After IDA Pro

This repo contains information about what to do after installing IDA Pro v8.3 and above.

• ifred
• keypatch
• patching
• gepetto
• VulChatGPT
• IDA Signsrch
• IDASignsrch
• BinDiff
• ScyllaHide
• Flare - Capa
• efiXplorer
• ComIDA
• ClassInformer
• OllyDumpEx
• SmartJump
• IDA-names
• HexRaysPyTools
• Lucid
• yagi
• HexRaysCodeXplorer
• IDAFuzzy

Python

Install Python > 3.8 (If you still did not installed). IDA Pro's scripting engine IDAPython needs Python.

Under IDA Installation path, find idapyswitch or idapyswitch.exe and run. idapyswitch is a small tool to select between different python installations.

IMPORTANT: If you are using Windows 11 ARM64 and Python 3 ARM64 but your IDA Pro is still x86, idapyswitch will not recognize your ARM64 based Python installation. In this case you can Install Visual Studio. Visual Studio provides x86 based python installation, or you must install another python instance which have to be x86 based! Python which Visual Studio provided does not have pip. You can get pip by following the two commandlines below:

curl -sSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py

Install the required Python packages using pip or your distribution's package manager:

six
requests
keystone-engine
flare-capa
openai >= 0.27.0
pyelftools
sip
PyQt5
thefuzz

You can also use requirements.txt to install needed packages:

[/path/to/python] -m pip install -r requirements.txt

Plugins

There are repos containing curated lists of plugins for IDA Pro. But in this repo, I list the plugins which I use on a daily basis. Besides, I've included tips for installing them.

Where are plugins?

In your Operating system IDA Pro looks 2 paths for plugins:

Windows:

• User: %APPDATA%\Hex-Rays\IDA Pro\plugins
• System: <IDA_PRO_INSTALL_DIR\plugins>, generally under Program Files

macOS or linux:

• User: $HOME/.idapro/plugins
• System: <IDA_PRO_INSTALL_DIR/plugins>

IMPORTANT : For a better IDA Pro experience use USER path.

ifred

ifred, provides an easy to use command palette for IDA Pro. IDA Pro has lots of features and you can be lost on somewhere. But if you remember some keywords you can use ifred and search for the related commands.

ifred provides two shortcuts:

• Ctrl + P : Searches strings in binary. IDA Pro generally puts a in front of string literals, by this way you can easily search strings in your binary.
• Ctrl + Shift + P: Provides IDA Pro's own features, all menu items or context menu items. With this shortcut you do not need to search where your menu item is!

Bonus: You can change theme on ifred. On ifred repo, select one theme under palette/res/theme/<name>/* and copy its contents to: %APPDATA%/Hex-rays/IDA Pro/plugins/palette/theme/. I have provided Solarized (Dark and Light) themes for ifred.

ifred installation

Unfortunately ifred repo does not contain updated releases. Instead, Jinmo -the creator- provides prebuilt binaries in Azure pipelines.

Go to prebuilt binaries and follow the steps below to find the compiled binaries:

• Under Jobs click Windows Python311
• Click 1 artifact produced
• At the end of line which starts with win-7.x-both, there is a three-dot menu, click on the three dot menu and click Download artifacts

After downloading the prebuilt binaries, Just move them under plugins directory where IDA Pro is located.

keypatch

keypatch is a multi-architecture assembler for IDA Pro.

IDA Pro itself provides patching bytes on disassembled binaries, but it is cumbersome to use. People at keystone-engine created keypatch. It is way more easy to patch a byte on IDA Pro with this plugin.

keypatch features and provided shortcut:

• Ctrl + Alt + K: Opens patcher window. You can both patch a single byte or assemble new instructions.
• Fill Range: With this functionality you can fill a memory range with instructions. e.g. nop
• Search: You can search instructions with this feature. It is more easy and fast compare to the IDA Pro's text search.

keypatch installation

This plugin needs keystone-engine to run.

• Go to keypatch repo
• Download keypatch.py. (You only need this file)
• Move keypatch.py to plugins diretory of IDA Pro

patching

patching is an interactive Binary Patching Plugin for IDA Pro.

This plugin is a minor fork of keypatch. This plugin also needs keystone-engine to run. This plugin is simplistic and supports x86_32, x86_64 and ARM.

It feels you do not need this plugin if you already have keypatch! But this plugin's interface is way better than both IDA Pro and keypatch. Small and simple. Plugin locates itself under context menu and under Plugins menu.

