/idenLib

idenLib - Library Function Identification

Primary LanguageC++MIT LicenseMIT

idenLib - Library Function Identification

When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

idenLib.exe is a tool for generating library signatures from .lib files.

idenLib.dp32/idenLib.dp64 is a x32dbg/x64dbg plugin to identify library functions.

idenLib.py is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?

  1. Parses input file(.lib file) to get a list of function addresses and function names.
  2. Gets the last opcode from each instruction

sig

  1. Compresses the signature with zstd

  2. Saves the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig or zlib.lib.sig64, if zlib.lib.sig(64) already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig/sig64 file will include all unique function signatures.

Inside of a signature (it's compressed): signature

Generating library signatures

lib

x32dbg/x64dbg, IDA Pro plugin usage:

  1. Copy SymEx directory under x32dbg/x64dbg/IDA Pro's main directory
  2. Apply signatures:

x32dbg/x64dbg:

xdb

IDA Pro:

ida_boost_2

Supports x86 and AMD64/x86-64 architectures.

Useful links:

Credits

  • Disassembly powered by Zydis
  • Compression/Decompression by zstd
  • Icon by freepik