Reference
| Plugin | Does | Operations |
|---|---|---|
| kep-bbsh | Basic-block structural hashing over IDA microcode — semantic similarity. | match_resource |
| kep-strings | Similarity by embedded string literals. | match_resource, match_function |
| kep-flake | Flow-graph vector embeddings (pgvector nearest-neighbour). | match_resource, match_function |
| kep-flirt | FLIRT signature matching; stores the .sig for download. | match_resource, get_signature |
| kep-funcnames | Function-name index across the corpus. | search_function_name |
| kep-metadata | Binary metadata (cpu, file type, compiler, …) used to filter matches. | get_metadata |
| kep-idb-meta | JS-only IDB parser — reads the source binary's hashes and records an idb_for relation (handles the legacy 900 and IDA 9.x 920 formats). | — |

Invoking an operation
From the CLI:
```sh
# similarity, with an optional metadata filter
bun run operation kep-bbsh match_resource '{"bucket":"corpus","key":"a.i64","cpu":"arm","limit":10}'
# function-name search across every bucket
bun run operation kep-funcnames search_function_name '{"name":"decrypt_payload","limit":20}'
# download a FLIRT signature (base64 .sig) to apply in IDA
bun run operation kep-flirt get_signature '{"bucket":"libs","key":"libcrypto.sig"}'
```
…or over REST — the same operations power the web UI's Find similar panel and any script or IDA plugin:
```
POST /plugins/{plugin}/operations/{operation}
```

```sh
curl -X POST -H 'content-type: application/json' \
  -d '{"bucket":"corpus","key":"a.i64","limit":10}' \
  http://127.0.0.1:3000/plugins/kep-bbsh/operations/match_resource
```
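A script or IDA plugin can make the same REST call from Python. The sketch below is an added example, not code from the project: it checks the plugin/operation pair against the reference table and serialises the parameters with `json.dumps`, so a sample key containing quotes cannot break the request body. The helper names `build_request` and `invoke` are hypothetical, and a JSON response body is an assumption, since the page does not describe the response.

```python
import json
import urllib.request
from urllib.parse import quote

# Plugin -> operations, copied from the reference table on this page.
OPERATIONS = {
    "kep-bbsh": {"match_resource"},
    "kep-strings": {"match_resource", "match_function"},
    "kep-flake": {"match_resource", "match_function"},
    "kep-flirt": {"match_resource", "get_signature"},
    "kep-funcnames": {"search_function_name"},
    "kep-metadata": {"get_metadata"},
}


def build_request(base_url, plugin, operation, params):
    """Build POST /plugins/{plugin}/operations/{operation} (hypothetical helper)."""
    if operation not in OPERATIONS.get(plugin, ()):
        raise ValueError(f"{plugin!r} has no operation {operation!r}")
    # Percent-encode both path segments so neither can add a slash or query.
    url = "{}/plugins/{}/operations/{}".format(
        base_url.rstrip("/"), quote(plugin, safe=""), quote(operation, safe="")
    )
    # json.dumps escapes quotes and backslashes in bucket keys, unlike
    # pasting a sample name into a hand-written JSON string.
    body = json.dumps(params).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"content-type": "application/json"},
    )


def invoke(base_url, plugin, operation, params, timeout=30):
    """Send the request. Assumption: the server replies with a JSON body."""
    req = build_request(base_url, plugin, operation, params)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample key with embedded quotes; nothing is sent here.
    req = build_request(
        "http://127.0.0.1:3000", "kep-bbsh", "match_resource",
        {"bucket": "corpus", "key": 'sample "v2".i64', "cpu": "arm", "limit": 10},
    )
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```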
Extractor runtimes
- ida-python — runs headless IDA (idat -A) for microcode, flow graphs, FLIRT, function metadata. Needs a licensed IDA on the worker host.
- python — plain Python extractors (no IDA), e.g. file-level metadata.
- node — JS/TS extractors run under Bun, e.g. the Kaitai-based IDB parser.
Plugins are self-contained: the binary-similarity algorithms are vendored into the repo,
so there is no dependency on any sibling project. A new plugin is a directory with a
plugin.json, an extractor, and SQL.