add IDA plugins listed at vmallet

[williballenthin]

Details

There's a nice list of actively maintained IDA plugins here: https://vmallet.github.io/ida-plugins/

We should use this list as inspiration for IDA plugins to add to FLARE-VM.

[williballenthin]

• https://github.com/gaasedelen/lighthouse
• https://github.com/A200K/IDA-Pro-SigMaker
• https://github.com/airbus-cert/comida
• https://github.com/airbus-cert/ttddbg
• https://github.com/hasherezade/ida_ifl
• https://github.com/williballenthin/idawilli plugins and scripts
• https://github.com/alexander-hanel/FunctionTrapperKeeper
• https://github.com/Jinmo/ifred
• https://github.com/danigargu/deREferencing
• https://gitlab.com/eshard/d810

[Ana06]

@mandiant/flare-vm which of this plugins would you like to have in FLARE-VM?

I propose we start adding the following ones from the list provided above:

• https://github.com/gaasedelen/lighthouse
• https://github.com/A200K/IDA-Pro-SigMaker
• https://github.com/airbus-cert/comida
• https://github.com/hasherezade/ida_ifl
• https://gitlab.com/eshard/d810

I would suggest also adding https://github.com/nihilus/idastealth

https://github.com/airbus-cert/ttddbg seems to have issues with IDA 8, so I would leave it by now.

I think we could consider adding some parts of https://github.com/williballenthin/idawilli and https://github.com/Ana06/idapython but this requires some discussions and I think we should not address this as part of this PR.

[binjo]

I'd love to have these two:

• https://github.com/oopsmishap/HexRaysPyTools
• https://github.com/gaasedelen/tenet

[williballenthin]

and I'd like to see:

• https://github.com/danigargu/deREferencing

[emtuls]

I second these ones at the very least (the others look good as well!):

• https://github.com/danigargu/deREferencing
• https://github.com/gaasedelen/tenet
• https://github.com/gaasedelen/lighthouse
• https://github.com/hasherezade/ida_ifl
• https://github.com/airbus-cert/comida

[Ana06]

Should we split this PR and create an IDA plugin label? I have the feeling it is starting getting difficult to track and prioritize as a single issue. That would allow us to up vote issues and discuss which ones we should add to the default config.

[Ana06]

Even better: #996

[Ana06]

We have recently added IDA plugins helper functions to simplify IDA plugins installation, support for IDA plugins to the create_package_template.py script, an IDA plugin issue template, and automation for IDA plugins in #1013, #1020 and #1024. These improvements allow us to now split this issue into an issue using the IDA plugin template for every of the plugins proposed here for better tracking purposes (ensuring we have collected all the information, upvoting of existent issues, focused discussions, etc.).The new issue template supports the send PR automation to create new packages for IDA plugin distributed in a standard way: as a single file or ZIP containing a plugin (and supporting files/directories) that need to be copied to the IDA plugins directory.

Note that in addition to the capa explorer IDA plugin (which was introduced a long time ago before this issue was created), we have added the following IDA plugins in the last weeks (either as part of one of the previously mentioned PR or using the introduced automation):

• https://github.com/A200K/IDA-Pro-SigMaker
• https://github.com/danigargu/deREferencing
• https://github.com/gaasedelen/lighthouse
• https://github.com/hasherezade/ida_ifl
• https://github.com/airbus-cert/comida

Note also that https://github.com/gaasedelen/tenet doesn't work with Python 3.10: gaasedelen/tenet#15 (comment) which means we can't add it until the bug is fixed.

So closing this issue. @williballenthin @binjo @emtuls @d35ha please open new issues for any IDA plugin that hasn't been added already and you would like to have in FLARE-VM using the new IDA plugin issue template.