An IDA Pro 9.0+ cross-platform signature maker plugin that works on MacOS/Linux/Windows. The primary goal of this plugin is to work with future versions of IDA without needing to compile against the IDA SDK as well as to allow for easier community contributions.
sigmaker's main value proposition is its cross-platform (Windows, macOS, Linux) Python 3 support. It uses zero third party dependencies, making the code both portable and easy to install.
- Copy
src/sigmaker/__init__.pyinto the /plugins/ folder to the plugin directory! - Rename it to
sigmaker.py - Restart your disassembler.
- Download the latest conveniently renamed
sigmaker.pyrelease from the Releases page - Copy it to your IDA Pro plugins directory
- Restart IDA Pro
That's it!
From IDA's Python console run the following command to find its plugin directory:
import idaapi, os; print(os.path.join(idaapi.get_user_idadir(), "plugins"))The user directory is a location where IDA stores some of the global settings and which can be used for some additional customization. Default location:
- On Windows:
%APPDATA%/Hex-Rays/IDA Pro - On Linux and Mac:
$HOME/.idapro
- IDA Pro 9.0+
- IDA Python
- Python 3.10+
Sigmaker stands for "signature maker." It enables users to create unique binary pattern signatures that can identify specific addresses or routines within a binary, even after the binary has been updated.
In malware analysis or binary reverse engineering, a common challenge is pinpointing an important address, such as a function or global variable. However, when the binary is updated, all the effort spent identifying these locations can be lost if their addresses change.
To preserve this work, reverse engineers take advantage of the fact that most programs do not change drastically between updates. While some functions or data may be modified, much of the binary remains the same. Most often, previously identified addresses are simply relocated. This is where sigmaker comes in.
Sigmaker lets you create unique patterns to track important parts of a program, making your analysis more resilient to updates. By generating signatures for specific functions, data references, or other critical locations, you can quickly relocate these points in a new version of the binary, saving time and effort in future reverse engineering tasks.
In disassembly view, select a line you want to generate a signature for, and press
CTRL+ALT+S
The generated signature will be printed to the output console, as well as copied to the clipboard:
| Signature type | Example preview |
|---|---|
| IDA Signature | E8 ? ? ? ? 45 33 F6 66 44 89 34 33 |
| x64Dbg Signature | E8 ?? ?? ?? ?? 45 33 F6 66 44 89 34 33 |
| C Byte Array Signature + String mask | \xE8\x00\x00\x00\x00\x45\x33\xF6\x66\x44\x89\x34\x33 x????xxxxxxxx |
| C Raw Bytes Signature + Bitmask | 0xE8, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xF6, 0x66, 0x44, 0x89, 0x34, 0x33 0b1111111100001 |
Generating code Signatures by data or code xrefs and finding the shortest ones is also supported:
Searching for Signatures works for supported formats:
Just enter any string containing your Signature, it will automatically try to figure out what kind of Signature format is being used:
Currently, all output formats you can generate are supported.
Match(es) of your signature will be printed to console:
Thank you to to @A200K's IDA-Pro-SigMaker plugin which served as an inspiration and the initial port of this plugin.
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
ping me on x @mahmoudimus or you may contact me from any one of the addresses on mahmoudimus.com.