Project FIRST is lead by Angel M. Villegas. This post is authored by Holger Unterbrink.
Talos is pleased to announce the release of the Function Identification and Recovery Signature Tool (FIRST). It is an open-source framework that allows sharing of knowledge about similar functions used across file types that IDA Pro can analyze. The aim is to create a community for the infosec analysts and reverse engineers that promotes the sharing of information.
The main idea behind FIRST is to preserve an engineer’s analysis of certain functions (name, prototype, comment, etc) by using methods like opcode hashing, mnemonic hashing, locality sensitive hashing, etc. By collecting and storing these signatures centrally the framework can provide them later to the community via the API/Plugin. The goal is to provide quick lookups for similar functions (see Fig. A) to avoid losing time with analysing a function which was already analysed before in another sample or by another engineer.
For the client side we are providing an IDA Python plugin with the following capabilities:
- Add annotations (single or multiple functions)
- Check for annotations (single or all functions)
- Update applied annotations
- View applied annotations
- View annotation history
- Manage metadata
- Script FIRST with IDA Python
The FIRST framework architecture is built out of the following components.
FIRST was and will be presented at the following conferences:
MALCON - Fajardo, Puerto Rico October 19
PACSEC - Tokyo, Japan October 27
ZeroNights - Moscow, Russia November 18
Botconf - Lyon, France December 1
You can find more information at:
Homepage - Register and Infos