
Abstract

Friday 2 October 10:00 - 10:30, Red room

Aliaksandr Chailytko (Check Point)
Aliaksandr Trafimchuk (Check Point)

download slides (PDF)

Use case

How many times have you been in this situation: you've dumped a decrypted body of really hardcore malware after unpacking, and several hours of work later you have a perfectly documented IDA database (IDB), with some 'blind spots' that need to be investigated dynamically. You drop the executable into Olly and... have absolutely no idea what's going on, since there are no labels, function names or comments. All you've got is jmp loc_00401000, call 0040135F, etc.

One possible answer is to export a '*.map' file from IDA and use the 'mapimp' plug-in for Olly to import it. However, there is one strong limitation: the plug-in does not support rebasing of the module, making work with packed malware (especially if it injects itself into other processes) basically impossible. Another disadvantage of 'mapimp' is that when you make changes to your IDB, you cannot update the information in Olly in real time.

What's the solution? Meet 'Labeless'.

Overview

Labeless is a plug-in for dynamic, seamless and real-time synchronization between Olly and IDA. Synchronization is performed correctly even if the malware has been relocated, which is usually the case with multistage packed malware or following injections.

Labeless, which is based on our PyExCore project, consists of two parts: the IDA plug-in and the OllyDbg plug-in.

Executing Python scripts in OllyDbg and feeding results back to IDA (PyExCore)

These are the key features of PyExCore:
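The following Python script is an added illustration of the rebasing problem the abstract describes; it is not code from the talk, from Labeless, from mapimp or from PyExCore. It parses the 'Publics by Value' section of an IDA-style '*.map' export, then recomputes every label's virtual address for a module that has been relocated (for example after an injection). The sample map text, the segment-to-RVA table (SEGMENT_RVA) and all label names are constructed for the example; the map layout assumed here is the Borland-style layout IDA emits, but a real export may contain more sections than shown.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of an IDA-exported .map file (assumption:
# real files follow the Borland MAP layout; extra sections may be present).
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 00008A3AH .text                   CODE
 0002:00000000 00001200H .data                   DATA

  Address         Publics by Value

 0001:00000000       start
 0001:0000035F       decrypt_config
 0002:00000010       g_config_blob

Program entry point at 0001:00000000
"""

# Assumed (constructed) mapping of map-file segment index to section RVA.
# A map file carries no image base, which is exactly why a plain import
# breaks once the module is loaded somewhere else.
SEGMENT_RVA: Dict[int, int] = {1: 0x1000, 2: 0xA000}
ORIGINAL_BASE = 0x400000

# One "segment:offset  name" line from the Publics section.
PUBLIC_RE = re.compile(r'^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$')


def parse_publics(map_text: str) -> List[Tuple[int, int, str]]:
    """Return (segment, offset, name) for every public symbol in the map."""
    publics: List[Tuple[int, int, str]] = []
    in_publics = False
    for line in map_text.splitlines():
        if 'Publics by Value' in line:
            in_publics = True          # symbol lines start after this header
            continue
        if not in_publics:
            continue                   # skip the segment table
        m = PUBLIC_RE.match(line)
        if m:
            publics.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return publics


def rebase_labels(publics: List[Tuple[int, int, str]],
                  segment_rva: Dict[int, int],
                  new_base: int) -> Dict[int, str]:
    """Map each label to its VA in a module loaded at new_base.

    VA = new_base + RVA(segment) + offset, so the same map serves any base.
    """
    labels: Dict[int, str] = {}
    for seg, off, name in publics:
        if seg not in segment_rva:
            raise ValueError(f"unknown segment {seg:04X} for symbol {name}")
        labels[new_base + segment_rva[seg] + off] = name
    return labels


def label_for(labels: Dict[int, str], va: int) -> Optional[str]:
    """Nearest preceding label, rendered debugger-style as name or name+delta."""
    preceding = [addr for addr in labels if addr <= va]
    if not preceding:
        return None
    base = max(preceding)
    delta = va - base
    return labels[base] if delta == 0 else f"{labels[base]}+{delta:X}"


if __name__ == '__main__':
    publics = parse_publics(SAMPLE_MAP)
    # At the original base the map resolves the bare 'call 0040135F' from the
    # abstract to a readable name.
    original = rebase_labels(publics, SEGMENT_RVA, ORIGINAL_BASE)
    print(f"0040135F at original base -> {label_for(original, 0x40135F)}")
    # After relocation to a constructed base the same map still resolves,
    # while an un-rebased import would label the wrong addresses.
    relocated = rebase_labels(publics, SEGMENT_RVA, 0x2C0000)
    for va in (0x2C1000, 0x2C135F, 0x2C1362, 0x2CA010):
        print(f"{va:08X} at relocated base -> {label_for(relocated, va)}")
```

The design choice worth noting is that labels are never stored as absolute addresses; everything is kept relative to a segment RVA and resolved against whichever base the debugger reports, which is the property the abstract says mapimp lacks and Labeless provides.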
