Nytro
Posted January 4, 2017

Fast Library Identification and Recognition Technology (FLIRT) Signature File Database

What is FLIRT?

Fast Library Identification and Recognition Technology, also known as FLIRT, is IDA's internal symbols identifier that searches through disassembled binaries in order to locate, rename, and highlight known library subroutines. FLIRT eliminates the need to analyze functions that could be understood simply by reading documentation or source code from the library it came from and reduces the amount of work required in order to reverse and understand symbol-stripped binaries by a considerable amount.

For more information visit: https://www.hex-rays.com/products/ida/tech/flirt/index.shtml

How does FLIRT work?

Here's an oversimplified diagram on FLIRT's internal workings:

The input to the system is a library file (.lib on Windows) from a library of choice while the output is a signature file (.sig) stored under /sig (and only there or else IDA won't find it). Using one of the tools (plb/pcf/pelf) (provided here for paying customers) you convert all the functions in the library to signatures stored in a PAT file (.pat). The final stage in creating a signature file involves converting the generated PAT file into a .sig file usable by IDA with the use of sigmake.

The problem with this is that sometimes collisions will exist for signatures since the method Hex-Rays uses is not foolproof. When an error occurs an EXC (.exc) file is created. In order to ignore collisions, simply edit this file by removing the first few comments (lines that start with ';') and re-run sigmake. For more information look inside the readme inside the FLAIR tools directory.

Link: https://github.com/Maktm/FLIRTDB
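An added example, not part of the original post or of FLIRTDB: a Python helper for the .exc step described above. It strips the leading ';' comment lines and lists the colliding function names, so you can see which functions are affected before re-running sigmake. The sample content and the blank-line-separated group layout are assumptions.

```python
import sys

# Constructed sample .exc content: a comment header, then two collision groups.
# Function names and pattern bytes are made up for illustration.
SAMPLE_EXC = """\
; constructed header comment 1
; constructed header comment 2
; constructed header comment 3

_memcpy_a\t558BEC8B4508........
_memmove_a\t558BEC8B4508........

_strlen_x\t8B4C2404........
_strlen_y\t8B4C2404........
_wcslen_z\t8B4C2404........
"""

def strip_header(text):
    """Remove the leading run of ';' comment lines. Returns (body, removed)."""
    lines = text.splitlines()
    removed = 0
    while removed < len(lines) and lines[removed].startswith(";"):
        removed += 1
    body = "\n".join(lines[removed:]).lstrip("\n")
    return (body + "\n" if body else ""), removed

def collision_groups(body):
    """Function names per group (assumption: a blank line ends a group)."""
    groups, current = [], []
    for line in body.splitlines():
        if not line.strip():
            if current:
                groups.append(current)
                current = []
        elif not line.startswith(";"):
            current.append(line.split()[0])
    return groups + [current] if current else groups

def prepare(path):
    """Strip the header in place (no rewrite if already stripped)."""
    with open(path, encoding="latin-1") as fh:  # latin-1 round-trips any byte
        body, removed = strip_header(fh.read())
    if removed:
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return removed, collision_groups(body)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(prepare(sys.argv[1]))
    else:
        print(collision_groups(strip_header(SAMPLE_EXC)[0]))
```

Run it with the path of the generated .exc file, review the printed groups, then re-run sigmake.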