BinAIVulHunter

November 10, 2025 ยท View on GitHub

An IDA PRO plugin to help in finding vulnerabilites in binaries.

Use IDA PRO HexRays decompiler with OpenAI(ChatGPT) to find possible vulnerabilities in binaries

Disclaimer, possible replies while trying to find binary vulnerabilites using an AI may lead to false positives, however it has worked in many CTFs I have worked on (simple/medium ... some hard)

Inspired by Gepetto : https://github.com/JusticeRage/Gepetto

Install:

Drop python script on IDA Pro Plugin location.

To Use:

Right click on decompiled code , select "Find possible vulnerability in function"

image

image

Updated with create sample python exploit (Sometime Good, Sometime Sh!t)

image

Updated with Gepetto's rename and explain functions

image

BinAIVulHunter - AI-Powered Vulnerability Analysis Plugin for IDA Pro

Python IDA Pro License

BinAIVulHunter is an advanced IDA Pro plugin that leverages multiple AI providers (OpenAI GPT, Google Gemini, and Ollama) to perform intelligent vulnerability analysis, code explanation, and security assessment of decompiled functions.

๐Ÿš€ Features

  • Multi-AI Provider Support: Choose between OpenAI GPT, Google Gemini, or Ollama
  • Vulnerability Detection: Automated scanning based on CWE (Common Weakness Enumeration) taxonomy
  • Code Explanation: AI-powered analysis and explanation of decompiled functions
  • Variable Renaming: Intelligent suggestions for better variable and function names
  • Batch Processing: Scan all functions in a binary with memory management
  • CWE Reference Integration: Built-in CWE lookup and detailed vulnerability categorization
  • Headless Mode: Command-line support for automated analysis
  • Local AI Support: Privacy-focused analysis with Ollama (no cloud dependencies)

๐Ÿ“‹ Table of Contents

๐Ÿ›  Installation

  1. Download the plugin:

    # Save BinAIVulHunter.py to your IDA Pro plugins directory
    # Typically: C:\Program Files\IDA Pro X.X\plugins\
    
  2. Install base dependencies:

    pip install psutil
    
  3. Install AI provider libraries (choose one or more):

    # For OpenAI
    pip install openai
    
    # For Google Gemini
    pip install google-generativeai
    
    # For Ollama (local AI)
    pip install requests
    
  4. Restart IDA Pro to load the plugin

๐Ÿค– AI Provider Setup

OpenAI

  1. Get API Key:

  2. Set Environment Variable:

    # Windows Command Prompt
    set OPENAI_API_KEY=sk-your-openai-key-here
    
    # PowerShell
    $env:OPENAI_API_KEY="sk-your-openai-key-here"
    
    # Linux/Mac
    export OPENAI_API_KEY="sk-your-openai-key-here"
    
  3. Restart IDA Pro

Google Gemini

  1. Get API Key:

  2. Set Environment Variable:

    # Windows Command Prompt
    set GEMINI_API_KEY=your-gemini-key-here
    
    # PowerShell
    $env:GEMINI_API_KEY="your-gemini-key-here"
    
    # Linux/Mac
    export GEMINI_API_KEY="your-gemini-key-here"
    
  3. Restart IDA Pro

Ollama (Local AI)

  1. Install Ollama:

    • Visit Ollama.ai and download the installer
    • Or use package managers:
      # Linux
      curl -fsSL https://ollama.ai/install.sh | sh
      
      # macOS
      brew install ollama
      
  2. Start Ollama Service:

    ollama serve
    
  3. Pull AI Models:

    # For general code analysis
    ollama pull llama2
    
    # For coding tasks (recommended)
    ollama pull codellama
    
    # Other specialized models
    ollama pull mistral
    ollama pull deepseek-coder
    
  4. Optional Environment Variables:

    # Custom Ollama server (if not localhost:11434)
    set OLLAMA_BASE_URL=http://your-server:11434
    
    # Set default model
    set OLLAMA_MODEL=codellama
    

โš™๏ธ Configuration

Environment Variables

VariableDescriptionDefaultRequired
OPENAI_API_KEYOpenAI API keyNoneFor OpenAI
GEMINI_API_KEYGoogle Gemini API keyNoneFor Gemini
OLLAMA_BASE_URLOllama server URLhttp://localhost:11434No
OLLAMA_MODELDefault Ollama modelllama2No
VULCHAT_PROVIDERAI provider to useopenaiNo
VULCHAT_MODELSpecific model nameProvider defaultNo
OPENAI_BASE_URLCustom OpenAI endpointOfficial APINo

