An IDA Pro plugin to help find vulnerabilities in binaries.
Use the IDA Pro Hex-Rays decompiler with OpenAI (ChatGPT) to find possible vulnerabilities in binaries.
Disclaimer: replies from an AI asked to find binary vulnerabilities may be false positives; however, it has worked in many CTFs I have worked on (simple/medium, and some hard).
Inspired by Gepetto: https://github.com/JusticeRage/Gepetto
Drop the Python script into the IDA Pro plugins directory.
Right-click on the decompiled code and select "Find possible vulnerability in function".
BinAIVulHunter is an advanced IDA Pro plugin that leverages multiple AI providers (OpenAI GPT, Google Gemini, and Ollama) to perform intelligent vulnerability analysis, code explanation, and security assessment of decompiled functions.
- Multi-AI Provider Support: Choose between OpenAI GPT, Google Gemini, or Ollama
- Vulnerability Detection: Automated scanning based on CWE (Common Weakness Enumeration) taxonomy
- Code Explanation: AI-powered analysis and explanation of decompiled functions
- Variable Renaming: Intelligent suggestions for better variable and function names
- Batch Processing: Scan all functions in a binary with memory management
- CWE Reference Integration: Built-in CWE lookup and detailed vulnerability categorization
- Headless Mode: Command-line support for automated analysis
- Local AI Support: Privacy-focused analysis with Ollama (no cloud dependencies)
- Installation
- AI Provider Setup
- Configuration
- Usage
- Vulnerability Categories
- Examples
- Troubleshooting
- Contributing
- License
- Download the plugin:
  ```
  # Save BinAIVulHunter.py to your IDA Pro plugins directory
  # Typically: C:\Program Files\IDA Pro X.X\plugins\
  ```
- Install base dependencies:
  ```
  pip install psutil
  ```
- Install AI provider libraries (choose one or more):
  ```
  # For OpenAI
  pip install openai
  # For Google Gemini
  pip install google-generativeai
  # For Ollama (local AI)
  pip install requests
  ```
- Restart IDA Pro to load the plugin
For OpenAI:
- Get API Key:
  - Visit OpenAI API Keys
  - Create a new API key
- Set Environment Variable:
  ```
  # Windows Command Prompt
  set OPENAI_API_KEY=sk-your-openai-key-here
  # PowerShell
  $env:OPENAI_API_KEY="sk-your-openai-key-here"
  # Linux/Mac
  export OPENAI_API_KEY="sk-your-openai-key-here"
  ```
- Restart IDA Pro
For Google Gemini:
- Get API Key:
  - Visit Google AI Studio
  - Create a new API key
- Set Environment Variable:
  ```
  # Windows Command Prompt
  set GEMINI_API_KEY=your-gemini-key-here
  # PowerShell
  $env:GEMINI_API_KEY="your-gemini-key-here"
  # Linux/Mac
  export GEMINI_API_KEY="your-gemini-key-here"
  ```
- Restart IDA Pro
For Ollama (local AI):
- Install Ollama:
  - Visit Ollama.ai and download the installer
  - Or use package managers:
    ```
    # Linux
    curl -fsSL https://ollama.ai/install.sh | sh
    # macOS
    brew install ollama
    ```
- Start Ollama Service:
  ```
  ollama serve
  ```
- Pull AI Models:
  ```
  # For general code analysis
  ollama pull llama2
  # For coding tasks (recommended)
  ollama pull codellama
  # Other specialized models
  ollama pull mistral
  ollama pull deepseek-coder
  ```
- Optional Environment Variables:
  ```
  # Custom Ollama server (if not localhost:11434)
  set OLLAMA_BASE_URL=http://your-server:11434
  # Set default model
  set OLLAMA_MODEL=codellama
  ```
| Variable | Description | Default | Required |
|---|---|---|---|
| OPENAI_API_KEY | OpenAI API key | None | For OpenAI |
| GEMINI_API_KEY | Google Gemini API key | None | For Gemini |
| OLLAMA_BASE_URL | Ollama server URL | http://localhost:11434 | No |
| OLLAMA_MODEL | Default Ollama model | llama2 | No |
| VULCHAT_PROVIDER | AI provider to use | openai | No |
| VULCHAT_MODEL | Specific model name | Provider default | No |
| OPENAI_BASE_URL | Custom OpenAI endpoint | Official API | No |
Set your preferred AI provider:
```
# Use OpenAI (default)
set VULCHAT_PROVIDER=openai
# Use Google Gemini
set VULCHAT_PROVIDER=gemini
# Use Ollama (local)
set VULCHAT_PROVIDER=ollama
```
- Open IDA Pro with your binary file
- Navigate to the decompiler view (F5)
- Access VulChat via:
  - Menu: Edit → VulChat
  - Context menu: Right-click in decompiler view
  - Hotkeys (see below)
Right-click in the decompiler view to access:
- Find Possible Vulnerability - Analyze current function for security issues
- Explain - Get AI explanation of function behavior
- Rename Variables - Get intelligent variable naming suggestions
- Generate Safe Test Inputs - Create test cases for the function
- Scan All - Batch vulnerability scan of entire binary
- CWE Info - Look up CWE vulnerability details
- Control Panel - Switch AI providers and configure settings
Access via Edit → VulChat → Control Panel or Ctrl+Alt+P:
- Switch AI Providers: Change between OpenAI, Gemini, and Ollama
- Model Selection: Choose specific models for each provider
- Status Information: View current configuration and provider availability
- Setup Guide: Get detailed setup instructions
| Hotkey | Action |
|---|---|
| Ctrl+Alt+V | Find Vulnerabilities |
| Ctrl+Alt+G | Explain Function |
| Ctrl+Alt+R | Rename Variables |
| Ctrl+Alt+X | Generate Test Inputs |
| Ctrl+Alt+S | Scan All Functions |
| Ctrl+Alt+W | CWE Reference Lookup |
| Ctrl+Alt+P | Control Panel |
| Ctrl+F5 | Decompile All Functions |
For automated analysis and CI/CD integration:
```
# Scan all functions for vulnerabilities
ida64.exe -A -S"BinAIVulHunter.py --scan-all --output results.json" binary.exe
# Decompile all functions with caching
ida64.exe -A -S"BinAIVulHunter.py --decompile-all --cache-dir ./cache" binary.exe
# Custom batch settings
ida64.exe -A -S"BinAIVulHunter.py --scan-all --batch-size 5 --function-pause 3 --batch-pause 15" binary.exe
```
| Parameter | Description | Default |
|---|---|---|
| --scan-all | Scan all functions for vulnerabilities | - |
| --decompile-all | Decompile all functions | - |
| --batch-size | Functions per batch | 3 |
| --function-pause | Pause between functions (seconds) | 5 |
| --batch-pause | Pause between batches (seconds) | 10 |
| --output | JSON output file for results | None |
| --cache-dir | Directory for decompilation cache | None |
BinAIVulHunter analyzes code based on the CWE-699 Software Development taxonomy:
| Category | CWE ID | Examples |
|---|---|---|
| Memory Buffer Errors | CWE-1218 | Buffer overflows, use-after-free |
| Numeric Errors | CWE-189 | Integer overflow, divide by zero |
| Resource Management | CWE-399 | Memory leaks, file handle leaks |
| Data Validation | CWE-1215 | Input validation, injection flaws |
| Authentication | CWE-1211 | Weak authentication, bypass |
| Authorization | CWE-1212 | Privilege escalation, access control |
| Cryptographic Issues | CWE-310 | Weak crypto, key management |
| Information Leaks | CWE-199 | Data exposure, side channels |
| Error Handling | CWE-389 | Uncaught exceptions, error states |
| Initialization | CWE-452 | Uninitialized variables, cleanup |
```python
# Navigate to a function in IDA Pro
# Press Ctrl+Alt+V or right-click → "Find Possible Vulnerability"
# Example output:
"""
POTENTIAL VULNERABILITIES:
1. Buffer overflow in strcpy operation
   CWE: CWE-120 | Severity: High
   Mitigation: Replace strcpy with strncpy and validate buffer sizes
2. Integer overflow in arithmetic operation
   CWE: CWE-190 | Severity: Medium
   Mitigation: Add overflow checks before arithmetic operations
"""
```
```
# Command line batch scan
ida64.exe -A -S"BinAIVulHunter.py --scan-all --output vuln_report.json" malware.exe
```
Results in vuln_report.json:
```json
{
  "scan_results": {
    "total_functions": 245,
    "vulnerable_functions": 12,
    "functions": [
      {
        "name": "sub_401000",
        "address": "0x401000",
        "vulnerabilities": [
          {
            "description": "Unsafe string function used",
            "cwe_id": "CWE-120",
            "severity": "High",
            "mitigation": "Use safe string functions"
          }
        ]
      }
    ]
  }
}
```
```python
# Set environment variables (os must be imported first)
import os
os.environ['VULCHAT_PROVIDER'] = 'ollama'
os.environ['OLLAMA_MODEL'] = 'codellama'
# Or use Control Panel in IDA Pro:
# Edit → VulChat → Control Panel → Provider Menu → Ollama
```
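The headless `--scan-all --output` run above is meant for CI/CD, so a job needs a step that reads the report and decides whether to fail the build. The following triage script is an added example, not part of BinAIVulHunter; it assumes only the `vuln_report.json` layout shown above and a Low/Medium/High severity scale (the page shows High and Medium), and `SAMPLE_REPORT` is a constructed report, not real scan output.

```python
"""Triage a BinAIVulHunter --scan-all report for CI gating.
Added example (not the plugin's code); assumes only the JSON layout shown
above. SAMPLE_REPORT is constructed, not a real scan."""
import json
from collections import Counter

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the vuln_report.json layout documented above.
SAMPLE_REPORT = json.dumps({"scan_results": {
    "total_functions": 3, "vulnerable_functions": 2,
    "functions": [
        {"name": "sub_401000", "address": "0x401000", "vulnerabilities": [
            {"description": "Unsafe string function used", "cwe_id": "CWE-120",
             "severity": "High", "mitigation": "Use safe string functions"}]},
        {"name": "sub_401200", "address": "0x401200", "vulnerabilities": [
            {"description": "Integer overflow in arithmetic operation", "cwe_id": "CWE-190",
             "severity": "Medium", "mitigation": "Add overflow checks"},
            {"description": "strcpy from a fixed-size constant", "cwe_id": "CWE-120",
             "severity": "Low", "mitigation": "Prefer bounded copies"}]}]}})


def triage(report_text, fail_on="High"):
    """Return (flagged, counts_by_cwe, exit_code) for a report's JSON text.

    flagged lists (function, address, cwe_id, severity) for every finding at
    or above the fail_on severity; exit_code is 1 when flagged is non-empty so
    a CI step can fail the build. Unknown severities rank 0 and never gate.
    """
    report = json.loads(report_text)
    threshold = SEVERITY_RANK[fail_on]
    flagged, by_cwe = [], Counter()
    for fn in report["scan_results"].get("functions", []):
        for vuln in fn.get("vulnerabilities", []):
            by_cwe[vuln["cwe_id"]] += 1
            if SEVERITY_RANK.get(vuln["severity"], 0) >= threshold:
                flagged.append((fn["name"], fn["address"], vuln["cwe_id"], vuln["severity"]))
    return flagged, by_cwe, 1 if flagged else 0


if __name__ == "__main__":
    flagged, by_cwe, code = triage(SAMPLE_REPORT, fail_on="Medium")
    for name, addr, cwe, sev in flagged:
        print(f"{sev:6} {cwe:8} {name} @ {addr}")
    print("findings per CWE:", dict(by_cwe))
    raise SystemExit(code)
```

Because the AI output can contain false positives (see the disclaimer at the top), treat a non-zero exit as "needs a human look at the flagged functions" rather than as a confirmed bug.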
- "Provider not available" error:
  ```
  # Check environment variables
  echo %OPENAI_API_KEY%
  echo %GEMINI_API_KEY%
  # Verify API keys are valid
  # Restart IDA Pro after setting variables
  ```
- Ollama connection failed:
  ```
  # Check if Ollama is running
  curl http://localhost:11434/api/tags
  # Start Ollama if needed
  ollama serve
  # Verify models are installed
  ollama list
  ```
- Memory issues during batch processing:
  ```
  # Reduce batch size in Control Panel or headless mode
  --batch-size 1 --function-pause 10
  ```
- API rate limits:
  ```
  # Increase pause times
  --function-pause 10 --batch-pause 30
  # Or switch to Ollama for unlimited local processing
  ```
Check IDA Pro's output window for detailed logs:
- Provider initialization status
- API request/response information
- Memory usage statistics
- Error messages and stack traces
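The "Provider not available" error and the Status Information panel both come down to how the environment variables in the configuration table resolve. The function below is an added example, not the plugin's own code: it applies the table's defaults, reports why the selected provider would be unavailable, and masks the API key so the status can go into a log or bug report without leaking the secret (the `echo %OPENAI_API_KEY%` check above prints it in full, so do not paste that output anywhere shared).

```python
"""Resolve BinAIVulHunter's provider configuration from the environment.
Added example (not the plugin's code); uses only the variables and defaults
from the configuration table above."""
from urllib.parse import urlparse

DEFAULTS = {"VULCHAT_PROVIDER": "openai",
            "OLLAMA_BASE_URL": "http://localhost:11434",
            "OLLAMA_MODEL": "llama2"}
# Provider -> environment variable it cannot work without.
REQUIRED_KEY = {"openai": "OPENAI_API_KEY", "gemini": "GEMINI_API_KEY"}


def mask_secret(value):
    """Keep only the first 3 and last 4 characters of a key for display."""
    if not value:
        return "<unset>"
    if len(value) <= 8:
        return "*" * len(value)
    return value[:3] + "*" * (len(value) - 7) + value[-4:]


def resolve_config(env):
    """Return (config, problems) for an environment mapping such as os.environ.

    problems is empty when the selected provider should be usable.
    """
    provider = env.get("VULCHAT_PROVIDER", DEFAULTS["VULCHAT_PROVIDER"]).lower()
    problems = []
    if provider not in ("openai", "gemini", "ollama"):
        problems.append(f"unknown provider {provider!r}")
    key_var = REQUIRED_KEY.get(provider)
    if key_var and not env.get(key_var):
        problems.append(f"{key_var} is not set: provider not available")
    endpoint = None
    if provider == "openai":
        endpoint = env.get("OPENAI_BASE_URL", "Official API")
    elif provider == "ollama":
        endpoint = env.get("OLLAMA_BASE_URL", DEFAULTS["OLLAMA_BASE_URL"])
        parsed = urlparse(endpoint)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"OLLAMA_BASE_URL {endpoint!r} is not an http(s) URL")
    # VULCHAT_MODEL overrides; Ollama falls back to OLLAMA_MODEL, others to the provider default.
    model = env.get("VULCHAT_MODEL") or (
        env.get("OLLAMA_MODEL", DEFAULTS["OLLAMA_MODEL"]) if provider == "ollama" else "provider default")
    config = {"provider": provider, "model": model, "endpoint": endpoint,
              "api_key": mask_secret(env.get(key_var)) if key_var else "n/a"}
    return config, problems
```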
| Provider | Model | Best For | Cost |
|---|---|---|---|
| OpenAI | gpt-4 | Comprehensive analysis | $$$ |
| OpenAI | gpt-3.5-turbo | Fast general analysis | $$ |
| Gemini | gemini-pro | Balanced performance | $$ |
| Ollama | codellama | Code-focused analysis | Free |
| Ollama | deepseek-coder | Vulnerability detection | Free |
| Ollama | llama2 | General purpose | Free |
| Provider | Speed | Accuracy | Privacy | Cost |
|---|---|---|---|---|
| OpenAI GPT-4 | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐ | ⭐ |
| Gemini Pro | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐ | ⭐⭐ |
| Ollama | ⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
We welcome contributions! Please see our Contributing Guidelines for details.
- Fork the repository
- Clone your fork:
  ```
  git clone https://github.com/yourusername/BinAIVulHunter.git
  ```
- Install development dependencies:
  ```
  pip install -e .[dev]
  ```
- Make your changes
- Submit a pull request
- Additional AI provider integrations
- Enhanced vulnerability detection patterns
- New CWE category support
- Performance optimizations
- Documentation improvements
- Test coverage expansion
This project is licensed under the MIT License - see the LICENSE file for details.
- IDA Pro: https://www.hex-rays.com/products/ida/
- OpenAI API: https://platform.openai.com/
- Google Gemini: https://aistudio.google.com/
- Ollama: https://ollama.ai/
- CWE Database: https://cwe.mitre.org/
- Hex-Rays for the excellent IDA Pro platform
- OpenAI, Google, and Ollama teams for their AI technologies
- MITRE for the comprehensive CWE taxonomy
- The reverse engineering and cybersecurity community