Analyze .lib file


benno
October 17th, 2011, 09:46
Hello,
I'm new to this field. I try to hide a process in OllyDbg by hooking NtReadVirtualMemory and NtQueryVirtualMemory, but I can still view memory by attaching to it. What else do I need to hook? Hope you get me.

blabberer
October 18th, 2011, 22:41
What does the title have to do with your question??

Anyway, if what you ask in the title is relevant, you can do something like this, if this is what you meant:

Code:


C:\>cd "c:\Program Files\Microsoft SDKs\Windows\v7.1\Lib"

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>type dumplib.bat
dumpbin /symbols %1 | grep -i comp | sed s/ABS.*// | sed s/....//

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumplib.bat AclUI.Lib

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumpbin /symbols AclUI.Lib |
grep -i comp | sed s/ABS.*// | sed s/....//
00937809
00937809
00937809

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumplib.bat User32.Lib

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumpbin /symbols User32.Lib |
grep -i comp | sed s/ABS.*// | sed s/....//
00937809
00937809
00937809

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>echo/|set /p =id = & set /a "0
x00937809 >>16" & echo/|set /p= minver = &set /a "0x00937809 & 0xffff"
id = 147 minver = 30729
C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>

C:\Program Files\Microsoft Visual Studio 9.0\VC>cl
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.


And IIRC a .lib file can contain objects compiled by different versions of the compiler, and each symbol is represented by a @comp.id COFF symbol struct.

Anyway, the latest SDK shows the lib files are compiled with all these compilers,

by using the above bat file with an input of *.lib:

Code:

00937809 my example lib viz user32.lib is compiled with
000A1FE8
00837809
00847809
00131FBC
0023209E
001923FA
00132359 refer to Daniel Pistelli's thread for the Rich signature

COFF SYMBOL TABLE
000 00132359 ABS notype Static | @comp.id

00957809
007BC627
001C227E
00060820
0093521E
007EC627 you can see the low word in Daniel Pistelli's thread about the undocumented Rich signature in EXEs

Quote:

Brief summary of what this function does. The first part of the function creates
a linked list of structures containing (not counting the linking pointer) two dwords
which I called "data1" and "data2". This list contains one fixed item (data1=0x78C627 and data2=1)

One person made me notice that the low word of the comp.id value was the same as
part of the version number of his VC++ compiler. Let's analyze for a second the fixed
value inserted in the Rich Signature and let's consider its low word 0xC627 (50727)

http://www.woodmann.com/forum/showthread.php?11367-Microsoft-s-Rich-Signature-%28undocumented%29&highlight=rich
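The @comp.id lookup that blabberer scripts above with dumpbin, grep and sed, written out as an added Python example (this is editor-supplied code, not code from the thread or from Microsoft's tools): it walks the members of a .lib archive, reads each COFF object's symbol table, collects the ABS/Static @comp.id values and splits each one into tool id and build number with the same shifts as the `set /a` one-liner. The archive and its objects are constructed inside the script so it runs offline; the member names are made up, and 0x00131FBC is one of the values from the list in the post. Point `lib_comp_ids` at the bytes of a real .lib (e.g. `open(path, "rb").read()`) to get the same list the batch file prints.

```python
import struct
from typing import Iterator, List, Tuple

IMAGE_SYM_ABSOLUTE = -1          # SectionNumber of an absolute symbol (the "ABS" in dumpbin output)
IMAGE_SYM_CLASS_STATIC = 3       # StorageClass that dumpbin prints as "Static"
COFF_HEADER_FMT = "<HHIIIHH"     # IMAGE_FILE_HEADER, 20 bytes
COFF_SYMBOL_FMT = "<8sIhHBB"     # IMAGE_SYMBOL, 18 bytes


def decode_comp_id(value: int) -> Tuple[int, int]:
    """Split a @comp.id value into (tool id, build number): high word and low word,
    the same arithmetic as the thread's `set /a "0x00937809 >>16"` and `& 0xffff`."""
    return value >> 16, value & 0xFFFF


def coff_comp_ids(obj: bytes) -> List[int]:
    """Return every @comp.id value found in one COFF object's symbol table."""
    (_machine, _nsections, _timestamp, symtab_off, nsyms,
     _opt_size, _flags) = struct.unpack_from(COFF_HEADER_FMT, obj, 0)
    ids = []
    i = 0
    while i < nsyms:
        name, value, section, _typ, sclass, naux = struct.unpack_from(
            COFF_SYMBOL_FMT, obj, symtab_off + 18 * i)
        if (name == b"@comp.id" and section == IMAGE_SYM_ABSOLUTE
                and sclass == IMAGE_SYM_CLASS_STATIC):
            ids.append(value)
        i += 1 + naux               # auxiliary records follow their symbol
    return ids


def ar_members(lib: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (name, data) for every member of an ar-format archive (.lib)."""
    if not lib.startswith(b"!<arch>\n"):
        raise ValueError("not an archive")
    off = 8
    while off + 60 <= len(lib):
        hdr = lib[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % off)
        name = hdr[0:16].rstrip()
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, lib[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)   # member data is 2-byte aligned


def lib_comp_ids(lib: bytes) -> List[int]:
    """Collect @comp.id values from all object members, skipping the two
    linker members ("/") and the long-name table ("//")."""
    ids = []
    for name, data in ar_members(lib):
        if name in (b"/", b"//"):
            continue
        ids.extend(coff_comp_ids(data))
    return ids


def report(lib: bytes) -> List[Tuple[str, int, int]]:
    """(hex value, id, minver) per object, mirroring the batch file's output."""
    return [("%08X" % v,) + decode_comp_id(v) for v in lib_comp_ids(lib)]


# ---- constructed sample input (not a real SDK library) ----------------------

def make_coff_object(comp_id: int) -> bytes:
    """Constructed sample: an i386 COFF object with no sections, one @comp.id
    symbol and an empty string table."""
    symtab_off = struct.calcsize(COFF_HEADER_FMT)
    header = struct.pack(COFF_HEADER_FMT, 0x14C, 0, 0, symtab_off, 1, 0, 0)
    symbol = struct.pack(COFF_SYMBOL_FMT, b"@comp.id", comp_id,
                         IMAGE_SYM_ABSOLUTE, 0, IMAGE_SYM_CLASS_STATIC, 0)
    strtab = struct.pack("<I", 4)   # string table holds only its own size
    return header + symbol + strtab


def make_archive(members) -> bytes:
    """Constructed sample: wrap (name, data) pairs in ar format."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        hdr = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
               + b"644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
        out += hdr + data
        if len(data) & 1:
            out += b"\n"
    return bytes(out)


SAMPLE_LIB = make_archive([
    (b"/", b"\x00\x00\x00\x00"),                  # stand-in first linker member
    (b"a.obj/", make_coff_object(0x00937809)),    # value from the post: VC9 SP1 build 30729
    (b"b.obj/", make_coff_object(0x00131FBC)),    # another value from the post's list
])

if __name__ == "__main__":
    for hexval, tool_id, build in report(SAMPLE_LIB):
        print(hexval, "id =", tool_id, "minver =", build)
```

The parser only trusts three things about a symbol before counting it: the 8-byte short name is exactly `@comp.id`, the section number is the absolute marker, and the storage class is static. That is the same filter the `grep -i comp | sed s/ABS.*//` pipeline applies by text matching, done on the binary fields instead, so a member whose string table happens to contain "comp" elsewhere cannot produce a false hit.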