Author: xorhex
Copyright: 2026
Various features to make Windows malware analysis easier. Currently includes:
- Adding function prototypes
- Local instance of HashDB (New)
NEW: Can now apply types to struct members and global variables.
- Rename the variable or struct member name to the API name
- Right click on the variable or struct member name (has to be in the binaryview) and select BinjaExtras and click Apply Type
Sometimes a custom function will resolve an API and then jump to it. In that case, the prototype of the function that both resolves and calls/jumps to the API matches the prototype of the API being resolved - simply rename the function and the type is auto applied.
For those that need a local instance of OALabs' HashDB, this plugin allows folks to create one; otherwise I'd recommend using cxiao's excellent HashDB Binary Ninja plugin. This feature is also good for testing new hashing algorithms. Add the new hash algorithm to the local clone of hashdb just as if you were going to submit it as a pull request (highly recommend a pull request to hashdb be done after testing - sharing is caring!) and update the local database.
- Checkout https://github.com/OALabs/hashdb.git
- Update the setting hashdb folder to point to the directory just checked out.
- Add any additional library names to the Local HashDB DLLs; by default these are added:
  - kernel32.dll
  - user32.dll
  - ws2_32.dll
  - shell32.dll
  - ntdll.dll
  - advapi32.dll
  - gdi32.dll
  - wininet.dll
  - urlmon.dll
  - ole32.dll
  - oleaut32.dll
  - psapi.dll
  - shlwapi.dll
- The database still needs to be generated: go to Plugins -> LocalHashDb -> Generate API Database
Now it's ready to use!
WARNING: The hash database is generated locally using the type system in Binary Ninja. Some of the types, like those for ntdll.dll, are incomplete, so not all ntdll.dll APIs will get hashed. Create a Binary Ninja issue or thumbs up one of the issues below when this occurs:
This feature adds 2 options to the context menu.
Right click on a hex value and select LocalHashDB -> Hunt for algorithm used. If a match is found, it will present a screen with a dropdown listing all of the algorithms the hash matched on.
After selecting one and clicking Ok, the library's API enumeration structure needs to be added. Right click and go to LocalHashDB -> Add APIs for DLL as Enum.
Click Ok if you want them added. Once added, use Display as Enum Member or the m key to change the constant to a matching enum value.
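What the hunt and enum steps above amount to, as an added standalone sketch that is not the plugin's or HashDB's code: hash every known API name with every algorithm, then look the constant up. The export names, the three hash routines and all function names here are assumptions chosen for illustration.

```python
import zlib

# Constructed sample: a few export names per DLL. The plugin generates its
# list from Binary Ninja's type system instead.
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}

def crc32(name: bytes) -> int:
    return zlib.crc32(name) & 0xFFFFFFFF

def ror13_add(name: bytes) -> int:
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h

def djb2(name: bytes) -> int:
    h = 5381
    for b in name:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h

ALGORITHMS = {"crc32": crc32, "ror13_add": ror13_add, "djb2": djb2}

def build_database(exports, algorithms):
    """Map algorithm name -> {hash value -> [(dll, api), ...]}."""
    db = {}
    for alg, fn in algorithms.items():
        table = db.setdefault(alg, {})
        for dll, names in exports.items():
            for api in names:
                table.setdefault(fn(api.encode("ascii")), []).append((dll, api))
    return db

def hunt(db, constant):
    """Return {algorithm: [(dll, api), ...]} for each algorithm that yields the constant."""
    return {alg: table[constant] for alg, table in db.items() if constant in table}

def enum_for_dll(db, alg, dll):
    """Enum-style {API name: hash} for one DLL under the chosen algorithm."""
    return {api: h for h, hits in db[alg].items() for d, api in hits if d == dll}

DB = build_database(EXPORTS, ALGORITHMS)
if __name__ == "__main__":
    constant = ror13_add(b"GetProcAddress")  # stands in for a constant seen in a sample
    print(hunt(DB, constant))
```

An API missing from the export list can never be matched, which is the practical effect of the incomplete-types warning above.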
All of the features can be controlled (enabled/disabled) via the settings.
Nothing special, just install through the Binary Ninja plugin manager.
- Can now apply types to global variables
- Can now apply types to struct members (has to be done from binaryview)
- Local API HashDB utilizing OALabs HashDB
- move the Usage content into the readme so that it will render in BinaryNinja's plugin manager
This plugin requires the following minimum version of Binary Ninja:
- 6455
This plugin is released under an MIT license.
- Create additional options for creating the local hash db:
- Add support for cancelation
- Add to the about box what git commit version from hashdb is being used





