danigargu /
deREferencing
IDA Pro plugin that implements more user-friendly register and stack views
Loading repository data…
marcosd4h / repository
IDA plugin that extracts PE binaries into SQLite databases and C++ code for AI-powered vulnerability research
DeepExtract is an IDA Pro 9.x plugin that bridges the gap between compiled PE binaries and AI coding agents. It extracts the full structural context of a binary (PE metadata, function signatures, disassembly, decompiled C/C++ code, cross-references, control flow, and more), and writes it in formats that agents like Claude Code, Codex, and Cursor can directly ingest and reason over. The goal is to let these agents read, navigate, and understand PE files the same way they understand source code repositories, enabling AI-assisted vulnerability research and reverse engineering at scale.
Results are written to a per-binary SQLite database, generated as C++ source files organized by module, and optionally as assembly (.asm) files, with rich per-function metadata headers designed for AI agent consumption. DeepExtract operates in two modes: headless for automated batch processing of large binary datasets, and interactive for targeted single-binary analysis within the IDA GUI.
For a deep dive into the motivation and design journey behind DeepExtract, from the initial experiments with raw decompiled C++ dumps through the challenges of making agents reason over disconnected binary data, to the structured extraction pipeline and agent runtime architecture, read the full writeup: Making Compiled Binaries Accessible to AI Coding Agents. The post covers why traditional agent code-navigation tools break on decompiler output, what led to the SQLite-backed structured approach, and how the DeepExtractRuntime extends coding agents with vulnerability research capabilities.
The extraction pipeline has three stages:
PE Binary (.exe/.dll/.sys)
|
v
IDA Pro 9.x + DeepExtract Plugin
(disassembly, decompilation, analysis)
|
v
Structured Output:
- SQLite database (per-binary)
- C++ source files (optional, --generate-cpp)
- Assembly files with AI metadata headers (optional, --generate-asm)
- JSON metadata (module_profile, function_index, file_info)
Stage 1 - Binary Loading. IDA Pro loads the PE file, performs auto-analysis, and builds its internal database (IDB). If PDB symbols are available, IDA resolves function names and type information.
Stage 2 - Extraction. DeepExtract iterates over every function in the IDB and extracts:
At the file level, it extracts PE headers, imports, exports, sections, security features, Rich header data, TLS callbacks, and .NET CLR metadata.
Stage 3 - Output. All extracted data is written to a SQLite database. When C++ generation is enabled (--generate-cpp), the plugin groups decompiled functions into source files organized by class and module, and generates JSON metadata files (function_index.json, module_profile.json, file_info.json) alongside a human-readable report (file_info.md). When assembly generation is enabled (--generate-asm), the plugin writes .asm files containing raw disassembly grouped by class membership and address order, with structured per-function headers (callers, callees, strings, dangerous APIs) for AI agent analysis. Library/CRT functions are separated into dedicated files. Assembly output is independent of decompiler availability.
PE (Portable Executable): The binary format used by Windows for executables (.exe), dynamic libraries (.dll), and drivers (.sys). PE files contain code sections, import/export tables, resource data, and metadata headers.
IDA Pro: A disassembler and reverse engineering platform. IDA loads a binary, identifies functions, resolves cross-references, and builds a navigable representation of the code. The analysis results are stored in an IDA database (.idb / .i64).
Hex-Rays Decompiler: An IDA Pro component that converts disassembled machine code into a C-like pseudo-code representation. DeepExtract stores this output as decompiled_code for each function.
Cross-references (xrefs): Records of which functions call which other functions. Inbound xrefs list all callers of a function; outbound xrefs list all functions it calls. These form the binary's call graph.
Headless mode: Running IDA Pro from the command line without a GUI, using idat.exe / idat64.exe with the -A flag. DeepExtract detects this mode and runs the full extraction pipeline automatically on startup.
Structured output: The SQLite database and optional C++ files produced by DeepExtract. The database contains three tables (file_info, functions, function_xrefs) and is designed for programmatic queries by SQL, Python, or AI agent frameworks.
Install the plugin:
hcli plugin install DeepExtract
Extract a single binary (headless):
"C:\Program Files\IDA Professional 9.2\idat.exe" -A -L"C:\output\log.txt" -S"main.py --sqlite-db C:\output\kernel32.db --generate-cpp" "C:\Windows\System32\kernel32.dll"
Batch-extract a directory:
.\headless_batch_extractor.ps1 -ExtractDirRecursive "C:\Windows\System32" -StorageDir "C:\Analysis"
Interactive mode: Open a binary in IDA Pro, then Edit > Plugins > DeepExtract (or Ctrl-Shift-E).