Provider Selection

Set your preferred AI provider:

# Use OpenAI (default)
set VULCHAT_PROVIDER=openai

# Use Google Gemini
set VULCHAT_PROVIDER=gemini

# Use Ollama (local)
set VULCHAT_PROVIDER=ollama

๐ŸŽฏ Usage

Interactive Mode

  1. Open IDA Pro with your binary file
  2. Navigate to the decompiler view (F5)
  3. Access VulChat via:
    • Menu: Edit โ†’ VulChat
    • Context menu: Right-click in decompiler view
    • Hotkeys (see below)

Context Menu

Right-click in the decompiler view to access:

  • Find Possible Vulnerability - Analyze current function for security issues
  • Explain - Get AI explanation of function behavior
  • Rename Variables - Get intelligent variable naming suggestions
  • Generate Safe Test Inputs - Create test cases for the function
  • Scan All - Batch vulnerability scan of entire binary
  • CWE Info - Look up CWE vulnerability details
  • Control Panel - Switch AI providers and configure settings

Control Panel

Access via Edit โ†’ VulChat โ†’ Control Panel or Ctrl+Alt+P:

  • Switch AI Providers: Change between OpenAI, Gemini, and Ollama
  • Model Selection: Choose specific models for each provider
  • Status Information: View current configuration and provider availability
  • Setup Guide: Get detailed setup instructions

Hotkeys

HotkeyAction
Ctrl+Alt+VFind Vulnerabilities
Ctrl+Alt+GExplain Function
Ctrl+Alt+RRename Variables
Ctrl+Alt+XGenerate Test Inputs
Ctrl+Alt+SScan All Functions
Ctrl+Alt+WCWE Reference Lookup
Ctrl+Alt+PControl Panel
Ctrl+F5Decompile All Functions

Headless Mode

For automated analysis and CI/CD integration:

# Scan all functions for vulnerabilities
ida64.exe -A -S"BinAIVulHunter.py --scan-all --output results.json" binary.exe

# Decompile all functions with caching
ida64.exe -A -S"BinAIVulHunter.py --decompile-all --cache-dir ./cache" binary.exe

# Custom batch settings
ida64.exe -A -S"BinAIVulHunter.py --scan-all --batch-size 5 --function-pause 3 --batch-pause 15" binary.exe

Headless Parameters

ParameterDescriptionDefault
--scan-allScan all functions for vulnerabilities-
--decompile-allDecompile all functions-
--batch-sizeFunctions per batch3
--function-pausePause between functions (seconds)5
--batch-pausePause between batches (seconds)10
--outputJSON output file for resultsNone
--cache-dirDirectory for decompilation cacheNone

๐Ÿ›ก๏ธ Vulnerability Categories

BinAIVulHunter analyzes code based on the CWE-699 Software Development taxonomy:

CategoryCWE IDExamples
Memory Buffer ErrorsCWE-1218Buffer overflows, use-after-free
Numeric ErrorsCWE-189Integer overflow, divide by zero
Resource ManagementCWE-399Memory leaks, file handle leaks
Data ValidationCWE-1215Input validation, injection flaws
AuthenticationCWE-1211Weak authentication, bypass
AuthorizationCWE-1212Privilege escalation, access control
Cryptographic IssuesCWE-310Weak crypto, key management
Information LeaksCWE-199Data exposure, side channels
Error HandlingCWE-389Uncaught exceptions, error states
InitializationCWE-452Uninitialized variables, cleanup

