{"id":27063481,"url":"https://github.com/fireeye/flare-ida","last_synced_at":"2025-04-05T16:01:45.234Z","repository":{"id":19206683,"uuid":"22440346","full_name":"mandiant/flare-ida","owner":"mandiant","description":"IDA Pro utilities from FLARE team","archived":false,"fork":false,"pushed_at":"2024-10-29T14:38:07.000Z","size":91132,"stargazers_count":2228,"open_issues_count":25,"forks_count":467,"subscribers_count":155,"default_branch":"master","last_synced_at":"2024-10-29T15:08:06.614Z","etag":null,"topics":["fireeye-flare","ida","ida-plugin","ida-pro","idapython","reverse-engineering"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mandiant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-07-30T18:42:23.000Z","updated_at":"2024-10-29T14:38:52.000Z","dependencies_parsed_at":"2022-07-10T07:46:08.366Z","dependency_job_id":"abe39448-872b-475c-b249-328b1b12aa53","html_url":"https://github.com/mandiant/flare-ida","commit_stats":{"total_commits":148,"total_committers":45,"mean_commits":"3.2888888888888888","dds":0.6486486486486487,"last_synced_commit":"f65fae6db0a5951a285fc76689acf64f35c3c878"},"previous_names":["fireeye/flare-ida"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-ida","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-ida/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-ida/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-ida/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant","download_url":"https://codeload.github.com/mandiant/flare-ida/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247361594,"owners_count":20926641,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fireeye-flare","ida","ida-plugin","ida-pro","idapython","reverse-engineering"],"created_at":"2025-04-05T16:01:22.034Z","updated_at":"2025-04-05T16:01:45.218Z","avatar_url":"https://github.com/mandiant.png","language":"Python","readme":"# FLARE Team Reversing Repository #\nThis repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.\n\n## plugins ##\n\nTo install, copy the contents of the plugins directory in this repository to your %PROGRAMFILES%\\IDA\\plugins folder.\n\n## python ##\nThe python directory here can be copied to your %PROGRAMFILES%\\IDA\\python folder, or you can modify your PYTHONPATH environment variable to include the directory.\n\n## Provided Plugins ##\n\n### Shellcode Hashes ###\nThe shellcode_hashes_search_plugin.py IDA plugin implements the hash searching described here: https://www.mandiant.com/blog/precalculated-string-hashes-reverse-engineering-shellcode/.\n\nThe shellcode_hashes directory contains the script used to create the database for the shellcode_hash_search.py script, along with a provided database.\n\n### Struct Typer ###\nThe struct_typer_plugin.py plugin implements the struct typing described here: https://www.mandiant.com/blog/applying-function-types-structure-fields-ida/\n\n\n### StackStrings ###\nThe stackstrings_plugin.py plugin implements the recovery of manually constructed strings described here: http://www.fireeye.com/blog/threat-research/2014/08/flare-ida-pro-script-series-automatic-recovery-of-constructed-strings-in-malware.html\n\n### MSDN Annotations ###\nThis script for IDA Pro adds MSDN information from an XML file to the database. Information about this plugin can be found at: https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html\n\nThe following functionality is included:\n\n  - Backup the original database\n  - Retrieve all imported functions\n  - Import function descriptions\n  - Import argument descriptions\n  - Create custom enumerations for identified constants including descriptions\n  - Rename constants to their readable values\n\n#### MSDN Annotations Usage ####\n\nTL;DR: In IDA run *annotate_IDB_MSDN.py*.\n\nAll files (IDAPython scripts, XML parser, MSDN information XML file, etc.)\nshould be located in the same directory accessible by IDA Pro.\nIn IDA use *File - Script file...* (ALT + F7) to open **annotate_IDB_MSDN.py**.\nThe form will allow you to change the settings and annotate the IDB file after\nyou click OK.\n\nAfter executing the script once, *View - Recent scripts* (ALT + F9) can be used\nas well.\n\n### ApplyCalleeType ###\nThis plugin allows you to specify or choose a function type for indirect calls as described here: https://www.fireeye.com/blog/threat-research/2015/04/flare_ida_pro_script.html\n\n\n### idb2pat ###\nThis script allows you to easily generate function patterns from an existing IDB database that can then be turned into FLIRT signatures to help identify similar functions in new files. More information is available at:\nhttps://www.fireeye.com/blog/threat-research/2015/01/flare_ida_pro_script.html\n\n\n### argtracker ###\nThis utility can help you identify static arguments to functions used within a program. This is most commonly used to extract arguments to string decoder functions. Example usage is available in\n\n* examples/argtracker_example1.py\n* examples/argtracker_example2.py\n\nA blog post with further information is available at:\n\nhttps://www.fireeye.com/blog/threat-research/2015/11/flare_ida_pro_script.html\n\n### objc2_analyzer ###\nThis script creates cross-references between selector references and their implementations as defined in the Objective-C runtime related sections of the target Mach-O executable. It also patches selector reference pointers to instead point to their implementation function. This makes analysis of Objective-C code easier by enabling smooth transitions between an implementation and the locations where its selector is referenced throughout the code. Helpful Objective-C code comments are added to each call to objc_msgSend variants to clearly indicate which method is being called on which class.\n\n\n### ironstrings ###\n`ironstrings.py` is an IDAPython script that uses code emulation to recover constructed strings (stackstrings) from malware. Please see the details in the script's [README](https://github.com/fireeye/flare-ida/blob/master/python/flare/ironstrings/README.md).\n\n### Code Grafter ###\n`code_grafter.py` is an IDAPython script that grafts code into an IDA database to implement various imported functions and increase the likelihood of being able to execute an unpacker or decoder entirely under Bochs (or any other emulation tool that does not implement special handling for these functions). This prevents faults when emulated execution reaches functions such as `VirtualAlloc` or `lstrlenA`.\n","funding_links":[],"categories":["\u003ca id=\"f11ab1ff46aa300cc3e86528b8a98ad7\"\u003e\u003c/a\u003ePlugins \u0026\u0026 Scripts","\u003ca id=\"c39a6d8598dde6abfeef43faf931beb5\"\u003e\u003c/a\u003eUncategorized","Python","Python (1887)"],"sub_categories":["\u003ca id=\"c39a6d8598dde6abfeef43faf931beb5\"\u003e\u003c/a\u003eUncategorized"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffireeye%2Fflare-ida","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffireeye%2Fflare-ida","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffireeye%2Fflare-ida/lists"}
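The Shellcode Hashes entry in the README above describes searching a binary for precalculated API-name hashes. The following is an added example, not code from flare-ida, showing the technique end to end outside IDA: build a small hash database for one algorithm, then slide a dword window over a blob of code looking for known values. It assumes the classic ROR-13 additive hash (one of many algorithms a real database must cover) and uses a constructed sample blob with two `push imm32` instructions carrying API hashes; the export names and the blob are made up for the example.

```python
import struct

# Added example, not flare-ida code. Demonstrates the idea behind the
# Shellcode Hashes plugin: precompute the hash of every export name an API
# resolver might look up, then find those 32-bit constants in code.
#
# Assumption: the hash is the classic ROR-13 additive hash. The plugin's
# real database covers many hash functions and many DLLs; this uses one
# algorithm and a handful of names.


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_add(name):
    """ROR-13 additive hash of an ASCII export name given as bytes.
    This variant does not fold in the terminating NUL; some resolvers do,
    which is why real databases store several variants per algorithm."""
    h = 0
    for b in name:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_database(names, hasher=ror13_add):
    """Map hash value -> export name. A collision inside the database makes
    any hit ambiguous, so report it rather than silently overwrite."""
    db = {}
    for n in names:
        h = hasher(n.encode("ascii"))
        if h in db and db[h] != n:
            raise ValueError(f"hash collision: {db[h]!r} and {n!r} -> {h:#010x}")
        db[h] = n
    return db


def search_blob(blob, db):
    """Return [(offset, dword, name)] for every little-endian dword in
    `blob` that is present in `db`. Immediates in shellcode are not
    aligned, so the window advances one byte at a time."""
    hits = []
    for off in range(len(blob) - 3):
        (dword,) = struct.unpack_from("<I", blob, off)
        name = db.get(dword)
        if name is not None:
            hits.append((off, dword, name))
    return hits


API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "ExitProcess", "WinExec"]

# Constructed sample, not real malware: filler bytes, then two
# `push imm32` (0x68) instructions whose immediates are API hashes.
SAMPLE_SHELLCODE = (
    b"\xfc\xe8\x82\x00\x00\x00"                                  # filler
    + b"\x68" + struct.pack("<I", ror13_add(b"LoadLibraryA"))    # push hash
    + b"\x90\x90"                                                # nop; nop
    + b"\x68" + struct.pack("<I", ror13_add(b"WinExec"))         # push hash
    + b"\xc3"                                                    # ret
)


def resolve_sample():
    """Return [(offset, name)] for the hashes found in the sample blob."""
    db = build_database(API_NAMES)
    return [(off, name) for off, _, name in search_blob(SAMPLE_SHELLCODE, db)]


if __name__ == "__main__":
    for off, dword, name in search_blob(SAMPLE_SHELLCODE, build_database(API_NAMES)):
        print(f"offset {off:#06x}: {dword:#010x} -> {name}")
```

With a database of only a few names a false hit is unlikely, but a production database holding tens of thousands of exports across several hash algorithms will produce coincidental matches on ordinary immediates, which is why the IDA plugin leaves the decision to the analyst rather than renaming automatically.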