilers. CARDINAL accurately finds the number of arguments at each callsite, also known as the callsite parameter cardinalities (CPC's), and creates a easily comparable signature by aggregating them per function and dumping the result into a Bloom filter. Bloom filters are compared via the Jaccard index from which a similarity score is calculated. CARDINAL is proven to tolerate differences between binaries produced using the same source but different compiler configurations, from using different optimization levels to using completely different compilers. We hope that CARDINAL paves the way for future static analyses that similarly tolerate radical code transformations like a dynamic analysis, yet still retain the benefits of static analysis. For more information, see the paper. The test harness automates the above steps for a large number of binaries. We run the tests en masse by executing a find command and running the above steps on all matching files. The test harness is designed to perform the isocompiler modulation, different compiler, and different source tests, and as such, the harness only handles files that conform to the naming scheme adopted for the aforementioned tests. The scheme is as follows: [name_of_test_binary].simple.lin.[name_of_compiler].[optimization_flag].elf "Name of compiler" can be "clang" or "gcc" and "optimization flag" can be "o0," "o1," "o2," or "o3".