idenLib - Library Function Identification [This project is not maintained anymore]
idenLib is a toolset for generating and applying library function signatures to identify statically linked library functions in malware and third-party software analysis.
Security analysts and malware researchers use idenLib to detect and identify library functions embedded within binaries, which aids reverse engineering and malware analysis. Recognizing known library code in executables improves understanding of the analyzed software's behavior and facilitates exploitation or security automation tasks.
idenLib is no longer maintained, so users should be aware of potential compatibility issues with newer platforms. Generating main function signatures requires registration of msdia140.dll from the DIA SDK. Signature application supports both exact and approximate matching methods, improving flexibility in identifying library functions.
Download or clone the idenLib repository
Copy the SymEx directory to the main directory of x32dbg, x64dbg, or IDA Pro for plugin usage
For main function signature generation, ensure msdia140.dll is registered as a COM component using regsvr32.exe
Build or obtain idenLib.exe for signature generation
Place the generated signature files (.sig/.sig64) under the SymEx directory
idenLib.exe /path/to/file
    Generates library signatures from a specified .lib, .obj, or .exe file
idenLib.exe /path/to/directory
    Generates library signatures from all applicable files within a directory
idenLib.exe /path/to/pe -getmain
    Generates a signature for the main function of a PE file compiled with MSVC
Copy SymEx directory to x32dbg/x64dbg/IDA Pro main directory
    Installs the signature database for use with the debugger or disassembler plugins
Apply signatures in x32dbg/x64dbg or IDA Pro
    Identifies library functions during debugging or static analysis using the generated signatures