Key and main features are:

• Assemble: Opens a new window with the focus of where the cursor is. You can both assemble a new instruction or patch a byte.
• Patching > Change byte: Pops a small window where you can edit bytes
• NOP: It fills with NOP instruction where you've clicked.

If you have an older IDA Pro you can use keypatch plugin.

patching does not support architectures other than intel and arm. So if you are revering MIPS, you have to use keypatch.

patching installation

• Go to patching repo and navigate to releases
• Download and extract contents: patching.py and patching folder.
• Move extracted file and directory under plugins folder

Above is the manual way to install plugin. In its own repo author provides an automatic oneliner solution, you may want to check it!

gepetto

IDA plugin which queries OpenAI's gpt-3.5-turbo language model to speed up reverse-engineering.

gepetto is a plugin which was written in Python. It uses OpenAI's ChatGPT Engine. Plugin sends decompiled output to ChatGPT and ChatGPT returns an explanation of the decompiled output. Then plugin takes this explanation of what the function does and adds it as a comment.

Because you did not give your money to OpenAI you will encounter this error:

Request to gpt-3.5-turbo sent...
gpt-3.5-turbo could not complete the request: You exceeded your current quota, please check your plan and billing details.
Request to gpt-3.5-turbo sent...
gpt-3.5-turbo could not complete the request: You exceeded your current quota, please check your plan and billing details.

gepetto installation

OpenAI provides developers an API key. Plugin needs this API key to process properly.

• Register an OpenAI account and retrieve your API key. This plugin needs an active working OpenAI API to query decompile output.
• Download repo as zip.
• Move gepetto.py and gepetto folder to IDA Pro's plugin directory.
• Edit gepetto/config.ini file and add your OpenAI API key.

VulChatGPT

HexRays decompiler with OpenAI(ChatGPT) to find possible vulnerabilities in binaries.

VulChatGPT inspired from gepetto and add a new functionality to gepetto: querying vulnerabilities. Rest is the same. Rename function variables and explain what the decompiled output does.

VulChatGPT installation

Register a OpenAI account and retrieve an API. This plugin needs an active working OpenAI API to query decompile output.

• Download VulChatGPT.py. You only need this file.
• Open VulChatGPT.py and add your OpenAI API key and save.
• Move VulChatGPT.py to IDA Pro's plugins folder.

After those steps VulChatGPT will add itself under context menu. It provides those features:

• Find possible vulnerability in function
• Create Sample Python Exploit
• Explain function
• Rename variables

You can't query sequentially. You have to wait 20 seconds in each query. So reverse, analyze, make some comments, reveal some structs and then use this plugin to query!

IDA Signsrch

IDA Pro plug-in of Luigi Auriemma's signsrch signature matching tool.

This plugin uses a static XML file which contains most of the cryptographic constants (and more), to find them inside binaries. So you can analyze faster.

After installation this plugin locates itself under Edit > Plugins > Signsrch. Clicking that menu item pops a small window. Select options and click continue. A new tab will pop. It contains matched signatures.

Unfortunately this tool only supports Windows!

IDA Signsrch installation

• Download IDA Signsrch
• Extract archive and move IDA_Signsrch.dlL, IDA_Signsrch64.dlL and signsrch.xmlunder IDA Pro's plugins folder

IDASignsrch

This is an IDAPython Plugin for searching signatures and uses xml signature database from IDA Signsrch. Because it is written in Python you can use it not only in Windows but also in macOS and Linux.

Plugin is place under Edit -> Plugins -> Signsrch after installation.

IDASignsrch installation

• Download signsrch.py and signsrch.xml
• Place them under IDA Pro's plugin folder

BinDiff

BinDiff is an open-source comparison tool for binary files, that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code.

This is a standalone tool for binary diffing but, which also provides IDA Pro plugins. In comparison to its rival Diaphora this tool is better.

BinDiff Installation

• You need Java to run BinDiff.
• Download bindiff8.msi from github releases page
• Install msi package by double-clicking on it
• If BinDiff automatically finds your IDA Pro path, it will install plugin.
• If BinDiff cannot find IDA Pro path, it asks you the path.
• The msi package automatically installs BinExport plugin

BinDiff resides in Edit > Plugins > BinDiff and its shortcut is Ctrl + 6

ScyllaHide

ScyllaHide is an advanced usermode anti-anti-debugger. Most protector and malware's try to hook some of the Windows API's to prevent themself from debugging. This is the ultimate plugin for preventing anti-debugging methods. ScyllaHide provides plugins for IDA Pro and other debuggers, like x64dbg.

