github.com/mcdulltii/obfDetect
IDA plugin to pinpoint obfuscated code
Contributors: 3
Lines of Code: 95
Activity: 2021-08-17 to 2022-04-29
About mcdulltii/obfDetect
obfDetect is an IDA Pro plugin written in Python that automatically identifies obfuscated code and state machines within binary files. The plugin targets IDA 7.4 and later and applies heuristics drawn from published research (blog posts) on detecting control-flow flattening and other forms of code obfuscation.
The plugin provides a PyQt5-based graphical interface that allows security researchers and reverse engineers to analyze functions within loaded binaries. Users can select from multiple heuristic detection methods, choose which functions to analyze, and optionally filter results by maximum node size. The tool calculates complexity scores for functions and displays them in a sortable table, where analysts can rename functions directly and export results to CSV format. Functions are ranked by their heuristic complexity scores, helping users prioritize the most suspicious or obfuscated code segments.
The automated detection is computationally intensive, because a dominator tree is built recursively for every function discovered in the binary. To mitigate this, the plugin distributes the work across threads. It integrates into IDA's normal workflow: it is reachable from the File menu or via a keyboard shortcut, and it outputs results as soon as a binary is loaded.
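To make the dominator-tree heuristic concrete, the following is an added example (not obfDetect's own code) of the dominator-based control-flow-flattening score described in the research the plugin builds on, run on two constructed CFGs: a flattened function whose dispatcher dominates almost every block, and an ordinary if/else with a small loop. The CFG representation (a dict of block name to successor names), the block labels and the 0.8 threshold are assumptions for illustration.

```python
# Added example, not obfDetect's own code. A CFG is a dict: block -> successors.

def compute_dominators(cfg, entry):
    """Iterative dataflow: dom[n] = {n} | intersection of dom[p] over preds p."""
    nodes = set(cfg)
    for succs in cfg.values():
        nodes.update(succs)
    preds = {n: set() for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].add(n)
    dom = {n: set(nodes) for n in nodes}  # start from "everything dominates"
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes - {entry}:
            common = set.intersection(*(dom[p] for p in preds[n])) if preds[n] else set()
            new = {n} | common
            if new != dom[n]:
                dom[n] = new
                changed = True
    return dom, preds

def flattening_score(cfg, entry):
    """Largest fraction of blocks dominated by one block that is also the target of
    a back edge from a block it dominates (a dispatcher loop). Flattened code scores
    close to 1.0; ordinary structured code scores well below."""
    dom, preds = compute_dominators(cfg, entry)
    total = len(dom)
    score = 0.0
    for b in dom:
        dominated = {n for n in dom if b in dom[n]}
        # Require a loop back into b from a dominated block; this skips the entry
        # block, which trivially dominates everything without being a dispatcher.
        if not any(p in dominated for p in preds[b]):
            continue
        score = max(score, len(dominated) / total)
    return score

# Constructed CFGs; labels are illustrative, not taken from any real binary.
FLATTENED = {"entry": ["disp"], "disp": ["s1", "s2", "s3", "exit"],
             "s1": ["disp"], "s2": ["disp"], "s3": ["disp"], "exit": []}
NORMAL = {"entry": ["a", "b"], "a": ["c"], "b": ["c"],
          "c": ["d", "exit"], "d": ["c"], "exit": []}
THRESHOLD = 0.8  # assumed cut-off for flagging a function as flattened

if __name__ == "__main__":
    for name, cfg in (("flattened", FLATTENED), ("normal", NORMAL)):
        s = flattening_score(cfg, "entry")
        print(f"{name}: score={s:.3f} flagged={s >= THRESHOLD}")
```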