From 7495d86362e3811abcc418947210874d88b297f2 Mon Sep 17 00:00:00 2001
From: Ana Maria Martinez Gomez
Date: Mon, 13 May 2024 08:05:39 +0200
Subject: [PATCH] Add ida.plugin.flare.vm

Install IDA Pro plugins from https://github.com/mandiant/flare-ida by coping:
- `shellcode_hashes_search_plugin.py` and `apply_callee_type_plugin.py` to the IDA plugins directory
- the `flare` Python module inside the IDA plugins directory for Python to find it when running the plugins.
- `sc_hashes.db` to a location where `shellcode_hashes_search_plugin.py` can find it: https://github.com/mandiant/flare-ida/blob/011cb3310d82a1c00104a4830289ea2fed5165f5/python/flare/shellcode_hash_search.py#L428
---
 .../ida.plugin.flare.vm.nuspec | 12 ++++++
 .../tools/chocolateyinstall.ps1 | 42 +++++++++++++++++++
 .../tools/chocolateyuninstall.ps1 | 12 ++++++
 3 files changed, 66 insertions(+)
 create mode 100644 packages/ida.plugin.flare.vm/ida.plugin.flare.vm.nuspec
 create mode 100644 packages/ida.plugin.flare.vm/tools/chocolateyinstall.ps1
 create mode 100644 packages/ida.plugin.flare.vm/tools/chocolateyuninstall.ps1
diff --git a/packages/ida.plugin.flare.vm/ida.plugin.flare.vm.nuspec b/packages/ida.plugin.flare.vm/ida.plugin.flare.vm.nuspec
new file mode 100644
index 000000000..69f1b37b5
--- /dev/null
+++ b/packages/ida.plugin.flare.vm/ida.plugin.flare.vm.nuspec
@@ -0,0 +1,12 @@
+
+
+
+ ida.plugin.flare.vm
+ 0.0.0.20240513
+ Jay Smith
+ IDA Pro plugins used by the FLARE team.
+
+
+
+
+
diff --git a/packages/ida.plugin.flare.vm/tools/chocolateyinstall.ps1 b/packages/ida.plugin.flare.vm/tools/chocolateyinstall.ps1
new file mode 100644
index 000000000..e339742fa
--- /dev/null
+++ b/packages/ida.plugin.flare.vm/tools/chocolateyinstall.ps1
@@ -0,0 +1,42 @@
+$ErrorActionPreference = 'Stop'
+Import-Module vm.common -Force -DisableNameChecking
+
+try {
+ $pluginUrl = 'https://github.com/mandiant/flare-ida/archive/011cb3310d82a1c00104a4830289ea2fed5165f5.zip'
+ $pluginSha256 = 'd74c81d9fb1db2de801a05aeeb289ea98d93604aa11e44b27568382e78225bb2'
+
+ $tempDownloadDir = Join-Path ${Env:chocolateyPackageFolder} "temp_$([guid]::NewGuid())"
+ # Download and unzip
+ $packageArgs = @{
+ packageName = ${Env:ChocolateyPackageName}
+ unzipLocation = $tempDownloadDir
+ url = $pluginUrl
+ checksum = $pluginSha256
+ checksumType = 'sha256'
+ }
+ Install-ChocolateyZipPackage @packageArgs | Out-Null
+ VM-Assert-Path $tempDownloadDir
+
+ # Copy plugins to IDA plugins directory
+ $pluginsDir = VM-Get-IDA-Plugins-Dir
+ $pluginDir = Get-Item "$tempDownloadDir\*\plugins"
+ $pluginNames = @('apply_callee_type_plugin.py',
+ 'shellcode_hashes_search_plugin.py')
+ ForEach ($pluginName in $pluginNames) {
+ $pluginPath = Join-Path $pluginDir $pluginName -Resolve
+ Copy-Item $pluginPath $pluginsDir -Force
+ }
+
+ # Copy flare Python module to the IDA plugins directory
+ $flareDir = Get-Item "$tempDownloadDir\*\python\flare"
+ Copy-Item $flareDir $pluginsDir -Recurse -Force
+
+ # Copy sc_hashes.db to a directory where shellcode_hashes_search_plugin.py can find it:
+ # https://github.com/mandiant/flare-ida/blob/011cb3310d82a1c00104a4830289ea2fed5165f5/python/flare/shellcode_hash_search.py#L428
+ $dbFile = Get-Item "$tempDownloadDir\*\shellcode_hashes\sc_hashes.db"
+ $dbDir = New-Item "$Env:APPDATA\Hex-Rays\IDA Pro\shellcode_hashes" -ItemType "directory" -Force
+ Copy-Item $dbFile $dbDir -Recurse -Force
+} catch {
+ VM-Write-Log-Exception $_
+}
+
diff --git a/packages/ida.plugin.flare.vm/tools/chocolateyuninstall.ps1 b/packages/ida.plugin.flare.vm/tools/chocolateyuninstall.ps1
new file mode 100644
index 000000000..27a6c5a60
--- /dev/null
+++ b/packages/ida.plugin.flare.vm/tools/chocolateyuninstall.ps1
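Review bot: The extracted archive under `$tempDownloadDir` is never removed, so the whole flare-ida checkout remains in the package folder after the three copy steps succeed, and also when the `catch` branch runs. A `finally` block covers both paths: `} finally {` / `  Remove-Item $tempDownloadDir -Recurse -Force -ErrorAction SilentlyContinue` / `}`. The download is pinned to a commit and its SHA-256 is checked by `Install-ChocolateyZipPackage` via `checksum`/`checksumType`, which is what the later wildcard `Get-Item "$tempDownloadDir\*\..."` lookups rely on; a comment above `$pluginUrl` such as `# Pinned commit and its SHA-256: update both together` would keep the two values in step. The `$Env:APPDATA\Hex-Rays\IDA Pro\shellcode_hashes` path is also hard-coded verbatim in chocolateyuninstall.ps1, which is worth noting next to the `New-Item` line so the two files are changed together.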
@@ -0,0 +1,12 @@
+$ErrorActionPreference = 'Continue'
+Import-Module vm.common -Force -DisableNameChecking
+
+$pluginItems = @('apply_callee_type_plugin.py',
+ 'shellcode_hashes_search_plugin.py',
+ 'flare')
+
+ForEach ($name in $pluginItems) {
+ VM-Uninstall-IDA-Plugin -pluginName $name
+}
+
+Remove-Item "$Env:APPDATA\Hex-Rays\IDA Pro\shellcode_hashes" -Force -Recurse
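Review bot: The final `Remove-Item "$Env:APPDATA\Hex-Rays\IDA Pro\shellcode_hashes" -Force -Recurse` errors when the directory is already absent (an install that failed before its `New-Item` step, or a user who deleted it), and with `$ErrorActionPreference = 'Continue'` that prints an error during an otherwise clean uninstall. Guarding it keeps the uninstall quiet: `$dbDir = "$Env:APPDATA\Hex-Rays\IDA Pro\shellcode_hashes"` / `if (Test-Path $dbDir) { Remove-Item $dbDir -Force -Recurse }`. The recursive removal also discards anything else placed in that directory, which deserves a comment such as `# Removes the whole shellcode_hashes dir, including any user-added databases`. The path duplicates the one hard-coded in chocolateyinstall.ps1 and the two must be kept in sync.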