The extractor operates at two levels: file-level metadata and per-function analysis.
The plugin extracts 30+ metadata points per binary:
For every identified function:
[reg+offset] call patterns, vtable slot inspection, and per-class method grouping from demangled names. Limited to single vtable at object offset 0; no multiple/virtual inheritance, thunk handling, or RTTI-based class hierarchy inferenceEach binary produces a SQLite database containing three tables.
file_info stores binary-level metadata:
file_path, file_name, file_extension, file_size_bytesmd5_hash, sha256_hashimports, exports, entry_pointfile_version, product_version, company_name, pdb_pathrich_header, tls_callbacks, is_net_assembly, clr_metadatadll_characteristics, security_features, exception_infofunctions stores per-function analysis data:
function_signature, mangled_name, function_nameassembly_code, decompiled_codeinbound_xrefs, outbound_xrefs (full and simple JSON)vtable_contexts, global_var_accesses, dangerous_api_callsstring_literals, stack_frame, loop_analysisanalysis_errors, created_atfunction_xrefs stores deduplicated cross-references for SQL-based call graph queries:
source_id, target_id (foreign keys into functions)target_name, target_modulefunction_type (generic, library, API, vtable, etc.)xref_type, direction (inbound/outbound)(source_id, target_id, target_name, target_module, xref_type, direction)When --generate-cpp is enabled, the plugin writes decompiled functions as grouped C++ source files:
{module}_{class}_group_N.cpp. Methods are ordered alphabetically; each is preceded by a comment block with its name and signature.{module}_standalone_group_N.cpp, with the same ordering and comment conventions.function_index.json: Maps every function name to its .cpp file and library tag (WIL, STL, WRL, CRT, ETW/TraceLogging, or null for application code). See the Function Index Format Reference.module_profile.json: Pre-computed module fingerprint covering identity, scale, library composition, API surface, complexity metrics, and security posture. See the Module Profile Format Reference.file_info.md / file_info.json: Human-readable and machine-readable analysis reports. See the Analysis Metadata and Reports Reference.Only functions with real Hex-Rays pseudocode are included in C++ output. Functions where decompilation failed (license unavailable, timeout, empty output, or decompiler returned None) are excluded from .cpp files and correctly reported as failed in module_profile.json and function_index.json.
When --generate-asm is enabled, the plugin writes raw disassembly into grouped .asm files. This output is independent of the Hex-Rays decompiler; it works with any IDA license that supports disassembly. Assembly files are written alongside C++ files in the same extracted_code/<module>/ directory by default, or to a custom directory via --asm-output-dir.
{module}_{class}_group_N.asm.{module}_standalone_group_N.asm.{module}_library.asm file(s) to avoid polluting application code analysis.Each function is preceded by a structured metadata header:
; ============================================================
; Function: sub_401000
; Address: 0x401000
; Signature: int __cdecl sub_401000(int a1, int a2)
; Callers: WinMain (id:1), sub_402300 (id:45)
; Callees: WSAStartup [WS2_32.dll], socket [WS2_32.dll], sub_4015A0 (id:12)
; Strings: "Failed to connect", "192.168.1.1"
; Dangerous APIs: connect, WSAStar
Selected from shared topics, language and repository description—not editorial ratings.
danigargu /
IDA Pro plugin that implements more user-friendly register and stack views
VoidSec /
Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks
arizvisa /
A plugin based on IDAPython for a functional DWIM interface. Current development against most recent IDA is in the "persistence-refactor" branch, ancient (but stable) work is in "master", so... create an issue if you want/need something backported. Use "Wiki" or "Discussions" for examples, and smash that "Star" button if you like this.
nihilus /
IDASimulator is a plugin that extends IDA's conditional breakpoint support, making it easy to augment / replace complex executable code inside a debugged process with Python code. Specifically, IDASimulator makes use of conditional breakpoints in the IDA debugger to hijack the execution flow of a process and invoke Python handler functions whenever particular code blocks are executed. With support for multiple target architectures, it handles details such as register initialization, memory allocation, pointers, function arguments and return values seamlessly and transparently, making it easy to replace, modify and subvert existing functionality (or lack thereof) in the target process. IDASimulator also includes the IDASim python module, on which IDASimulator is based. This allows for all of the features of IDASimulator to be integrated into more complex IDAPython scripts. IDASimulator currently supports the x86, x86_64, ARM and MIPS32 architectures. Porting to other architectures is very easy.
Krietz7 /
An IDA Pro plugin that simulate time-travel debugging by emulating code execution with Unicorn.
sterrasec /
genpatch is IDA plugin that generates a python script for patching binary