๐Ÿ“š Examples

Example 1: Basic Vulnerability Scan

# Navigate to a function in IDA Pro
# Press Ctrl+Alt+V or right-click โ†’ "Find Possible Vulnerability"

# Example output:
"""
POTENTIAL VULNERABILITIES:

1. Buffer overflow in strcpy operation
   CWE: CWE-120 | Severity: High
   Mitigation: Replace strcpy with strncpy and validate buffer sizes

2. Integer overflow in arithmetic operation
   CWE: CWE-190 | Severity: Medium  
   Mitigation: Add overflow checks before arithmetic operations
"""

Example 2: Batch Scanning

# Command line batch scan
ida64.exe -A -S"BinAIVulHunter.py --scan-all --output vuln_report.json" malware.exe

# Results in vuln_report.json:
{
  "scan_results": {
    "total_functions": 245,
    "vulnerable_functions": 12,
    "functions": [
      {
        "name": "sub_401000",
        "address": "0x401000", 
        "vulnerabilities": [
          {
            "description": "Unsafe string function used",
            "cwe_id": "CWE-120",
            "severity": "High",
            "mitigation": "Use safe string functions"
          }
        ]
      }
    ]
  }
}

Example 3: AI Provider Switching

# Set environment variables
os.environ['VULCHAT_PROVIDER'] = 'ollama'
os.environ['OLLAMA_MODEL'] = 'codellama'

# Or use Control Panel in IDA Pro:
# Edit โ†’ VulChat โ†’ Control Panel โ†’ Provider Menu โ†’ Ollama

๐Ÿ”ง Troubleshooting

Common Issues

  1. "Provider not available" error:

    # Check environment variables
    echo %OPENAI_API_KEY%
    echo %GEMINI_API_KEY%
    
    # Verify API keys are valid
    # Restart IDA Pro after setting variables
    
  2. Ollama connection failed:

    # Check if Ollama is running
    curl http://localhost:11434/api/tags
    
    # Start Ollama if needed
    ollama serve
    
    # Verify models are installed
    ollama list
    
  3. Memory issues during batch processing:

    # Reduce batch size in Control Panel or headless mode
    --batch-size 1 --function-pause 10
    
  4. API rate limits:

    # Increase pause times
    --function-pause 10 --batch-pause 30
    
    # Or switch to Ollama for unlimited local processing
    

Debug Information

Check IDA Pro's output window for detailed logs:

  • Provider initialization status
  • API request/response information
  • Memory usage statistics
  • Error messages and stack traces

For Security Analysis

ProviderModelBest ForCost
OpenAIgpt-4Comprehensive analysis$$$
OpenAIgpt-3.5-turboFast general analysis$$
Geminigemini-proBalanced performance$$
OllamacodellamaCode-focused analysisFree
Ollamadeepseek-coderVulnerability detectionFree
Ollamallama2General purposeFree

Performance Comparison

ProviderSpeedAccuracyPrivacyCost
OpenAI GPT-4โญโญโญโญโญโญโญโญโญโญโญ
Gemini Proโญโญโญโญโญโญโญโญโญโญโญโญ
Ollamaโญโญโญโญโญโญโญโญโญโญโญโญโญโญโญ

๐Ÿค Contributing

We welcome contributions! Please see our Contributing Guidelines for details.

Development Setup

  1. Fork the repository
  2. Clone your fork:
    git clone https://github.com/yourusername/BinAIVulHunter.git
    
  3. Install development dependencies:
    pip install -e .[dev]
    
  4. Make your changes
  5. Submit a pull request

Areas for Contribution

  • Additional AI provider integrations
  • Enhanced vulnerability detection patterns
  • New CWE category support
  • Performance optimizations
  • Documentation improvements
  • Test coverage expansion

๐Ÿ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

๐Ÿ™ Acknowledgments

  • Hex-Rays for the excellent IDA Pro platform
  • OpenAI, Google, and Ollama teams for their AI technologies
  • MITRE for the comprehensive CWE taxonomy
  • The reverse engineering and cybersecurity community

โš ๏ธ Disclaimer: This tool is for educational and legitimate security research purposes only. Always ensure you have proper authorization before analyzing any software. The AI-generated analysis should be manually verified and is not a substitute for expert human review.