IDA Feeds

Starting with IDA 9.0, we introduced IDA Feeds (aka FLIRT Signature Manager), the tool designed to ease the application of new signatures through updatable libraries, (known as IDA FLIRT Signature Bundles), shipped alongside other IDA plugins just out-of-the-box.

What is IDA Feeds?

Ida Feeds helps you identify which signatures to apply when analyzing binary files, especially when you don't know which static libraries were linked to them. Rather than manually applying signatures, IDA Feeds automatically scans and applies many signatures in seconds. Just open the signature folder, allow IDA to scan and find the possible matches, and then bulk apply the suggested signatures.

IDA Feeds uses the FLIRT Signature Bundles, which are going to be regularly updated and released to keep you up to date with the newest recognizable signatures.

IDA Feeds configuration and setup

The proper configuration of the plugin is required to start using IDA Feeds and make it visible in the plugins list under Edit -> Plugins submenu.

Prerequisites

idalib configured properly (check idalib installation and activation steps)
Downloaded the latest IDA FLIRT Signature Bundle. You can get it from our Download Center in My Hex-Rays portal under SDK and utilities.

Install and activate your virtual environment

We recommend using IDA Feeds from within your Python virtual environment (venv). To do so, ensure you have created and activated your virtual environment before proceeding.

Linux & macOS

Create a Python virtual environment at your preferred location
```
`python -m venv ~/.idapro/venv`
```
Replace ~/.idapro/venv with your path.
Activate your virtual environment
```
source ~/.idapro/venv/bin/activate
```

Windows

Create a Python virtual environment at your preferred location
```
python -m venv %YOURPROFILE%\.idapro\venv
```
Replace .idapro\venv with your path.

Activate your virtual environment

%YOURPROFILE%\.idapro\venv\Scripts\activate

Installing requirements/dependencies

Install requirements for Python modules from within your virtual environment.

Navigate to the plugin/ida_feeds folder within the IDA Pro installation directory and install the requirements.

python3 -m pip install -r requirements.txt

Create symbolic link (optional)

Linux & OSX

ln -s $(pwd) $HOME/.idapro/plugins/ida_feeds

Windows

mklink /D "%APPDATA%\Hex-Rays\IDA Pro\plugins\ida_feeds" "%cd%"

After successfully performing these steps, IDA Feeds plugin should be visible in the Edit -> Plugins submenu and ready to try.

How to use IDA Feeds?

To use IDA Feeds, you need to configure the plugin first.

Go to the Edit -> Plugins -> IDA Feeds. IDA Feeds will open in a new Signature Tools subview.
In the Signature Tools window, click Open signatures folder and select the folder with the downloaded FLIRT signature bundle (1), or leave the preloaded signatures already provided with your IDA instance.

Select all or chosen signature files, and then click Run multi-core analysis (2).
Check the results and click Apply signatures to bulk apply (3) correct matches.

Last updated 28 days ago