In IDA, how to know the lib function belongs to which lib file?

[bridgeic]

In IDA, how to know the lib function(such as _alloca_probe) belongs to which lib file?

Is there any plugin/script can do this and give the summarize list for all the lib function used in analyzed PE file? Thanks.

[cnbragon]

maybe it can not, cause the library functions have been linked in the PE file during the build phase, and the PE file doesn't contain any information about the library itself.

[bridgeic]

Quote:

Originally Posted by cnbragon

maybe it can not, cause the library functions have been linked in the PE file during the build phase, and the PE file doesn't contain any information about the library itself.

But IDA can identify the function as library function, how IDA know this then?

push ebp
mov ebp, esp
mov eax, 10D0h
call __alloca_probe

[mcp]

I don't think you can retrieve this info from IDA. However, you might want to look into typeinf.hpp (specifically the til_t struct) in the IDA SDK.
You can however, get access to the currently used type library (global variable idati) as well as the list of applied signatures. But it seems to me that it doesn't give you a mapping from function names to the respective flirt library.

[bridgeic]

Quote:

Originally Posted by mcp

I don't think you can retrieve this info from IDA. However, you might want to look into typeinf.hpp (specifically the til_t struct) in the IDA SDK.
You can however, get access to the currently used type library (global variable idati) as well as the list of applied signatures. But it seems to me that it doesn't give you a mapping from function names to the respective flirt library.

I still don't fully understand, I'll have a study first, thanks a lot. :-)

[Av0id]

you need to know lib specific parameters like it's name, version, compiler flags and so on, and then you can make a flair-signature manually and apply it to target, there is no other way to get this info

functions like alloca_probe are guessed from autoanalysis, debug-info and built-in signatures for CRT

[bridgeic]

Quote:

Originally Posted by Av0id

you need to know lib specific parameters like it's name, version, compiler flags and so on, and then you can make a flair-signature manually and apply it to target, there is no other way to get this info

functions like alloca_probe are guessed from autoanalysis, debug-info and built-in signatures for CRT

Hi Av0id,

Sorry I'm not familiar with this.

I found there is a function _tolower in IDA like this.

.text:004653A8 _tolower proc near ; CODE XREF: sub_401046+F55p
.text:004653A8 ; _movein_date+7Ep ...
.text:004653A8
.text:004653A8 CharType = word ptr 4
.text:004653A8
.text:004653A8 call __getptd
.text:004653AD mov eax, [eax+64h]
.text:004653B0 cmp eax, off_53407C
.text:004653B6 jz short loc_4653BD
.text:004653B8 call ___updatetlocinfo
.text:004653BD
.text:004653BD loc_4653BD: ; CODE XREF: _tolower+Ej
.text:004653BD push dword ptr [esp+CharType] ; CharType
.text:004653C1 push eax ; MultiByteStr
.text:004653C2 call ___tolower_mt
.text:004653C7 pop ecx
.text:004653C8 pop ecx
.text:004653C9 retn
.text:004653C9 _tolower endp

I claim it as extern proc in asm as: EXTRN tolower:PROC

And when do LINK with VC, the "_tolower" function included in the generated new .exe file seems be different with original one

.text:00467BF9 _tolower proc near ; CODE XREF: sub_4B481B+7Ep
.text:00467BF9 ; sub_4B481B+9Fp ...
.text:00467BF9
.text:00467BF9 C = dword ptr 8
.text:00467BF9
.text:00467BF9 mov edi, edi
.text:00467BFB push ebp
.text:00467BFC mov ebp, esp
.text:00467BFE cmp dword_5911CC, 0
.text:00467C05 jnz short loc_467C17
.text:00467C07 mov eax, [ebp+C]
.text:00467C0A lea ecx, [eax-41h]
.text:00467C0D cmp ecx, 19h
.text:00467C10 ja short loc_467C23
.text:00467C12 add eax, 20h
.text:00467C15 pop ebp
.text:00467C16 retn
.text:00467C17 ; ---------------------------------------------------------------------------
.text:00467C17
.text:00467C17 loc_467C17: ; CODE XREF: _tolower+Cj
.text:00467C17 push 0 ; Locale
.text:00467C19 push [ebp+C] ; C
.text:00467C1C call __tolower_l
.text:00467C21 pop ecx
.text:00467C22 pop ecx
.text:00467C23
.text:00467C23 loc_467C23: ; CODE XREF: _tolower+17j
.text:00467C23 pop ebp
.text:00467C24 retn
.text:00467C24 _tolower endp

So, my question is:

Although IDA shows _tolower is a library function, but it is possible not a stardard library function, am I right?

Thanks,
bridgeic

[pp2]

IDA finds library functions by signature (mask of bytes from function's entrypoint) and yes, it is possible, that IDA can give "false positive". Also, there are many different realizations of standard functions (i.e. 10-ths variants of optimized memcpy/memset/etc.), which can be mixed in output code compiled with different optimization options for example, so you can have different code for the same function in your file.

[Shub-Nigurrath]

simplest method is to search for the __alloca_probe string inside each file of the IDA folder. The signatures are in external files.. that one which contains the string (not dlls which might contain that string but in the IAT) is the one used by IDA.