Unfortunately official ScyllaHide repo does not provide plugins for IDA Pro v7 and v8. So we need to use an external repo: ScyllaHide-IDA7.5. This repo provides plugin for IDA Pro v7.5 and above.

No need to say but this plugin is only for Windows.

ScyllaHide Installation

Under IDA directory copy the files below to plugins folder:

• HookLibraryx64.dll
• HookLibraryx86.dll
• InjectorCLIx64.exe
• InjectorCLIx86.exe
• ScyllaHideIDAProPlugin.dll
• ScyllaHideIDAProPluginx64.dll
• ScyllaHideIDAServerx64.exe
• ScyllaHideIDAServerx86.exe
• scylla_hide.ini

Only ScyllaHideIDAProPlugin.dll and ScyllaHideIDAProPluginx64.dll are plugins but they need other files to bu in the same directory!

IMPORTANT

I have created a seperate ScyllaHide directory under plugins directory because ScyllaPlugin sucks sometime. I only use it when I need it!

Flare - Capa

Mandiant's Flare team has created a very nice tool which named capa. This tool can analyze PE, ELF and shellcode! And it outputs a nice feasible dump which tells what the input does: like if it needs http request, internet connnection, might be a backdoor etc. This tools it very beneficial for malware reversers.

capa explorer IDA Pro plugin does the same functionality while you are analyzing your binary in IDA Pro. And capa explorer can do its job only by searching IDA Pro's database. It can create rules if you want!

Flare - Capa Installation

First install capa.

Windows:

python -m pip install flare-capa

If you have Win11 ARM64 and you have python3 arm64 build; you need a python3 x86_64 build for flare-capa.

macOS:

python -m pip install flare-capa

Ubuntu ARM64

pip3 install flare-capa

Download/clone CAPA RULES:

git clone https://github.com/mandiant/capa-rules.git

Capa IDA Pro Plugin asks capa rules directory on the first run!

Then copy capa_explorer.py from https://github.com/mandiant/capa/blob/master/capa/ida/plugin/capa_explorer.py to your IDA Pro's plugin folder.

Then restart your IDA; plugin will reside under Edit > Plugins > Capa Explorer. Click on Capa Explorer. If it is your first run it will ask for the capa rules folder. Selecl capa rules folder and you are ready to go.

efiXplorer

IDA plugin for UEFI firmware analysis and reverse engineering automation.

efiXloader is an IDA Pro loader module, responsible for processing UEFI drivers within single IDA Pro instance. During UEFI drivers analysis efiXloader identifies each driver's entry.

efiXplorer Installation

As stated above this plugin comes with a plugin and a loader.

• Form the latest release download your platforms zip file
• Extract zip file and copy efiXloader to loaders folder and efiXplorer.dll and efiXplorer.dll to plugins folder
• Copy guids directory under plugins folder

ComIDA

An IDA Plugin that help during the analysis of modules using COM. It works by searching data references to known COM GUID (Classes or Interfaces), and for hex-ray plugin user, infers type that use :

• CoCreateInstance function
• CoGetCallContext function
• QueryInterface method

ComIDA Installation

Just put the comida.py script in plugins folder of IDA.

This plugin is not enabled by default. By using Ctrl + Shift + M key combination you can easily enable/disable this plugin.

ClassInformer

IDA Pro class vftable finder, namer, fixer, lister plug-in. This pluging helps a reverser to find virtual function tables. It is an old plugin but still works on updated IDA Pro.

ClassInformer Installation

The original author has published pre-built binaries of plugin on sourceforge. The binaries on sourceforge works on IDA Pro v8.3. But there is an updated repo. This repo's binaried also work on IDA Pro 8.3. I have prefered the second one. Both Installations are same.

• Download the plugins and copy them under IDA Pro's plugins folder.

OllyDumpEx - Process memory dumper

This is an enhanced ollydump plugin. Author made this plugin for various tools such as ollydbg, immunity debugger ida pro... This plugin is process memory dumper for debuggers. Native 64bit process supported (IDA Pro, WinDbg and x64dbg) Also it auto calculate many parameters (RawSize, RawOffset, VirtualOffset, ...)

