secrary / Idenlib
idenLib - Library Function Identification
When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

- `idenLib.exe` is a tool for generating library signatures from `.lib`/`.obj`/`.exe` files.
- `idenLib.dp32`/`idenLib.dp64` is an x32dbg/x64dbg plugin to identify library functions.
- `idenLib.py` is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?
- Parses the input file (`.lib`/`.obj` file) to get a list of function addresses and function names.
- Gets the last opcode from each instruction.
- Compresses the signature with zstd.
- Saves the signature under the `SymEx` directory. If the input filename is `zlib.lib`, the output will be `zlib.lib.sig` or `zlib.lib.sig64`. If `zlib.lib.sig(64)` already exists under the `SymEx` directory from a previous execution or from a previous version of the library, the next execution will append the signatures that differ. If you execute `idenLib.exe` several times with different versions of the `.lib` file, the `.sig`/`.sig64` file will include all unique function signatures.
Inside of a signature (it's compressed):
Usage:

- Generate library signatures: `idenLib.exe /path/to/file` or `idenLib.exe /path/to/directory`
- Generate `main` function signature: `idenLib.exe /path/to/pe -getmain`

Generating library signatures
x32dbg/x64dbg, IDA Pro plugin usage:

- Copy the `SymEx` directory under x32dbg/x64dbg/IDA Pro's main directory
- Apply signatures:
Generating `main` function signature:

If you want to generate a signature for a `main` function compiled using MSVC 14, you need to create a hello world application with the corresponding compiler and use the application as input for `idenLib`. The `main` function signature files are `EntryPointSignatures.sig` and `EntryPointSignatures.sig64`.

main Function Signatures
Notes regarding `-getmain`

`idenLib` uses the DIA APIs to browse debug information stored in a PDB file. To run `idenLib` with the `-getmain` parameter you will need to ensure that `msdia140.dll` (found in `Microsoft Visual Studio\2017\Community\DIA SDK\bin`) is registered as a COM component, by invoking `regsvr32.exe` on the dll.
Applying Signatures
There are two ways to apply signatures: exact match, and fuzzy matching using the Jaccard index.
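The following is an added illustration, not code from the idenLib project, that models the signature pipeline described above: a signature is the last opcode byte of each instruction in order, repeated runs merge only signatures not already stored for a function name, and an unknown function is identified either by exact comparison or by Jaccard index. The README does not say which sets idenLib compares for the Jaccard index; this example assumes sets of opcode 2-grams. The instruction lists, the function names `crc32`/`adler32` and the `SignatureStore` class are constructed for the example, and zstd compression is omitted.

```python
"""Opcode-sequence signatures with exact and Jaccard-index matching (added example)."""

from collections import defaultdict

# Constructed sample input: each function is a list of instructions that have
# already been disassembled into their opcode bytes only (prefixes, ModRM and
# immediates stripped). idenLib itself gets these from Zydis; here they are
# hand-written and do not correspond to any real library build.
CRC32 = [(0x55,), (0x8B,), (0x83,), (0x0F, 0xB6), (0x33,), (0xC1,), (0x8B,), (0x5D,), (0xC3,)]
CRC32_VARIANT = [(0x55,), (0x8B,), (0x83,), (0x0F, 0xB6), (0x31,), (0xC1,), (0x8B,), (0x5D,), (0xC3,)]
ADLER32_V1 = [(0x55,), (0x8B,), (0x56,), (0x8B,), (0x0F, 0xB6), (0x03,), (0x3D,), (0x72,),
              (0x2D,), (0x5E,), (0x5D,), (0xC3,)]
ADLER32_V2 = [(0x55,), (0x8B,), (0x56,), (0x8B,), (0x0F, 0xB6), (0x01,), (0x3D,), (0x72,),
              (0x2D,), (0x5E,), (0x5D,), (0xC3,)]


def signature(instructions):
    """Signature = last opcode byte of every instruction, in program order."""
    return bytes(opcodes[-1] for opcodes in instructions)


def shingles(sig):
    """Set of adjacent opcode pairs; order-sensitive enough to tell functions apart (assumption)."""
    return set(zip(sig, sig[1:]))


def jaccard(a, b):
    """Jaccard index |A ∩ B| / |A ∪ B| of two sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


class SignatureStore:
    """Mimics the .sig merge rule: a second run appends only signatures not already present."""

    def __init__(self):
        self._sigs = defaultdict(set)

    def add(self, name, sig):
        """Return True if the signature was new for this function name."""
        if sig in self._sigs[name]:
            return False
        self._sigs[name].add(sig)
        return True

    def count(self, name):
        return len(self._sigs[name])

    def exact_match(self, sig):
        """Names whose stored signatures contain an identical byte sequence."""
        return sorted(name for name, sigs in self._sigs.items() if sig in sigs)

    def best_fuzzy_match(self, sig, threshold):
        """Best (name, score) by Jaccard index, or None if nothing reaches the threshold."""
        best_name, best_score = None, 0.0
        for name, sigs in self._sigs.items():
            for known in sigs:
                score = jaccard(shingles(sig), shingles(known))
                if score > best_score:
                    best_name, best_score = name, score
        return (best_name, best_score) if best_score >= threshold else None


def build_store():
    """Simulate three runs of the generator: crc32 twice (same version), adler32 in two versions."""
    store = SignatureStore()
    store.add("crc32", signature(CRC32))
    store.add("crc32", signature(CRC32))        # duplicate: not appended
    store.add("adler32", signature(ADLER32_V1))
    store.add("adler32", signature(ADLER32_V2))  # different version: appended
    return store


if __name__ == "__main__":
    store = build_store()
    print("exact:", store.exact_match(signature(CRC32)))
    print("fuzzy:", store.best_fuzzy_match(signature(CRC32_VARIANT), threshold=0.5))
```

The variant of `crc32` differs in a single instruction, so exact matching fails on it while the Jaccard index still scores it well above any unrelated function; the threshold is what trades false positives against missed identifications when a library was built with a different compiler version.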
Useful links:

- Detailed information about C Run-Time Libraries (CRT)

Third-party

- Zydis (MIT License)
- Zstandard (BSD License)
- Icon by freepik