Recently, VirusTotal announced their official plugin for IDA Pro 7.x, which brings new capabilities to IDA and allows convenient use of the VTGrep API, including:
- Search for bytes: search for the bytes contained in the selected area “AS IS”.
- Search for similar code: identify memory offsets or addresses in the currently selected area and ignore them when searching.
- Search for similar code (strict): as above, but also ignore all constants in the currently selected area.
- Search for the same signer: search for files signed with the same certificate as the loaded file.
- Search for ImpHash: search for files with the same import hash.
- Search similar-to: search for files using the “similar-to” attribute on VT.
- Customizations: a convenient GUI to customize queries by masking/unmasking opcodes and operands before searching on VT
We decided to create a similar plugin for GHIDRA, an open source alternative to Hexray’s IDA. Our plugin has all the functionality you’ll find in the VirusTotal plugin for IDA, and a few extra capabilities as well.
We created a nice GUI interface with extended capabilities to tweak the data into a query that VTGrep understands before querying VirusTotal, while showing you all the data included in the final query and allowing you to add or remove data, among other features.
This plugin already includes several items from the VirusTotal plugin’s to-do list. We also let you search files signed by the same certificate that was used to sign the loaded file into GHIDRA.
Watch this short video for a tour of the essentials using a sample of Ryuk ransomware:
We welcome pull requests and comments for other features you’d like to see included. You can find the plugin and code on our Github page here:
https://github.com/Sentinel-One/VTgrepGHIDRA
Please note that subscription to VT Intelligence is required to view the query results.