a guest
May 13th, 2016
Contributed By Check Point Software Technologies LTD.

Features
========

## 1. Seamless synchronization of labels, function names, comments and global variables (with or without demangling)

* Synchronization modes:
  * On demand
  * On rename (update on-the-fly)
* Supports image base-independent synchronization

## 2. Dynamic dumping of debugged process memory regions
This is useful in the following cases:

* When the debugged process contains an extracted/temporary/injected module which doesn't appear in the modules list
* When the module doesn't have a valid PE header
* When it has a corrupted import table, etc.

## 3. Python scripting

The following debug backends are currently supported:

* [OllyDbg 1.10](http://www.ollydbg.de/), DeFixed 1.10 (FOFF's team mod)
* [OllyDbg 2.01](http://www.ollydbg.de/)
* [x64dbg](https://github.com/x64dbg/x64dbg) (x32, x64)

Overview
========

Labeless is a plugin system for **dynamic, seamless and realtime synchronization between an IDA database and a debug backend**.
It consists of two parts: an IDA plugin and a debug backend plugin.

Labeless significantly reduces the time a researcher spends transferring already reversed/documented code information from IDA (static) to the debugger (dynamic). It saves time by preventing you from doing the same job twice. You can also document and add data to the IDB on the fly, and your changes will be automatically propagated to the debug backend, even if you restart the virtual machine or the debug backend instance crashes. So you will never lose your research.

This solution is highly extensible. You can implement any helper scripts in Python on the debug backend's side and then call them from IDA with one line of code, parsing the results and automatically propagating changes to the IDB.

**We can take a memory region** from the debugged process and put it in the IDB, fixing imports on the fly using the debug backend's functionality. There is no more need for ImpRec or BinScylla, or for searching memory for the regions that contain the real IAT, because we get that information dynamically from the debugged process itself.

As a result we have a number of memory regions that may even represent different modules (if the unpacking process is multistage) with valid references between them, which makes it possible to build a full control flow graph of the executable. Basically, we end up with one big IDB containing all the information on the specific case.
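The import-fixing idea above is easiest to see on a concrete dump. The following Python example is added here and is not Labeless code; the module ranges, export addresses and the dumped IAT bytes are constructed sample data standing in for what a debug backend can enumerate from the live process. Each slot of a headerless IAT dump is resolved against the exports of the modules actually loaded in the debuggee, and slots that point into a module without hitting an export start (or nowhere at all) are reported for manual review instead of being silently accepted.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data standing in for what the debug backend can enumerate
# from the live process: loaded module ranges and their export addresses.
LOADED_MODULES: Dict[str, Tuple[int, int]] = {       # name -> (base, end)
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "msvcrt.dll":   (0x77C10000, 0x77C68000),
}
LOADED_EXPORTS: Dict[int, Tuple[str, str]] = {       # address -> (module, export)
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80B741: ("kernel32.dll", "VirtualAlloc"),
    0x77C2F8A8: ("msvcrt.dll", "printf"),
}

# Constructed dump of an IAT region (no PE header, just the slots) together
# with the virtual address it occupied in the debuggee.
IAT_VA = 0x00402000
IAT_BYTES = struct.pack(
    "<8I",
    0x7C80AE40, 0x7C801D7B, 0x7C80B741, 0,  # kernel32 thunks, 0-terminated
    0x77C2F8A8, 0x7C80AE45, 0x12345678, 0,  # printf, mid-function ptr, junk
)


@dataclass
class ResolvedImport:
    slot_va: int
    value: int
    module: str = ""
    name: str = ""
    kind: str = "unresolved"   # "export" | "inside-module" | "unresolved"


def classify(slot_va: int, value: int) -> ResolvedImport:
    """Map one IAT slot to (module, export) using the live export table."""
    if value in LOADED_EXPORTS:
        module, name = LOADED_EXPORTS[value]
        return ResolvedImport(slot_va, value, module, name, "export")
    for module, (base, end) in LOADED_MODULES.items():
        if base <= value < end:
            # Inside a loaded module but not at an export start: typical of
            # redirected or obfuscated imports, so it needs manual review.
            return ResolvedImport(slot_va, value, module, "", "inside-module")
    return ResolvedImport(slot_va, value)


def resolve_iat(data: bytes, iat_va: int, ptr_size: int = 4) -> List[List[ResolvedImport]]:
    """Split a raw IAT dump into 0-terminated per-module thunk lists and resolve each slot."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    groups: List[List[ResolvedImport]] = []
    current: List[ResolvedImport] = []
    for off in range(0, len(data) - len(data) % ptr_size, ptr_size):
        (value,) = struct.unpack_from(fmt, data, off)
        if value == 0:                 # terminator of one module's thunk list
            if current:
                groups.append(current)
                current = []
            continue
        current.append(classify(iat_va + off, value))
    if current:                        # dump ended without a terminator
        groups.append(current)
    return groups


def summarize(groups: List[List[ResolvedImport]]) -> Tuple[Dict[str, List[str]], List[ResolvedImport]]:
    """Return {module: [export names]} plus the slots that need manual attention."""
    by_module: Dict[str, List[str]] = {}
    attention: List[ResolvedImport] = []
    for group in groups:
        for imp in group:
            if imp.kind == "export":
                by_module.setdefault(imp.module, []).append(imp.name)
            else:
                attention.append(imp)
    return by_module, attention


if __name__ == "__main__":
    by_module, attention = summarize(resolve_iat(IAT_BYTES, IAT_VA))
    for module, names in by_module.items():
        print(f"{module}: {', '.join(names)}")
    for imp in attention:
        print(f"review slot {imp.slot_va:#010x} -> {imp.value:#010x} ({imp.kind})")
```

The point of the "inside-module" class is that a static dump cannot tell a legitimate export from a pointer into the middle of a module, whereas the debugger, which knows the loaded module list, can; that is the information the text says is obtained from the debugged process itself.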

## Virus Bulletin 2015

* [Presentation](https://www.youtube.com/watch?v=bMQlu-lL6oY)
* [Slides](https://github.com/a1ext/labeless/blob/master/vb2015_presentation/vb2015_labeless.pptx)
* Dumping multiple injections video on [YouTube](https://youtu.be/M5K5Ldaq284)
* Python scripting video on [YouTube](https://youtu.be/SkcM8Hz2dT4)
* Basic labels sync video on [YouTube](https://youtu.be/iqipmqE2Znk)

Installation
============
## Usage of precompiled binaries (release version)
If you want to use both x86 and x86_64 targets, perform the following steps for each Python distribution.

* Set up Python 2.7 (x86/x86_64)
* Copy the ```deploy``` directory to the target machine where you want to use a debugger backend
* Set up protobuf 2.6.1 using the following commands:

```bat
cd c:\deploy
c:\Python27\python.exe setup_protobuf.py
```
* Install the "labeless" Python module using the following commands:

```bat
cd c:\deploy
c:\Python27\python.exe setup.py install
```

* Configure your debugger backend: set up the ```plugins``` directory

## Configuring your IDA PRO
Copy the IDA plugins ```IDA[XX]\plugins\labeless_ida.plw``` and ```IDA[XX]\plugins\labeless_ida.p64``` to IDA's ```plugins``` directory, for example ```c:\IDA68\plugins```

## Configuring the debug backends
### 1. OllyDbg 1.10
You may find a prepared debugger in the ```OllyDbg110``` directory. (Note: don't forget to set up the debugger's ```plugins``` directory.)

### 1.1 DeFixed 1.10 (FOFF's team mod)
Copy ```DeFixed110\plugins\labeless_olly_foff.dll``` to DeFixed's ```plugins``` directory. (Note: don't forget to set up the debugger's ```plugins``` directory.)

### 2. OllyDbg 2.01
You may find a prepared debugger in the ```OllyDbg201``` directory. (Note: don't forget to set up the debugger's ```plugins``` directory.)

### 3. x64dbg (x32, x64)
You may find a prepared debugger in the ```x64dbg``` directory.

# Checking if everything works
* Start the debug backend (debugger) and check that the _Labeless_ item is present in the _Plugins_ menu. If there is any problem, check Olly's log window for details. Open the log window and look for the ```LL: ok, binded at <IP>:<PORT>``` message; its presence means that the backend-side plugin was initialized successfully. Note: if you start several debuggers, you may see the following message

![port_auto_select.png](docs/port_auto_select.png)

You may also see a firewall alert

![allow_firewall.png](docs/allow_firewall.png)

If you want to access the debug backend from another computer, allow the backend to listen in this dialog or configure the firewall manually.

* Start working with an existing IDA database, or use ```Labeless``` -> ```Load stub database...``` from the menu
* Open the Labeless settings dialog using any of the following actions:
  * menu ```Edit``` -> ```Plugins``` -> ```Labeless```
  * main menu ```Labeless``` -> ```Settings...```
  * hotkey ```Alt+Shift+E```
* Enter the **IP address** and **port** of the guest machine (where the debug backend is set up), then click the '_Test connection_' button
* If IDA displays the message ```Successfully connected!```, the configuration is correct.

## Development

* Set up Python 2.7 (x86/x86_64)
* protobuf 2.6.1
* Visual Studio 2010 + Qt 4.8.4 (built with the "QT" namespace) - required by the **IDA 6.8** plugin (to properly use IDA's Qt). You can configure Qt yourself with the following command:

```bat
configure -platform win32-msvc2010 -shared -release -no-webkit -opensource -no-qt3support -no-phonon -no-phonon-backend -opengl desktop -nomake demos -nomake examples -nomake tools -no-script -no-scripttools -no-declarative -qtnamespace QT
```

* Visual Studio 2015 + Qt 5.4.1 to build the IDA 6.9 and debug backend plugins. You should build Qt 5.4.1 from sources. Do the following steps:
  * Download the Qt 5.4.1 sources from [http://download.qt.io/official_releases/qt/5.4/5.4.1/single/](http://download.qt.io/official_releases/qt/5.4/5.4.1/single/qt-everywhere-opensource-src-5.4.1.7z)
  * Check [this article](http://doc.qt.io/qt-5/windows-requirements.html) to set up the Qt 5 requirements
  * Check the [Hex blog](http://www.hexblog.com/?p=969) post about compiling Qt 5.4.1, grab the patch and apply it in the Qt 5 root directory. Then compile Qt 5
  * Set up the [Qt VS-Addin](http://download.qt.io/official_releases/vsaddin/qt-vs-addin-1.2.5.exe)

  123.  
# How to use
* If you want to enable synchronization of labels (names) and comments from IDA to Olly, check '_Enable labels & comments sync_' in the Labeless settings dialog in IDA. There is one required field called '_Remote module base_', which should be set to the current module base of the analyzed application. You can find that information in the debugger
* Select the needed features, like _Demangle name_, _Local labels_, _Non-code names_
* Select the comments synchronization type:
  * \<Disabled\>
  * Non-repeatable
  * Repeatable
  * All

Repeatable comments are comments which IDA shows at every place that references the commented location.

* If you want to sync labels right now, press the '_Sync now_' button. Labeless will sync all names found in your IDB with Olly. The settings dialog closes automatically, saving all settings
* You may also use ```Labeless``` -> ```Sync labels now``` from IDA's main menu
* If you want to customize the settings of the IDADump engine, do it on the '_IDADump_' tab.
* To save changed settings, click '_Save & Close_'
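The '_Remote module base_' field, the _Non-code names_ option and the comment-type choice above together decide what is written into the debugger. The following Python example is added here and is not Labeless code; the IDB contents, the image base and the remote module base are constructed. It shows the arithmetic behind image base-independent synchronization: every name and comment is taken relative to the IDB's image base, rebased onto the module base observed in the debugger, filtered by the selected comment mode, and anything that would land outside the module is skipped rather than written to a foreign address.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IdbItem:
    ea: int                  # effective address as stored in the IDB
    name: str = ""           # label / function / global name ("" if none)
    comment: str = ""        # non-repeatable comment
    rpt_comment: str = ""    # repeatable comment (IDA shows it at every reference)
    is_code: bool = True     # False for data names such as globals


# Constructed IDB contents: image base 0x400000, module size 0x3000.
IDB_IMAGE_BASE = 0x00400000
MODULE_SIZE = 0x3000
IDB_ITEMS = [
    IdbItem(0x401000, name="wmain", rpt_comment="entry point of unpacked payload"),
    IdbItem(0x401230, name="decrypt_config", comment="decrypts the embedded config"),
    IdbItem(0x402010, name="g_config_blob", is_code=False, rpt_comment="encrypted config"),
    IdbItem(0x403500, name="stale_label"),   # past the module end: must not be sent
]

COMMENT_MODES = ("<Disabled>", "Non-repeatable", "Repeatable", "All")


def rebase(ea: int, idb_base: int, remote_base: int) -> int:
    """Translate an IDB address to the same offset in the remotely loaded module."""
    return ea - idb_base + remote_base


def build_sync_payload(items: List[IdbItem], idb_base: int, remote_base: int,
                       module_size: int, comment_mode: str = "All",
                       non_code_names: bool = True) -> Tuple[Dict[int, Dict[str, str]], List[int]]:
    """Return ({remote_va: {"name": ..., "comment": ...}}, [skipped IDB addresses])."""
    if comment_mode not in COMMENT_MODES:
        raise ValueError(f"unknown comment mode {comment_mode!r}")
    payload: Dict[int, Dict[str, str]] = {}
    skipped: List[int] = []
    for item in items:
        rva = item.ea - idb_base
        if not 0 <= rva < module_size:      # would land on a foreign address
            skipped.append(item.ea)
            continue
        name = item.name if (item.is_code or non_code_names) else ""
        comments: List[str] = []
        if comment_mode in ("Non-repeatable", "All") and item.comment:
            comments.append(item.comment)
        if comment_mode in ("Repeatable", "All") and item.rpt_comment:
            comments.append(item.rpt_comment)
        entry: Dict[str, str] = {}
        if name:
            entry["name"] = name
        if comments:
            entry["comment"] = "; ".join(comments)
        if entry:
            payload[rebase(item.ea, idb_base, remote_base)] = entry
    return payload, skipped


if __name__ == "__main__":
    remote_base = 0x10000000   # constructed: the base the debugger reports for the module
    payload, skipped = build_sync_payload(IDB_ITEMS, IDB_IMAGE_BASE, remote_base, MODULE_SIZE)
    for va, entry in sorted(payload.items()):
        print(f"{va:#010x} {entry}")
    print("skipped (outside module):", [hex(ea) for ea in skipped])
```

The bounds check is the part worth keeping in mind when filling in '_Remote module base_' by hand: with a wrong base every label is shifted by the same amount, so names silently land on unrelated code in the debugger, and only the entries that fall outside the module size are caught.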

# Things automatically performed in the background
* If you enabled the '_Enable labels & comments sync_' option, Labeless automatically synchronizes all the data on any rename operation in IDA

# Troubleshooting
An issue with Python 2.7.11 is described [here](http://bugs.python.org/issue26998?), so avoid using this version. The latest stable supported version is 2.7.10.

# Download
* [Download latest release of Labeless](https://github.com/a1ext/labeless/releases/latest)
* (old) [Download Labeless 1.0.0.7 (includes IDA 6.6 build)](https://github.com/a1ext/labeless/releases/download/v_1_0_0_7/Labeless.v.1.0.0.7_with_IDA66_build.zip)

# Credits
* **Axel Souchet** aka [0vercl0k](https://github.com/0vercl0k)
* **Duncan Ogilvie** aka [mrexodia](https://github.com/mrexodia)