Plugins
25 files
-
HexRaysCodeXplorer (Recompiled for IDA Pro)
By bluedevil
The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware like Stuxnet, Flame, Equation, Animal Farm ...
Features:
Automatic type REconstruction for C++ objects. To be able to reconstruct a type using HexRaysCodeXplorer one needs to select the variable holding pointer to the instance of position independed code or to an object and by right-button mouse click select from the context menu «REconstruct Type» option. Virtual function table identification - automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified the plugin generates a corresponding C-structure. As shown below during reconstructing struct_local_data_storage two virtual function tables were identified and, as a result, two corresponding structures were generated: struct_local_data_storage_VTABLE_0 and struct_local_data_storage_VTABLE_4. C-tree graph visualization – a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). Useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window Ctree Item View – show ctree representation for highlighted element Extract Types to File – dump all types information (include reconstructed types) into file. Navigation through virtual function calls in HexRays Pseudocode window. After representing C++ objects by C-structures this feature make possible navigation by mouse clicking to the virtual function calls as structure fields Jump to Disasm - small feature for navigate to assembly code into "IDA View window" from current Pseudocode line position. It is help to find a place in assembly code associated with decompiled line. Object Explorer – useful interface for navigation through virtual tables (VTBL) structures. Object Explorer outputs VTBL information into IDA custom view window. The output window is shown by choosing «Object Explorer» option in right-button mouse click context menu Support auto parsing RTTI objects This plugin is recompiled by disauto
71 downloads
Updated
-
Abyss
By Teddy Rogers
IDAPython plugin for postprocessing of Hexrays Decompiler output.
117 downloads
0 comments
Updated
-
Lighthouse
By Teddy Rogers
Lighthouse is a powerful code coverage plugin for IDA Pro and Binary Ninja. As an extension of the leading disassemblers, this plugin enables one to interactively explore code coverage data in new and innovative ways when symbols or source may not be available for a given binary.
This plugin is labeled only as a prototype & code resource for the community.
92 downloads
0 comments
Submitted
-
MicroAVX
By Teddy Rogers
MicroAVX is an extension of the IDA Pro decompiler, adding partial support for a number of common instructions from Intel's Advanced Vector Extensions (AVX). This plugin demonstrates how the Hex-Rays microcode can be used to lift and decompile new or previously unsupported instructions.
There are no plans further develop MicroAVX, or extend its coverage to the complete set of AVX instructions. This plugin is labeled only as a prototype & code resource for the community.
83 downloads
0 comments
Submitted
-
Prefix
By Teddy Rogers
Prefix is a small function prefixing plugin for IDA Pro. The plugin augments IDA's function renaming capabilities by adding a handful of convenient prefixing actions to relevant right click menus.
62 downloads
0 comments
Submitted
-
Lucid
By Teddy Rogers
Lucid is a developer-oriented IDA Pro plugin for exploring the Hex-Rays microcode. It was designed to provide a seamless, interactive experience for studying microcode transformations in the decompiler pipeline.
This plugin is labeled only as a prototype & code resource for the community. Please note that it is a development aid, not a general purpose reverse engineering tool.
77 downloads
0 comments
Updated
-
HexRaysCodeXplorer
By Teddy Rogers
The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware like Stuxnet, Flame, Equation, Animal Farm ...
97 downloads
0 comments
Submitted
-
HexRaysDeob
By Teddy Rogers
Hex-Rays microcode API plugin for breaking an obfuscating compiler.
146 downloads
0 comments
Submitted
-
idenLib
By Teddy Rogers
When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.
idenLib.exe is a tool for generating library signatures from .lib/.obj/.exe files.
idenLib.dp32/idenLib.dp64 is a x32dbg/x64dbg plugin to identify library functions.
idenLib.py is an IDA Pro plugin to identify library functions.
115 downloads
0 comments
Submitted
-
Oregami
By Teddy Rogers
IDA plugins and scripts for analyzing register usage frame.
If this happened to you (perhaps more than once), you are in for a treat!
Just Shift-X, and your troubles will go away!
You may also re(g)name the register in the usage frame. Just Shift-N, and follow instructions!
Also - instead of changing the types of all the usages to a certain type, just Shift-T once.
Note: Sometimes there is already another plugin using Shift-T. Remove that plugin - you never used it before anyway :-).
63 downloads
0 comments
Submitted
-
IDA Batch Decompile
By Teddy Rogers
IDA Batch Decompile is a plugin for Hex-Ray's IDA Pro that adds the ability to batch decompile multiple files and their imports with additional annotations (xref, stack var size) to the pseudocode .c file
102 downloads
0 comments
Submitted
-
UEFI BinDiff
By Teddy Rogers
UEFI modules analysing with BinDiff IDA plugin. In fact, most real UEFI firmwares are building using edk2. Thus, to simplify the analysis, we can match debug versions of UEFI images with release versions from real firmware using BinDiff.
68 downloads
0 comments
Submitted
-
dwarfexport
By Teddy Rogers
dwarfexport is an IDA Pro plugin that allows the user to export dwarf debug information. This can then be imported in to gdb and other tools, allowing you to debug using info you have recovered in IDA even when you cannot connect the IDA debugger.
65 downloads
0 comments
Submitted
-
Sk3wlDbg
By Teddy Rogers
This is the Sk3wlDbg plugin for IDA Pro. It's purpose is to provide a front end for using the Unicorn Engine to emulate machine code that you are viewing with IDA.
