Skip to content
/ idenLib Public

idenLib - Library Function Identification [This project is not maintained anymore]

License

MIT license
388 stars 72 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

secrary/idenLib

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

51 Commits
idenLib
idenLib
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
idenLib.sln
idenLib.sln
 
 

Repository files navigation

idenLib - Library Function Identification

When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

idenLib.exe is a tool for generating library signatures from .lib/.obj/.exe files.

idenLib.dp32/idenLib.dp64 is a x32dbg/x64dbg plugin to identify library functions.

idenLib.py is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?

  1. Parses input file(.lib/.obj file) to get a list of function addresses and function names.
  2. Gets the last opcode from each instruction

sig

  1. Compresses the signature with zstd

  2. Saves the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig or zlib.lib.sig64, if zlib.lib.sig(64) already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig/sig64 file will include all unique function signatures.

Inside of a signature (it's compressed): signature

Usage:

  • Generate library signatures: idenLib.exe /path/to/file or idenLib.exe /path/to/directory
  • Generate main function signature: idenLib.exe /path/to/pe -getmain

Generating library signatures

lib

x32dbg/x64dbg, IDA Pro plugin usage:

  1. Copy SymEx directory under x32dbg/x64dbg/IDA Pro's main directory
  2. Apply signatures:

x32dbg/x64dbg:

xdb

IDA Pro:

ida_boost_2

Generating main function signature:

If you want to generate a signature for main function compiled using MSVC 14 you need to create a hello world application with the corresponding compiler and use the application as input for idenLib

getmain

main function signature files are EntryPointSignatures.sig and EntryPointSignatures.sig64

IDAProMain

x64dbg_main

Notes Regarding to main Function Signatures

  • idenLib uses the DIA APIs to browse debug information stored in a PDB file. To run idenLib with -getmain parameter you will need to ensure that the msdia140.dll (found in Microsoft Visual Studio\2017\Community\DIA SDK\bin) is registered as a COM component, by invoking regsvr32.exe on the dll.

Applying Signatures

There are two ways to apply signatures, exact match and using Jaccard index

x32dbg_jaccard

Useful links:

Third-party

About

idenLib - Library Function Identification [This project is not maintained anymore]

Topics

windows debugging cpp reverse-engineering malware-analysis binary-analysis

Resources

Readme

License

MIT license
Activity

Stars

388 stars

Watchers

30 watching

Forks

72 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages