I needed to generate a .sig to load into IDA and identify some certificate store functions in an executable.
This project in particular used OpenSSL 1.0.2r built for x64, identified by disassembling and looking for strings containing “OpenSSL”
I grabbed some things:
- openssl-1.0.2r.tar.gz from OpenSSL’s FTP
- Strawberry Perl
- NASM
- FLAIR tools from IDA
I placed Perl, NASM, and FLAIR into my path. I selected all the default options during those installations.
OpenSSL
I already had Visual Studio 2022 installed so I used “x64 Native Tools Command Prompt for VS 2022” for this. You need to launch this or specify 64-bit to the underlying vcvarsall.bat, so it’s easier to use the start menu shortcut. nmake will generate 32-bit binaries otherwise.
Always follow the readme. Based on INSTALL.W64 and some StackOverflow posts, I ran:
perl Configure VC-WIN64A no-shared
ms\do_win64a
nmake -f ms\ntdll.mak
We want a static library, so we specify no-shared
. If you omit that you’ll create a dynamic library which FLAIR won’t generate signatures for.
FLAIR
Once this is done, you can open a new command prompt or cd into the out32
directory and run:
pcf libeay32.lib
sigmake -n"OpenSSL 1.0.2r x64 VS2022 LIBEAY32" libeay32.pat
You should run into an error when you run sigmake, it’ll create a .exc file that you have to open in a text editor. Remove the first four lines and save it. Then run sigmake again and it should work.
With libeay32 done, repeat the same process for ssleay32:
pcf ssleay32.lib
sigmake -n"OpenSSL 1.0.2r x64 VS2022 SSLEAY32" ssleay32.pat
IDA
Now place the .sig files inside your IDA directory under sig/pc/
.
Open IDA (if it’s already open that’s fine), then go to View -> Subviews -> Signatures (Shift + F5).
Add the two new ones we created: Select and press OK.
You should see your signatures populate with the # of matched functions now.
Looks like IDA picked up on the library functions!
We’re pretty much done now. Repeat the same process for other dependency libraries, etc.
Notes
pcf
= parse COFF. This will generate a .pat file for us to create a .sig file from.
References
- https://blogs.blackberry.com/en/2019/07/flirting-with-ida-and-apt28
- https://rioasmara.com/2021/10/24/create-sig-file-from-lib-for-ida/
- https://stackoverflow.com/a/64876777
- https://reverseengineering.stackexchange.com/a/8901