The plugin installs as an IDA debugger which you may select whenever you open an IDA database containing code supported by Unicorn. Currently supported architectures include:
x86 x86-64 ARM ARM64 MIPS MIPS64 SPARC SPARC64 M68K65 downloads
0 comments
Submitted
-
LoadProcConfig
By Teddy Rogers
LoadProcConfig is an IDA Plugin to load processor configuration files.
With just a couple of clicks configuration files can add memory regions, entries and registers/ports.
By default IDA is shipped with configuration files for many processors in IDA/cfg folder. These configuration files are loaded automatically when corresponding processor module is loaded.
However, this approach has some disadvantages:
You have to keep your own configuration files inside IDA There is no easy way to load and apply configuration file on existing database Most important, ARM processor module doesn't have configuration file Current plugin was implemented to address all these issues.
63 downloads
0 comments
Submitted
-
0 comments
Submitted
-
idawasm
By Teddy Rogers
These IDA Pro plugins add support for loading and disassembling WebAssembly modules.
Features:
control flow reconstruction and graph mode code and data cross references globals, function parameters, local variables, etc. can be renamed auto-comment hint support55 downloads
0 comments
Submitted
-
HeapViewer
By Teddy Rogers
An IDA Pro plugin to examine the heap, focused on exploit development.
Currently supports the glibc malloc implementation (ptmalloc2).
3rd place winner of the 2018 Hex-Rays Plugin Contest
63 downloads
0 comments
Submitted
-
Binary Lifting Contraption
By Teddy Rogers
This is the blc (Binary Lifting Contraption) plugin for IDA Pro. It is the custard love child of Ghidra's decompiler with Ida Pro.
The plugin integrates Ghidra's decompiler code into an Ida plugin an provides a basic decompiler capability for all platforms support by both Ida and Ghidra. It provides a basic source code display that attempts to mimic that of the Hex-Rays decompiler. It has only been written with Ida 7.x in mind.
59 downloads
0 comments
Submitted
-
uEmu
By Teddy Rogers
uEmu is a tiny cute emulator plugin for IDA based on unicorn engine.
Supports following architectures out of the box: x86, x64, ARM, ARM64, MIPS, MIPS64.
What is it GOOD for?
Emulate bare metal code (bootloaders, embedded firmware etc) Emulate standalone functions What is it BAD for?
Emulate complex OS code (dynamic libraries, processes etc) Emulate code with many syscalls What can be improved?
Find a way to emulate vendor specific register access (like MSR S3_x, X0 for ARM64) Add more registers to track61 downloads
0 comments
Submitted
-
RetDec
By Teddy Rogers
RetDec plugin for IDA (Interactive Disassembler). RetDec is a retargetable machine-code decompiler based on LLVM. The decompiler is not limited to any particular target architecture, operating system, or executable file format.
The plugin is compatible with the IDA 7.5+ versions. The plugin does NOT work with IDA 6.x, IDA 7.0-7.4, or freeware version of IDA 7.0. The plugin comes at both 32-bit and 64-bit address space variants (both are 64-bit binaries). I.e. it works in both ida and ida64. At the moment, it can decompile the following architectures:
32-bit: x86, arm, mips, and powerpc. 64-bit: x86-64, arm64.
75 downloads
0 comments
Submitted
-
Search API Plugin
By Teddy Rogers
A Simple plugin for IDA Pro that automates the process of googling an API.
It Googles the selected function name in a new tab of your default browser.
67 downloads
0 comments
Submitted
-
FRIEND
By Teddy Rogers
Flexible Register/Instruction Extender aNd Documentation (FRIEND) is an IDA plugin created to improve disassembly and bring register/instruction documentation right into IDA View.
78 downloads
0 comments
Submitted
-
CLI Macros
By Teddy Rogers
CLI macros is a productivity tool that lets you define and use static or dynamic macros in IDA's command line interfaces (Python, IDC, WinDbg, BochDbg, Gdb, etc.).
53 downloads
0 comments
Submitted
-
VT-IDA Plugin
By Teddy Rogers
This is the official VirusTotal plugin for Hex-Rays IDA Pro. This plugin integrates functionality from VirusTotal web services into the IDA Pro's user interface.
The current version is v0.9, This plugin is not production-ready yet, and unexpected behavior can still occur. This release integrates VTGrep into IDA Pro, facilitating the searching for similar code, strings, or sequences of bytes.
Requirements
This plugin has been developed for IDA Pro 7.0 and beyond and supports both Python 2.7 and 3.x. It requires the "requests" module, the easiest way of installing it is by using pip:
$ pip install requests Installation
Copy the content of the plugin directory into the IDA Pro's plugin directory and start IDA Pro.
Usage
While in the disassembly window, select an area of a set of instructions and right-click to chose one of the following actions:
Search for bytes: it searches for the bytes contained in the selected area. Search for string: it searches for the same string as the one selected in the Strings Window. Search for similar code: identifies memory offsets or addresses in the currently selected area and ignores them when searching. Search for similar code (strict): same as above but it also ignores all the constants in the currently selected area. Search for similar functions: same as "similar code" but you don’t need to select all the instructions that belong to a function. Just right-click on one instruction, and it will automatically detect the function boundaries, selecting all the instructions of the current function.
Another option is to look for similar strings. To search for similar ones, open the Strings Windows in IDA Pro, right-click on any string (one or many) and select Virus Total -> Search for string.
These actions will launch a new instance of your default web browser, showing all the matches found in VTGrep. Remember that your default web browser must be logged into your VirusTotal Enterprise account in order to see the results.
Check IDA Pro's output window for any message that may need your attention.
Note: This version supports Intel 32/64 bits and ARM processor architectures when searching for similar code. Probably more architectures are supported but it hasn't been tested yet.
124 downloads
0 comments
Updated
-
Download Statistics