idenLib - Library Function Identification

When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

idenLib.exe is a tool for generating library signatures from .lib files.

idenLib.dp32 is a x32dbg plugin to identify library functions.

idenLib.py is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?

1. Parse input file(.lib file) to get a list of function addresses and function names.
2. Get the last opcode from each instruction and generate MD5 hash from it (you can change the hashing algorithm).

3. Save the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig, if zlib.lib.sig already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig file will include all unique function signatures.

Signature file format:

hash function_name

Generating library signatures

x32dbg, IDAPro plugin usage:

1. Copy SymEx directory under x32dbg/IDA Pro's main directory
2. Apply signatures:

x32dbg:

IDAPro:

Only x86 is supported (adding x64 should be trivial).

Useful links:

• Detailed information about C Run-Time Libraries (CRT);

Credits

• Disassembly powered by Zydis
• Icon by freepik