Labeless Part 2: Installation

In this part we walk you through the installation of Labeless. Post-install steps to verify that the installation works are also provided below.

If you are new to Labeless, please refer to the previous article in this series first, as it explains what is going on here.

Quick links to the sections of this guide are provided below. So let’s get started and get Labeless installed on your machines.

Environment

Setup

Version: Latest Stable or Development?

Latest release

Latest development version

Installation steps

Host Side With IDA

Backend Side With Debugger

Connecting IDA to Debugger

Upgrading Labeless

Summary

Links

Credits

Environment

First of all, let’s agree on some terminology. We will use the following terms:

HOST: The machine where IDA resides

BACKEND: The machine with debugger

While the host and backend may be the same machine, this is not recommended. In practice it is better to use one machine (a VM with snapshots) for debugging and another for storing the research database. That way, if you revert the debugging VM to a saved state you do not lose your research results, which are safely stored in the IDA database on the host. You can then propagate them back to the debugger and continue from that point. Keeping the backend in a disposable VM also contains the sample you are debugging: it is the machine where untrusted code actually runs.

Setup

In this section we will cover all the necessary steps to ensure Labeless is installed correctly.

Version: Latest Stable or Development?

First you have to choose which version of Labeless to use: the latest stable release, which lacks the newest features, or the development version (not yet released, possibly with bugs).

Latest release

The archive with the latest release binaries can be found at https://github.com/a1ext/labeless/releases/latest.

This archive contains all the necessary binaries for debuggers and IDA in the appropriate folders:

For example, binary for Olly 1.10 resides in `.\OllyDbg110\plugins`:

The `AdvancedOlly` plugin prevents Olly 1.10 from crashing on Windows 7. That’s why it also resides in the archive, in case you want to test Labeless with Olly 1.10 on this OS.

And, for example, the binaries for IDA 7.x are in `.\IDA7X\plugins\`:

Latest Development Version

The archive with the binaries is left as a build artifact on the `appveyor` service and can be found by following these steps.

First, go to the Labeless’ `devel` branch commits GitHub page here:

Click the green check mark near the latest commit:


The following options will then appear. We are interested in the details of the first one:

Then we go to the `appveyor` site and click the `Artifacts` button:

The binaries can now be downloaded right there:

The archive contains all the necessary Labeless binaries, both for IDA and for the debuggers. Since this is an unreleased build, note the commit hash it was built from; that is the version identifier you will need when reporting a bug:

Installation Steps

After getting the archive with the binaries, the installation steps should be performed both on the host and the backend. They are described in the next sections below.

Host Side With IDA

Now for the simplest part. Just copy the IDA-side plugins, both the x86 and the x64 version, to IDA’s plugin folder:

Restart IDA and the Labeless menu will appear:

Please keep in mind that many options in Labeless are active only when a database is opened in IDA.

Backend Side With Debugger

This section consists of two parts:

  1. One time Labeless environment deployment.
  2. Using debugger with Labeless plugin.

Since all debuggers supported by Labeless run on Windows, this section assumes a Windows backend. (IDA on the host side may run on Linux as well; that is also supported.)


Labeless Environment Deployment

Everything described in this section needs to be done only once, before you start using Labeless.
After that, take a VM snapshot so you do not have to repeat the process (and so you always have a clean state to revert to after running a sample).

First of all, Python 2.7.x must be installed. It can be downloaded from python.org. Note that Python 2.7 reached end of life in January 2020, so keep this interpreter confined to the isolated backend VM.

Then make sure that `pip` is installed. It is included in the Python 2.7 installer, so this should not be an issue.

Now Labeless deployment is required. Two separate install sections are provided below: one for Windows XP and the other for Windows Vista+.

Note that if you want to use the x64 build of the debugger, all the steps below must be repeated with the x64 build of Python: the plugin loads the Python runtime in-process, so its bitness must match the debugger’s.

Windows Vista+

The `Labeless` package can be installed like any other package with `pip install`:

pip install labeless

The console output is as follows:

Note: this installation variant does not work on Windows XP. Labeless does not officially support XP yet, and the OS lacks the current trusted root certificates, so pip’s HTTPS connection to the package index fails with the following error:

There are some workarounds for this issue but we have decided that the simplest one is to provide separate installation instructions for Windows XP.

Windows XP

Download the latest release archive from GitHub: https://github.com/a1ext/labeless/releases/latest

Copy the `deploy` folder from the archive to any location on the machine:

We will use `C:\Temp\deploy` folder:

Now it’s Python time. First, `protobuf` must be installed by executing these commands in `cmd`:

cd C:\Temp\deploy
c:\Python27\python.exe setup_protobuf.py

The result should look like this:

Then Labeless itself must be installed from the included `*.whl` file:

c:\Python27\Scripts\pip install labeless-1.1.2.48-py2.py3-none-any.whl

Check the Labeless release version in the `pip install` command (`1.1.2.48` above; it changes with later releases, so use the wheel file name that is actually in your `deploy` folder).

Successful installation is indicated by this output:

Using Labeless with the Debugger

Now the plugin must be copied to the `plugins` directory of the chosen debugger. Any debugger from the list (also shown above) may be used:

  • OllyDbg 1.10
  • OllyDbg 2.01
  • x64dbg

Let’s take Olly 1.10, for example:

At this point the new entry in the plugin menu should appear:

Note: if the Python27 directory is not on your `PATH` (for example because you installed Python for the current user only), make sure that `python27.dll` is placed in the debugger’s root folder, otherwise the plugin cannot load its runtime:

Connecting IDA to Debugger

We have to make sure that IDA can reach the debugger instance.

IDA needs the IP address and port of the backend machine.

The IP is obtained by running `ipconfig` on the backend:

The Port is set in a debugger instance:

It is 3852 by default. The debugger side listens on this port for IDA’s connections, and the backend is where the untrusted sample runs, so keep that port reachable only from the host, e.g. over a host-only VM network, and never expose it beyond your lab segment:


Open the executable in IDA and go to Labeless settings (Alt+Shift+E):

Input the given values in the appropriate fields and press `Test connection`:

The below window should then appear:

The message indicates a successful connection from IDA to the debugger instance. IDA can now pull information from the debugger and, in turn, push information back to it.

Don’t forget to save input data by pressing the `Save & Close` button at the bottom of the options window:
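The following script is an added post-install check and is not part of Labeless. It automates the checks from the two sections above: run on the backend with the interpreter the debugger plugin will load, it verifies that the interpreter is Python 2.7 with the bitness of the debugger, that `google.protobuf` and `labeless` import (the import name `labeless` is assumed from the pip package name) and that `python27.dll` is resolvable; run on the host, it verifies that the backend address is on a private network and that TCP port 3852 accepts a connection. It only tests TCP reachability, not the Labeless protocol, so IDA’s `Test connection` remains the authoritative check. The paths and addresses in the usage lines are examples.

```python
"""labeless_check.py: post-install sanity checks for a Labeless setup.

Added example, not part of Labeless. Works on Python 2.7 and 3.x.

On the BACKEND, with the Python the debugger plugin will load:
    c:\\Python27\\python.exe labeless_check.py backend C:\\OllyDbg110 32
On the HOST, to check the debugger listener before using IDA's Test connection:
    python labeless_check.py host 192.168.56.101:3852
"""
from __future__ import print_function
import os
import socket
import struct
import sys

DEFAULT_PORT = 3852  # Labeless default debugger-side port


def python_bitness():
    """64 for a 64-bit interpreter, else 32; must match the debugger build."""
    return 8 * struct.calcsize("P")


def import_ok(module_name):
    """True if the module imports in this interpreter."""
    try:
        __import__(module_name)
        return True
    except ImportError:
        return False


def runtime_dll_present(debugger_dir, dll_name="python27.dll"):
    """The plugin must find python27.dll in the debugger folder or on PATH."""
    dirs = [debugger_dir] + os.environ.get("PATH", "").split(os.pathsep)
    return any(os.path.isfile(os.path.join(d, dll_name)) for d in dirs if d)


def is_private_ipv4(ip):
    """True for RFC 1918, link-local and loopback: the backend should live there only."""
    try:
        n = struct.unpack("!I", socket.inet_aton(ip))[0]
    except (socket.error, OSError, ValueError):
        return False
    ranges = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16),
              ("169.254.0.0", 16), ("127.0.0.0", 8)]
    for net, bits in ranges:
        base = struct.unpack("!I", socket.inet_aton(net))[0]
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if n & mask == base:
            return True
    return False


def parse_endpoint(text, default_port=DEFAULT_PORT):
    """Accept 'ip' or 'ip:port' and return (ip, port); raise ValueError if malformed."""
    host, sep, port = text.partition(":")
    port = int(port) if sep else default_port
    if not host:
        raise ValueError("empty host")
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return host, port


def tcp_reachable(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds (what IDA needs at minimum)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return True
    except (socket.error, OSError):
        return False
    finally:
        s.close()


def backend_checks(debugger_dir, debugger_bits):
    """List of (check name, passed) for the debugger machine."""
    return [
        ("Python 2.7.x interpreter", sys.version_info[:2] == (2, 7)),
        ("Python bitness matches debugger (%d-bit)" % debugger_bits,
         python_bitness() == debugger_bits),
        ("google.protobuf importable", import_ok("google.protobuf")),
        ("labeless importable (assumed import name)", import_ok("labeless")),
        ("python27.dll resolvable from %s" % debugger_dir, runtime_dll_present(debugger_dir)),
    ]


def host_checks(ip, port):
    """List of (check name, passed) for the IDA machine."""
    return [
        ("backend address %s is on a private/lab network" % ip, is_private_ipv4(ip)),
        ("TCP connect to %s:%d" % (ip, port), tcp_reachable(ip, port)),
    ]


def report(checks):
    """Print one line per check; return True only if all passed."""
    all_ok = True
    for name, passed in checks:
        print("[%s] %s" % ("OK  " if passed else "FAIL", name))
        all_ok = all_ok and passed
    return all_ok


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "backend"
    if mode == "backend":
        dbg_dir = sys.argv[2] if len(sys.argv) > 2 else os.getcwd()
        bits = int(sys.argv[3]) if len(sys.argv) > 3 else 32
        sys.exit(0 if report(backend_checks(dbg_dir, bits)) else 1)
    ip, port = parse_endpoint(sys.argv[2])
    sys.exit(0 if report(host_checks(ip, port)) else 1)
```

A non-zero exit status means at least one check failed; the printed line tells you which of the installation steps above to revisit. If the private-network check fails, fix the lab network before going further: a debugger listener reachable from outside the lab is a foothold into the machine that runs the sample.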


Upgrading Labeless

To keep the Labeless plugin on your backend up to date, run

pip install --upgrade labeless

from the command line. It performs all the necessary steps to update the Labeless Python package. On Windows XP this does not work for the reason given above; repeat the wheel-based procedure with the `deploy` folder of the new release instead.

Updated binaries for IDA on the host side have to be copied manually. Update both sides together so the host plugin and the backend package are from the same release.


Summary

In this part we’ve shown how to install Labeless both for IDA and popular debuggers.

In the next part we will cover auto-restoring WinAPI calls in malicious code dumped from the LockPoS point-of-sale malware.
While that particular case will be discussed, auto-restoring WinAPI calls instead of rebuilding the IAT by hand is applicable to other research as well.

So, let’s proceed to the next lesson in Labeless, where we will show you how to dump and auto-resolve WinAPI calls in the LockPoS point-of-sale malware – have fun!


Links

Labeless GitHub repository:
https://github.com/a1ext/labeless

Latest release version:
https://github.com/a1ext/labeless/releases/latest


Credits

All credits go to Alexander Trafimchuk (a1ex.t), author of Labeless and an all-round jolly good fellow.