IDAssist

AI-Powered Reverse Engineering Plugin for IDA Pro

Author: Jason Tang

Description

IDAssist is an IDA Pro plugin that integrates LLM-powered analysis directly into IDA's interface, providing AI-assisted binary reverse engineering through a wide range of configurable LLM providers, semantic knowledge graphs, and RAG document search.

Built with Python and PySide6, IDAssist runs as a dockable panel inside IDA Pro 9.0+ and communicates with LLM providers (OpenAI, Anthropic, Ollama, LiteLLM, and more) to analyze functions, suggest renames, answer questions about code, and build a searchable knowledge graph of an entire binary.

Core Features

Function Explanation — Generate detailed natural-language explanations of decompiled functions with automatic security analysis including risk level, activity profile, security flags, and API detection.

Interactive Query Chat — Ask questions about the binary with persistent chat history. Use context macros (#func, #addr, #line, #range) to inject function code, addresses, or disassembly ranges into queries.

Automated Actions — AI-powered rename suggestions for functions, variables, and types. Review proposed changes in a table with confidence scores, then apply selected actions back to the IDB.

Semantic Knowledge Graph — Build and explore a knowledge graph of the binary's functions, call relationships, data flows, and security characteristics. Includes visual graph rendering, semantic search, and community detection.

RAG Document Search — Upload reference documents (.txt, .md, .rst, .pdf) and use them as context during LLM queries. Supports hybrid text+vector search via Whoosh indexing.

SymGraph Integration — Push and pull function names, variable names, types, and graph data to the SymGraph collaborative platform. Includes a multi-step wizard with conflict resolution for pulls.

Settings Management — Configure multiple LLM and MCP providers, manage SymGraph API credentials, customize the system prompt, and set database paths.

Advanced Capabilities

ReAct Agent

The Query tab supports an autonomous ReAct (Reasoning + Acting) agent mode. When enabled, the LLM plans an investigation strategy, executes tools to gather information, reflects on findings, and synthesizes a comprehensive answer — all automatically across multiple reasoning rounds.

Extended Thinking

Configure reasoning effort levels to control how much the LLM "thinks" before responding:

| Level | Thinking Budget | Best For |
|-------|----------------|----------|
| None | Disabled | Fast, simple queries |
| Low | ~2K tokens | Straightforward analysis |
| Medium | ~10K tokens | Moderate complexity |
| High | ~25K tokens | Deep analysis, complex code |

MCP Integration

IDAssist can connect to external MCP servers for tool-augmented LLM interactions where the model can programmatically inspect functions, read disassembly, query cross-references, and modify the IDB during reasoning. IDAssist also provides built-in internal tools for function calling without requiring an external MCP server.

Function Calling

LLM providers with tool-calling support can invoke IDA analysis functions mid-conversation, enabling iterative investigation without manual intervention.

RLHF Feedback

Provide thumbs-up/thumbs-down feedback on explanations and query responses. Feedback is stored locally and can be used to improve prompt engineering and model selection.

Architecture

IDAssist follows an MVC (Model-View-Controller) pattern:

  • Views (src/views/) — PySide6 tab widgets that emit signals on user interaction
  • Controllers (src/controllers/) — Connect view signals to service calls, manage state
  • Services (src/services/) — Business logic, LLM providers, database access, graph analysis
  • Internal Tools (src/services/internal_tools.py) — IDA-specific tool definitions for LLM function calling
  • Graph Tools (src/services/graphrag/graphrag_tools.py) — Semantic graph read/write tools for LLM interaction

Key design principles:

  • All IDA API calls execute on the main thread via execute_on_main_thread()
  • LLM responses stream incrementally to the UI
  • Local SQLite databases for persistence (no external database required)
  • Singleton service registry with thread-safe initialization
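
A minimal sketch of the main-thread rule above, added here as an illustration and not IDAssist's own code: `run_on_main_thread` is a hypothetical helper built on IDAPython's `ida_kernwin.execute_sync`, and the inline fallback used when `ida_kernwin` is absent is an assumption so the sketch also runs outside IDA.

```python
try:
    import ida_kernwin          # importable only inside IDA Pro
except ImportError:
    ida_kernwin = None          # assumption: lets the sketch run outside IDA


def run_on_main_thread(fn, *args, write=False):
    """Run fn(*args) on IDA's main thread and hand back its result.

    execute_sync() returns only an int status, so the value or the exception
    is carried back to the calling (worker) thread through a closure.
    """
    box = {}

    def thunk():
        try:
            box["value"] = fn(*args)
        except Exception as exc:    # captured here, re-raised in the caller
            box["error"] = exc
        return 1                    # execute_sync() expects an int result

    if ida_kernwin is None:
        thunk()                     # no IDA present: run inline on this thread
    else:
        # MFF_WRITE for calls that modify the IDB (e.g. applying a rename),
        # MFF_READ for calls that only inspect it.
        flag = ida_kernwin.MFF_WRITE if write else ida_kernwin.MFF_READ
        ida_kernwin.execute_sync(thunk, flag)

    if "error" in box:
        raise box["error"]
    return box["value"]
```

Inside IDA, call this from a background thread only; blocking the main thread while a worker waits on `execute_sync` would deadlock.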

Quick Start

  1. Install the plugin (recommended — IDA Plugin Manager):

    hcli plugin install idassist
    

    This automatically installs the plugin and its Python dependencies into IDA's environment.

  2. Or install manually (from release zip):

    Download the latest release zip from GitHub Releases and extract it into your IDA plugins directory:

    Linux / macOS:

    unzip IDAssist-*.zip -d ~/.idapro/plugins/
    

    Windows: Extract the zip into %APPDATA%\Hex-Rays\IDA Pro\plugins\.

    Then install dependencies using IDA's bundled Python (not your system Python):

    Linux / macOS:

    <IDA_INSTALL_DIR>/python3/bin/pip3 install -r ~/.idapro/plugins/IDAssist/requirements.txt
    

    Windows:

    "<IDA_INSTALL_DIR>\python3\python.exe" -m pip install -r "%APPDATA%\Hex-Rays\IDA Pro\plugins\IDAssist\requirements.txt"
    

    Replace <IDA_INSTALL_DIR> with your IDA Pro installation path (e.g., /opt/idapro-9.0 or C:\Program Files\IDA Pro 9.0).

    Tip: You can also set the IDAUSR environment variable to a custom directory containing a plugins/ subdirectory.

  3. Open IDAssist: Launch IDA Pro, open a binary, and press Ctrl+Shift+A (or Edit > Plugins > IDAssist).

  4. Configure a provider: Go to the Settings tab, click Add under LLM Providers, and configure your preferred provider.

  5. Analyze a function: Navigate to any function, click the Explain tab, and press Explain Function.

For detailed setup instructions, see Getting Started.

LLM Provider Setup

IDAssist supports the following provider types:

| Type | Auth Method | Notes |
|------|-------------|-------|
| anthropic_platform | API Key | Anthropic API direct |
| anthropic_oauth | OAuth (browser) | Browser-based authentication |
| anthropic_claude_cli | Local CLI | Uses the claude CLI binary |
| openai_platform | API Key | OpenAI API direct |
| openai_oauth | OAuth (browser) | Browser-based authentication |
| ollama | None (local) | Self-hosted models |
| litellm | Proxy URL | Multi-provider proxy |

Recommended Models

| Provider | Model | Strengths |
|----------|-------|-----------|
| Anthropic | claude-sonnet-4-6 | Strong code analysis, extended thinking |
| OpenAI | gpt-5.3-codex | Fast, good general analysis |
| Ollama | qwen2.5-coder:32b | Local, no API key needed |

Using the Semantic Graph

The Semantic Graph tab provides a knowledge graph of the binary:

  1. ReIndex Binary — Extracts function structure, call graph, and cross-references
  2. Semantic Analysis — Generates LLM summaries for each function
  3. Security Analysis — Detects vulnerability patterns and security-relevant APIs
  4. Network Flow — Tracks network operations across the call graph
  5. Community Detection — Groups related functions into modules

Explore the graph via the List View (callers, callees, edges, flags), Visual Graph (interactive node diagram with N-hop expansion), or Search (7 query types including semantic search, similar functions, and call context).

Context Menu Actions

Right-click in any Disassembly or Pseudocode view to access:

| Action | Hotkey | Effect |
|--------|--------|--------|
| Explain Function | Ctrl+Shift+E | Opens Explain tab and generates explanation |
| Ask About Selection | Ctrl+Shift+Q | Opens Query tab with #func context |
| Rename Suggestions | — | Opens Actions tab and generates suggestions |

Requirements

  • IDA Pro 9.0+ with Python 3 and PySide6
  • Hex-Rays Decompiler (recommended for pseudocode features)
  • Python packages listed in requirements.txt

Documentation

Homepage

https://symgraph.ai

License

See LICENSE file for details.