OllyDumpEx Installation

• Download latest OllyDumpEx plugin. Extract the archive
• Copy OllyDumpEx_IdaRT.dll and OllyDumpEx_IdaRT64.dll to your plugins folder

Open IDA Pro under Edit > Plugins you will see OllyDumpEx menu item. When you click on it a new will pop up where you can make configurations of your dump!

SmartJump

This plugin simply enhances the IDA Pro's JumpAsk g command

With this plugin enabled, you can also jump to labels/names. You can use brackets so you can jump referenced memory addresses.

SmartJump Installation

• Go to [SmartJump]35 repo
• Download repo as zip.
• In repo there is a plugins folder. Inside it there is SmartJump.py and a folder
• Copy SmartJump.py and SmartJump folder in your IDA Pro's plugins folder

Needed config to enable plugin. Open IDA_INSTALL_DIR\cfg\idagui.cfg

Change this:
"JumpAsk"               =       'g'
To this:
"JumpAsk"               =       0 //'g'

IDA-names

IDA-names automatically renames pseudocode windows with the current function name. It can also rename ANY window with SHIFT-T hotkey.

Not so important but comes in handy when you are struggling with pseudo windows more than three!

Installation

• Go to IDA-names repo
• Copy ida_names.py in plugins folder.

HexRaysPyTools

IDA Pro plugin which improves work with HexRays decompiler and helps in process of reconstruction structures and classes.

The plugin assists in the creation of classes/structures and detection of virtual tables. It also facilitates transforming decompiler output faster and allows to do some stuff which is otherwise impossible.

HexRaysPyTools Installation

• Go to HexRaysPyTools github repo
• Drop HexRaysPyTools.py and HexRaysPyTools folder under IDA Pro's plugins folder.

Lucid

Lucid is a developer-oriented IDA Pro plugin for exploring the Hex-Rays microcode. It was designed to provide a seamless, interactive experience for studying microcode transformations in the decompiler pipeline.

In 2018, Hex-Rays released IDA Pro 7.1. This was the first version of IDA to expose the decompiler’s internal microcode. This gave researchers access to richer forms of analysis (dataflow, value/type speculation) and the ability to augment the logic of the decompiler at a much lower level than previously possible.

The Hex-Rays microcode is an intermediate language (IL). Like most IL’s, its purpose is to provide a portable and architecture-agnostic platform suitable for program analysis. By lifting compiled code to an intermediate language, Hex-Rays can apply a generic set of rules and analysis algorithms to decompile code from any architecture.

Lucid Installation

I am not using original Lucid plugin. There is a way more updated fork: Fireboyd78 - lucid. Installation is the same:

• Download the repo as zip: Fireboyd78 - lucid
• Copy the python file and the folder inside your IDA Pro's plugins folder

After installation the plugin resides:

• On the PseudoCode windows plugin adds itself under the context menu: View microcode
• Plugin's shortcut is Ctrl + Shift +M

yagi - Yet Another Ghidra Integration for IDA

Yagi intends to include the Ghidra decompilers into both IDA pro and IDA Free. After installation you can use F3 to use plugin.

yagi installation

For installation:

• Windows: double click on *.msi file
• Linux: run *.sh file to install

Additional hot keys:

key	interact
Decompile	Place cursor on a func tion and press F3
Edit Type	Y
Clear Type	C
Edit Name	N
Cross References	X
Navigate	Duble click on the keyword

HexRaysCodeXplorer

This plugin is for Hex-Rays Decompiler. It provides a better code navigation throughout the reversing process. HexRaysCodeXplorer also automates the code reconstruction of C++ applications.

IMPORTANT: The official repo provides prebuilt plugins for IDA Pro v7.7 Bu I have recompiled the plugin for IDA Pro v8.4. The prebuilt plugins ca be downloaded from Tuts4You Downloads - HexRaysCodeXplorer (Recompiled for IDA Pro) 2.1.

HexRaysCodeXplorer Installation

• Download plugin for Ida Pro v7.7, v8.3 or v8.4
• Drop the DLL files under your plugins folder

To use the plugin you need to open the HexRays Pseudocode window then right click it. You will see the plugins contect menu items:

Display Ctree Graph         T
Object Explorer             O
REconstruct Type            R
Extract Types to File       S
Extract Ctrees to File      C
Ctree Item View             V
Jump to Disasm              J

IDAFuzzy

According to this plugins repo it is:

IDAFuzzy is fuzzy searching tool for IDA Pro. This tool helps you to find command/function/struct and so on. This tool is usefull when

• You don't remember all shortcut. -You don't remember all function/struct name exactly.

