Claude Code skills for IDA

For those of you using Claude Code, we put together a marketplace and some skills to make it work better with IDA.

There’s two main skills:

• ida-domain — lets Claude write and run analysis scripts against your database (in headless mode)
• ida-plugin — helps Claude build actual IDAPython plugins. Comes with templates (dockable views, choosers, debugger views, etc.) and handles packaging with hcli.

Basically, you can ask Claude to analyze a binary or create a plugin and it knows what it’s doing.

Install from the Claude Code marketplace or clone from: https://github.com/HexRaysSA/ida-claude-plugins

You’ll need IDA 9.x and latest hcli installed.

Let us know if you build something cool with it or tell us if something breaks or doesn’t work for you.

In response to @pal_hexrays ‘s effort, I went through my collection of IDA plugins ( idawilli and some private ones) and updated the skills further.

You can install this into Claude Code via:

/plugin marketplace add HexRaysSA/ida-claude-plugins
/plugin install ida-plugin-development@ida-claude-plugins

which gives you access to the ida-plugin-develop and package-ida-plugin skills.

The key concepts covered in the skill are:

• Use the IDA Domain API - prefer the high-level Pythonic interface
• Plugin Manager Integration - packaging and distribution
• Plugin Entry Point - version checking and conditional loading
• Hook Registration - pairwise register/unregister pattern
• Save/Load state from netnodes - persist plugin data in IDB
• Respond to current address and selection change - UI location hooks
• Find widgets by prefix - managing multiple widget instances
• Context Menu Entries - “Send to Foo” patterns
• User Defined Prefix - add contextual markers in disassembly
• Viewer Hints - hover popups with context
• Overriding rendering - custom colors and mnemonics
• Custom Viewers - tagged lines with clickable addresses

While the immediate audience is Claude (or Gemini or Codex or whatever), there are a lot of concrete code snippets and patterns that should be applicable to many project, and can be consumed by humans, too.

Any chance for a version that will work with IDA Home? It need not be headless.

Hex-Rays doesn’t distribute IDAPython with IDA Free, so there’s not an immediately obvious way to connect an AI agent to IDA Free.

Observer: He said “Home” not “Free”. Home is also a paid version, albeit with some limitations; annoying limitations.

Ah of course, thanks for highlighting that @Special-K

Let me summarize what I know you can do with LLMs/Agents, broken down by IDA capability, so anyone can mix and match based on what they have available to them:

IDA with Qt GUI and IDAPython (IDA Pro)

You can use an MCP server (like mrexodia/ida-pro-mcp) to let an agent interact with the currently opened database, and if it makes changes (sets a name, comments, etc.) you’ll see them reflected in the UI.

You can also try the IDA Chat plugin by @pal_hexrays (IDA Chat plugin - AI assistant inside IDA) that gives you a chat window within IDA to ask Claude to take actions on the currently opened database, like with an MCP server. There are other alternatives, too, like Gepetto (JusticeRage/gepetto), ReCopilot (XingTuLab/recopilot), and others.

idalib

You can ask your agent to write IDAPython scripts or ida-domain scripts and invoke them via idalib. That’s the skill referenced here: analyze-with-ida-domain-api

I currently really like this strategy, because doing code generation/evaluation often reduces token usage, leading to longer sessions or lower cost. See also here: Your MCP Doesn’t Need 30 Tools: It Needs Code | Armin Ronacher's Thoughts and Writings

idat/headless IDA

You could also use the above skill analyze-with-ida-domain-api to have an AI Agent write temporary Python scripts to the temp directory and then invoke IDA headlessly to execute the script, either with idat or ida -B (batch mode), reading results from stdout or temporary output text files.

Aside, I’d encourage most users to migrate from using idat/ida- B to using idalib (probably with Python), but it’s not strictly necessary.

with and without decompilers

AI Agents, such as Claude Code, seem to do a reasonably good job of analyzing both pseudocode produced by the Hex-Rays Decompilers, but also the raw disassembly when this isn’t available. So, I believe you can still experiment with these systems without a decompiler license (though perhaps in a production setting have the decompiler might work better - I’d like to test this and/or hear about your results!).

IDA Free

As mentioned above, Hex-Rays doesn’t distribute IDAPython or idat with IDA Free. I think you could possibly use pre-compiled native plugins with IDA Free, perhaps like ida-chat-cpp (again, I haven’t tested this but it might work).

disclaimer: in this thread we’re discussing evaluating code generated by an LLM that’s working with untrusted data (possibly even malware). Please make sure you understand the threat model and risk, and sandbox the environment appropriately. We’ll share more about our experiments soon, and would love to hear what you’ve tried. sprites.dev is interesting, for example.

I’ve consolidated the above plugins and marketplaces into a single source under Hex-Rays (basically where @pal_hexrays already mentioned): GitHub - HexRaysSA/ida-claude-plugins: IDA Claude Code Plugins

/plugin marketplace add HexRaysSA/ida-claude-plugins
/plugin install ida-plugin-development@ida-claude-plugins
# unsafe: /plugin install reverse-engineering-with-code-eval-and-ida-domain@ida-claude-plugins

Which gives you access to:

• plugin: ida-plugin-development
  • skill: ida-plugin-development
  • skill: package-ida-plugin
• plugin: reverse-engineering-with-code-eval-and-ida-domain
  • agent: ida-domain-expert
  • skill: ida-domain-scripting

image2124×390 37.7 KB

image2282×466 51.4 KB