a1ext / labeless

Labeless is a multipurpose IDA Pro plugin system for labels/comments synchronization with a debugger backend, with complex memory dumping and interactive Python scripting capabilities.

Contributed By Check Point Software Technologies LTD.


Features

1. Seamless synchronization of labels, function names, comments and global variables (w/wo demangling)

2. Dynamic dumping of debugged process memory regions

It can be useful in the following cases:

3. Python scripting

We support the following list of debug backends for now:

Overview

Labeless is a multipurpose IDA Pro plugin system for labels/comments synchronization with a debug backend, with complex memory dumping and interactive Python scripting capabilities. It consists of two parts: an IDA plugin and a debug backend plugin.

Labeless significantly reduces the time a researcher spends transferring already reversed/documented code information from IDA (static) to the debugger (dynamic). It saves time by preventing the same job from being done twice. You can also document and add data to the IDB on the fly, and your changes will be propagated automatically to the debug backend, even if you restart the virtual machine or the debug backend instance crashes. So you will never lose your research.

This solution is highly extensible. You can implement any helper scripts in Python on the debug backend's side and then call them from IDA with one line of code, parsing the results and automatically propagating changes to the IDB.
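The core of the synchronization described above is a rebase-and-diff: the IDB keys names and comments by the addresses of the image as linked, while the debugger sees the module wherever the loader placed it, so entries have to be rebased before they are compared, and only the differences pushed. The following is an added illustration in plain Python, not Labeless' code or API; the addresses, names and the Annotation/plan_sync/apply_ops helpers are constructed for the example. It also carries the "repeatable" flag of IDA comments, so that this property survives the trip to the debugger.

```python
"""Propagating IDA labels and comments to a live debugger session (illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Annotation:
    """What is attached to one address. Empty strings mean 'nothing'."""
    name: str = ""            # label or function name
    comment: str = ""         # comment text
    repeatable: bool = False  # repeatable comments are shown at every xref


Op = Tuple[str, int, Annotation]   # ("set" | "clear", debugger-side address, value)


def rebase(ea: int, old_base: int, new_base: int) -> int:
    """Translate an address between module bases (same RVA, different base)."""
    return ea - old_base + new_base


def plan_sync(ida: Dict[int, Annotation], ida_base: int,
              dbg: Dict[int, Annotation], dbg_base: int) -> List[Op]:
    """Compute the operations that make the debugger mirror the IDB.

    Entries that already match are skipped, changed or new entries are set,
    and entries the IDB no longer has are cleared, so repeating the plan
    after a debugger restart converges on the same state.
    """
    wanted = {rebase(ea, ida_base, dbg_base): ann for ea, ann in ida.items()}
    ops: List[Op] = []
    for ea in sorted(wanted):
        if dbg.get(ea) != wanted[ea]:
            ops.append(("set", ea, wanted[ea]))
    for ea in sorted(dbg):
        if ea not in wanted:
            ops.append(("clear", ea, Annotation()))
    return ops


def apply_ops(dbg: Dict[int, Annotation], ops: List[Op]) -> Dict[int, Annotation]:
    """Apply a plan to the debugger-side view (a real backend would call its label/comment API here)."""
    out = dict(dbg)
    for kind, ea, ann in ops:
        if kind == "set":
            out[ea] = ann
        else:
            out.pop(ea, None)
    return out


# Constructed sample: the IDB was built from the file at its preferred base
# 0x400000, while the debugger loaded the same module at 0xA50000.
IDA_BASE, DBG_BASE = 0x00400000, 0x00A50000
IDA_SIDE = {
    0x401000: Annotation("WinMain", "entry point", False),
    0x401234: Annotation("decrypt_config", "RC4 key built at [ebp-0x20]", True),
    0x403000: Annotation(comment="config blob, decrypted in place"),
}
DBG_SIDE = {
    0xA51000: Annotation("WinMain", "entry point", False),   # already in sync
    0xA51234: Annotation("sub_401234"),                      # stale auto-name
    0xA55555: Annotation("old_label"),                       # no longer in the IDB
}


def demo() -> List[Op]:
    """Plan one sync, apply it, and confirm that a second run has nothing left to do."""
    ops = plan_sync(IDA_SIDE, IDA_BASE, DBG_SIDE, DBG_BASE)
    synced = apply_ops(DBG_SIDE, ops)
    assert plan_sync(IDA_SIDE, IDA_BASE, synced, DBG_BASE) == []   # idempotent
    return ops


if __name__ == "__main__":
    for kind, ea, ann in demo():
        print(f"{kind:5} {ea:#010x} {ann}")
```

The idempotence check at the end of demo() is the property that matters for the "restart the VM or the backend crashes" case: because the plan is computed from the IDB every time, reconnecting and re-running it reproduces the debugger-side state without manual bookkeeping.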

We can take that memory region and put it in the IDB, fixing imports 'on the fly' using the debug backend's functionality. There is no more need for ImpRec or BinScylla to search memory for the regions that contain the real IAT, because we get that information dynamically from the debugged process itself.

As a result we get many memory regions, which may even represent different modules (if the unpacking process is multistage), with valid references between them, which makes it possible to build a full control flow graph of the executable. Basically, we end up with one big IDB containing all the information on the specific case.
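What "fixing imports on the fly" amounts to, in the simplest form: after an unpacker has resolved its API addresses, the dumped region holds an import address table of raw pointers, and the debugger knows which export lives at each address, so every pointer-sized slot can be mapped back to module!function. The following is an added illustration in plain Python, not Labeless' implementation; the export map, the dump bytes and the reconstruct_iat/describe helpers are constructed for the example. It assumes a pointer-aligned dump base and a 32-bit target (pass ptr_size=8 for 64-bit).

```python
"""Rebuilding an import table from a dumped memory region (illustration)."""
import struct
from typing import Dict, List, Tuple

# Constructed export map, as a debugger backend could report it for the loaded
# modules: absolute address -> "module!export". The addresses are invented.
EXPORTS: Dict[int, str] = {
    0x76C01234: "kernel32.dll!LoadLibraryA",
    0x76C05678: "kernel32.dll!GetProcAddress",
    0x76C09ABC: "kernel32.dll!VirtualAlloc",
    0x75A01000: "user32.dll!MessageBoxA",
}

Slot = Tuple[int, int, str]   # (slot VA in the dump, pointer value, "module!export")


def reconstruct_iat(dump: bytes, dump_base: int, exports: Dict[int, str],
                    ptr_size: int = 4, min_entries: int = 2) -> List[List[List[Slot]]]:
    """Locate import tables in a dumped region.

    A PE-style IAT is a sequence of pointer-sized thunks grouped per DLL, each
    group null-terminated. Walking the dump slot by slot: a pointer that resolves
    to a known export extends the current group, a null closes the group, and
    anything else (or a second null) ends the table. Tables with fewer than
    ``min_entries`` resolved slots are dropped as coincidental values.

    Returns tables -> groups (one per DLL) -> slots.
    """
    fmt = "<I" if ptr_size == 4 else "<Q"
    tables: List[List[List[Slot]]] = []
    groups: List[List[Slot]] = []
    group: List[Slot] = []

    def flush() -> None:
        nonlocal groups, group
        if group:
            groups.append(group)
        if sum(len(g) for g in groups) >= min_entries:
            tables.append(groups)
        groups, group = [], []

    for off in range(0, len(dump) - ptr_size + 1, ptr_size):
        val = struct.unpack_from(fmt, dump, off)[0]
        if val in exports:
            group.append((dump_base + off, val, exports[val]))
        elif val == 0 and group:
            groups.append(group)       # end of one DLL's thunk block
            group = []
        else:
            flush()                    # unresolvable value or double null: table ends
    flush()
    return tables


def describe(table: List[List[Slot]]) -> Dict[str, List[str]]:
    """Summarize one table as DLL -> imported function names, in slot order."""
    by_module: Dict[str, List[str]] = {}
    for group in table:
        for _va, _target, name in group:
            module, func = name.split("!", 1)
            by_module.setdefault(module, []).append(func)
    return by_module


SAMPLE_BASE = 0x00A60000   # constructed: where the unpacker placed its output


def build_sample_dump() -> bytes:
    """Constructed 0x30-byte dump: code bytes with one stray API pointer, then a
    two-DLL IAT, then unrelated data."""
    def p(v: int) -> bytes:
        return struct.pack("<I", v)
    return (
        b"\x55\x8b\xec\x90"                                      # 0x00 push ebp; mov ebp,esp; nop
        + p(0x76C05678)                                          # 0x04 lone pointer, not a table
        + b"\xc3\xcc\xcc\xcc"                                    # 0x08 ret; int3 padding
        + p(0)                                                   # 0x0C
        + p(0x76C01234) + p(0x76C05678) + p(0x76C09ABC) + p(0)   # 0x10 kernel32 thunks, null-terminated
        + p(0x75A01000) + p(0)                                   # 0x20 user32 thunks, null-terminated
        + b"\xde\xad\xbe\xef" + p(0)                             # 0x28 unrelated data
    )


if __name__ == "__main__":
    for table in reconstruct_iat(build_sample_dump(), SAMPLE_BASE, EXPORTS):
        print(f"IAT at {table[0][0][0]:#010x}: {describe(table)}")
```

On the sample dump the stray pointer at offset 0x04 is discarded because it never forms a table, while the block at 0x10 is recovered as kernel32 (three entries) followed by user32 (one entry), which is the information a fixed-up IDB needs to name the thunks and follow calls through them.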

Virus Bulletin 2015

Videos

Installation

Usage of precompiled binaries (release version)

Debug-backend setup:

If you want to use both x86 and x86_64 targets, then you should perform the following steps for each Python distribution.

cd c:\deploy
c:\Python27\python.exe setup_protobuf.py
pip install --upgrade labeless

In case you don't have an Internet connection, you can install the prebuilt module from the release archive:

cd c:\deploy
c:\Python27\Scripts\pip.exe install labeless-1.1.2.65-py2.py3-none-any.whl

Note: If you have used Labeless before and want to update it, don't forget to reinstall the Python module for each new release.

Configuring of your IDA PRO:

Labeless supports IDA PRO on Windows and Linux (starting from IDA PRO version 6.9.5). Labeless handles only PE/AMD64 binaries. Labeless requires the IDAPython plugin python.[plw|p64|plx|plx64] (it ships with IDA PRO, but make sure it works).

There are plugins:

IDA[XX]\plugins\labeless_ida.plw - for IDA for Windows, handles 32-bit binaries (used with idaq)
IDA[XX]\plugins\labeless_ida.p64 - for IDA for Windows, handles 64-bit binaries (used with idaq64)
IDA[XX]\plugins\labeless_ida.plx - for IDA for Linux, handles 32-bit binaries (used with idaq)
IDA[XX]\plugins\labeless_ida.plx64 - for IDA for Linux, handles 64-bit binaries (used with idaq64)

Copy the Labeless plugins to your IDA plugins directory, for example c:\IDA68\plugins.

Configuring of debug backends

1. OllyDbg 1.10

You may find a prepared debugger in the directory OllyDbg110. (Note: don't forget to set up the debugger's plugins directory.)

2. DeFixed 1.10 (FOFF's team mod)

Copy DeFixed110\plugins\labeless_olly_foff.dll to the DeFixed plugins directory. (Note: don't forget to set up the debugger's plugins directory.)

3. OllyDbg 2.01

You may find a prepared debugger in the directory OllyDbg201. (Note: don't forget to set up the debugger's plugins directory.)

4. x64dbg (x32,x64)

You may find a prepared debugger in the directory x64dbg.

Checking if everything works

(Screenshot: port_auto_select.png)

You may also see a firewall alert:

(Screenshot: allow_firewall.png)

If you want to access the debug backend from another computer, you should allow the backend to listen, either through this dialog or by configuring the firewall manually.

Development

configure -platform win32-msvc2010 -shared -release -no-webkit -opensource -no-qt3support -no-phonon -no-phonon-backend -opengl desktop -nomake demos -nomake examples -nomake tools -no-script -no-scripttools -no-declarative -qtnamespace QT

How to use

Repeatable comments are comments that IDA shows at every location referencing the commented address.

Things automatically performed in the background

Troubleshooting

An issue with Python 2.7.11 is described here, so avoid using that version. The latest stable supported version is 2.7.10.

Download

Credits