Jump to content

idenLib - Library Function Identification

Recommended Posts

idenLib - Library Function Identification

When analyzing malware or 3rd party software, it's challenging to identify statically linked libraries and to understand what a function from the library is doing.

idenLib.exe is a tool for generating library signatures from .lib files.

idenLib.dp32 is a x32dbg plugin to identify library functions.

idenLib.py is an IDA Pro plugin to identify library functions.

Any feedback is greatly appreciated: @_qaz_qaz

How does idenLib.exe generate signatures?

  1. Parse input file(.lib file) to get a list of function addresses and function names.
  2. Get the last opcode from each instruction and generate MD5 hash from it (you can change the hashing algorithm).


  1. Save the signature under the SymEx directory, if the input filename is zlib.lib, the output will be zlib.lib.sig, if zlib.lib.sig already exists under the SymEx directory from a previous execution or from the previous version of the library, the next execution will append different signatures. If you execute idenLib.exe several times with different version of the .lib file, the .sig file will include all unique function signatures.

Signature file format:

hash function_name


Generating library signatures


x32dbg, IDAPro plugin usage:

  1. Copy SymEx directory under x32dbg/IDA Pro's main directory
  2. Apply signatures:





Only x86 is supported (adding x64 should be trivial).

Useful links:



Sursa: https://github.com/secrary/idenLib

  • Upvote 1
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...