
mandiant/flare-ida

IDA Pro utilities from FLARE team


Top Related Projects

  • Lighthouse: A Coverage Explorer for Reverse Engineers
  • HexRaysCodeXplorer: Hex-Rays Decompiler plugin for better code navigation
  • Ghidra: a software reverse engineering (SRE) framework

Quick Overview

The mandiant/flare-ida repository is a collection of IDA Pro scripts and plugins developed by Mandiant's FLARE team. These tools are designed to enhance reverse engineering capabilities within IDA Pro, a popular disassembler and debugger used for analyzing binary code and malware.

Pros

  • Enhances IDA Pro's functionality with specialized scripts and plugins
  • Developed by Mandiant's FLARE team, known for their expertise in reverse engineering and malware analysis
  • Provides a variety of tools for different aspects of binary analysis
  • Open-source, allowing for community contributions and customization

Cons

  • Requires IDA Pro, which is a commercial and expensive software
  • Some scripts may be outdated or incompatible with newer versions of IDA Pro
  • Limited documentation for some of the tools
  • May require additional setup or dependencies for certain scripts

Code Examples

The tools are IDA plugins and scripts, not importable library modules: once installed they appear under Edit > Plugins, or can be started from the IDAPython console by plugin file name (without the .py extension).

# Example 1: run the Shellcode Hashes plugin (shellcode_hashes_search_plugin.py)
# to match hard-coded API hash constants against the precomputed database
import idaapi
idaapi.load_and_run_plugin("shellcode_hashes_search_plugin", 0)
# Example 2: run the Struct Typer plugin (struct_typer_plugin.py) to apply
# function types to structure fields
idaapi.load_and_run_plugin("struct_typer_plugin", 0)
# Example 3: run the StackStrings plugin (stackstrings_plugin.py) to recover
# strings that are assembled on the stack
idaapi.load_and_run_plugin("stackstrings_plugin", 0)

Getting Started

  1. Clone the repository:
    git clone https://github.com/mandiant/flare-ida.git
    
  2. Copy the contents of the plugins directory to your IDA Pro plugins directory, and copy the python directory to IDA's python directory (or add it to PYTHONPATH); the plugins import their implementation from it.
  3. Restart IDA Pro or load the scripts manually.
  4. Use the tools as needed during your reverse engineering process.

Note: Some scripts may require additional setup or dependencies. Refer to the individual script documentation for specific instructions.

Competitor Comparisons


A Coverage Explorer for Reverse Engineers

Pros of Lighthouse

  • Provides advanced code coverage visualization and analysis tools
  • Offers a more intuitive and user-friendly interface for navigating coverage data
  • Loads coverage logs in several formats produced by dynamic binary instrumentation tools (e.g. DynamoRIO's drcov)

Cons of Lighthouse

  • More focused on code coverage, while FLARE-IDA offers a broader set of reverse engineering tools
  • May have a steeper learning curve for users not familiar with code coverage concepts
  • Requires coverage data to be collected first with an external instrumentation tool; it performs no analysis on a static IDB by itself

Code Comparison

Lighthouse:

def highlight_coverage(self, coverage):
    for address in coverage:
        self.color_block(address, self.color_coverage)

FLARE-IDA:

import idautils
import idc

def highlight_function(self, ea):
    # Colour every instruction and data head in every chunk of the function at ea
    for (startea, endea) in idautils.Chunks(ea):
        for head in idautils.Heads(startea, endea):
            idc.set_color(head, idc.CIC_ITEM, 0xFFFFFF)

Both projects use Python for their IDA Pro plugins, but Lighthouse focuses on coverage visualization, while FLARE-IDA provides a wider range of reverse engineering functionalities.

Hex-Rays Decompiler plugin for better code navigation

Pros of HexRaysCodeXplorer

  • More focused on object-oriented code analysis and reconstruction
  • Provides advanced features for C++ class and vtable recovery
  • Offers graph-based visualization of class hierarchies

Cons of HexRaysCodeXplorer

  • Less frequently updated compared to flare-ida
  • Narrower scope, primarily targeting C++ reverse engineering
  • May have a steeper learning curve for users unfamiliar with advanced C++ concepts

Code Comparison

HexRaysCodeXplorer:

import idaapi

def get_virtual_functions(vftable):
    # Illustrative IDAPython: resolve function pointers read from a vtable to func_t objects
    funcs = []
    for ea in vftable:
        func = idaapi.get_func(ea)  # None when ea is not inside a defined function
        if func:
            funcs.append(func)
    return funcs

flare-ida:

import idautils

def find_xrefs(ea):
    # Collect the source address of every cross-reference to ea (flags=0: all xref kinds)
    xrefs = []
    for xref in idautils.XrefsTo(ea, 0):
        xrefs.append(xref.frm)
    return xrefs

Both repositories provide valuable tools for reverse engineering and malware analysis using IDA Pro. HexRaysCodeXplorer excels in C++ analysis, offering specialized features for object-oriented code reconstruction. flare-ida, on the other hand, provides a broader set of utilities for various reverse engineering tasks and is more frequently updated. The choice between the two depends on the specific needs of the reverse engineer and the target of analysis.


Ghidra is a software reverse engineering (SRE) framework

Pros of Ghidra

  • Comprehensive reverse engineering suite with a wide range of features
  • Open-source and free to use
  • Cross-platform compatibility (Windows, Linux, macOS)

Cons of Ghidra

  • Steeper learning curve due to its extensive feature set
  • Slower performance compared to IDA Pro for large binaries
  • Less extensive plugin ecosystem than IDA Pro

Code Comparison

Ghidra (Java):

import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
public class SimpleDecompiler extends GhidraScript {
    @Override
    public void run() throws Exception {
        var func = getFunctionContaining(currentAddress);    // null when the cursor is outside a function
        if (func == null) return;
        DecompInterface decompInterface = new DecompInterface();
        decompInterface.openProgram(currentProgram);         // required before decompileFunction
        DecompileResults results = decompInterface.decompileFunction(func, 30, monitor);
        if (results.decompileCompleted()) println(results.getDecompiledFunction().getC());
    }
}

FLARE-IDA (Python):

import idaapi

class SimpleDecompiler(idaapi.plugin_t):
    flags = idaapi.PLUGIN_UNL              # unload after each run
    comment = "Decompile the function under the cursor"
    help = ""
    wanted_name = "Simple Decompiler"
    wanted_hotkey = ""
    def init(self):
        # Only load when the Hex-Rays decompiler is available
        return idaapi.PLUGIN_OK if idaapi.init_hexrays_plugin() else idaapi.PLUGIN_SKIP
    def run(self, arg):
        func = idaapi.get_func(idaapi.get_screen_ea())
        if func:
            print(idaapi.decompile(func))  # pseudocode of the current function
    def term(self):
        pass

def PLUGIN_ENTRY():
    return SimpleDecompiler()

Both repositories provide tools for reverse engineering and binary analysis. Ghidra offers a complete suite of tools with a graphical interface, while FLARE-IDA focuses on enhancing IDA Pro's functionality through scripts and plugins. Ghidra is more suitable for users seeking a free, comprehensive solution, while FLARE-IDA caters to those already using IDA Pro and looking to extend its capabilities.


README

FLARE Team Reversing Repository

This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.

plugins

To install, copy the contents of the plugins directory in this repository to your %PROGRAMFILES%\IDA\plugins folder.

python

The python directory here can be copied to your %PROGRAMFILES%\IDA\python folder, or you can modify your PYTHONPATH environment variable to include the directory.

Provided Plugins

Shellcode Hashes

The shellcode_hashes_search_plugin.py IDA plugin implements the hash searching described here: https://www.mandiant.com/blog/precalculated-string-hashes-reverse-engineering-shellcode/. Shellcode that has no import table resolves APIs by hashing export names and comparing them against hard-coded constants; the plugin matches those constants against a database of precomputed hashes and annotates the matching immediates.

The shellcode_hashes directory contains the script used to create that database for the shellcode_hash_search.py script, along with a provided database.
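As an added example (not code from the flare-ida repository), the following Python reproduces the precalculated-hash technique the plugin automates: hash every known export once, then resolve the constants found in shellcode by lookup. It implements the ROR-13 "block_api" variant used by Metasploit payloads (module name upper-cased as UTF-16LE including its NUL terminator, export name as ASCII including its NUL, summed mod 2^32), for which kernel32.dll!LoadLibraryA hashes to the published constant 0x0726774C. The export list and the sample immediates are constructed; the FLARE database's own set of hash routines is not shown on this page.

```python
# Added example, not part of flare-ida: precalculated API-name hashing and
# resolution of observed hash constants back to module!export.
# Assumption: the ROR-13 "block_api" scheme used by Metasploit payloads; the
# FLARE database covers this and other variants not shown here.

def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_add(data: bytes) -> int:
    """ROR-13-then-add over each byte: the inner loop of the shellcode's hash."""
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def block_api_hash(module: str, export: str) -> int:
    """Module name upper-cased as UTF-16LE with its NUL terminator, plus the
    export name as ASCII with its NUL terminator, summed mod 2^32."""
    mod_hash = ror13_add((module.upper() + "\x00").encode("utf-16-le"))
    fn_hash = ror13_add((export + "\x00").encode("ascii"))
    return (mod_hash + fn_hash) & 0xFFFFFFFF


# Constructed export list standing in for the plugin's precomputed database.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateProcessA", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect"],
}


def build_hash_db(exports=KNOWN_EXPORTS):
    """Precompute hash -> 'module!export' for every known export (done once)."""
    db = {}
    for module, names in exports.items():
        for name in names:
            db[block_api_hash(module, name)] = f"{module}!{name}"
    return db


def resolve_hashes(immediates, db):
    """Map 32-bit immediates lifted from disassembly to names; unknowns map to None."""
    return {imm: db.get(imm & 0xFFFFFFFF) for imm in immediates}


# Constructed sample: immediates a shellcode pushes before calling its API resolver.
SAMPLE_IMMEDIATES = [0x0726774C, 0xDEADBEEF]

if __name__ == "__main__":
    db = build_hash_db()
    for imm, name in resolve_hashes(SAMPLE_IMMEDIATES, db).items():
        print(f"0x{imm:08X} -> {name}")
```

A database built this way is only as good as its export list and its set of hash variants: an unresolved constant may be a legitimate API hash under an algorithm (a different rotate count, an added XOR, a CRC) that has not been precomputed, which is why the plugin's database generator covers many variants rather than one.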

Struct Typer

The struct_typer_plugin.py plugin implements the struct typing described here: https://www.mandiant.com/blog/applying-function-types-structure-fields-ida/

StackStrings

The stackstrings_plugin.py implements the recovery of manually constructed strings described here: http://www.fireeye.com/blog/threat-research/2014/08/flare-ida-pro-script-series-automatic-recovery-of-constructed-strings-in-malware.html
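As an added illustration (not the plugin's code), the following Python recovers strings built with immediate stores to the stack from normalized disassembly text: it collects every `mov <size> ptr [ebp/esp±disp], imm` store, lays the immediates out little-endian at their stack offsets, and reports contiguous runs of printable bytes terminated by a NUL, a non-printable byte or a gap. The listing is constructed and uses 0x-prefixed immediates rather than IDA's `h` suffix; the real plugin works on the IDB through IDAPython and handles more instruction forms than this.

```python
# Added example, not part of flare-ida: recover stack-constructed strings from
# normalized disassembly text. Assumptions: stores are "mov <size> ptr [base+/-disp], imm"
# with 0x-prefixed numbers; only ebp/esp/rbp/rsp-relative stores are considered.
import re
from collections import defaultdict

MOV_IMM_RE = re.compile(
    r"mov\s+(?P<size>byte|word|dword|qword)\s+ptr\s+"
    r"\[(?P<base>[er]?[sb]p)(?P<disp>[+-]0x[0-9a-fA-F]+)?\]\s*,\s*"
    r"(?P<imm>0x[0-9a-fA-F]+|\d+)"
)
SIZE_BYTES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}


def collect_stack_writes(lines):
    """Return {base_register: {stack_offset: byte}} from immediate stores."""
    writes = defaultdict(dict)
    for line in lines:
        m = MOV_IMM_RE.search(line)
        if not m:
            continue
        size = SIZE_BYTES[m.group("size")]
        disp = int(m.group("disp"), 0) if m.group("disp") else 0
        imm = int(m.group("imm"), 0) & ((1 << (8 * size)) - 1)
        # x86 is little-endian: the low byte of the immediate lands at the lowest offset.
        for i, b in enumerate(imm.to_bytes(size, "little")):
            writes[m.group("base")][disp + i] = b
    return writes


def printable_runs(byte_map, min_len=4):
    """Return [(start_offset, text)] for contiguous runs of printable ASCII of at
    least min_len bytes; a NUL, a non-printable byte or an offset gap ends a run."""
    runs, run, start, prev = [], bytearray(), None, None
    for off in sorted(byte_map):
        b = byte_map[off]
        printable = 0x20 <= b < 0x7F
        if (prev is not None and off != prev + 1) or not printable:
            if len(run) >= min_len:
                runs.append((start, run.decode("ascii")))
            run = bytearray()
        if printable:
            if not run:
                start = off
            run.append(b)
        prev = off
    if len(run) >= min_len:
        runs.append((start, run.decode("ascii")))
    return runs


def recover_stackstrings(lines, min_len=4):
    """Return sorted [(base_register, start_offset, string)] for one function's listing."""
    found = []
    for base, offsets in collect_stack_writes(lines).items():
        for start, text in printable_runs(offsets, min_len):
            found.append((base, start, text))
    return sorted(found)


# Constructed listing: "kernel32.dll" written as three dwords plus a NUL byte,
# "cmd.exe" written byte by byte, and an unrelated integer local as a decoy.
SAMPLE_DISASM = """
.text:00401000  push    ebp
.text:00401001  mov     ebp, esp
.text:00401003  sub     esp, 0x40
.text:00401006  mov     dword ptr [ebp-0x20], 0x1            ; integer local, not text
.text:0040100D  mov     dword ptr [ebp-0x10], 0x6E72656B     ; "kern"
.text:00401014  mov     dword ptr [ebp-0x0C], 0x32336C65     ; "el32"
.text:0040101B  mov     dword ptr [ebp-0x08], 0x6C6C642E     ; ".dll"
.text:00401022  mov     byte ptr [ebp-0x04], 0x0
.text:00401026  mov     byte ptr [esp+0x20], 0x63            ; 'c'
.text:0040102B  mov     byte ptr [esp+0x21], 0x6D
.text:00401030  mov     byte ptr [esp+0x22], 0x64
.text:00401035  mov     byte ptr [esp+0x23], 0x2E
.text:0040103A  mov     byte ptr [esp+0x24], 0x65
.text:0040103F  mov     byte ptr [esp+0x25], 0x78
.text:00401044  mov     byte ptr [esp+0x26], 0x65
.text:00401049  mov     byte ptr [esp+0x27], 0x0
.text:0040104E  lea     eax, [ebp-0x10]
.text:00401051  push    eax
.text:00401052  call    ds:LoadLibraryA
""".strip().splitlines()

if __name__ == "__main__":
    for base, off, text in recover_stackstrings(SAMPLE_DISASM):
        print(f"[{base}{off:+#x}] {text!r}")
```

The minimum length and the "printable ASCII only" rule are the usual trade-off: they suppress integer locals that happen to look like text, at the cost of missing very short strings and wide (UTF-16) strings, which need a separate pass that treats alternating NUL bytes as part of the string.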

MSDN Annotations

This script for IDA Pro adds MSDN information from an XML file to the database. Information about this plugin can be found at: https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html

The following functionality is included:

  • Backup the original database
  • Retrieve all imported functions
  • Import function descriptions
  • Import argument descriptions
  • Create custom enumerations for identified constants including descriptions
  • Rename constants to their readable values

MSDN Annotations Usage

TL;DR: In IDA run annotate_IDB_MSDN.py.

All files (IDAPython scripts, XML parser, MSDN information XML file, etc.) must be in a single directory that IDA Pro can access. In IDA use File - Script file... (ALT + F7) to open annotate_IDB_MSDN.py. The form allows you to change the settings and annotates the IDB file after you click OK.

After executing the script once, View - Recent scripts (ALT + F9) can be used as well.

ApplyCalleeType

This plugin allows you to specify or choose a function type for indirect calls as described here: https://www.fireeye.com/blog/threat-research/2015/04/flare_ida_pro_script.html

idb2pat

This script allows you to easily generate function patterns from an existing IDB database that can then be turned into FLIRT signatures to help identify similar functions in new files. More information is available at: https://www.fireeye.com/blog/threat-research/2015/01/flare_ida_pro_script.html

argtracker

This utility can help you identify static arguments to functions used within a program. This is most commonly used to extract arguments to string decoder functions. Example usage is available in

  • examples/argtracker_example1.py
  • examples/argtracker_example2.py

A blog post with further information is available at:

https://www.fireeye.com/blog/threat-research/2015/11/flare_ida_pro_script.html

objc2_analyzer

This script creates cross-references between selector references and their implementations as defined in the Objective-C runtime related sections of the target Mach-O executable. It also patches selector reference pointers to instead point to their implementation function. This makes analysis of Objective-C code easier by enabling smooth transitions between an implementation and the locations where its selector is referenced throughout the code. Helpful Objective-C code comments are added to each call to objc_msgSend variants to clearly indicate which method is being called on which class.

ironstrings

ironstrings.py is an IDAPython script that uses code emulation to recover constructed strings (stackstrings) from malware. Please see the details in the script's README.

Code Grafter

code_grafter.py is an IDAPython script that grafts code into an IDA database to implement various imported functions, increasing the likelihood that an unpacker or decoder can be executed entirely under Bochs (or any other emulation tool that does not implement special handling for these functions). This prevents faults when emulated execution reaches functions such as VirtualAlloc or lstrlenA.