Triage 1000s of functions in seconds, not hours.
IDA Spotlight is an intelligent function triage plugin for IDA Pro that helps malware analysts and reverse engineers quickly identify high-value functions in large binaries using configurable signal patterns and historical sample correlation.
Modern malware samples often contain thousands of functions. Reverse engineers spend hours manually scanning through code, trying to identify interesting functions that warrant deeper analysis. This creates a significant bottleneck in malware analysis workflows.
IDA Spotlight automatically scores and prioritizes functions based on:
- API calls: detects calls to suspicious APIs (networking, injection, persistence, crypto)
- String references: matches strings against known malicious patterns (URLs, registry keys, commands)
- Context relationships: boosts functions that call other high-scoring functions
- Historical correlation: links the current sample to previously analyzed IDBs
Instead of manually reviewing 5,000+ functions, analysts can focus on the top 50 that matter.
Functions are scored across 7 signal categories:
| Category | Example Signals |
|---|---|
| Networking | WSAStartup, InternetOpenUrl, curl_easy_perform, HTTP headers |
| Persistence | RegSetValueEx, CreateService, registry Run keys, schtasks |
| Injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, shellcode patterns |
| Crypto | CryptEncrypt, BCryptDecrypt, CryptProtectData, AES/RSA strings |
| Anti-Analysis | IsDebuggerPresent, NtQueryInformationProcess, sandbox detection |
| Files | CreateFile, DeleteFile, shadow copy deletion, ransomware markers |
| Other | Privilege escalation, clipboard access, process enumeration |
Each signal has a configurable weight (1-10) that contributes to the final score.
Functions are automatically classified into priority tiers:
- Critical: top 10% of scored functions (immediate attention)
- High: top 30% of scored functions (review soon)
- Medium: remaining scored functions (worth checking)
- Low: no signals detected
- Detects library functions using IDA's FLIRT signatures
- Library functions are automatically deprioritized
- Priority tiers are calculated only for non-library code
- Visual distinction with colored rows
Functions that call high-scoring functions receive a context bonus:
`final_score = base_score + (best_callee_score × 0.15)`
This ensures wrapper functions and orchestration code don't get lost.
IDA Spotlight maintains a SQLite knowledge base of previously analyzed samples. When you scan a new binary, it correlates against historical data using:
- Import fingerprints: MD5 of the normalized import list
- Import function overlap: shared imported APIs
- Section name profiles: unusual section patterns
- Function name matching: user-defined function names
This enables rapid identification of related samples and malware families.
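The four correlation signals above, worked through as an added example; this is not the plugin's own `spotlight_kb.py` code. The knowledge-base rows, the new sample, the `COMMON_SECTIONS` list and the way the four signals are combined into one ranking score are all assumptions made for the example; the page only names the signals, not their weighting, and the overlap metric is assumed to be Jaccard similarity.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Section names almost every PE carries; anything else is treated as "unusual" (assumed list).
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                   ".reloc", ".rsrc", ".bss", ".tls"}
# IDA auto-generated names carry no analyst signal and are dropped from name matching.
IDA_AUTO_NAME = re.compile(r"^(sub|loc|nullsub|unknown_libname)_[0-9A-Fa-f]+$")


def normalize_imports(imports: List[Tuple[str, str]]) -> List[str]:
    """Lower-case the DLL, keep the API name's case, de-duplicate and sort so order never matters."""
    return sorted({f"{dll.lower()}!{name}" for dll, name in imports})


def import_fingerprint(imports: List[Tuple[str, str]]) -> str:
    """MD5 over the normalized import list: identical import tables give identical fingerprints."""
    return hashlib.md5("\n".join(normalize_imports(imports)).encode("utf-8")).hexdigest()


def import_overlap(a: List[Tuple[str, str]], b: List[Tuple[str, str]]) -> float:
    """Jaccard similarity of the two imported-API sets (assumed metric)."""
    sa, sb = set(normalize_imports(a)), set(normalize_imports(b))
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def unusual_sections(sections: List[str]) -> set:
    return {s for s in sections if s not in COMMON_SECTIONS}


def user_names(functions: List[str]) -> set:
    return {f for f in functions if not IDA_AUTO_NAME.match(f)}


def correlate(sample: dict, kb: Dict[str, dict]) -> List[dict]:
    """Rank KB entries by how strongly they relate to the new sample, strongest first."""
    fp = import_fingerprint(sample["imports"])
    hits = []
    for sample_id, rec in kb.items():
        exact = fp == import_fingerprint(rec["imports"])
        overlap = import_overlap(sample["imports"], rec["imports"])
        sections = unusual_sections(sample["sections"]) & unusual_sections(rec["sections"])
        names = user_names(sample["functions"]) & user_names(rec["functions"])
        # Assumed weighting: an exact fingerprint match counts as much as full overlap,
        # and each shared unusual section or shared user-defined name adds a fixed bonus.
        score = (1.0 if exact else 0.0) + overlap + 0.25 * len(sections) + 0.25 * len(names)
        hits.append({"sample": sample_id, "score": round(score, 3), "exact_fingerprint": exact,
                     "import_overlap": round(overlap, 3), "shared_sections": sorted(sections),
                     "shared_names": sorted(names)})
    return sorted(hits, key=lambda h: (-h["score"], h["sample"]))


# Constructed KB rows and a constructed new sample; none of this is real indexer output.
KB = {
    "sample_a.i64": {
        "imports": [("KERNEL32.DLL", "CreateFileA"), ("WS2_32.dll", "connect"),
                    ("ws2_32.dll", "WSAStartup"), ("ADVAPI32.dll", "RegSetValueExA")],
        "sections": [".text", ".rdata", ".data", ".xyz"],
        "functions": ["decrypt_config", "sub_402000"],
    },
    "sample_b.i64": {
        "imports": [("kernel32.dll", "CreateFileA"), ("kernel32.dll", "WriteFile")],
        "sections": [".text", ".rdata", ".data"],
        "functions": ["sub_401000"],
    },
    "sample_c.i64": {
        "imports": [("ws2_32.dll", "WSAStartup"), ("ws2_32.dll", "connect"),
                    ("kernel32.dll", "VirtualAlloc"), ("kernel32.dll", "GetProcAddress")],
        "sections": [".text", ".data", ".xyz"],
        "functions": ["send_report", "loc_401234"],
    },
}

NEW_SAMPLE = {
    "imports": [("kernel32.dll", "CreateFileA"), ("ws2_32.dll", "WSAStartup"),
                ("ws2_32.dll", "connect"), ("advapi32.dll", "RegSetValueExA")],
    "sections": [".text", ".data", ".rdata", ".xyz"],
    "functions": ["sub_401000", "decrypt_config", "send_report"],
}

if __name__ == "__main__":
    for hit in correlate(NEW_SAMPLE, KB):
        print(hit)
```

Note that `sample_a.i64` lists the same imports with different DLL casing and ordering and still produces the identical fingerprint; that normalization step is what makes an MD5 fingerprint usable as an exact-match key at all, while the Jaccard overlap catches the partial relationship to `sample_c.i64` that a hash can never express.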
IDA Spotlight View: main results table
- Sortable columns (Function, Score, Priority, Categories)
- Search filtering by function name
- Toggle visibility of low-priority and library functions
- Context menu with copy, jump, and export actions
IDA Spotlight Quick Inspector: synchronized detail panel
- Syncs with IDA View-A/B/C or Pseudocode-A/B/C
- Follows cursor movement like native IDA subviews
- Shows full score breakdown with reasons
- Back/Forward navigation history
- Pin to freeze current function
Export results for external tools and reports:
- CSV: for spreadsheets and data analysis
- JSON: for automation and integration
Exports include: function name, address, length, score, priority, library flag, top reason, and all categories.
- Copy the plugin directory to your IDA plugins folder: `%APPDATA%\Hex-Rays\IDA Pro\plugins\ida-spotlight\`
- Ensure all files are present:

  ```
  ida-spotlight/
  ├── spotlight.py           # Main plugin entry point
  ├── spotlight_actions.py   # IDA action handlers
  ├── spotlight_config.py    # Configuration and constants
  ├── spotlight_kb.py        # Knowledge base operations
  ├── spotlight_kb_index.py  # KB indexing
  ├── spotlight_scanner.py   # Function scanning and scoring
  ├── spotlight_ui.py        # PySide6 UI components
  ├── spotlight_utils.py     # Utility functions
  ├── spotlight.json         # Signal patterns config
  └── ida-plugin.json        # IDA metadata
  ```

- Install idalib using this guide
- Launch IDA Pro 9.2
- Run the following command:

  ```
  C:\Users\User>python "C:\Program Files\IDA Professional 9.2\plugins\ida-spotlight-0.1.2\spotlight_kb_index.py" --idb Z:\idb
  Using Python: C:\Program Files\Python311\python.exe
  KB database: C:\Users\User\AppData\Roaming\Hex-Rays\Ida Pro\IDA Spotlight\ida-spotlight-kb.sqlite
  [1/2] Indexing Z:\idb\ktControl_Panel.exe.i64
  [2/2] Indexing Z:\idb\ktControl_Panel_Tools.exe.i64
  Spotlight KB indexing complete
  ```
- Open a binary in IDA Pro
- Navigate to: View → Open subviews → IDA Spotlight → IDA Spotlight View
- Click Scan to analyze all functions
- Review results sorted by score
- Double-click or press Enter to jump to a function
- Right-click for context menu options
| Action | Description |
|---|---|
| Enter | Jump to selected function |
| Double-click | Jump to selected function |
Customize scoring rules by editing spotlight.json:

```json
{
  "signals": {
    "networking": {
      "functions": {
        "WSAStartup": 2,
        "connect": 6,
        "InternetOpenUrlA": 6
      },
      "strings": {
        "https?://": 8,
        "User-Agent:": 5
      }
    }
  }
}
```

- functions: maps API names to weights
- strings: maps regex patterns to weights
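The scoring pipeline described above (signal weights from the `functions` and `strings` maps, the `final_score = base_score + (best_callee_score × 0.15)` context bonus, FLIRT library deprioritization, and the 10%/30% priority tiers), worked through as an added example. This is not the plugin's `spotlight_scanner.py`; the configuration below is a constructed `spotlight.json`-shaped dictionary with illustrative weights, the `Func` records stand in for what IDAPython would report per function, and two details the page leaves open are assumptions: the context bonus uses the callee's base score (so bonuses do not chain), and `library_score_penalty` is subtracted from a library function's score and floored at zero.

```python
import math
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed configuration in the same shape as spotlight.json; the weights are illustrative.
CONFIG = {
    "signals": {
        "networking": {
            "functions": {"WSAStartup": 2, "connect": 6, "InternetOpenUrlA": 6},
            "strings": {r"https?://": 8, r"User-Agent:": 5},
        },
        "injection": {
            "functions": {"VirtualAllocEx": 7, "WriteProcessMemory": 8, "CreateRemoteThread": 9},
            "strings": {},
        },
    },
    "context_bonus_factor": 0.15,
    "library_score_penalty": 3.0,
}


@dataclass
class Func:
    """Stand-in for what the plugin reads out of IDA for one function (constructed data)."""
    name: str
    apis: List[str] = field(default_factory=list)      # imported APIs this function calls
    strings: List[str] = field(default_factory=list)   # string literals it references
    callees: List[str] = field(default_factory=list)   # internal functions it calls
    is_library: bool = False                           # FLIRT-recognised library code


def base_score(func: Func, config: dict):
    """Sum the configured weights for matching API calls and regex string matches."""
    score, categories, reasons = 0.0, set(), []
    for category, signals in config["signals"].items():
        for api in func.apis:
            weight = signals.get("functions", {}).get(api)
            if weight:
                score += weight
                categories.add(category)
                reasons.append(f"{category}: calls {api} (+{weight})")
        for pattern, weight in signals.get("strings", {}).items():
            for text in func.strings:
                if re.search(pattern, text):
                    score += weight
                    categories.add(category)
                    reasons.append(f"{category}: string matches {pattern!r} (+{weight})")
    return score, sorted(categories), reasons


def score_functions(funcs: List[Func], config: dict) -> Dict[str, dict]:
    """Base score, context bonus, library penalty and priority tier for every function."""
    bases = {f.name: base_score(f, config) for f in funcs}
    results = {}
    for f in funcs:
        score, categories, reasons = bases[f.name]
        # final_score = base_score + (best_callee_score x factor); assumption: callee base score.
        best_callee = max((bases[c][0] for c in f.callees if c in bases), default=0.0)
        if best_callee > 0:
            bonus = best_callee * config["context_bonus_factor"]
            score += bonus
            reasons.append(f"context: calls a high-scoring function (+{bonus:.2f})")
        # Library deprioritisation; assumption: penalty subtracted and floored at zero.
        if f.is_library:
            score = max(0.0, score - config["library_score_penalty"])
        results[f.name] = {"score": round(score, 2), "categories": categories, "reasons": reasons,
                           "library": f.is_library, "tier": "Library" if f.is_library else "Low"}

    # Tiers are cut only over non-library functions that produced at least one signal.
    ranked = sorted((n for n, r in results.items() if not r["library"] and r["score"] > 0),
                    key=lambda n: results[n]["score"], reverse=True)
    critical_n = math.ceil(len(ranked) * 0.10)
    high_n = math.ceil(len(ranked) * 0.30)
    for rank, name in enumerate(ranked):
        results[name]["tier"] = "Critical" if rank < critical_n else ("High" if rank < high_n else "Medium")
    return results


def ranked_names(results: Dict[str, dict]) -> List[str]:
    """Function names in results-table order: highest score first, ties by name."""
    return sorted(results, key=lambda n: (-results[n]["score"], n))


# Constructed call graph standing in for a small binary.
SAMPLE_BINARY = [
    Func("main", callees=["net_init", "inject_payload"]),
    Func("net_init", apis=["WSAStartup", "connect"],
         strings=["https://update.example.invalid/check", "User-Agent: Mozilla/5.0"]),
    Func("inject_payload", apis=["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]),
    Func("net_send", apis=["connect"]),
    Func("build_url", strings=["http://"]),
    Func("wsa_wrapper", apis=["WSAStartup"]),
    Func("inet_helper", apis=["connect"], is_library=True),   # FLIRT-matched library code
    Func("memcpy", is_library=True),
    Func("sub_401000"), Func("sub_401040"), Func("sub_401080"),
]

if __name__ == "__main__":
    res = score_functions(SAMPLE_BINARY, CONFIG)
    for name in ranked_names(res):
        r = res[name]
        print(f"{name:15} {r['score']:6.2f} {r['tier']:9} {','.join(r['categories'])}")
```

Running it shows why the context bonus exists: `main` has no signals of its own, yet because it calls `inject_payload` it lands in the scored set rather than disappearing into the Low tier with the `sub_*` noise, while `inet_helper`, which would otherwise score the same as `net_send`, is pushed down by the library penalty and excluded from the tier cut.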
Exclude noise from analysis:

```json
{
  "filters": {
    "functions": ["^sub_[0-9a-fA-F]+$"],
    "sections": [".text", ".data", ".rdata"],
    "dlls": ["kernel32.dll", "ntdll.dll"]
  }
}
```

Fine-tune scoring behavior:

```json
{
  "context_bonus_factor": 0.15,
  "library_score_penalty": 3.0
}
```

- IDA Pro 9.2 or later
- Python 3.x (bundled with IDA)
- PySide6 and shiboken6 (auto-installed by IDA or via pip)
- Windows x86_64 (primary platform)
```
spotlight.py               # Plugin entry point
├── spotlight_config.py    # Configuration and constants
├── spotlight_utils.py     # Utility functions
├── spotlight_scanner.py   # Function scanning and scoring
├── spotlight_ui.py        # PySide6 UI components
├── spotlight_actions.py   # IDA action handlers
├── spotlight_kb.py        # Knowledge base operations
└── spotlight_kb_index.py  # KB batch indexing script
```
"I have 300 samples to analyze this week. IDA Spotlight helps me identify the 10 functions worth reversing in each sample."
"When I find a new sample, Spotlight correlates it with our historical KB to identify malware family relationships."
"Quickly locate functions handling network input, file operations, or crypto, the most likely targets for vulnerabilities."
"During time-limited competitions, Spotlight immediately highlights interesting functions instead of manual searching."
- Cross-platform support (macOS, Linux)
- Yara rule generation from high-scoring functions
- Team KB sharing via remote database
- Machine learning-based signal suggestions
- Integration with threat intelligence feeds
Askar Dyussekeyev
Email: dyussekeyev@yandex.kz
GitHub: github.com/dyussekeyev
This project is licensed under the Apache License 2.0; see the full license text at apache.org/licenses/LICENSE-2.0.
- Hex-Rays for IDA Pro and the IDAPython API
- The reverse engineering community for inspiring signal patterns
- All malware analysts who shared their workflows and pain points
Star this repository if IDA Spotlight helps your workflow!