mandiant / VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.
Apache License 2.0

add IDA plugins listed at vmallet #719

Closed williballenthin closed 6 months ago

williballenthin commented 1 year ago


There's a nice list of actively maintained IDA plugins here: https://vmallet.github.io/ida-plugins/

We should use this list as inspiration for IDA plugins to add to FLARE-VM.

Ana06 commented 8 months ago

@mandiant/flare-vm which of these plugins would you like to have in FLARE-VM?

I propose we start adding the following ones from the list provided above:

I would suggest also adding https://github.com/nihilus/idastealth

https://github.com/airbus-cert/ttddbg seems to have issues with IDA 8, so I would leave it by now.

I think we could consider adding some parts of https://github.com/williballenthin/idawilli and https://github.com/Ana06/idapython but this requires some discussions and I think we should not address this as part of this PR.

binjo commented 8 months ago

I'd love to have these two:

williballenthin commented 8 months ago

and I'd like to see:

emtuls commented 8 months ago

I second these ones at the very least (the others look good as well!):

Ana06 commented 6 months ago

Should we split this PR and create an IDA plugin label? I have the feeling it is starting to get difficult to track and prioritize as a single issue. That would allow us to upvote issues and discuss which ones we should add to the default config.

Ana06 commented 6 months ago

Even better: https://github.com/mandiant/VM-Packages/issues/996

Ana06 commented 6 months ago

We have recently added IDA plugins helper functions to simplify IDA plugins installation, support for IDA plugins to the create_package_template.py script, an IDA plugin issue template, and automation for IDA plugins in https://github.com/mandiant/VM-Packages/pull/1013, https://github.com/mandiant/VM-Packages/pull/1020 and https://github.com/mandiant/VM-Packages/pull/1024. These improvements allow us to now split this issue into an issue using the IDA plugin template for each of the plugins proposed here for better tracking purposes (ensuring we have collected all the information, upvoting of existing issues, focused discussions, etc.). The new issue template supports the send PR automation to create new packages for IDA plugins distributed in a standard way: as a single file or ZIP containing a plugin (and supporting files/directories) that need to be copied to the IDA plugins directory.

Note that in addition to the capa explorer IDA plugin (which was introduced a long time ago, before this issue was created), we have added the following IDA plugins in the last weeks (either as part of one of the previously mentioned PRs or using the introduced automation):

Note also that https://github.com/gaasedelen/tenet doesn't work with Python 3.10: https://github.com/gaasedelen/tenet/issues/15#issuecomment-2084743150 which means we can't add it until the bug is fixed.

So closing this issue. @williballenthin @binjo @emtuls @d35ha please open new issues for any IDA plugin that hasn't been added already and you would like to have in FLARE-VM using the new IDA plugin issue template.
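The comment above describes the standard IDA plugin distribution format the automation targets: a single plugin file, or a ZIP holding the plugin plus supporting files and directories, that gets copied into the IDA plugins directory. The following is an added example, written for this page and not the VM-Packages project's own helper code, of installing such a plugin while refusing archive entries that would land outside the plugins directory (path traversal via `../` or absolute names in the ZIP). The plugin file extensions, the `demo()` sample inputs and all file names are constructed assumptions.

```python
"""
Added example (not VM-Packages project code): install an IDA plugin distributed
as a single file or as a ZIP archive into an IDA plugins directory, rejecting
archive entries that would escape that directory.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Assumption: common IDA plugin file types; the real set is whatever IDA loads.
PLUGIN_EXTENSIONS = {".py", ".dll", ".so", ".dylib"}


def _safe_target(plugins_dir: Path, member_name: str) -> Path:
    """Resolve an archive entry under plugins_dir.

    Raises ValueError if the entry would resolve outside plugins_dir, which
    covers '../' traversal and absolute entry names (the "zip-slip" pattern).
    """
    root = plugins_dir.resolve()
    target = (root / member_name).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"archive entry escapes plugins directory: {member_name!r}")
    return target


def install_plugin(source: Path, plugins_dir: Path) -> List[str]:
    """Copy a single-file plugin, or extract a ZIP, into plugins_dir.

    Returns the installed paths relative to plugins_dir (POSIX separators).
    Every ZIP entry is validated before anything is written, so a bad archive
    leaves no partial install behind.
    """
    plugins_dir.mkdir(parents=True, exist_ok=True)
    installed: List[str] = []

    if zipfile.is_zipfile(source):
        with zipfile.ZipFile(source) as zf:
            members = [(info, _safe_target(plugins_dir, info.filename)) for info in zf.infolist()]
            for info, target in members:
                if info.is_dir():
                    target.mkdir(parents=True, exist_ok=True)
                    continue
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
                installed.append(target.relative_to(plugins_dir.resolve()).as_posix())
    elif source.suffix.lower() in PLUGIN_EXTENSIONS:
        shutil.copy2(source, plugins_dir / source.name)
        installed.append(source.name)
    else:
        raise ValueError(f"not a recognised plugin file or ZIP: {source.name}")
    return installed


def demo() -> Dict[str, object]:
    """Run the installer on constructed sample inputs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        plugins_dir = work / "plugins"

        # Constructed single-file plugin.
        single = work / "hello_plugin.py"
        single.write_text("# constructed sample plugin\n")

        # Constructed ZIP: plugin entry point plus a supporting directory.
        good_zip = work / "good.zip"
        with zipfile.ZipFile(good_zip, "w") as zf:
            zf.writestr("myplugin.py", "# constructed\n")
            zf.writestr("myplugin/helpers.py", "# constructed\n")

        # Constructed ZIP whose entry tries to escape the plugins directory.
        bad_zip = work / "bad.zip"
        with zipfile.ZipFile(bad_zip, "w") as zf:
            zf.writestr("../escape.py", "# constructed\n")

        result: Dict[str, object] = {
            "single": install_plugin(single, plugins_dir),
            "zip": install_plugin(good_zip, plugins_dir),
        }
        try:
            install_plugin(bad_zip, plugins_dir)
            result["traversal_rejected"] = False
        except ValueError:
            result["traversal_rejected"] = True
        result["escaped_file_exists"] = (work / "escape.py").exists()
        return result


if __name__ == "__main__":
    print(demo())
```

The two-pass handling in `install_plugin` (validate every entry, then write) matters for packaging automation: an archive that mixes legitimate entries with one traversal entry should be rejected as a whole rather than half-installed.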