When analyzing malware or 3rd party software, it’s challenging to identify statically linked libraries and to understand what a function from the library is doing.
idenLib.exe is a tool for generating library signatures from .lib/.obj/.exe files.
idenLib.dp32/idenLib.dp64 is a x32dbg/x64dbg plugin to identify library functions.
idenLib.py is an IDA Pro plugin to identify library functions.
How does idenLib.exe generate signatures?
Parses input file(.lib/.obj file) to get a list of function addresses and function names.
Gets the last opcode from each instruction
Compresses the signature with zstd
Saves the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig or zlib.lib.sig64, if zlib.lib.sig(64) already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig/sig64 file will include all unique function signatures.
Inside of a signature (it’s compressed):
Usage:
Generate library signatures: idenLib.exe /path/to/file or idenLib.exe /path/to/directory
Ge ..
Support the originator by clicking the read the rest link below.
