Externalist
October 3rd, 2008, 04:13
Hi,
I'm trying to create a FLIRT signature of a binary that's statically linked with mfc90.dll and msvcr90.dll. I could think of 2 ways to do it. Either create a .pat of the 2 dll files with idb2sig and feed them to sigmake, or find the corresponding .lib files and use pcf then sigmake. I've tried the 1st and here's what I got.
http://i34.tinypic.com/2lx6ujk.jpg
Not bad, but it would be better if all of them could be resolved. This requires the .lib files of the .dll files, which I had in my possession.
So I first started with mfc90.lib included in VS2008 lib directory and fed it to pcf.exe after using link.exe to make it into a static library, but pcf prints an error saying:
Fatal [mfc90.lib] (objr\i386\_alias0.obj): not a coff module
I don't know what that object file is (Google doesn't either), and I can't find them anywhere either. I found out there were about 500 of those included in the .lib file, but compared to the number of functions imported from mfc90.dll the rate was low, so I decided it won't be that much of a big influence and excluded all of them using a simple script and LIB.exe. After that, pcf and sigmake create a nice .sig file with a total of 6500 signatures, and I used it on a simple test MFC dll I made statically linked with mfc90.lib.
And the result... 0 signatures identified.
I'm not sure if I went through the right steps, but I did everything the Manual said. The two vc32rtf.sig & vc32mfc.sig files initially included in the IDA sig directory identify a statically linked MFC binary most of the time. But I have no clue what procedure was used to build them...
Hence, my question is, is there a way to create properly working sig files from the lib files included in Visual Studio?
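A member-type check for a .lib like the one pcf rejected, as an added example that is not part of the original post: it walks the archive's members and labels each by its first four bytes, so the entries that are not COFF objects can be listed before they are removed with LIB.exe. The sample archive and its bytes are constructed, and `classify`, `members` and `_member` are hypothetical names.

```python
import struct

MAGIC = b"!<arch>\n"
MACHINES = {0x014C: "coff-i386", 0x8664: "coff-x64"}

def classify(data):
    """Guess a member's type from its first four bytes."""
    if len(data) < 4:
        return "other"
    sig1, sig2 = struct.unpack_from("<HH", data)
    if sig1 == 0 and sig2 == 0xFFFF:
        return "import"            # short import / anonymous object header
    return MACHINES.get(sig1, "other")

def members(blob):
    """Yield (name, kind) for every object member of a .lib archive."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an archive")
    pos, longnames = len(MAGIC), b""
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)   # members start on even offsets
        if name == "//":
            longnames = data            # table of long member names
        elif name != "/":               # "/" is the linker symbol index
            if name.startswith("/"):    # "/N" = offset N into longnames
                off = int(name[1:])
                name = longnames[off:].split(b"\0", 1)[0].decode("ascii")
            else:
                name = name.rstrip("/")
            yield name, classify(data)

def _member(name, data):
    """Build one archive member (used only for the constructed sample)."""
    hdr = "%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (name, "0", "", "", "0", len(data))
    return hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")

# Constructed sample; the member bytes are invented, not taken from mfc90.lib.
SAMPLE = (MAGIC + _member("/", b"\0" * 4)
          + _member("//", b"objr\\i386\\_alias0.obj\0")
          + _member("/0", b"\x07\x00\x01\x00\x00")      # unrecognised header
          + _member("mfc90.dll/", b"\x00\x00\xff\xff" + b"\0" * 16)
          + _member("dummy.obj/", b"\x4c\x01" + b"\0" * 18))
```

Calling `list(members(open(path, "rb").read()))` on a real library gives the per-member breakdown; only members labelled `coff-*` are ordinary object files.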