sigmaker


- Name: sigmaker
- Version: 1.4.0
- home_page: None
- Summary: Sigmaker is an IDA Pro 9.0+ cross-platform signature maker plugin that works on MacOS/Linux/Windows. It creates unique binary pattern signatures to identify specific functions or addresses within binaries, even after updates. It helps reverse engineers preserve their analysis work by generating resilient signatures that can quickly relocate important code locations in new binary versions.
- upload_time: 2025-09-05 22:41:13
- maintainer: None
- docs_url: None
- author: None
- requires_python: >=3.10
- license: None
- keywords: ida pro, signature, sigmaker, reverse engineering, binary analysis, pattern matching, disassembler, malware analysis, function identification
- requirements: No requirements were recorded.
- Travis-CI: No Travis.

# Signature Maker Plugin for IDA Pro 9.0+

<img src="https://github.com/mahmoudimus/ida-sigmaker/blob/main/assets/sigmaker-logo.png?raw=true" width="104px" height="100px" alt="Magnifying glass with the word 'sigmaker' and a cross-hair over the 'A' in sigmaker" /> [![ida-sigmaker tests](https://github.com/mahmoudimus/ida-sigmaker/actions/workflows/python.yml/badge.svg)](https://github.com/mahmoudimus/ida-sigmaker/actions/workflows/python.yml)

An IDA Pro 9.0+ cross-platform signature maker plugin that works on MacOS/Linux/Windows. The primary goal of this plugin is to work with future versions of IDA without needing to compile against the IDA SDK as well as to allow for easier community contributions.

## Installation

sigmaker's main value proposition is its cross-platform (Windows, macOS, Linux) Python 3 support. It uses zero third party dependencies, making the code both portable and easy to install.

### Quick Install

- Copy [`src/sigmaker/__init__.py`](./src/sigmaker/__init__.py) into the `plugins` folder of your IDA user directory.
- Rename it to `sigmaker.py`
- Restart your disassembler.

### From Releases

- Download the latest release from the [Releases page](https://github.com/mahmoudimus/ida-sigmaker/releases)
- Extract `sigmaker.py` from the release package
- Copy it to your IDA Pro plugins directory
- Restart IDA Pro

That's it!

### Need to find your plugin directory?

From IDA's Python console run the following command to find its plugin directory:

```python
import idaapi, os; print(os.path.join(idaapi.get_user_idadir(), "plugins"))
```

### Where and what is my default user directory?

The user directory is a location where IDA stores some of the global settings and which can be used for some additional customization.
Default location:

- On Windows: `%APPDATA%/Hex-Rays/IDA Pro`
- On Linux and Mac: `$HOME/.idapro`

## Requirements

- IDA Pro 9.0+
- IDA Python
- Python 3.10+

## What is a "sigmaker"?

Sigmaker stands for "signature maker." It enables users to create unique binary pattern signatures that can identify specific addresses or routines within a binary, even after the binary has been updated.

In malware analysis or binary reverse engineering, a common challenge is pinpointing an important address, such as a function or global variable. However, when the binary is updated, all the effort spent identifying these locations can be lost if their addresses change.

To preserve this work, reverse engineers take advantage of the fact that most programs do not change drastically between updates. While some functions or data may be modified, much of the binary remains the same. Most often, previously identified addresses are simply relocated. This is where `sigmaker` comes in.

Sigmaker lets you create unique patterns to track important parts of a program, making your analysis more resilient to updates. By generating signatures for specific functions, data references, or other critical locations, you can quickly relocate these points in a new version of the binary, saving time and effort in future reverse engineering tasks.

## Usage

In disassembly view, select a line you want to generate a signature for, and press
**CTRL+ALT+S**
![](https://i.imgur.com/b4MKkca.png)

The generated signature will be printed to the output console, as well as copied to the clipboard:
![](https://i.imgur.com/mTFbKce.png)

___

| Signature type | Example preview |
| --- | ----------- |
| IDA Signature | E8 ? ? ? ? 45 33 F6 66 44 89 34 33 |
| x64Dbg Signature | E8 ?? ?? ?? ?? 45 33 F6 66 44 89 34 33 |
| C Byte Array Signature + String mask | \xE8\x00\x00\x00\x00\x45\x33\xF6\x66\x44\x89\x34\x33 x????xxxxxxxx |
| C Raw Bytes Signature + Bitmask | 0xE8, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xF6, 0x66, 0x44, 0x89, 0x34, 0x33  0b1111111100001 |

___

### Finding XREFs

Generating code Signatures by data or code xrefs and finding the shortest ones is also supported:
![](https://i.imgur.com/P0VRIFQ.png)

___

### Signature searching

Searching for Signatures works for supported formats:

![](https://i.imgur.com/lD4Zfwb.png)

Just enter any string containing your signature; the plugin will automatically try to figure out which signature format is being used:

![](https://i.imgur.com/oWMs7LN.png)

Currently, all output formats you can generate are supported.

Match(es) of your signature will be printed to console:

![](https://i.imgur.com/Pe4REkX.png)
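
The format auto-detection and search described above, as an added standalone sketch (not sigmaker's own code, and runnable without IDA): it normalises the four formats from the table into one byte/wildcard pattern and scans two constructed byte strings standing in for two builds of a binary. The function names and sample buffers are assumptions, and the LSB-first bitmask order is inferred from the table row.

```python
import re

def parse_signature(text):
    """Normalise any of the four table formats to a list of ints (None = wildcard)."""
    text = text.strip()
    if "\\x" in text:  # C byte array + string mask: 'x' = match, '?' = wildcard
        data = [int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", text)]
        m = re.search(r"\s([x?]+)$", text)
        mask = m.group(1) if m else "x" * len(data)
        if len(mask) != len(data):
            raise ValueError("mask length does not match byte count")
        return [b if k == "x" else None for b, k in zip(data, mask)]
    if re.search(r"0x[0-9A-Fa-f]{2}", text):  # C raw bytes + bitmask
        data = [int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})\b", text)]
        m = re.search(r"0b([01]+)", text)
        bits = int(m.group(1), 2) if m else (1 << len(data)) - 1
        # Assumption read off the table row: bit i (LSB first) covers byte i.
        return [b if (bits >> i) & 1 else None for i, b in enumerate(data)]
    # IDA ('?') and x64Dbg ('??') styles: whitespace-separated tokens
    return [None if set(tok) == {"?"} else int(tok, 16) for tok in text.split()]

def find_all(buf, pattern):
    """Return every offset in buf where the pattern matches (wildcards match anything)."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))]

# The four rows of the table above, verbatim.
SAMPLES = {
    "ida": "E8 ? ? ? ? 45 33 F6 66 44 89 34 33",
    "x64dbg": "E8 ?? ?? ?? ?? 45 33 F6 66 44 89 34 33",
    "c_array": r"\xE8\x00\x00\x00\x00\x45\x33\xF6\x66\x44\x89\x34\x33 x????xxxxxxxx",
    "c_raw": "0xE8, 0x00, 0x00, 0x00, 0x00, 0x45, 0x33, 0xF6, "
             "0x66, 0x44, 0x89, 0x34, 0x33  0b1111111100001",
}

# Constructed sample data: the same routine in two "builds". The code moved and
# the rel32 operand of the E8 call changed, as happens when a binary is relinked.
BUILD_V1 = bytes.fromhex("90 90 E8 10 20 30 00 45 33 F6 66 44 89 34 33 C3")
BUILD_V2 = bytes.fromhex("CC CC CC CC 90 E8 44 55 66 00 45 33 F6 66 44 89 34 33 C3")

if __name__ == "__main__":
    for name, sig in SAMPLES.items():
        pat = parse_signature(sig)
        print(name, find_all(BUILD_V1, pat), find_all(BUILD_V2, pat))
    # The exact v1 bytes (no wildcards) no longer occur in v2:
    print("exact bytes survive update:", BUILD_V1[2:15] in BUILD_V2)
```

A signature is only useful for relocation when `find_all` returns exactly one offset; zero or several hits mean the pattern needs to be regenerated or lengthened.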

## Acknowledgements

Thank you to [@A200K](https://github.com/A200K)'s [IDA-Pro-SigMaker](https://github.com/A200K/IDA-Pro-SigMaker) plugin, which served as an inspiration and the initial port of this plugin.

## Development & Releases

### Contributing

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Test thoroughly
5. Submit a pull request

## Contact

Ping me on X [@mahmoudimus](https://x.com/mahmoudimus), or contact me at any one of the addresses on [mahmoudimus.com](https://mahmoudimus.com).

MIT License

Copyright (c) 2024 Mahmoud Abdelkader (@mahmoudimus)

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

            

Raw data

            {
    "_id": null,
    "home_page": null,
    "name": "sigmaker",
    "maintainer": null,
    "docs_url": null,
    "requires_python": ">=3.10",
    "maintainer_email": null,
    "keywords": "ida pro, signature, sigmaker, reverse engineering, binary analysis, pattern matching, disassembler, malware analysis, function identification",
    "author": null,
    "author_email": "Mahmoud Abdelkader <m{_no-spam_}@mahmoudimus.com>",
    "download_url": "https://files.pythonhosted.org/packages/b7/87/907883ce24f177e38eed4d86ce2d27222ba33ecdfff7553ec897195b2195/sigmaker-1.4.0.tar.gz",
    "platform": null,
    "bugtrack_url": null,
    "license": null,
    "summary": "Sigmaker is an IDA Pro 9.0+ cross-platform signature maker plugin that works on MacOS/Linux/Windows. It creates unique binary pattern signatures to identify specific functions or addresses within binaries, even after updates. It helps reverse engineers preserve their analysis work by generating resilient signatures that can quickly relocate important code locations in new binary versions.",
    "version": "1.4.0",
    "project_urls": {
        "Documentation": "https://github.com/mahmoudimus/ida-sigmaker/blob/main/README.md",
        "Homepage": "https://mahmoudimus.com",
        "Issues": "https://github.com/mahmoudimus/ida-sigmaker/issues",
        "Source": "https://github.com/mahmoudimus/ida-sigmaker"
    },
    "split_keywords": [
        "ida pro",
        " signature",
        " sigmaker",
        " reverse engineering",
        " binary analysis",
        " pattern matching",
        " disassembler",
        " malware analysis",
        " function identification"
    ],
    "urls": [
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "fc9287d9f9b8abecb4019675376092305279ad8ecddd4fc1048f6704eae88441",
                "md5": "174b6979cbaeac47597e721abb87470e",
                "sha256": "c70c382b86b128dc4221aed43faff615f3d80f5cc76b08bb81f07595bf20dcb6"
            },
            "downloads": -1,
            "filename": "sigmaker-1.4.0-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "174b6979cbaeac47597e721abb87470e",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.10",
            "size": 20316,
            "upload_time": "2025-09-05T22:41:12",
            "upload_time_iso_8601": "2025-09-05T22:41:12.440501Z",
            "url": "https://files.pythonhosted.org/packages/fc/92/87d9f9b8abecb4019675376092305279ad8ecddd4fc1048f6704eae88441/sigmaker-1.4.0-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": null,
            "digests": {
                "blake2b_256": "b787907883ce24f177e38eed4d86ce2d27222ba33ecdfff7553ec897195b2195",
                "md5": "875e562b77785a3349def7f88e94db1c",
                "sha256": "5c45e58f712b151311730bd1570fb9d97e00934796c055bb5a81d62990400a27"
            },
            "downloads": -1,
            "filename": "sigmaker-1.4.0.tar.gz",
            "has_sig": false,
            "md5_digest": "875e562b77785a3349def7f88e94db1c",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.10",
            "size": 22804,
            "upload_time": "2025-09-05T22:41:13",
            "upload_time_iso_8601": "2025-09-05T22:41:13.616859Z",
            "url": "https://files.pythonhosted.org/packages/b7/87/907883ce24f177e38eed4d86ce2d27222ba33ecdfff7553ec897195b2195/sigmaker-1.4.0.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2025-09-05 22:41:13",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "mahmoudimus",
    "github_project": "ida-sigmaker",
    "travis_ci": false,
    "coveralls": true,
    "github_actions": true,
    "lcname": "sigmaker"
}
        