
fireeye / Flare Ida

Licence: apache-2.0
IDA Pro utilities from FLARE team


FLARE Team Reversing Repository

This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.

plugins

To install, copy the contents of the plugins directory in this repository into IDA's plugins folder (%PROGRAMFILES%\IDA\plugins on a default Windows install).

python

The python directory here can be copied into your %PROGRAMFILES%\IDA\python folder, or you can add the directory to your PYTHONPATH environment variable so IDAPython can import it from where it is.

Provided Plugins

Shellcode Hashes

The shellcode_hashes_search_plugin.py IDA plugin implements the precalculated hash searching described here: https://www.mandiant.com/blog/precalculated-string-hashes-reverse-engineering-shellcode/. It compares immediate operands in the database against precomputed hashes of exported API names and annotates the matches.

The shellcode_hashes directory contains the script used to build the hash database consumed by the shellcode_hash_search.py script, along with a prebuilt database.
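As an added, stand-alone illustration of the technique (my own example, not the project's shellcode_hash_search.py or its database builder): two hash algorithms, a hash database built from a constructed export list, and a scan over constructed immediates the way the plugin scans operand constants in an IDB. The ROR-13/ADD variant here hashes the ASCII export name without its NUL terminator, which is the form classic Win32 shellcode resolvers compare against; other shellcode also hashes the terminator or adds a module-name hash, and which variants the real FLARE database covers is not stated on this page. The export list, the addresses and the immediates are constructed for the example.

```python
import zlib
from typing import Callable, Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(v: int, n: int) -> int:
    """Rotate a 32-bit value right by n bits."""
    v &= MASK32
    return ((v >> n) | (v << (32 - n))) & MASK32


def ror13_add_hash32(name: str) -> int:
    """ROR-13 / ADD hash over the ASCII export name, no NUL terminator.
    Assumption: this is the variant the constructed sample uses; real shellcode
    may also fold in the terminator or a module-name hash."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def crc32_hash(name: str) -> int:
    """CRC32 of the export name, another hash seen in API resolvers."""
    return zlib.crc32(name.encode("ascii")) & MASK32


HASHERS: Dict[str, Callable[[str], int]] = {
    "ror13AddHash32": ror13_add_hash32,
    "crc32": crc32_hash,
}

# Constructed export list; a real database is built by walking the export
# tables of the DLLs of interest and hashing every name with every algorithm.
EXPORTS: List[Tuple[str, str]] = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
]

HashDB = Dict[Tuple[str, int], List[Tuple[str, str]]]


def build_hash_db(exports: Iterable[Tuple[str, str]]) -> HashDB:
    """Map (algorithm, hash) -> [(dll, symbol)], keeping collisions visible."""
    db: HashDB = {}
    for dll, sym in exports:
        for algo, fn in HASHERS.items():
            db.setdefault((algo, fn(sym)), []).append((dll, sym))
    return db


def search_immediates(immediates: Iterable[Tuple[int, int]],
                      db: HashDB) -> List[Tuple[int, str, str, str]]:
    """Report (address, algorithm, dll, symbol) for every immediate that equals
    a known hash; the IDA plugin does this over push/cmp/mov immediates and
    writes the result as a comment at the instruction."""
    hits = []
    for ea, imm in immediates:
        for algo in HASHERS:
            for dll, sym in db.get((algo, imm & MASK32), []):
                hits.append((ea, algo, dll, sym))
    return hits


# Constructed (address, immediate) pairs, as harvested from `push imm32` etc.
SAMPLE_IMMEDIATES: List[Tuple[int, int]] = [
    (0x401005, 0xEC0E4E8E),                        # ror13AddHash32("LoadLibraryA")
    (0x40100C, ror13_add_hash32("GetProcAddress")),
    (0x401013, 0x00000104),                        # MAX_PATH, not a hash
    (0x40101A, crc32_hash("VirtualAlloc")),
]

if __name__ == "__main__":
    for ea, algo, dll, sym in search_immediates(SAMPLE_IMMEDIATES, build_hash_db(EXPORTS)):
        print(f"{ea:#010x} {algo:<16} {dll}!{sym}")
```

A 32-bit immediate that happens to equal a hash is not proof of a resolver; confirm the hit sits in a loop that walks a module's export table. When a sample uses an algorithm the database does not know, recover it from the resolver loop, add it to HASHERS and rebuild rather than guessing names by hand.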

Struct Typer

The struct_typer_plugin.py plugin implements the struct typing described here: https://www.mandiant.com/blog/applying-function-types-structure-fields-ida/

StackStrings

The stackstrings_plugin.py plugin implements the recovery of manually constructed strings (strings written to the stack a byte or dword at a time so they never appear in the binary's string table) described here: http://www.fireeye.com/blog/threat-research/2014/08/flare-ida-pro-script-series-automatic-recovery-of-constructed-strings-in-malware.html
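As an added toy illustration of the recovery idea (my own example, not the project's plugin, which works on the IDB rather than on listing text): it tracks immediate stores to ebp-relative stack slots in a constructed IDA-style listing, and at each call coalesces contiguous slots into printable strings. The listing, the offsets and the callee names are constructed; the simplification that slots are cleared after each call is an assumption of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed IDA-style listing (not from the page): the function builds
# "kernel32.dll" on the stack with dword stores, calls LoadLibraryA, then
# builds "Hello" byte by byte for a second call.
LISTING = """\
push    ebp
mov     ebp, esp
sub     esp, 20h
mov     dword ptr [ebp-14h], 6E72656Bh   ; 'kern'
mov     dword ptr [ebp-10h], 32336C65h   ; 'el32'
mov     dword ptr [ebp-0Ch], 6C6C642Eh   ; '.dll'
mov     byte ptr [ebp-8], 0
lea     eax, [ebp-14h]
push    eax
call    ds:LoadLibraryA
mov     byte ptr [ebp-1Ch], 48h          ; 'H'
mov     byte ptr [ebp-1Bh], 65h          ; 'e'
mov     byte ptr [ebp-1Ah], 6Ch          ; 'l'
mov     byte ptr [ebp-19h], 6Ch          ; 'l'
mov     byte ptr [ebp-18h], 6Fh          ; 'o'
mov     byte ptr [ebp-17h], 0
lea     eax, [ebp-1Ch]
push    eax
call    sub_401000
leave
retn
"""

STORE_RE = re.compile(
    r"^\s*mov\s+(byte|word|dword) ptr \[ebp([+-])([0-9A-Fa-f]+h?)\],\s*([0-9A-Fa-f]+h?)")
CALL_RE = re.compile(r"^\s*call\s+(\S+)")
WIDTH = {"byte": 1, "word": 2, "dword": 4}


def ida_int(tok: str) -> int:
    """Parse an IDA immediate: a trailing 'h' means hex, otherwise decimal."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


def _split_printable(buf: bytes, min_len: int) -> List[str]:
    """Split a byte run on non-printable bytes, keeping pieces >= min_len."""
    out, cur = [], ""
    for b in buf:
        if 0x20 <= b < 0x7F:
            cur += chr(b)
        else:
            if len(cur) >= min_len:
                out.append(cur)
            cur = ""
    if len(cur) >= min_len:
        out.append(cur)
    return out


def extract_strings(frame: Dict[int, int], min_len: int = 4) -> List[str]:
    """Coalesce contiguous frame bytes, then split them into printable strings."""
    found: List[str] = []
    run = bytearray()
    prev = None
    for off in sorted(frame):
        if prev is not None and off != prev + 1:
            found.extend(_split_printable(bytes(run), min_len))
            run = bytearray()
        run.append(frame[off])
        prev = off
    found.extend(_split_printable(bytes(run), min_len))
    return found


def recover_stackstrings(listing: str) -> List[Tuple[str, str]]:
    """Return (callee, string) pairs for strings assembled before each call."""
    frame: Dict[int, int] = {}      # ebp-relative offset -> byte value
    results: List[Tuple[str, str]] = []
    for line in listing.splitlines():
        m = STORE_RE.match(line)
        if m:
            size = WIDTH[m.group(1)]
            base = ida_int(m.group(3)) * (-1 if m.group(2) == "-" else 1)
            imm = ida_int(m.group(4))
            for i in range(size):   # little-endian: low byte at the lowest address
                frame[base + i] = (imm >> (8 * i)) & 0xFF
            continue
        m = CALL_RE.match(line)
        if m:
            for s in extract_strings(frame):
                results.append((m.group(1), s))
            frame.clear()           # simplification: slots are reused per call site
    return results


if __name__ == "__main__":
    for callee, s in recover_stackstrings(LISTING):
        print(f"{callee}: {s!r}")
```

Real samples also store through esp-relative slots, registers loaded with immediates, and XOR-decoded bytes, which is why the plugin follows the program's data flow instead of matching text; the grouping step above (contiguous slots, split on non-printable bytes) is the same regardless of how the writes are observed.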

MSDN Annotations

This script for IDA Pro adds MSDN information from an XML file to the database. Information about this plugin can be found at: https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html

The following functionality is included:

  • Backup the original database
  • Retrieve all imported functions
  • Import function descriptions
  • Import argument descriptions
  • Create custom enumerations for identified constants including descriptions
  • Rename constants to their readable values

MSDN Annotations Usage

TL;DR: In IDA run annotate_IDB_MSDN.py.

All files (IDAPython scripts, XML parser, MSDN information XML file, etc.) should be located in the same directory, accessible to IDA Pro. In IDA use File - Script file... (ALT + F7) to open annotate_IDB_MSDN.py. The form lets you change the settings; the IDB is annotated after you click OK.

After executing the script once, View - Recent scripts (ALT + F9) can be used as well.

ApplyCalleeType

This plugin allows you to specify or choose a function type for indirect calls as described here: https://www.fireeye.com/blog/threat-research/2015/04/flare_ida_pro_script.html

idb2pat

This script allows you to easily generate function patterns (a FLAIR .pat file) from an existing IDB database; the patterns can then be turned into FLIRT signatures with the FLAIR tools to help identify similar functions in new files. More information is available at: https://www.fireeye.com/blog/threat-research/2015/01/flare_ida_pro_script.html
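As an added illustration of what a .pat line looks like and how it is built (my own example, not the project's script, which reads functions and their fixups from the IDB): a generator over a constructed 40-byte function. Bytes covered by relocated or address operands are masked as '..', the 32-byte lead pattern comes first, then the length and CRC-16 of the fixed bytes that follow the lead (up to the first variable byte, at most 255 bytes), the function length, ':0000 name', and any remaining bytes as a tail. The CRC-16 is the routine FLAIR's pat.txt describes (a reflected CRC-16-CCITT with init 0xFFFF, complemented and byte-swapped), reproduced here from memory and therefore an assumption to check against your FLAIR distribution; the function bytes and fixup offsets are constructed. The '^offset name' reference entries the .pat format also allows are left out.

```python
from typing import Iterable, Set

POLY = 0x8408  # reflected CRC-16-CCITT polynomial, as in FLAIR's pat.txt (assumed)


def crc16(data: bytes) -> int:
    """CRC-16 as described in FLAIR's pat.txt (assumption): init 0xFFFF,
    reflected, complemented, then byte-swapped; empty input gives 0."""
    if not data:
        return 0
    crc = 0xFFFF
    for byte in data:
        for i in range(8):
            if (crc ^ (byte >> i)) & 1:
                crc = (crc >> 1) ^ POLY
            else:
                crc >>= 1
    crc = ~crc & 0xFFFF
    return ((crc << 8) | (crc >> 8)) & 0xFFFF


def variable_bytes(fixups: Iterable[int], width: int = 4) -> Set[int]:
    """Offsets covered by relocated/address operands; these become '..'."""
    return {off + i for off in fixups for i in range(width)}


def make_pat_line(name: str, code: bytes, variable: Set[int]) -> str:
    """Emit one .pat line: 32-byte lead pattern, CRC length and CRC of the
    fixed bytes that follow, function length, ':0000 name', then any tail."""
    def fmt(start: int, end: int) -> str:
        return "".join(".." if i in variable else f"{code[i]:02X}"
                       for i in range(start, end))

    # functions shorter than 32 bytes are padded with '..' (assumed convention)
    lead = fmt(0, min(32, len(code))) + ".." * max(0, 32 - len(code))
    # CRC region: from byte 32 up to the first variable byte, at most 255 bytes
    crc_end = 32
    while crc_end < len(code) and crc_end - 32 < 255 and crc_end not in variable:
        crc_end += 1
    crc_len = max(0, crc_end - 32)
    crc = crc16(code[32:crc_end]) if crc_len else 0
    line = f"{lead} {crc_len:02X} {crc:04X} {len(code):04X} :0000 {name}"
    if len(code) > crc_end:
        line += " " + fmt(crc_end, len(code))
    return line


# Constructed function bytes (not from the page): prologue, a push of a
# string address, a call with a rel32 displacement, a store to a global,
# epilogue.  FIXUPS holds the operand offsets an IDB would report as relocated.
CODE = bytes.fromhex(
    "55"              # 00 push ebp
    "8BEC"            # 01 mov ebp, esp
    "83EC08"          # 03 sub esp, 8
    "C745FC00000000"  # 06 mov dword ptr [ebp-4], 0
    "6844304000"      # 0D push offset aString    (address at 0x0E)
    "E800000000"      # 12 call rel32             (displacement at 0x13)
    "83C404"          # 17 add esp, 4
    "A300504000"      # 1A mov dword_405000, eax  (address at 0x1B)
    "8B45FC"          # 1F mov eax, [ebp-4]
    "33C0"            # 22 xor eax, eax
    "8BE5"            # 24 mov esp, ebp
    "5D"              # 26 pop ebp
    "C3"              # 27 retn
)
FIXUPS = [0x0E, 0x13, 0x1B]

if __name__ == "__main__":
    print(make_pat_line("sub_401000", CODE, variable_bytes(FIXUPS)))
```

The resulting .pat file is what sigmake from the FLAIR package turns into a .sig; the masking matters because a signature built from unmasked addresses only ever matches the binary it came from, and the CRC region is what distinguishes functions that share the same 32-byte prologue.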

argtracker

This utility can help you identify static arguments to functions used within a program. This is most commonly used to extract arguments to string decoder functions. Example usage is available in

  • examples/argtracker_example1.py
  • examples/argtracker_example2.py

A blog post with further information is available at:

https://www.fireeye.com/blog/threat-research/2015/11/flare_ida_pro_script.html

objc2_analyzer

This script creates cross-references between selector references and their implementations as defined in the Objective-C runtime related sections of the target Mach-O executable. It also patches selector reference pointers to instead point to their implementation function. This makes analysis of Objective-C code easier by enabling smooth transitions between an implementation and the locations where its selector is referenced throughout the code. Helpful Objective-C code comments are added to each call to objc_msgSend variants to clearly indicate which method is being called on which class.

ironstrings

ironstrings.py is an IDAPython script that uses code emulation to recover constructed strings (stackstrings) from malware. Please see the details in the script's README.

Code Grafter

code_grafter.py is an IDAPython script that grafts code to an IDA database to implement various imported functions and increase the likelihood of being able to execute an unpacker or decoder entirely under Bochs (or any other emulation tools that don't implement special handling for these functions). This prevents faults when emulated execution reaches functions such as VirtualAlloc or lstrlenA.
