For more than a decade, IDA plugins that extract signatures from programs loaded into IDA Pro have been freely available online. Notably, idb2pat and idb2sig are shared library plugins that you can download here. Illustration 2 shows a reverse engineer generating a pattern file from ntdll.dll using idb2sig in IDA Pro. These plugins are fast and well-tested. However, since they are written in C++, they must be recompiled with each update to the IDA Pro SDK. Also, many plugins have limited support for 64-bit programs.
The IDAPython script idb2pat.py generates FLAIR patterns from IDB files. It works on both 32- and 64-bit programs. It is a very close port of the C++ idb2sig (by mercury, and updated by TQN) to Python.
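To make the pattern format concrete, here is a small pattern builder and matcher added for this post. It is not idb2pat.py and not FLAIR code: the x86-64 function bytes, the symbol names (hello_main, puts, exit) and the relocation offsets are constructed for the example, and the .pat line layout (32 leading bytes with ".." wildcards, CRC length, CRC16, function length, ":0000 name", "^offset ref" entries, trailing bytes) and the FLAIR CRC16 variant (reflected polynomial 0x8408, initial 0xFFFF, complemented, byte-swapped) are my reading of the idb2sig/idb2pat sources, not a specification. It also shows why signatures survive stripping and relinking: stripping removes names, not code bytes, and the bytes a linker rewrites are wildcarded and kept out of the checksum.

```python
"""Toy FLIRT-style .pat builder and matcher (added example, not idb2pat.py)."""
from typing import Dict, Iterable, Optional


def flair_crc16(data: bytes) -> int:
    """CRC16 as FLAIR computes it over the bytes after the 32-byte head."""
    if not data:                      # FLAIR reports 0 for an empty CRC region
        return 0
    crc = 0xFFFF
    for byte in data:
        for _ in range(8):
            if (crc ^ byte) & 1:
                crc = (crc >> 1) ^ 0x8408
            else:
                crc >>= 1
            byte >>= 1
    crc = (~crc) & 0xFFFF
    return ((crc << 8) | (crc >> 8)) & 0xFFFF


def _hexmask(code: bytes, start: int, stop: int, variable: set) -> str:
    """Hex dump of code[start:stop] with '..' in place of variable bytes."""
    return "".join(".." if i in variable else f"{code[i]:02X}" for i in range(start, stop))


def make_pattern(name: str, code: bytes, variable: Iterable[int] = (),
                 refs: Optional[Dict[int, str]] = None) -> str:
    """Build one .pat line. 'variable' lists offsets the linker/loader may rewrite
    (rel32 call targets, RIP-relative displacements, absolute addresses); they
    become '..' and end the CRC region. 'refs' maps a fixup offset to the symbol
    it points at, emitted as '^OFFS name'."""
    var, size = set(variable), len(code)
    head = _hexmask(code, 0, min(32, size), var) + ".." * (32 - min(32, size))
    alen = 0                          # CRC covers at most 255 bytes after the head
    while 32 + alen < size and alen < 255 and (32 + alen) not in var:
        alen += 1
    crc = flair_crc16(code[32:32 + alen])
    line = f"{head} {alen:02X} {crc:04X} {size:04X} :0000 {name}"
    for off in sorted(refs or {}):
        line += f" ^{off:04X} {refs[off]}"
    if 32 + alen < size:              # bytes after the CRC region
        line += " " + _hexmask(code, 32 + alen, size, var)
    return line


def parse_pattern(line: str) -> dict:
    fields = line.split()
    pat = {"head": fields[0], "alen": int(fields[1], 16), "crc": int(fields[2], 16),
           "size": int(fields[3], 16), "publics": [], "refs": {}, "tail": ""}
    i = 4
    while i < len(fields):
        f = fields[i]
        if f.startswith(":"):         # ':0000 name' (public) or ':0000@ name' (local)
            pat["publics"].append((int(f[1:].rstrip("@"), 16), fields[i + 1]))
            i += 2
        elif f.startswith("^"):       # '^0010 name'
            pat["refs"][int(f[1:], 16)] = fields[i + 1]
            i += 2
        else:                         # trailing bytes
            pat["tail"] = f
            i += 1
    return pat


def _mask_match(mask: str, data: bytes) -> bool:
    if len(data) * 2 > len(mask):
        return False
    return all(mask[2 * i:2 * i + 2] in ("..", f"{b:02X}") for i, b in enumerate(data))


def matches(line: str, candidate: bytes) -> bool:
    """Strict toy matcher: exact length, wildcarded head, CRC region, wildcarded tail.
    Real FLIRT resolves collisions with extra context; this toy does not."""
    pat = parse_pattern(line)
    if len(candidate) != pat["size"] or not _mask_match(pat["head"], candidate[:32]):
        return False
    if flair_crc16(candidate[32:32 + pat["alen"]]) != pat["crc"]:
        return False
    return _mask_match(pat["tail"], candidate[32 + pat["alen"]:])


# Constructed 56-byte x86-64 function: push rbp; mov rbp,rsp; sub rsp,0x10;
# lea rdi,[rip+d]; call rel32; mov [rbp-8],0; mov rax,[rbp-8]; test rax,rax; jz +5;
# add rax,1; nop; mov rdi,rax; call rel32; add rsp,0x10; pop rbp; ret
def sample_function(lea_disp: bytes, call1: bytes, call2: bytes) -> bytes:
    return (bytes.fromhex("55 4889e5 4883ec10 488d3d") + lea_disp + b"\xe8" + call1
            + bytes.fromhex("48c745f800000000 488b45f8 4885c0 7405 4883c001 90 4889c7")
            + b"\xe8" + call2 + bytes.fromhex("4883c410 5d c3"))


VARIABLE = set(range(11, 15)) | set(range(16, 20)) | set(range(46, 50))  # d32/rel32 bytes
REFS = {16: "puts", 46: "exit"}                                          # assumed targets
UNSTRIPPED = sample_function(b"\x11\x22\x33\x44", b"\xaa\xbb\xcc\xdd", b"\x01\x02\x03\x04")
PATTERN = make_pattern("hello_main", UNSTRIPPED, VARIABLE, REFS)
# Same code linked elsewhere (or stripped): only relocated bytes differ.
RELOCATED = sample_function(b"\x99\x88\x77\x66", b"\x10\x20\x30\x40", b"\xde\xad\xbe\xef")
_altered = bytearray(RELOCATED)
_altered[40] = 0x02                   # add rax,1 -> add rax,2, inside the CRC region
ALTERED = bytes(_altered)

if __name__ == "__main__":
    print(PATTERN)
    print("relocated copy matches:", matches(PATTERN, RELOCATED))
    print("altered copy matches:  ", matches(PATTERN, ALTERED))
```

The relocated copy matches because the bytes a linker rewrites are wildcarded in the head and tail and excluded from the CRC region; the altered copy fails because a one-byte opcode change inside the CRC region changes the checksum. Functions shorter than 32 bytes get a ".."-padded head, a zero CRC length and no tail. To turn such .pat lines into a .sig that IDA loads, you would run them through the FLAIR sigmake tool.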
I was motivated to develop idb2pat.py while considering how to reverse engineer Go binaries. As an example, I compiled the "Hello, World!" sample program available on the Go tutorial website here, for 64-bit Linux. The Go compiler includes copious debugging information and symbols in the default executable format, and IDA Pro's analysis helpfully renamed all 1,777 functions in the binary file. However, after stripping the file, IDA Pro was unable to rename any functions and I had a difficult time differentiating support code from the main function's disassembly. Illustration 3 and Illustration 4 show the before and after function listings when stripping the Go binary.
You can use the IDAPython script idb2pat.py to quickly and easily generate function patterns for IDA Pro FLIRT signatures. Signatures built from those patterns let IDA automatically recognize and rename the same functions in other compiled programs, including stripped ones. The script works on both 32- and 64-bit programs, and because it is written in Python, it can be easily updated and modified by users. I hope you'll give this free tool a shot by downloading it from the FLARE team's Github repository!