Log in

View Full Version : Analyze .lib file

benno
October 17th, 2011, 09:46
Hello,
im new to this field i try to hide process in ollydbg by hooking ntreadvirtualmemory and ntqueryvirtualmemory but i still view memory by attaching to it, what else do i need to hook? Hope you get me.
blabberer
October 18th, 2011, 22:41
what does the title have to do with your question ??

anyway if what you ask in title is relevent you can do some thing like this if this is what you meant

Code:




C:\>cd "c:\Program Files\Microsoft SDKs\Windows\v7.1\Lib"



C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>type dumplib.bat

dumpbin /symbols %1 | grep -i comp | sed s/ABS.*// | sed s/....//



C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumplib.bat AclUI.Lib



C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumpbin /symbols AclUI.Lib   |

grep -i comp   | sed s/ABS.*//   | sed s/....//

00937809

00937809

00937809



C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumplib.bat User32.Lib



C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>dumpbin /symbols User32.Lib   |

 grep -i comp   | sed s/ABS.*//   | sed s/....//

00937809

00937809

00937809



C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>echo/|set /p =id = & set /a  "0

x00937809 >>16" & echo/|set /p= minver =  &set /a "0x00937809 & 0xffff"

id = 147 minver =  30729

C:\Program Files\Microsoft SDKs\Windows\v7.1\Lib>



C:\Program Files\Microsoft Visual Studio 9.0\VC>cl

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86

Copyright (C) Microsoft Corporation.  All rights reserved.


and iirc a lib file can contain objects compiled by different versions of compiler and each symbol is represented by a comp.id coff_symbol struct

anyway the latest sdk shows the lib files are compiled with all these compilers

by using the above bat file with an input of *.lib

Code:


00937809  my example lib viz user32.lib is compiled with 

000A1FE8

00837809

00847809

00131FBC

0023209E

001923FA

00132359  refer daniel pistellis thread for rich signature 



COFF SYMBOL TABLE

000 00132359 ABS    notype       Static       | @comp.id



00957809

007BC627

001C227E

00060820

0093521E

007EC627  you can see the lowword in daniel pistelli's thread about undocumented rich signature in exe




Quote:


Brief summary of what this function does. The first part of the function creates 

a linked list of structures containing (not counting the linking pointer) two dwords 

which I called "data1" and "data2". This list contains one fixed item (data1=0x78C627 and data2=1)



On person made me notice that the low word of the comp.id value was the same as 

part of the version number of his VC++ compiler. Let's analyze for a second the fixed

value inserted in the Rich Signature and let's consider its low word 0xC627 (50727)


http://www.woodmann.com/forum/showthread.php?11367-Microsoft-s-Rich-Signature-%28undocumented%29&highlight=rich