
IDA Pro plugins (2025)

Summary

Coming into the new year I did a personal review of plugins and frameworks that I currently use. There are also some that I am in the process of experimenting with as I may be able to apply them to work I’m doing. This year will be one of plugin development for me and I’ll be creating some new ones and updating/contributing to existing ones.

The following is a list of the ones I have found useful and have confirmed work on IDA Pro 8.4.

Plugins

Name: Flare CAPA Explorer
Link: https://github.com/mandiant/capa
Description: Detects capabilities in executable files.
Install notes: Reference the well-documented install instructions at:
https://github.com/mandiant/capa/blob/master/doc/installation.md

Name: Diaphora
Link: https://github.com/joxeankoret/diaphora
Description: An advanced program diffing tool integrated into IDA Pro. It can compare two IDB databases
and display the differences.

Name: HexRaysPyTools
Link: https://github.com/igogo-x86/HexRaysPyTools
Description: Assists in the creation of classes/structures and the detection of virtual tables.

Name: ClassInformer
Link: https://github.com/herosi/classinformer
Description: Parses disassembly to reconstruct classes from RTTI.

Name: idaclu
Link: https://github.com/harlamism/IdaClu
Description: Helps you find similarities in functions and group them in bulk.

Name: auto_dword.py
Link: https://gist.github.com/herrcore/4595a884345a60d3e9c1b6a8f17f93d9
Description: Allows you to highlight raw data, right click and select "Auto-DWORD" to transform
it into a list of DWORDs.

Name: HashDB
Link: https://github.com/OALabs/hashdb-ida
Description: Can be used to look up strings that have been hashed in malware (typically to resolve
function hashing).

Name: FindYara
Link: https://github.com/OALabs/findyara-ida
Description: Allows you to scan your binary with YARA rules.

Name: HexCopy
Link: https://github.com/OALabs/hexcopy-ida
Description: Allows you to quickly copy disassembly as encoded hex bytes.

Name: Lucid
Link: https://github.com/gaasedelen/lucid
Description: Lucid is a developer-oriented IDA Pro plugin for exploring the Hex-Rays microcode. It
was designed to provide a seamless, interactive experience for studying microcode
transformations in the decompiler pipeline.

Name: D810
Link: https://gitlab.com/eshard/d810
Description: D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation
time by modifying IDA Pro microcode.

Name: Highlight target instructions
Link: AGDCservices_highlight_target_instructions_plugin.py
Description: These were two scripts that were originally written for Ghidra by somebody else and I converted
them into IDA Pro equivalent ones. They will highlight (or unhighlight) call statements as
well as many other things related to encryption and math operations.

Name: Gepetto
Link: https://github.com/JusticeRage/Gepetto
Description: A Python plugin which uses various large language models to provide meaning to functions
decompiled by IDA Pro (≥ 7.4). It can leverage them to explain what a function does, and to
automatically rename its variables.
Install notes:
  • This may be the best working plugin to integrate IDA Pro with ChatGPT (so far)
  • Models and costs can be seen below:
  • Install all requirements in requirements.txt
    • You may need to use the --user switch when installing them
  • In the config we need to make the following changes:
    [Gepetto]
    MODEL = gpt-4o-mini
    [OpenAI]
    # Set your API key here, or put it in the OPENAI_API_KEY
    # environment variable.
    API_KEY = YOUR_API_KEY
  • NOTE: It may be better to update the code to read it from the env variable OPENAI_API_KEY
    instead.
  • Code updates:
    • The usage of the OpenAI API has changed a bit since this plugin was created and I made
      the following changes to get it to work properly.
    • In openai.py:
      # Set the API key directly now.
      openai.api_key = api_key
      #self.client = openai.OpenAI(
      #    api_key=api_key,
      #    base_url=base_url,
      #    http_client=_httpx.Client(
      #        proxies=proxy,
      #    ) if proxy else None
      #)
    • In openai.py:
      # from
      response = self.client.chat.completions.create(
          model=self.model,
          messages=conversation,
          **additional_model_options)

      # to
      response = openai.ChatCompletion.create(
          model=self.model,
          messages=conversation,
          **additional_model_options)
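The NOTE above (read the key from OPENAI_API_KEY rather than leaving it in the config file) as an added example; this is not Gepetto's own code, and the config text, the placeholder check and the function names are my assumptions:

```python
# Added example (not Gepetto's code): load the [Gepetto]/[OpenAI] settings shown
# above, but prefer the OPENAI_API_KEY environment variable so the secret never
# has to be written into the plugin's config file.
import configparser
import os
from typing import Mapping, Optional

# Values that mean "no real key was configured" (the placeholder from the post, or empty).
PLACEHOLDER_KEYS = {"", "YOUR_API_KEY"}

# Constructed sample matching the config fragment in the post.
SAMPLE_CONFIG = """
[Gepetto]
MODEL = gpt-4o-mini

[OpenAI]
# Set your API key here, or put it in the OPENAI_API_KEY
# environment variable.
API_KEY = YOUR_API_KEY
"""


def load_gepetto_settings(config_text: str, environ: Mapping[str, str] = os.environ) -> dict:
    """Return {'model': ..., 'api_key': ...}; api_key is None when no usable key exists."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    model = cp.get("Gepetto", "MODEL", fallback="gpt-4o-mini")
    # Environment variable wins; the config file value is only a fallback.
    key = environ.get("OPENAI_API_KEY", "").strip()
    if not key:
        key = cp.get("OpenAI", "API_KEY", fallback="").strip()
    if key in PLACEHOLDER_KEYS:
        key = None
    return {"model": model, "api_key": key}


def redact(key: Optional[str]) -> str:
    """Show only the last four characters, for logging to IDA's output window."""
    if not key:
        return "<unset>"
    return "..." + key[-4:]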


Tools and frameworks

Name: Sark Framework
Link: https://github.com/tmr232/Sark
https://sark.readthedocs.io/en/latest/Installation.html
Description: IDA Plugins & IDAPython Scripting Library.

Name: Flare-Emu
Link: https://github.com/mandiant/flare-emu
Description: An emulation framework that provides an easy-to-use and flexible interface for scripting emulation
tasks.
Install notes: python -m pip install rzpipe flare-emu unicorn

Name: Flare-FLOSS
Link: https://github.com/mandiant/flare-floss
Description: This is an Obfuscated String Solver that uses advanced static analysis techniques to
automatically extract and deobfuscate all strings from malware binaries.
Install notes:
  • Download the source and the release binary, and put the binary into the source directory
  • Put it directly into the IDA Pro (or a tools) directory
  • To parse the resulting JSON file from FLOSS you can install the jq tool:
    type .\stealc.json | jq -r '.strings.decoded_strings | map(.string) | unique'
    type .\stealc.json | jq -r '.strings.stack_strings | map(.string) | unique'
    type .\stealc.json | jq -r '.strings.static_strings | map(.string) | unique'
    type .\stealc.json | jq -r '.strings.tight_strings | map(.string) | unique'
  • There are also scripts to import the results back into IDA Pro
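The jq one-liners above, as an added Python example (not FLOSS's or the post's code) that reads a FLOSS JSON report and returns the unique strings per category; it also lists the strings only recovered at runtime, which a plain static scan would miss. The sample report is constructed here and only the `.strings.<category>[].string` layout confirmed by the jq commands is relied on:

```python
# Added example (not FLOSS's code): parse a FLOSS JSON report the way the jq
# one-liners do, tolerating categories FLOSS was told to skip.
import json
from typing import Dict, List

CATEGORIES = ("static_strings", "stack_strings", "tight_strings", "decoded_strings")

# Constructed sample in the shape of a FLOSS JSON report (only "string" is used;
# the other fields are illustrative). "tight_strings" is deliberately absent.
SAMPLE_REPORT = json.dumps({
    "strings": {
        "static_strings": [
            {"string": "kernel32.dll", "offset": 4096, "encoding": "ASCII"},
            {"string": "kernel32.dll", "offset": 8192, "encoding": "ASCII"},
        ],
        "stack_strings": [
            {"string": "GetProcAddress", "function": 4198400, "encoding": "ASCII"},
        ],
        "decoded_strings": [
            {"string": "http://example.invalid/update", "address": 4206592},
            {"string": "GetProcAddress", "address": 4206640},
        ],
    }
})


def unique_strings(report_text: str, category: str) -> List[str]:
    """Equivalent of `jq -r '.strings.<category> | map(.string) | unique'`."""
    report = json.loads(report_text)
    # A category is missing (or null) when FLOSS was run with it disabled.
    entries = report.get("strings", {}).get(category) or []
    return sorted({e["string"] for e in entries if isinstance(e.get("string"), str)})


def all_unique_strings(report_text: str) -> Dict[str, List[str]]:
    """Unique strings for every category, in one dictionary."""
    return {cat: unique_strings(report_text, cat) for cat in CATEGORIES}


def runtime_only_strings(report_text: str) -> List[str]:
    """Stack, tight and decoded strings that do not also appear as static strings."""
    static = set(unique_strings(report_text, "static_strings"))
    runtime = set()
    for cat in ("stack_strings", "tight_strings", "decoded_strings"):
        runtime.update(unique_strings(report_text, cat))
    return sorted(runtime - static)
```

Running it against a real report is `unique_strings(open("stealc.json").read(), "decoded_strings")`; `runtime_only_strings` is the list most worth importing back into IDA as comments.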
Name: Angr Framework
Link: https://github.com/angr/angr
https://github.com/andreafioraldi/IDAngr
https://github.com/andreafioraldi/angrdbg
https://github.com/degrigis/awesome-angr
Description: A platform-agnostic binary analysis framework.
Install notes: python -m pip install angr angrdbg angr-management capstone-windows

Name: QScripts
Link: https://github.com/allthingsida/qscripts
Description: Allows you to develop and run any supported scripting language (*.py, *.idc, etc.) from the comfort
of your own favorite text editor; the script is re-run as soon as you save the active script, the trigger file or any of its
dependencies.

This post is licensed under CC BY 4.0 by the author.