Knowledge Engine

Analysis

Bundled plugins

Each plugin is a static package: an extractor plus SQL. Extractors that need IDA run it headless and accept application/x-ida-i64; the others run without IDA.

Reference

| Plugin | Does | Operations |
| --- | --- | --- |
| kep-bbsh | Basic-block structural hashing over IDA microcode — semantic similarity. | match_resource |
| kep-strings | Similarity by embedded string literals. | match_resource, match_function |
| kep-flake | Flow-graph vector embeddings (pgvector nearest-neighbour). | match_resource, match_function |
| kep-flirt | FLIRT signature matching; stores the .sig for download. | match_resource, get_signature |
| kep-funcnames | Function-name index across the corpus. | search_function_name |
| kep-metadata | Binary metadata (cpu, file type, compiler, …) used to filter matches. | get_metadata |
| kep-idb-meta | JS-only IDB parser — reads the source binary's hashes and records an idb_for relation (handles the legacy 900 and IDA 9.x 920 formats). | |

Invoking an operation

From the CLI:

# similarity, with an optional metadata filter
bun run operation kep-bbsh match_resource '{"bucket":"corpus","key":"a.i64","cpu":"arm","limit":10}'

# function-name search across every bucket
bun run operation kep-funcnames search_function_name '{"name":"decrypt_payload","limit":20}'

# download a FLIRT signature (base64 .sig) to apply in IDA
bun run operation kep-flirt get_signature '{"bucket":"libs","key":"libcrypto.sig"}'

…or over REST — the same operations power the web UI's Find similar panel and any script or IDA plugin:

POST /plugins/{plugin}/operations/{operation}
curl -X POST -H 'content-type: application/json' \
  -d '{"bucket":"corpus","key":"a.i64","limit":10}' \
  http://127.0.0.1:3000/plugins/kep-bbsh/operations/match_resource
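A scripted version of the REST call above, as an added example (not Knowledge Engine's own code): it checks the plugin and operation against the table on this page before building the URL, so names taken from user input cannot alter the request path. The names `OPERATIONS`, `buildOperationRequest` and `runOperation` are hypothetical, and treating the response as JSON is an assumption, since the page does not document the response shape.

```javascript
// Allowlist copied from the plugin table on this page.
// kep-idb-meta lists no operations there, so it is omitted.
const OPERATIONS = {
  "kep-bbsh": ["match_resource"],
  "kep-strings": ["match_resource", "match_function"],
  "kep-flake": ["match_resource", "match_function"],
  "kep-flirt": ["match_resource", "get_signature"],
  "kep-funcnames": ["search_function_name"],
  "kep-metadata": ["get_metadata"],
};

// Build (but do not send) the request for POST /plugins/{plugin}/operations/{operation}.
function buildOperationRequest(baseUrl, plugin, operation, params) {
  // Object.hasOwn rejects inherited keys such as "__proto__" or "constructor".
  if (typeof plugin !== "string" || !Object.hasOwn(OPERATIONS, plugin)) {
    throw new Error(`unknown plugin: ${String(plugin)}`);
  }
  if (!OPERATIONS[plugin].includes(operation)) {
    throw new Error(`plugin ${plugin} has no operation ${String(operation)}`);
  }
  if (params === null || typeof params !== "object" || Array.isArray(params)) {
    throw new Error("params must be a JSON object");
  }
  // Both segments are allowlisted already; encoding them is defence in depth.
  const path = `/plugins/${encodeURIComponent(plugin)}/operations/${encodeURIComponent(operation)}`;
  return {
    url: new URL(path, baseUrl).href,
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify(params),
    },
  };
}

// Send the request. Assumption: the server answers with a JSON body.
async function runOperation(baseUrl, plugin, operation, params) {
  const { url, init } = buildOperationRequest(baseUrl, plugin, operation, params);
  const res = await fetch(url, init);
  if (!res.ok) {
    throw new Error(`${plugin}/${operation} failed: HTTP ${res.status}`);
  }
  return res.json();
}
```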

Extractor runtimes

Plugins are self-contained: the binary-similarity algorithms are vendored into the repo, so there is no dependency on any sibling project. A new plugin is a directory with a plugin.json, an extractor, and SQL.