Using IDA FLIRT

IDA FLIRT / FLAIR

  FLIRT (Fast Library Identification and Recognition Technology) is the function-recognition technology built into IDA. It lets IDA automatically recognize calls to functions from a set of standard compiler libraries, which makes the disassembly listing much clearer. For example, a call to an MFC library function might be disassembled as call 40a936; with FLIRT, IDA recognizes the function's signature, names it, and shows call CWnd::DestroyWindow in the disassembly window instead, which greatly improves the readability of the code and speeds up analysis.

  FLIRT relies on the .sig signature files shipped with IDA; these files are the key to IDA's function identification. The IDA installation package ships signature files for many popular development libraries, such as MFC, OWL and BCL. Some of the SIG files are shown in the figure:

  But what if the library used by the program under analysis has no corresponding SIG file in IDA? In that case you can use the FLAIR tools, which generate FLIRT databases, i.e. they let you build the SIG file yourself.

  Let's first look at how to use an existing SIG file to identify library functions, and then at how to generate a SIG file for a library that is not included.

1. Using an existing SIG file to identify functions

  Sometimes IDA does not automatically identify library functions even though a matching signature is available. In that case you need to apply the SIG file manually to force identification of the related functions. For example, in the following situation:

  Looking at the Strings window, you can see strings related to MFC library functions; if you are familiar with those functions, you can also tell by eye which library functions the code below belongs to.

  Then apply the SIG file manually (Shift+F5 opens the Signatures window, where you can see which SIG files are applied and how many functions each one recognized, in the #func column). After the signature is applied, most of the MFC functions in the disassembly window are identified successfully, which greatly improves the efficiency of the analysis.

2. Generating SIG files

  Besides using existing SIG files, IDA also provides the FLAIR tools so that users can build signatures for their own libraries. The tools are released separately.

  The steps to create a signature are as follows:

  1. Obtain the static library (*.lib) for which the signature file is to be created;

  2. Create a pattern file (*.pat) for the library with the matching FLAIR parser. The pattern file is a text file containing the patterns extracted from the parsed library, one per function.

    • plb.exe: parser for OMF library (commonly used by Borland compilers).

    • pcf.exe: parser for COFF library (commonly used by Microsoft compilers).

    • pelf.exe: parser for ELF library (commonly used on UNIX systems).

    • ppsx.exe: parser for Sony PlayStation PSX library.

    • ptmobj.exe: Parser for TriMedia library.

    • pomf166.exe: parser for Keil OMF 166 object files.

    To create a pattern file for a library, you must use the parser that matches the library's format. If no static LIB file is available for the library, you can use IDB2PAT to generate the .PAT file from an IDA database instead.

  3. Use sigmake.exe to turn the .PAT file into a *.sig signature file, which can then be used in IDA.

  Now for a practical case. When analyzing ransomware, some families use the Crypto++ (CryptoPP) library for data encryption, and IDA has no signature file for it, so you can make a SIG file yourself.

  Download the project on GitHub and compile the static library Cryptlib.lib with Visual Studio (if you already have another lib, it can be used directly). You must build the Debug configuration: when generating the PAT file, the parser works mainly from the symbols, and in a Release build the symbols are stripped, so the relevant functions would be skipped.

lib -> PAT

  Execute the following command (on Windows, pcf.exe is the parser to use here):

pcf.exe Cryptlib.lib Cryptlib.pat

  The PAT file is actually a text file that records the features extracted from the lib file, for example the following record (one line in the file):

558BEC83EC44535657894DFC8B45FCC700........8B4DFC83C110E8........ 04 4256 002F :0000 ??1Exception@CryptoPP@@UAE@XZ ^0011 ??_7Exception@CryptoPP@@6B@ ^001C ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ^0024 ??1exception@std@@UAE@XZ ........5F5E5B8BE55DC3

  The PAT record format is described in detail in pat.txt in the FLAIR toolkit. For the example above:

  • The first 64 hex characters, 558BEC83EC44535657894DFC8B45FCC700........8B4DFC83C110E8........, correspond to the first 32 bytes of the module (function); a '.' stands for any value (these positions are bytes patched by relocations, so they are masked out);

  • 04 4256: the CRC16 of the following 4 bytes is 0x4256;

  • 002F :0000: before the colon, the length of the module (0x2F bytes); after it, the offset of the function name within the module (0x0000);

  • ??1Exception@CryptoPP@@UAE@XZ is the (decorated) symbol name of the function;

  • ^0011 ??_7Exception@CryptoPP@@6B@ indicates that the symbol ??_7Exception@CryptoPP@@6B@ is referenced at offset 0x11 in the function;

  • ........5F5E5B8BE55DC3 are the remaining bytes of the module; because of this, the patterns of long functions can be very long.
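As an added illustration (not code from the original post or from the FLAIR toolkit), here is a small Python parser for the record format just described, applied to the record quoted above; the pattern-to-mask conversion and prefix match approximate the first step of how a signature is applied, and the length check confirms that 32 pattern bytes + 4 CRC bytes + 11 tail bytes equal the declared 0x2F. All function and type names are my own.

```python
from typing import List, NamedTuple, Tuple

# The record quoted in the post (one line of Cryptlib.pat as written by pcf.exe).
PAGE_RECORD = (
    "558BEC83EC44535657894DFC8B45FCC700........8B4DFC83C110E8........ 04 4256 002F"
    " :0000 ??1Exception@CryptoPP@@UAE@XZ ^0011 ??_7Exception@CryptoPP@@6B@"
    " ^001C ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ"
    " ^0024 ??1exception@std@@UAE@XZ ........5F5E5B8BE55DC3"
)

class PatRecord(NamedTuple):
    pattern: str                    # leading bytes as hex, ".." = wildcard (relocated byte)
    crc_len: int                    # number of bytes after the pattern covered by the CRC16
    crc16: int                      # CRC16 of those bytes
    module_len: int                 # total length of the module (function) in bytes
    publics: List[Tuple[int, str]]  # ":offset name" entries, the module's own symbols
    refs: List[Tuple[int, str]]     # "^offset name" entries, symbols referenced by the code
    tail: str                       # remaining bytes of the module after the CRC region

def parse_pat_line(line: str) -> PatRecord:
    """Split one .pat record into the fields described in FLAIR's pat.txt."""
    toks = line.split()
    pattern, crc_len = toks[0], int(toks[1], 16)
    crc16, module_len = int(toks[2], 16), int(toks[3], 16)
    publics, refs, tail, i = [], [], "", 4
    while i < len(toks):
        tok = toks[i]
        if tok[0] in ":^":  # hex offset then a name; a trailing '@' on the offset marks a local name
            entry = (int(tok[1:].rstrip("@"), 16), toks[i + 1])
            (publics if tok[0] == ":" else refs).append(entry)
            i += 2
        else:               # the only other token is the trailing byte string
            tail, i = tok, i + 1
    return PatRecord(pattern, crc_len, crc16, module_len, publics, refs, tail)

def pattern_to_mask(pattern: str) -> Tuple[bytes, bytes]:
    """Turn the hex/dots pattern into (value bytes, mask bytes); mask 0x00 = wildcard."""
    data, mask = bytearray(), bytearray()
    for i in range(0, len(pattern), 2):
        pair = pattern[i:i + 2]
        data.append(0 if pair == ".." else int(pair, 16))
        mask.append(0 if pair == ".." else 0xFF)
    return bytes(data), bytes(mask)

def matches(buf: bytes, data: bytes, mask: bytes) -> bool:
    """True if buf begins with the pattern, ignoring wildcard positions (FLIRT's first test)."""
    return len(buf) >= len(data) and all((b & m) == d for b, d, m in zip(buf, data, mask))

def lengths_consistent(rec: PatRecord) -> bool:
    """Pattern bytes + CRC region + tail bytes must add up to the declared module length."""
    return len(rec.pattern) // 2 + rec.crc_len + len(rec.tail) // 2 == rec.module_len
```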

PAT -> SIG

  After the PAT file has been generated successfully, execute the following command (for compatibility, the output file name should not exceed 8 characters):

sigmake.exe Cryptlib.pat Cryptlib.sig

  Often some functions in the PAT file have identical patterns (the code is the same but the function names differ), which produces conflicts.

  In that case sigmake writes the conflict groups to an EXC (exclude) text file with the same base name in the same directory (Cryptlib.exc in this example). If an .exc file with that name already exists, the new groups are appended to the end of it.

  We need to edit the conflict groups in this file. Within each group:

  1. A leading + means that the specified symbol name is applied when the signature is matched;
  2. A leading - means the function is not renamed in the IDA disassembly; the name is only shown as a comment;
  3. If nothing is marked, no action is taken when the signature is matched.

  Then run the same sigmake command again to generate the SIG file; if conflicts remain, repeat the steps above. If there are many entries to edit, use regular-expression search and replace in your editor.

  Points to note:

  • To reduce conflicts, delete the 4 comment lines at the beginning of the exclusion file (*.exc);

  • At most one function in a conflict group may be marked with + or -;

  • If a conflict group contains only one function, do not add + or - in front of it; leave it as it is.
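To make the three rules concrete, here is an added Python helper (not part of the original post or of the FLAIR toolkit) that writes +/- decisions into an exclusion file and checks the rules above before doing so. The sample .exc content is constructed, with placeholder CRC/pattern columns, and assumes sigmake's layout of one module per line with the symbol name first and groups separated by blank lines.

```python
from typing import Dict, List

# Constructed sample of a sigmake exclusion file (not a real Cryptlib.exc): the comment
# header, then conflict groups separated by blank lines, one module per line, symbol
# name first. The CRC/pattern columns are placeholders.
SAMPLE_EXC = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module to keep
; add '-' if you are not sure about its correctness
; you can add '+' only for one module in a group

??1Exception@CryptoPP@@UAE@XZ\t\t04 4256 558BEC83EC44........
??1InvalidArgument@CryptoPP@@UAE@XZ\t\t04 4256 558BEC83EC44........

?Clone@Base64Encoder@CryptoPP@@UBEPAVClonable@2@XZ\t\t00 0000 8BC1C3
"""

def split_groups(text: str) -> List[List[str]]:
    """Drop the ';' header lines and return the conflict groups (blank-line separated)."""
    groups: List[List[str]] = [[]]
    for line in text.splitlines():
        if line.startswith(";"):
            continue
        if line.strip():
            groups[-1].append(line)
        elif groups[-1]:
            groups.append([])
    return [g for g in groups if g]

def check_rules(groups: List[List[str]], decisions: Dict[str, str]) -> List[str]:
    """Violations of the rules above: a mark is '+' or '-', at most one marked module
    per group, and a group with a single entry is left untouched."""
    errors = [f"bad mark {m!r} for {n}" for n, m in decisions.items() if m not in ("+", "-")]
    for group in groups:
        marked = [line.split()[0] for line in group if line.split()[0] in decisions]
        if len(group) == 1 and marked:
            errors.append("single-entry group must stay unmarked: " + marked[0])
        elif len(marked) > 1:
            errors.append("only one module per group may carry +/-: " + ", ".join(marked))
    return errors

def resolve_exc(text: str, decisions: Dict[str, str]) -> str:
    """Apply the +/- decisions and return the file text in the form sigmake expects."""
    groups = split_groups(text)
    errors = check_rules(groups, decisions)
    if errors:
        raise ValueError("; ".join(errors))
    out: List[str] = []
    for group in groups:
        out.extend(decisions.get(line.split()[0], "") + line for line in group)
        out.append("")
    return "\n".join(out)
```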

References:

Chapter 3 of "Encryption and Decryption (4th Edition)"

Chapter 12 of the "IDA Pro Definitive Guide"


Source: www.cnblogs.com/zUotTe0/p/12729390.html