Labeless - no more

Presented at VB2015, Oct. 2, 2015, 10 a.m. (30 minutes)

**Use case**

How many times have you been in this situation: you've dumped the decrypted body of some really hardcore malware after unpacking, and several hours of work later you have a perfectly documented *IDA* database (IDB), with some 'blind spots' that need to be investigated dynamically. You drop the executable into *Olly* and... have absolutely no idea what's going on, since there are no labels, function names or comments. All you've got is `jmp loc_00401000`, `call 0040135F`, etc. One possible answer is to export a '*.map' file from *IDA* and use the 'mapimp' plug-in for *Olly* to import it. However, there is one strong limitation: the plug-in does not support rebasing of the module, making work with packed malware (especially if it injects itself into other processes) basically impossible. Another disadvantage of 'mapimp' is that when you make changes to your IDB, you cannot update the information in *Olly* in real time. What's the solution? Meet 'Labeless'.

**Overview**

Labeless is a plug-in for dynamic, seamless and real-time synchronization between *Olly* and *IDA*. Synchronization is performed correctly even if the malware has been relocated, which is usually the case with multistage packed malware or following injections. Labeless, which is based on our PyExCore project, consists of two parts: the *IDA* plug-in and the *OllyDbg* plug-in.

**Executing Python scripts in OllyDbg and feeding results back to IDA (PyExCore)**

These are the key features of PyExCore:

* The Python wrappers around the *OllyDbg* API allow us to control the debugging process and its internal data structures (memory map, SEH, stack, call stack, context, etc.), which provides almost unlimited functionality.
* Any data available to *OllyDbg* can easily be sent to *IDA* and vice versa. As a result, the information contained in the IDB is the best of both worlds (static and dynamic).

**Another application of PyExCore: IDADump**

PyExCore can be used for many different tasks. One of these is dynamic dumping of debugged process memory regions. We can take a memory region and put it into the *IDA* IDB, fixing imports on the fly. There is no need for ImpRec or BinScylla, or for searching memory for the regions that contain the real IAT, as we get that information dynamically from the debugged process itself. As a result, we have a lot of memory regions that may even represent different modules (if the unpacking process is multistage), with valid references between them. We end up with one large IDB which contains all the information on the specific research case.

**Summary**

Labeless significantly reduces the time spent transferring already reversed/documented code information from *IDA* (static) to the debugger (dynamic). There is no need to do the same job twice. In addition, you can document and add data to the IDB on the fly. Your changes are automatically propagated to *Olly*, even if you restart the virtual machine or *Olly* crashes. You will never lose your research.
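The rebasing problem described in the use case and the relocation-safe synchronization promised in the overview come down to one design decision: store labels by RVA, not by absolute address, and substitute the module's current base on either side. The following is an added illustration of that idea, not Labeless or PyExCore code. The map text, the `0x00400000` IDB base and the `0x00C70000` injected base are constructed, and the map format is a simplified stand-in for IDA's 'Publics by Value' section in which the offset is treated directly as an RVA.

```python
import bisect
import re
from typing import Dict

# Constructed sample in the spirit of the 'Publics by Value' part of an IDA
# '*.map' export, simplified for this example: each public is
# "<segment>:<offset>  <name>" and the offset is taken as an RVA (relative to
# the image base the IDB was analysed at). Names and addresses are made up.
SAMPLE_MAP = """\
 Address         Publics by Value

 0001:00001000       start
 0001:0000135F       decrypt_body
 0001:000014A0       resolve_imports
 0002:00003010       g_config_blob
"""

IDB_IMAGE_BASE = 0x00400000  # base the IDB was analysed at (assumed)

MAP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")


def parse_map(text: str) -> Dict[int, str]:
    """Parse the sample map into {rva: name}; keying by RVA rather than by
    absolute VA is what makes relocation a cheap base substitution."""
    labels: Dict[int, str] = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if m:
            labels[int(m.group(2), 16)] = m.group(3)
    return labels


class LabelSync:
    """Label store keyed by RVA that can be projected onto whatever base the
    module currently occupies in the debugger, and that accepts labels added
    on the debugger side so they flow back to the IDB's addressing."""

    def __init__(self, labels_by_rva: Dict[int, str], idb_base: int) -> None:
        self.idb_base = idb_base
        self.by_rva = dict(labels_by_rva)
        self._rvas = sorted(self.by_rva)

    def to_debugger(self, runtime_base: int) -> Dict[int, str]:
        """Labels keyed by runtime VA for a module loaded at runtime_base."""
        return {runtime_base + rva: name for rva, name in self.by_rva.items()}

    def describe(self, runtime_va: int, runtime_base: int) -> str:
        """Render a runtime VA as 'name' or 'name+off' using the nearest
        preceding label, i.e. what a labelled disassembly shows instead of
        a bare 'call 0040135F'."""
        rva = runtime_va - runtime_base
        i = bisect.bisect_right(self._rvas, rva) - 1
        if i < 0:
            return f"{runtime_va:08X}"  # nothing labelled at or below this address
        label_rva = self._rvas[i]
        off = rva - label_rva
        name = self.by_rva[label_rva]
        return name if off == 0 else f"{name}+{off:X}"

    def from_debugger(self, runtime_va: int, runtime_base: int, name: str) -> int:
        """Record a label named in the debugger and return the address it
        maps to in the IDB (idb_base + rva)."""
        rva = runtime_va - runtime_base
        if rva not in self.by_rva:
            bisect.insort(self._rvas, rva)
        self.by_rva[rva] = name
        return self.idb_base + rva


if __name__ == "__main__":
    sync = LabelSync(parse_map(SAMPLE_MAP), IDB_IMAGE_BASE)
    injected_base = 0x00C70000  # where the payload landed after injection (assumed)
    for va, name in sorted(sync.to_debugger(injected_base).items()):
        print(f"{va:08X}  {name}")
    print(sync.describe(injected_base + 0x1371, injected_base))
    print(f"{sync.from_debugger(injected_base + 0x2000, injected_base, 'unpack_stage2'):08X}")
```

Because the store never holds an absolute address, the same labels can be projected onto each process the sample injects into by calling `to_debugger` with that process's base, and a label named while debugging round-trips to the IDB address via `from_debugger` with no manual arithmetic.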
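The IDADump section says imports are fixed from information the debugger already has, rather than by searching memory for an IAT with ImpRec-style tools. The following added example (not IDADump's own code) shows the core of that approach: the debugger knows every loaded module's base and export addresses, so a dumped region can be scanned at pointer alignment for runs of slots whose values are known export addresses. The module table, export addresses and dumped bytes are all constructed; the `min_run` threshold is an assumption added to separate a real IAT from a lone stray pointer to an export.

```python
import struct
from typing import Dict, List, Tuple

PTR_SIZE = 4  # 32-bit process, the case OllyDbg handles

# Constructed stand-ins for what the debugger knows about the live process:
# each module's load base and the runtime addresses of its exports. In the
# tool described above this comes from the debugged process; here it is made up.
LOADED_MODULES = {
    "kernel32.dll": {
        "base": 0x75A00000,
        "exports": {"VirtualAlloc": 0x75A1C1F0, "GetProcAddress": 0x75A1B860, "LoadLibraryA": 0x75A1E8D0},
    },
    "ntdll.dll": {
        "base": 0x77F00000,
        "exports": {"NtWriteVirtualMemory": 0x77F3A2C0, "RtlDecompressBuffer": 0x77F5D010},
    },
}

Thunk = Tuple[int, str, str]  # (offset in region, module, export name)


def build_export_index(modules) -> Dict[int, Tuple[str, str]]:
    """Reverse map runtime export address -> (module, name) for O(1) slot lookup."""
    return {va: (mod, name) for mod, info in modules.items() for name, va in info["exports"].items()}


def find_iat_runs(region: bytes, export_index, min_run: int = 2) -> List[List[Thunk]]:
    """Scan a dumped region at pointer alignment and collect runs of slots whose
    values are known export addresses. A single zero slot inside a run is allowed,
    since the IAT holds one zero-terminated block per imported DLL. Runs shorter
    than min_run are dropped: an isolated pointer to an export is more likely a
    stray reference in data than an import table."""
    runs: List[List[Thunk]] = []
    cur: List[Thunk] = []
    saw_zero = False

    def flush() -> None:
        nonlocal cur, saw_zero
        if len(cur) >= min_run:
            runs.append(cur)
        cur, saw_zero = [], False

    for off in range(0, len(region) - PTR_SIZE + 1, PTR_SIZE):
        value = struct.unpack_from("<I", region, off)[0]
        hit = export_index.get(value)
        if hit is not None:
            cur.append((off, hit[0], hit[1]))
            saw_zero = False
        elif value == 0 and cur and not saw_zero:
            saw_zero = True  # block terminator; the next DLL's block may follow
        else:
            flush()
    flush()
    return runs


def imports_by_module(run: List[Thunk]) -> Dict[str, List[str]]:
    """Group one IAT run into the per-DLL import lists needed to rebuild imports."""
    grouped: Dict[str, List[str]] = {}
    for _, mod, name in run:
        grouped.setdefault(mod, []).append(name)
    return grouped


def sample_region() -> bytes:
    """Constructed dump: junk, a two-DLL IAT, padding, then a lone stray pointer."""
    region = struct.pack("<3I", 0x11223344, 0x55667788, 0x99AABBCC)      # offsets 0..11
    region += struct.pack("<7I", 0x75A1C1F0, 0x75A1B860, 0x75A1E8D0, 0,  # IAT at offset 12
                          0x77F3A2C0, 0x77F5D010, 0)
    region += b"\xCC" * 8                                                 # int3 padding
    region += struct.pack("<I", 0x75A1E8D0)                               # stray LoadLibraryA pointer
    region += b"\x90" * 4
    return region


if __name__ == "__main__":
    index = build_export_index(LOADED_MODULES)
    region_base = 0x00C70000  # where the dumped region lived in the process (assumed)
    for run in find_iat_runs(sample_region(), index):
        print(f"IAT candidate at {region_base + run[0][0]:08X}, {len(run)} thunks")
        for mod, names in imports_by_module(run).items():
            print(f"  {mod}: {', '.join(names)}")
```

Lowering `min_run` to 1 makes the scan report the stray pointer at offset 48 as a second candidate, which is the false positive the threshold exists to suppress; when several dumped regions belong to different unpacking stages, the same index resolves each region's slots against the one process-wide export map, so cross-references between the regions stay valid.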

Presenters:

  • Aliaksandr Trafimchuk - Check Point
    Aliaksandr Trafimchuk was born in Pruzhany, Belarus in 1986. After having worked as a software developer for about nine years, he joined Check Point Software Technologies in the middle of 2014. Now, he is working as a malware reverse engineer. He has a cat and his hobbies include development and reversing.
  • Aliaksandr Chailytko - Check Point
    Aliaksandr Chailytko was born in Minsk, Belarus in 1989. He has had a strong passion for malware reverse engineering since the age of 14. He joined Check Point Software Technologies at the end of 2012 as a malware reverse engineer. Now, he is a team leader for the malware reverse engineering team, guiding the team's research efforts and innovations. His hobbies include building race engines, reverse engineering automotive ECUs and attending sanctioned racing events.
