IDA Feeds
This feature is available only in IDA Pro, as it depends on idalib for full functionality.
Starting with IDA 9.0, we introduced IDA Feeds (aka FLIRT Signature Manager), a tool designed to ease the application of new signatures through updatable libraries (known as IDA FLIRT Signature Bundles). It ships out of the box alongside other IDA plugins. You can run IDA Feeds directly through the IDA Pro UI by navigating to Edit → Plugins → IDA Feeds. All related IDA Feeds files are located in the plugins/ida_feeds directory within your IDA installation folder.
IDA Feeds helps you identify which signatures to apply when analyzing binary files, especially when you don't know which static libraries were linked to them. Rather than manually applying signatures, IDA Feeds automatically scans and applies many signatures in seconds. Just open the signature folder, allow IDA to scan and find the possible matches, and then bulk apply the suggested signatures.
IDA Feeds uses the FLIRT Signature Bundles, which will be regularly updated and released to keep you up to date with the newest recognizable signatures.
Besides managing FLIRT signatures, IDA Feeds can generate Rust signatures on demand.
You can download the latest IDA FLIRT Signature Bundle from our Download Center in My Hex-Rays portal under SDK and utilities.
Although the basic options of the IDA Feeds plugin work out of the box, you may need to install some dependencies to experience its full functionality.
idalib configured properly (check and ) if you want to use the fully functional IDA Feeds plugin (including parallel probing and generating Rust signatures) or run IDA Feeds as a standalone app
RPyC 5.x for parallel probing
Rust installed, if you want to generate Rust signatures
Path to flair correctly set in the config.json file inside your ida_feeds folder
Check the readme file inside the ida_feeds folder for detailed info.
Install the requirements for Python modules in the interpreter that IDA is using, or from within your virtual environment (venv).
Navigate to the plugins/ida_feeds folder within the IDA Pro installation directory and install the requirements.
Create symbolic link (optional)
Linux & OSX
Windows
Go to the Edit -> Plugins -> IDA Feeds. IDA Feeds will open in a new IDA Feeds subview.
In the Signature Tools window, click Open signatures folder and select the folder with the downloaded FLIRT signature bundle (1), or leave the preloaded signatures already provided with your IDA instance.
Select the signature files you want, pick the type of probing from the dropdown menu: Parallel probing or Sequential probing (2), and then click Run probe (3) to match functions in the binary against the selected signature file(s).
Parallel probing runs multiple probing processes on copies of the IDB. It is faster, but also more resource intensive. It requires idalib, the idapro module and RPyC 5.x to work. The Parallel type is available only when all prerequisites and dependencies are correctly installed. If any are missing, you can still use Sequential probing as a slower alternative.
Check the results and click Apply signatures to bulk apply (4) correct matches to selected signatures.
idalib with the idapro module installed
A correctly set path to flair in the config.json file inside your ida_feeds folder
Go to the Edit -> Plugins -> IDA Feeds. In the IDA Feeds subview, navigate to the folder tree view (Signatures panel) on the left and find FLIRT for Rust libraries at the bottom of the view.
Click Create and apply signature.
After generation, you can find the .sig file in your .idapro/cache/rust folder.
Q: What's the difference between signatures shipped with IDA installer (in the sig folder) and FLIRT signatures bundle?
IDA comes with a set of standard FLIRT signatures, which you can find in the sig folder in the IDA installation directory.
The signature bundles for IDA Feeds (downloadable from My Hex-Rays portal) provide additional signatures to improve function recognition for various libraries and frameworks. What's more, these bundles are available with additional metadata files that may enhance your analysis.
Q: Should I always place additional signatures, like those from the FLIRT signature bundles, in the sig folder?
It's up to you whether to keep some signatures separate or store them in the sig folder inside the IDA installation directory.
Placing them in the sig folder makes them available globally for all IDBs opened in IDA and pre-loaded whenever you run the IDA Feeds plugin. It can be convenient if you usually work with the same set of libraries, but it can clutter the space if you don't need all signatures handy all the time.
Q: What is the difference between signature bundle with metadata and the one without?
The signature bundle with metadata contains a txt file for each signature (.sig file) that explains in detail what is inside that particular signature (listing libraries and versions). If this information is useful for your analysis, opting for bundles with metadata can be beneficial. However, if you don't require these details for your regular reverse engineering tasks, you may prefer a more lightweight bundle without metadata.
Check the Rust compiler version
Your binary/executable may be compiled with a Rust compiler that is not known by IDA Feeds, meaning that it is not included in the rust-git-tags.json file in the ida_feeds folder. Before you proceed, verify that the Rust compiler version is present in rust-git-tags.json.
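One way to run this check outside IDA, as an added example that is not part of IDA Feeds or its documentation: it pulls the rustc version string and the `/rustc/<commit>/` source-path hash out of a binary's raw bytes and looks for them in the tags file. The layout of rust-git-tags.json is not described on this page, so the lookup is an assumption that searches every key and string value; the sample blob and tags are constructed.

```python
import json
import re

# Markers rustc leaves in binaries: the version string in the ELF .comment
# section and the "/rustc/<commit>/" prefix of standard-library source paths.
VERSION_RE = re.compile(rb"rustc version (\d+\.\d+\.\d+(?:-[a-z]+(?:\.\d+)?)?)")
COMMIT_RE = re.compile(rb"/rustc/([0-9a-f]{40})[/\\]")

def rustc_markers(blob):
    """Return the set of rustc versions and commit hashes found in raw bytes."""
    found = VERSION_RE.findall(blob) + COMMIT_RE.findall(blob)
    return {m.decode() for m in found}

def json_strings(node):
    """Yield every key and string value of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from json_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from json_strings(item)
    elif isinstance(node, str):
        yield node

def known_to_feeds(blob, tags):
    """Map each marker in blob to True if the tags document mentions it."""
    strings = list(json_strings(tags))
    report = {}
    for marker in sorted(rustc_markers(blob)):
        # Whole-token match so "1.75.0" does not hit "11.75.0" or "1.75.0-beta.1".
        token = re.compile(r"(?<![\d.])" + re.escape(marker) + r"(?![\w.-])")
        report[marker] = any(token.search(s) for s in strings)
    return report

def check_files(binary_path, tags_path):
    """Run the check on a real binary and a real rust-git-tags.json."""
    with open(binary_path, "rb") as fh, open(tags_path, encoding="utf-8") as tf:
        return known_to_feeds(fh.read(), json.load(tf))

# Constructed sample data (not a real binary, not the real JSON layout).
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_BLOB = (b"\x00rustc version 1.75.0 (012345678 2023-12-21)\x00"
               b"/rustc/" + SAMPLE_COMMIT.encode() + b"/library/core/src/fmt/mod.rs\x00")
SAMPLE_TAGS = {"1.74.1": "f" * 40, "1.75.0": SAMPLE_COMMIT}

if __name__ == "__main__":
    print(known_to_feeds(SAMPLE_BLOB, SAMPLE_TAGS))
```

A marker reported as False means neither the version nor the commit appears in the file, which is the situation the paragraph above describes.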
When you encounter unexpected errors, set the IDA_FEEDS_LOG_LEVEL environment variable to DEBUG, and then restart IDA and try again to obtain additional information from the Output Window.