Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 13: Advanced Static Analysis with IDA Pro
Figure 13-1 IDA library signature selection dialog
After you have extracted the tools, you will
find the entire body of existing FLAIR documentation in the three files named pat.txt,
readme.txt, and sigmake.txt. You are encouraged to read through these files for more
detailed information on creating your own signature files.
The first step in creating signatures for a new library involves the extraction of patterns
for each function in the library. FLAIR comes with pattern-generating parsers for
several common static library file formats. All FLAIR tools are located in FLAIR's bin subdirectory.
The pattern generators are named pXXX, where XXX represents various library
file formats. In the following example we will generate a sig file for the statically linked
version of the standard C library (libc.a) that ships with FreeBSD 6.2. After moving
libc.a onto our development system, the following command is used to generate a pattern
file:
# ./pelf libc.a libc_FreeBSD62.pat
libc_FreeBSD62.a: skipped 0, total 988
We choose the pelf tool because FreeBSD uses ELF format binaries. In this case, we are
working in FLAIR's bin directory.
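As an added example (not from the book or the FLAIR distribution), the Python below parses a pattern file such as libc_FreeBSD62.pat and lists the names each record carries, so the generator's output can be reviewed before it is used. The record layout is an assumption based on the description in FLAIR's pat.txt; the sample records and the `_demo` names are constructed.

```python
import re

# Assumed record layout (FLAIR's pat.txt is the authoritative description):
#   <64 hex chars, ".." = variable byte> <crc_len> <crc16> <total_len>
#   then ":OFFS name" (public, "@" after OFFS = local), "^OFFS name"
#   (referenced), and optional tail bytes. A "---" line ends the file.
HEADER = re.compile(
    r"^([0-9A-Fa-f.]{64}) ([0-9A-Fa-f]{2}) ([0-9A-Fa-f]{4}) ([0-9A-Fa-f]{4})\s*(.*)$")
NAME = re.compile(r"([:^])([0-9A-Fa-f]{4,8})(@?) (\S+)")

def parse_pat(text):
    """Return one dict per pattern record; raise ValueError on a bad line."""
    modules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line == "---":          # end-of-file marker
            break
        m = HEADER.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a pattern record")
        lead, _crc_len, _crc, total, rest = m.groups()
        mod = {"variable_bytes": lead.count(".."), "total_len": int(total, 16),
               "publics": [], "locals": [], "refs": []}
        for kind, off, local, name in NAME.findall(rest):
            key = "refs" if kind == "^" else ("locals" if local else "publics")
            mod[key].append((int(off, 16), name))
        modules.append(mod)
    return modules

def unnamed_modules(modules):
    """Indexes of records that carry no public name."""
    return [i for i, m in enumerate(modules) if not m["publics"]]

# Constructed sample records (not real libc patterns).
SAMPLE = "\n".join([
    "558BEC" + ".." * 4 + "90" * 25 + " 0A 1B2C 0040 :0000 strlen_demo ^0012 helper_demo 8BE55DC3",
    "31C0" + "CC" * 30 + " 00 0000 0010 :0000 memcpy_demo :0008@ local_demo",
    "C3" + "." * 62 + " 00 0000 0001",
    "---",
])

if __name__ == "__main__":
    mods = parse_pat(SAMPLE)
    for i, m in enumerate(mods):
        print(i, [n for _, n in m["publics"]], "variable bytes:", m["variable_bytes"])
    print("records without a public name:", unnamed_modules(mods))
```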