FLIRT Signature Bundle

With FLIRT Signature Bundle, designed to be used with IDA Feeds (aka FLIRT Signature Manager), you can analyze thousands of signatures and bulk apply them to your binary.

The bundle contains signatures for modern languages like Golang and Rust, as well as updates for classic compilers. The latest version of the FLIRT Signature Bundle can be downloaded from My Hex-Rays portal under SDK and utilities.

Flirt Signature Bundles will be regularly updated and released independently whenever there is a new compiler, language, or library release.

Released versions

2024/09/12 FLIRT Signature Bundle

Golang

• Versions: stable versions from 1.10.0 to 1.23

• Operating Systems: Linux, Windows, MacOS

• Architectures: arm64 (Windows, Linux, MacOS), arm (Windows, Linux, MacOS), x86 (Windows, Linux) , x86-64 (Windows, Linux)

C/C++

• Windows (MSVC):

  • Architectures: arm, arm64, i386, amd64

  • Packages: ATL, CTL, MFC, Windows SDK 10, Windows SDK 11

• Linux:

  • Distribution: Ubuntu & Debian

  • Architectures: i386, amd64, arm64, armhf, armel, arm, s390x, mips64el, mipsel, mips, ppc64el

  • Packages: libc6, libselinux1, libpcre2, libidn2, libssl, zlib1g, lib32z1, libunistring, libcurl4-gnutls, libcurl4-nss, libcurl4-openssl, libnghttp2, libidn2, librtmp, libssh, libssh-gcrypt, libpsl, libldap, libzstd, libbrotli, libgnutls28, nettle, libgmp, comerr, libsasl2, libbrotli, libtasn1-6, libkeyutils, libffi, uuid, libprotobuf, heimdal-multidev, musl, libplib, libsdl1.2-bundle (libsdl-console, libsdl-sge, libsdl1.2, libsdl-ocaml, libsdl-image1.2, libsdl-kitchensink, libsdl-mixer1.2, libsdl-net1.2, libsdl-sound1.2, libsdl-ttf2.0, libsdl1.2-compat, libsdl-gfx1.2, libsdl-pango), libsdl2-bundle (libsdl2, libsdl2-gfx, libsdl2-image, libsdl2-mixer, libsdl2-net, libsdl2-ttf) Rust

• Versions 1.77 to 1.81

  • Architectures: arm64, arm, x86, x86-64

  • Operating Systems: Linux, Windows, MacOS

  • Compilers: GCC, LLVM, MSVC

IDA Feeds

Starting with IDA 9.0, we introduced IDA Feeds (aka FLIRT Signature Manager), the tool designed to ease the application of new signatures through updatable libraries, (known as IDA FLIRT Signature Bundles), shipped alongside other IDA plugins just out-of-the-box.

What is IDA Feeds?

Ida Feeds helps you identify which signatures to apply when analyzing binary files, especially when you don't know which static libraries were linked to them. Rather than manually applying signatures, IDA Feeds automatically scans and applies many signatures in seconds. Just open the signature folder, allow IDA to scan and find the possible matches, and then bulk apply the suggested signatures.

IDA Feeds uses the FLIRT Signature Bundles, which are going to be regularly updated and released to keep you up to date with the newest recognizable signatures.

IDA Feeds configuration and setup

The proper configuration of the plugin is required to start using IDA Feeds and make it visible in the plugins list under Edit -> Plugins submenu.

Prerequisites

• idalib configured properly (check idalib installation and activation steps)

• Downloaded the latest IDA FLIRT Signature Bundle. You can get it from our Download Center in My Hex-Rays portal under SDK and utilities.

Install and activate your virtual environment

We recommend using IDA Feeds from within your Python virtual environment (venv). To do so, ensure you have created and activated your virtual environment before proceeding.

Linux & macOS

1. Create a Python virtual environment at your preferred location

   Copy

   `python -m venv ~/.idapro/venv`

   Replace ~/.idapro/venv with your path.

2. Activate your virtual environment

   Copy

   source ~/.idapro/venv/bin/activate

Windows

1. Create a Python virtual environment at your preferred location

   Copy

   python -m venv %YOURPROFILE%\.idapro\venv
   

   Replace .idapro\venv with your path.

2. Activate your virtual environment

   Copy

   %YOURPROFILE%\.idapro\venv\Scripts\activate
   

Installing requirements/dependencies

Install requirements for Python modules from within your virtual environment.

1. Navigate to the plugin/ida_feeds folder within the IDA Pro installation directory and install the requirements.

python3 -m pip install -r requirements.txt

1. Create symbolic link (optional)

Linux & OSX

ln -s $(pwd) $HOME/.idapro/plugins/ida_feeds

Windows

mklink /D "%APPDATA%\Hex-Rays\IDA Pro\plugins\ida_feeds" "%cd%"

After successfully performing these steps, IDA Feeds plugin should be visible in the Edit -> Plugins submenu and ready to try.

How to use IDA Feeds?

To use IDA Feeds, you need to configure the plugin first.

1. Go to the Edit -> Plugins -> IDA Feeds. IDA Feeds will open in a new Signature Tools subview.

2. In the Signature Tools window, click Open signatures folder and select the folder with the downloaded FLIRT signature bundle (1), or leave the preloaded signatures already provided with your IDA instance.

1. Select all or chosen signature files, and then click Run multi-core analysis (2).

2. Check the results and click Apply signatures to bulk apply (3) correct matches.