Labeless Part 2: Installation
August 23, 2018
In this part we will be guiding you through the installation of Labeless. Post install steps to verify that installation was done correctly are also provided below.
Of course, if you’re new to all the Labeless stuff, please refer to the previous article in this series as it will be helpful in explaining what’s going on here.
Quick links to the sections of this guide are provided below. So let’s get started and get Labeless installed on your machine.
First of all, let’s agree on some terminology. We will use the following terms:
HOST: The machine where IDA resides
BACKEND: The machine with debugger
While the host and backend may be the same, it’s not recommended for this to be so. In practice it’s better to use one machine for debugging with snapshots and another for storing the research database. By doing this, if you want to revert to some of the saved machine states you will not lose research results – which are safely stored in IDA database on another machine, usually on the host. You can then propagate them back to the debugger and continue from this point.
In this section we will cover all the necessary steps to ensure Labeless is installed correctly.
First you have to choose which version of Labeless to use: the latest stable without the newest features or the one in development (the one not yet released and with possible bugs).
The archive with the latest release versions of binaries can be found here.
This archive contains all the necessary binaries for debuggers and IDA in the appropriate folders:
The `AdvancedOlly` plugin prevents Olly 1.10 from crashing on Windows 7. That’s why it also resides in the archive, in case you want to test Labeless with Olly 1.10 on this OS.
The archive with the binaries is left as a build artifact on an `appveyor` service and can be found by following the next steps.
First, go to the Labeless’ `devel` branch commits GitHub page here:
Click the green check mark near the latest commit:
The following options will then appear. We are interested in the details of the first one:
Then we go to the `appveyor` site and click `Artifacts` button:
The binaries can now be downloaded right there:
After getting the archive with the binaries, the installation steps should be performed both on the host and the backend. They are described in the next sections below.
Now for the simplest part. Just copy the IDA-side plugins, for both the x86 and x64 versions, to the plugin folder:
Please keep in mind that many options in Labeless are active only when a database is opened in IDA.
This section consists of two parts:
- One time Labeless environment deployment.
- Using debugger with Labeless plugin.
Because the debuggers supported by Labeless run on Windows, this section assumes Windows on the backend. Note that IDA for Linux is also supported.
Labeless Environment Deployment
Everything described in this section must be done only once, before starting to use Labeless.
After doing so, a VM snapshot can be taken to not have to repeat this process over and over again.
First of all, Python 2.7.x must be installed. It can be downloaded here.
Then make sure that `pip` is installed. It’s included in the package above so it should not be an issue.
Now Labeless deployment is required. Two separate install sections are provided below: one for Windows XP and the other for Windows Vista+.
Note that if you want to use x64 version of the debugger all the steps below must be repeated for Python x64.
The `Labeless` package may be installed as any other package via `pip install` command:
`pip install labeless`
The output shown in console windows is as follows:
Note: this installation variant will not work on Windows XP, because it is not officially supported yet and lacks the latest trusted root certificates, which results in the following error:
There are some workarounds for this issue but we have decided that the simplest one is to provide separate installation instructions for Windows XP.
Download the latest release archive from GitHub: https://github.com/a1ext/labeless/releases/latest
Take the `deploy` folder and copy it to any place on the machine:
Now it’s Python time. First, `protobuf` must be installed by executing these commands in `cmd`:
The result should look like this:
Then Labeless itself must be installed from the included `*.whl` file:
`c:\Python27\Scripts\pip install labeless-220.127.116.11-py2.py3-none-any.whl`
Pay attention to the version of the Labeless release when using the `pip install` command (`18.104.22.168` in the command above, but it is subject to change with later releases).
Successful installation is indicated by this output:
Using Labeless with the Debugger
Now the plugin must be copied to the appropriate `plugin` directory of the chosen debugger. Any debugger from the list (which was also shown above) may be used:
- OllyDbg 1.10
- OllyDbg 2.01
Let’s take Olly 1.10, for example:
Note: if you don’t have the Python27 path set in the environment variables and have installed Python for the current user only, make sure that `python27.dll` is placed in the root debugger folder:
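The backend steps above can be checked in one pass before a VM snapshot is taken. The script below is an added example, not part of Labeless or of the original article; the file name `preflight.py` is hypothetical, and the plugin DLL name is passed in by the user because this guide does not spell it out.

```python
# Added example: backend preflight for the deployment steps in this guide.
# Written to run on Python 2.7 (the backend interpreter) and on Python 3.
import os
import struct
import subprocess
import sys


def pip_has(package):
    """True if `python -m pip show <package>` succeeds for this interpreter."""
    with open(os.devnull, "w") as null:
        return subprocess.call([sys.executable, "-m", "pip", "show", package],
                               stdout=null, stderr=null) == 0


def find_file(folder, name):
    """Case-insensitive lookup of `name` directly inside `folder`."""
    try:
        entries = os.listdir(folder)
    except OSError:  # missing or unreadable directory
        return None
    for entry in entries:
        if entry.lower() == name.lower():
            return os.path.join(folder, entry)
    return None


def preflight(debugger_root, plugin_name, debugger_bits=32):
    """Return {check name: bool}; plugin_name is the DLL you copied (assumed)."""
    path_dirs = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]
    # Approximates the DLL search: debugger root first, then PATH.
    dll = any(find_file(d, "python27.dll") for d in [debugger_root] + path_dirs)
    return {
        "python_2_7": sys.version_info[:2] == (2, 7),
        "python_bits_match_debugger": struct.calcsize("P") * 8 == debugger_bits,
        "protobuf_installed": pip_has("protobuf"),
        "labeless_installed": pip_has("labeless"),
        "plugin_in_plugin_dir": find_file(
            os.path.join(debugger_root, "plugin"), plugin_name) is not None,
        "python27_dll_found": dll,
    }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("usage: preflight.py <debugger root> <plugin DLL> [32|64]")
    else:
        bits = int(sys.argv[3]) if len(sys.argv) > 3 else 32
        report = preflight(sys.argv[1], sys.argv[2], bits)
        for check, ok in sorted(report.items()):
            print("%-28s %s" % (check, "OK" if ok else "MISSING"))
```

Run it with the same Python 2.7 interpreter the debugger will load (x86 or x64), since `pip show` and the bitness check describe only the interpreter that executes the script.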
We have to be sure that IDA sees the debugger instance.
IDA wants to know the IP and port of the backend machine.
The IP is obtained from the `ipconfig` command:
The Port is set in a debugger instance:
It is equal to 3852 by default:
Open the executable in IDA and go to Labeless settings (Alt+Shift+E):
Input the given values in the appropriate fields and press `Test connection`:
The below window should then appear:
The message inside indicates a successful connection from IDA to the debugger instance. Now information from the debugger may be pulled into IDA, and IDA in turn may propagate information to the debugger.
Don’t forget to save input data by pressing the `Save & Close` button at the bottom of the options window:
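When `Test connection` does not succeed, a plain TCP connect from the host to the backend separates a wrong IP or blocked network from a debugger that is not listening. This is an added example, not Labeless code; it only opens and closes a TCP connection and does not speak the Labeless protocol, and the function names and hint texts are assumptions of the example.

```python
# Added example: classify the result of a plain TCP connect to the backend.
# Python 2.7 / 3 compatible, so it runs with whichever Python the host has.
import errno
import socket
import sys

LABELESS_DEFAULT_PORT = 3852  # default port stated in this guide

HINTS = {
    "open": "port accepts TCP connections; use Test connection in IDA next",
    "refused": "backend answers but nothing listens on this port; is the "
               "debugger running with the plugin, and is the port the same?",
    "timeout": "no answer; recheck the IP from ipconfig, the VM network "
               "mode and the backend firewall",
    "bad_address": "the address is not a valid IP or resolvable name",
}


def probe_backend(ip, port=LABELESS_DEFAULT_PORT, timeout=3.0):
    """Return one of: open, refused, timeout, bad_address, error:<errno>."""
    try:
        conn = socket.create_connection((ip, port), timeout)
    except socket.timeout:
        return "timeout"
    except socket.gaierror:
        return "bad_address"
    except socket.error as exc:  # OSError on Python 3
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        return "error:%s" % errno.errorcode.get(exc.errno, exc.errno)
    conn.close()
    return "open"


def explain(status):
    """Map a probe status to the step of this guide worth rechecking."""
    return HINTS.get(status, "unexpected socket error (%s)" % status)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe.py <backend IP> [port]")
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else LABELESS_DEFAULT_PORT
        status = probe_backend(sys.argv[1], port)
        print("%s:%d -> %s (%s)" % (sys.argv[1], port, status, explain(status)))
```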
To keep the Labeless plugin on your backend up-to-date, just type and execute
`pip install --upgrade labeless`
in the command line. It will perform all the necessary steps for updating the Labeless plugin.
Updated binaries for IDA on the host side have to be copied manually.
In this part we’ve shown how to install Labeless both for IDA and popular debuggers.
In the next part we will cover automatically restoring WinAPI calls in malicious code dumped from the LockPoS Point-of-Sale malware.
While this particular case will be discussed, the feature of auto-restoring WinAPI calls instead of manually restoring the IAT is applicable to other research as well.
So, let’s proceed to the next lesson in Labeless where we will show you how to dump and auto-resolve WinAPI calls in LockPoS point-of-sale malware – have fun!
Labeless GitHub repository: https://github.com/a1ext/labeless
Latest release version: https://github.com/a1ext/labeless/releases/latest
All credits go to Alexander Trafimchuk (a1ex.t), author of Labeless and an all-round jolly good fellow.