grap TODO_GRAPVERSION
grap matches user-defined graph patterns within binaries.
It exists as a stand-alone CLI application (with a Capstone-based disassembler), as Python bindings, and as this IDA plugin.
https://github.com/AirbusCyber/grap/
Pattern Search
- Within the Pattern Search tab, you can match existing patterns against the current state of the binary being analyzed
- Since the Control Flow Graph (CFG) is built from the current IDA database, matches depend on how far the analysis has progressed (code that IDA has not yet disassembled or attached to a function is not in the graph); rerun the search later in the analysis process after defining new functions or code
Pattern files should have the .grapp extension and may be located:
- (Windows Only) in %APPDATA%\IDAgrap\patterns: user defined patterns
- In an IDA plugin folder (for instance C:\Program Files\IDA 7.0\plugins\idagrap\patterns\test\misc\files): default patterns
Pattern Generation
- Within the Pattern Generation tab, first parse the CFG with the "Load CFG" button
- Then, within the IDA View, add a root node and target nodes (with a right click)
- Intermediate nodes on the paths between them are automatically colored and the pattern text field is filled
- Alternatively you can disable the "Auto update" option and click on "Generate a pattern" to generate it on demand
- You can save the generated pattern to a file
- The created pattern file can be matched from the Pattern Search tab
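To show what the pattern text field and a saved .grapp file contain, here is a small added example (not taken from the project's README or its shipped pattern set) that matches an xor followed by up to four arbitrary instructions and then a conditional jump, the shape of a simple decryption loop body. It assumes grap's DOT-based pattern syntax with the node attributes cond, getid, minrepeat, maxrepeat and lazyrepeat; the exact attribute names and the condition grammar are assumptions here and should be checked against the pattern documentation in the repository before use.

```dot
digraph xor_then_branch {
    /* Assumed syntax: cond, getid, minrepeat, maxrepeat and lazyrepeat
       are used as in grap's DOT-based pattern format; verify the names
       against the project's pattern documentation. */

    /* root node (no incoming edge): an xor instruction, reported under
       the id "xor" in the match results */
    A [cond="opcode is xor", getid="xor"]

    /* one to four arbitrary instructions, matched lazily so the shortest
       path to the jump wins */
    B [cond="true", minrepeat=1, maxrepeat=4, lazyrepeat=true]

    /* a conditional or unconditional jump (opcode starting with "j") */
    C [cond="opcode beginswith j", getid="branch"]

    A -> B
    B -> C
}
```

Save the file with the .grapp extension in one of the directories listed under Pattern Search and run it from that tab; a pattern generated from the Pattern Generation tab has the same form, with the root node corresponding to the node you marked as root.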
Credits
grap is an open source project mostly developed by Airbus - CyberSecurity (https://airbus-cyber-security.com/).
License
grap is licensed under the MIT license.
The full license text should have been distributed with the software.
It can be also found in the file LICENSE on the repository.
Icons
Most of the icons used in the IDA plugin (those named icons8-* in the ui/icons/ folder):