This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.
To install, copy the contents of the plugins directory in this repository to your %PROGRAMFILES%\IDA\plugins folder.
The python directory here can be copied to your %PROGRAMFILES%\IDA\python folder, or you can modify your PYTHONPATH environment variable to include the directory.
The shellcode_hashes_search_plugin.py IDA plugin implements the hash searching described here: https://www.mandiant.com/blog/precalculated-string-hashes-reverse-engineering-shellcode/.
The shellcode_hashes directory contains the script used to create the database for the shellcode_hash_search.py script, along with a provided database.
The struct_typer_plugin.py plugin implements the struct typing described here: https://www.mandiant.com/blog/applying-function-types-structure-fields-ida/
The stackstrings_plugin.py implements the recovery of manually constructed strings described here: http://www.fireeye.com/blog/technical/malware-research/2014/08/flare-ida-pro-script-series-automatic-recovery-of-constructed-strings-in-malware.html