Plugins
Each plugin has a dispatch mode: off (kill switch — never runs), manual (on-demand only — run it per object via reprocess; never auto-fires), or auto (runs on matching ingest, and on demand).
Binary similarity via basic-block semantic hashing (BBSH) over IDA microcode.
accepts: application/x-ida-i64, application/x-ke-simple-bbsh-fixture
Parses an IDA database to recover its source binary's hashes and link them; exposes no query operations.
accepts: application/x-ida-i64
Binary and function similarity via FLAKE flow-graph vector embeddings.
accepts: application/x-ida-i64
Library identification via FLIRT pattern-based signature matching, plus signature download.
accepts: application/x-ida-sig, application/x-ida-i64
Indexes function names across the corpus and searches them by substring.
accepts: application/x-ida-i64
On-demand IDA/Hex-Rays operations that compute at request time against an .i64 (the worked example of an `exec` operation).
accepts: application/x-ida-i64
Creates and analyzes an IDA database (.i64) from a raw executable; exposes no query operations.
accepts: application/x-executable
Extracts and queries binary metadata (format/arch, CPU, file type, compiler) and corpus facets.
accepts: application/x-executable, application/x-ida-i64, application/x-ke-simple-metadata-fixture
Semantic binary and function similarity via ML pseudocode embeddings (pgvector cosine).
accepts: application/x-ida-i64
Binary and function similarity by matching extracted string content.
accepts: application/x-ida-i64
On-demand VirusTotal enrichment: looks a binary up by its sha256 (no bytes uploaded) and stores the verdict, fuzzy hashes, and the full report. Manual mode — never auto-fires on ingest; run it per object via `kcli object reprocess <bucket> <sha256> --plugin kep-vt`.
accepts: application/x-executable