Home

Awesome

idenLib - Library Function Identification

When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

idenLib.exe is a tool for generating library signatures from .lib/.obj/.exe files.

idenLib.dp32/idenLib.dp64 is a x32dbg/x64dbg plugin to identify library functions.

idenLib.py is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?

  1. Parses input file(.lib/.obj file) to get a list of function addresses and function names.
  2. Gets the last opcode from each instruction

sig

  1. Compresses the signature with zstd

  2. Saves the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig or zlib.lib.sig64, if zlib.lib.sig(64) already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig/sig64 file will include all unique function signatures.

Inside of a signature (it's compressed): signature

Usage:

Generating library signatures

lib

x32dbg/x64dbg, IDA Pro plugin usage:

  1. Copy SymEx directory under x32dbg/x64dbg/IDA Pro's main directory
  2. Apply signatures:

x32dbg/x64dbg:

xdb

IDA Pro:

ida_boost_2

Generating main function signature:

If you want to generate a signature for main function compiled using MSVC 14 you need to create a hello world application with the corresponding compiler and use the application as input for idenLib

getmain

main function signature files are EntryPointSignatures.sig and EntryPointSignatures.sig64

IDAProMain

x64dbg_main

Notes Regarding to main Function Signatures

Applying Signatures

There are two ways to apply signatures, exact match and using Jaccard index

x32dbg_jaccard

Useful links:

Third-party