This tool is inspired by Mac's Spotlight and Intellij's Search Everywhere dialog.

But in short it is a replacement for ifred in Python! I have tested both the command palette and the IDA Pro generated variable name; both working!

IDAFuzzy Installation

• You need to install PyPi package thefuzz!
• Go to updated repo: IDAFuzzy
• Copy ida_fuzz.py under your plugin folder!

Usage: Press Shift + Space, a window will pop up and you are good to go!

Processor Modules

IDA Pro does not provide all processor architectures. Under IDA Pro installation folder there is a directory called procs; which is a short name of processors. Under this folder there are a lot of dll files which provides IDA Pro to understand processor types. e.g. arm.dll and arm64.dll provides IDA Pro to understand these processor architectures.

Because I love ctfing, sometimes I need external IDA Pro processor modules:

eBPF_processor

eBPF_processor IDA Processor and supporting scripts that can be used to disassemble eBPF bytecode.

eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules.

eBPF_processor Installation

• Download ebpf.py
• Copy ebpf.py under procs folder
• install pyelftools python package with pip

After installation you can use the processor module like this:

• Open the eBPF ELF file in IDA, using the standard ELF loader, but selecting the eBPF processor
• Wait for autoanalysis to complete

Themes

IDA Pro Solarized Theme - Solarized Theme for IDA Pro 7.3 and above

IDA Pro Solarized Theme has been developing by me. I really like the colors of Solarized palette. Put the theme directory under :

Windows:

%APPDATA%\Hex-Rays\IDA Pro\themes

*nix:

~/.idapro/themes

You can also put theme folder under installation path but it is not advised.

Todo

• Add IDA_Signsrch
• Detail on ScyllaHide
• Add efiXplorer

Resources

• eBPF - Extended Berkeley Packet Filter
• Get PIP
• Keystone Engine - The Ultimate Assembler
• PyPi - TheFuzz - Fuzzy string matching like a boss.

Plugins

• ifred - IDA command palette & more
• patching - Interactive Binary Patching Plugin
• keypatch
• gepetto - IDA plugin which OpenAI's gpt-3.5-turbo for reverse-engineering
• VulChatGPT - HexRays decompiler with OpenAI(ChatGPT) to find possible vulnerabilities in binaries
• IDA Signsrch
• Luigi Auriemma's signsrch
• IDA Signsrch in Python
• x64dbg - ScyllaHide
• notify-bibi - ScyllaHide-IDA7.5
• BinDiff - Diffing Tool and Plugin Repo
• BinDiff - Diffing Tool and Plugin Homepage
• Diaphora
• Flare - Capa
• Flare - Capa IDA Pro Plugin
• Flare - Capa Rules
• efiXplorer - UEFI firmware analysis
• ComIDA
• IDA ClassInformer PlugIn - Windows object RTTI vftable finder, fixer, and lister
• ClassInformer
• ClassInformer 8
• OllyDumpEx - Process memory dumper
• SmartJump - IDA Pro plugin to enhance the JumpAsk 'g' command
• ida_names - IDA-names automatically renames pseudocode windows with the current function name
• HexRaysPyTools - improves work with HexRays decompiler and helps in process of reconstruction structures and classes
• Lucid - An Interactive Hex-Rays Microcode Explorer
• Lucid - Updated Fork
• yagi - Yet Another Ghidra Integration for IDA
• IDAFuzzy - Fuzzy search tool for IDA Pro (Update)

Other Plugins

• HexRaysCodeXplorer - Automates code REconstruction of C++ applications
• lscan - library identification on statically linked/stripped binaries
• Tenet - A Trace Explorer for Reverse Engineers
• Lighthouse - A Coverage Explorer for Reverse Engineers
• Diaphora - Open Spurce Diffing Plugin
• findyara-ida - Scan binary with Yara rules
• deREferencing - Adds dereferenced pointers, colors and other useful information, similar to some GDB plugins (e.g: PEDA, GEF, pwndbg, etc).

Processor Modules

• zandi - eBPF_processor
• saaph - eBPF_processor

Themes

• IDA Pro Solarized Theme - Solarized Theme for IDA Pro 7.3 and above

Author

• Blue DeviL // SCT

License

This project is under the AGPL v3.0 License.