Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

idenLib.exe is a tool for generating library signatures from .lib/.obj/.exe files.

idenLib.dp32/idenLib.dp64 is a x32dbg/x64dbg plugin to identify library functions.

idenLib.py is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?

Parses input file(.lib/.obj file) to get a list of function addresses and function names.
Gets the last opcode from each instruction

Compresses the signature with zstd
Saves the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig or zlib.lib.sig64, if zlib.lib.sig(64) already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig/sig64 file will include all unique function signatures.

Inside of a signature (it's compressed):

Usage:

Generate library signatures: idenLib.exe /path/to/file or idenLib.exe /path/to/directory
Generate main function signature: idenLib.exe /path/to/pe -getmain

Generating library signatures

`x32dbg`/`x64dbg`, `IDA Pro` plugin usage:

Copy SymEx directory under x32dbg/x64dbg/IDA Pro's main directory
Apply signatures:

x32dbg/x64dbg:

IDA Pro:

Generating `main` function signature:

If you want to generate a signature for main function compiled using MSVC 14 you need to create a hello world application with the corresponding compiler and use the application as input for idenLib

main function signature files are EntryPointSignatures.sig and EntryPointSignatures.sig64

Notes Regarding to `main` Function Signatures

idenLib uses the DIA APIs to browse debug information stored in a PDB file. To run idenLib with -getmain parameter you will need to ensure that the msdia140.dll (found in Microsoft Visual Studio\2017\Community\DIA SDK\bin) is registered as a COM component, by invoking regsvr32.exe on the dll.

Applying Signatures

There are two ways to apply signatures, exact match and using Jaccard index

Useful links:

Detailed information about C Run-Time Libraries (CRT)

Third-party

Zydis (MIT License)
Zstandard (BSD License)
Icon by freepik

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 322

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (4) 🔗

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

secrary / Idenlib

Programming Languages

Labels

Projects that are alternatives of or similar to Idenlib

idenLib - Library Function Identification