editor plugins
disrobe ships integration scaffolds for VS Code, IDA Pro, and Ghidra under `editors/` in the repository root. Each plugin calls the disrobe binary already on your PATH; no language server or extension marketplace publish is required.
All files under editors/ are generated by xtask plugins from the live CLI command catalog and are verified byte-identical in CI via xtask sync --check.
Clone the repository and run the auto-installer script for your platform:
Linux / macOS (bash):

```bash
bash editors/install.sh vscode
bash editors/install.sh ida
bash editors/install.sh ghidra
# optional overrides:
bash editors/install.sh ida --ida-dir /path/to/ida/plugins
bash editors/install.sh ghidra --ghidra-scripts ~/my-scripts
```

Windows (PowerShell):

```powershell
.\editors\install.ps1 vscode
.\editors\install.ps1 ida
.\editors\install.ps1 ghidra
# optional overrides:
.\editors\install.ps1 ida -IDADir 'C:\IDA\plugins'
.\editors\install.ps1 ghidra -GhidraScripts 'C:\ghidra_scripts'
```

The scripts require only the repository clone; they copy files into the standard per-editor location without network access.
Requirements: VS Code 1.85 or later. Build disrobe from source and add the binary to your PATH, or set disrobe.executablePath in VS Code settings.
Manual install steps:
- Copy the `editors/vscode` directory to `~/.vscode/extensions/disrobe-vscode` (Linux/macOS) or `%USERPROFILE%\.vscode\extensions\disrobe-vscode` (Windows).
- Reload VS Code.
The extension activates automatically and starts disrobe serve --stdio as an LSP daemon when disrobe.lsp.enable is true (the default). All commands appear under the disrobe category in the Command Palette and in the editor right-click context menu.
Settings:
| Setting | Default | Description |
|---|---|---|
| `disrobe.executablePath` | `"disrobe"` | Path to the disrobe binary. |
| `disrobe.lsp.enable` | `true` | Start the LSP daemon on activation. |
| `disrobe.lsp.trace` | `"off"` | LSP trace level: off, messages, or verbose. |
| `disrobe.auto.outDir` | `""` | Output directory for disrobe auto. |
Commands (via Command Palette or right-click context menu):
| Command | Description |
|---|---|
| `disrobe.auto` | Auto: run full deobfuscation pipeline |
| `disrobe.detect` | Detect: identify obfuscator / packer |
| `disrobe.strings` | Strings: extract and deobfuscate strings |
| `disrobe.ioc` | IOC: extract indicators of compromise |
| `disrobe.behavior` | Behavior: summarize binary capabilities (MITRE) |
| `disrobe.identify` | Identify: compiler / packer / protector fingerprint |
| `disrobe.scan` | Scan: leak credentials scanner |
| `disrobe.startServer` | Manually start the LSP daemon |
| `disrobe.stopServer` | Stop the LSP daemon |
| `disrobe.showOutput` | Open the disrobe output channel |
Requirements: IDA Pro 7.6 or later with IDAPython 3 backend. disrobe binary on your PATH.
Manual install steps:
- Copy `editors/ida/disrobe_ida.py` to your IDA plugins directory:
  - Linux/macOS: `~/.idapro/plugins/`
  - macOS (app): `~/Library/Application Support/hex-rays/ida pro/plugins/`
  - Windows: `%APPDATA%\Hex-Rays\IDA Pro\plugins\`
- Restart IDA Pro.
The plugin registers all disrobe subcommands as menu actions under Edit > Plugins > disrobe and assigns default hotkeys. Invoking an action runs disrobe <subcommand> <input_file_path> on the file IDA has open and prints the output to the IDA output window.
Actions and default hotkeys:
| Action | Hotkey |
|---|---|
| Auto: run full deobfuscation pipeline | Alt-Shift-A |
| Detect: identify obfuscator / packer | Alt-Shift-D |
| Strings: extract and deobfuscate strings | Alt-Shift-S |
| IOC: extract indicators of compromise | Alt-Shift-I |
| Behavior: summarize binary capabilities (MITRE) | Alt-Shift-B |
| Identify: compiler / packer / protector fingerprint | Alt-Shift-F |
| Scan: leak credentials scanner | Alt-Shift-C |
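
The invocation described above, `disrobe <subcommand> <input_file_path>`, sketched as an added example (not the code in `disrobe_ida.py` or anything from the disrobe project): it resolves the binary from PATH, refuses a hit from a relative PATH entry or a group/world-writable location, and passes the sample path as one absolute argument with no shell. The function names, the `search_path` parameter and the 300-second timeout are assumptions.

```python
import os
import shutil
import stat
import subprocess

# Subcommands taken from the actions table on this page.
SUBCOMMANDS = ("auto", "detect", "strings", "ioc", "behavior", "identify", "scan")


def resolve_disrobe(name="disrobe", search_path=None):
    """Find the binary on PATH; refuse relative PATH hits and writable locations."""
    found = shutil.which(name, path=search_path)
    if found is None:
        raise FileNotFoundError(f"{name} not found on PATH")
    if not os.path.isabs(found):
        # A relative hit comes from '.' or an empty PATH entry, i.e. the
        # current directory, which may be the folder holding the sample.
        raise PermissionError(f"{found!r} resolved through a relative PATH entry")
    exe = os.path.realpath(found)
    for target in (exe, os.path.dirname(exe)):
        # POSIX mode bits only; on Windows inspect ACLs instead (assumption).
        if os.stat(target).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{target!r} is writable by group or others")
    return exe


def build_argv(exe, subcommand, input_path):
    """Build `disrobe <subcommand> <input_file_path>` as an argument list."""
    if subcommand not in SUBCOMMANDS:
        raise ValueError(f"unknown subcommand: {subcommand!r}")
    # An absolute path cannot be mistaken for an option, even when the
    # sample's file name starts with '-'.
    return [exe, subcommand, os.path.abspath(input_path)]


def run_action(subcommand, input_path, search_path=None, timeout=300):
    """Run one action without a shell and return (exit_code, stdout)."""
    argv = build_argv(resolve_disrobe(search_path=search_path), subcommand, input_path)
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return done.returncode, done.stdout
```
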
Requirements: Ghidra 10.3 or later. disrobe binary on your PATH.
Manual install steps:
- Copy `editors/ghidra/DisrobeAnalyzer.java` to a directory listed in Ghidra's Script Manager search paths:
  - Default location: `~/ghidra_scripts/`
  - Or add a custom path via `Window > Script Manager > Manage Script Directories`.
- In Ghidra: `Window > Script Manager`, click the refresh icon to pick up the new script.
- Double-click `DisrobeAnalyzer` in the script list to run it.
When run, the script reads the path of the currently loaded program, shows a dialog to choose a disrobe action, shells out to the disrobe binary, and prints the output to the Ghidra console.
To assign a keybinding, right-click DisrobeAnalyzer in the script list and choose Assign Key Binding.
This wiki is generated from docs/src in the disrobe repository by scripts/wiki_sync.py. Edit the docs there, not the wiki pages here.