Friday 2 October 10:00 - 10:30, Red room
Aliaksandr Chailytko (Check Point)
Aliaksandr Trafimchuk (Check Point)
How many times have you been in this situation: you've dumped a decrypted body of really hardcore malware after unpacking, and several hours of work later you have a perfectly documented IDA database (IDB), with some 'blind spots' that need to be investigated dynamically. You drop the executable to Olly and... have absolutely no idea what's going on, since there are no labels, function names or comments. All you've got is jmp loc_00401000, call 0040135F, etc.
One possible answer is to export a '*.map' file from IDA, and use the 'mapimp' plug-in for Olly to import it. However, there is one strong limitation: the plug-in does not support rebasing of the module, making work with packed malware (especially if it injects itself into other processes) basically impossible. Another disadvantage of 'mapimp' is that when you make changes to your IDB, you cannot update information in Olly in real time.
What's the solution? Meet 'Labeless'.
Labeless is a plug-in for dynamic, seamless and real-time synchronization between Olly and IDA. Synchronization is performed correctly even if the malware has been relocated, which is usually the case with multistage packed malware or following injections.
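As an added illustration (not Labeless's own code), the following shows why keeping labels keyed by RVA instead of by absolute address lets a relocated or injected module keep IDA's names and comments in the debugger, and how a later rename in the IDB propagates to a new base; the image bases, addresses and names are constructed.

```python
# Added example, not part of Labeless: store IDA names/comments as RVAs so
# they can be re-applied at whatever base the debugger reports for the module
# (relocated unpacked stage, or code injected into another process).

IDA_IMAGE_BASE = 0x00400000  # constructed: base the IDB was analysed at

# Constructed stand-in for an IDB export: absolute VA -> name / comment
IDB_LABELS = {
    0x00401000: "start",
    0x0040135F: "decrypt_config",
    0x00402210: "inject_payload",
}
IDB_COMMENTS = {0x0040135F: "decrypts embedded config blob"}


class LabelSync:
    """Keeps names and comments as RVAs relative to the IDB image base."""

    def __init__(self, ida_base, labels, comments=None):
        self.ida_base = ida_base
        self.labels = {va - ida_base: n for va, n in labels.items()}
        self.comments = {va - ida_base: c for va, c in (comments or {}).items()}

    def update_from_ida(self, va, name=None, comment=None):
        """Analyst renamed/commented something in the IDB: record it as an RVA."""
        rva = va - self.ida_base
        if name is not None:
            self.labels[rva] = name
        if comment is not None:
            self.comments[rva] = comment

    def labels_for(self, dbg_base):
        """Return {debugger VA: name} for the module loaded at dbg_base."""
        return {dbg_base + rva: n for rva, n in self.labels.items()}

    def describe(self, dbg_base, dbg_va):
        """Annotate a debugger address as nearest-label+offset, or bare hex."""
        rva = dbg_va - dbg_base
        candidates = [r for r in self.labels if r <= rva]
        if not candidates:
            return f"{dbg_va:08X}"
        base_rva = max(candidates)
        off = rva - base_rva
        return self.labels[base_rva] + (f"+{off:X}" if off else "")
```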
Labeless, which is based on our PyExCore project, consists of two parts: the IDA plug-in and the OllyDbg plug-in.
Executing Python scripts in OllyDbg and feeding results back to IDA (PyExCore)
These are the key features of PyExCore:
Another application of PyExCore: IDADump
PyExCore can be used for many different tasks. One of these is dynamic dumping of memory regions of the debugged process. We can take a memory region and put it in the IDA IDB, fixing imports on the fly. There is no need for ImpRec or BinScylla, nor for searching memory for the regions that contain the real IAT, as we get that information dynamically from the debugged process itself.
As a result, we have a lot of memory regions that may even represent different modules (if the unpacking process is multistage) with valid references between them. We will end up with one large IDB which contains all the information on the specific research case.
Labeless significantly reduces the time spent transferring already reversed/documented code information from IDA (static) to the debugger (dynamic). There is no need to do the same job twice. In addition, you can document and add data to the IDB on the fly. Your changes are automatically propagated to Olly, even if you restart the virtual machine or Olly crashes. You will never lose your research.
Aliaksandr Chailytko was born in Minsk, Belarus in 1989. He has had a strong passion for malware reverse engineering since the age of 14. He joined Check Point Software Technologies at the end of 2012 as a malware reverse engineer. Now, he is a team leader for the malware reverse engineering team, guiding the team's research efforts and innovations. His hobbies include building race engines, reverse engineering of automotive ECUs and attending sanctioned racing events.
Aliaksandr Trafimchuk was born in Pruzhany, Belarus in 1986. After having worked as a software developer for about nine years, he joined Check Point Software Technologies in the middle of 2014. Now, he is working as a malware reverse engineer. He has a cat and his hobbies include development and reversing.