REVEN-Axion 2015v1.1-r3
GUI Addons

Python binding

Axion can easily be extended in python thanks to the python API. Moreover, Axion is shipped with a few plugins and external scripts:

Percent addon

The percent addon add the capability of jumping between stack memory accesses. If the currently selected instruction writes something on the stack, percent will go to the next instruction reading the memory, on the other way, if the current instruction is reading some value on the stack, percent will jump on the previous instruction writting the memory. In practice, this is very useful to follow push/pop operands or call/ret boundaries.

The addon is named percent as it has been designed to work like the vim editor percent keybinding on curly brackets.

To use this addon, you must map a key to the to plugin in the shortcut configuration panel.

Gdbserver addon

The Gdbserver addon provides compatibility with the common gdb serial protocol api and migth be useful to users who need to use their favorite gdb compatible debugger as REVEN frontend. You can start the listening server via a graphical widget accessible through the Window menu.

To simply test the addon, start the service through the widget, and then connect to it with gdb command line.

1 $ gdb mybinary
2 (gdb) target remote <host>:<port>

Qb-sync addon

Qb-sync enables synchronisation between an IDA instance and a backend debugger. More information can be found on the QuarksLab blog at http://blog.quarkslab.com/qb-sync.html.

Axion Qb-sync addon provides a graphical widget to use REVEN as a Qb-sync debugger backend, so you can have both a dynamic view (Axion) and a static view (IDA) synced for an unmatched ease of analysis!

To use the addon, you have to install Qb-sync first. Then, you can start the Axion Qb-sync backend through the widget and launch the SyncPlugin.py IDA script to start the analysis.

Qb-Sync activates syncronization only when the right binary is being debugged, based on the name of the executable module. The information must therefore be available in REVEN; this means the scenario must contain processes information.

RvnKd addon

The RvnKd addon provides a python library allowing to create a full memory dump at a specific execution point which will be compatible with Microsoft KD/WindDbg debuggers.

A command line tool called genDump.py is provided to show case the library usage.

The run, sequence and instruction arguments are used to specify at which moment of the trace the dump will be generated, and needs to match to a kernel sequence. The reason is, in order to perform physical address translation and access kernel virtual memory, rvnkd needs to know a ring0 directory table base value. The genDump.py extracts it from the cr3 cpu context register while executing a kernel process.

1 $ python /usr/lib/python2.7/dist-packages/reven-scripts/rvnkd/genDump.py --help
2 usage: genDump.py [-h] [--host host] [--port port] [-r run] [-s sequence]
3  [-i instruction]
4  output
5 
6 Create a Windbg full kernel-dump file (a.k.a. MEMORY.DMP) of a reven instance.
7 
8 positional arguments:
9  output the output file
10 
11 optional arguments:
12  -h, --help show this help message and exit
13  --host host the reven host
14  --port port the reven server port
15  -r run the reven execution run name. Default: Execution run
16  -s sequence the reven execution sequence. Default: 0
17  -i instruction the reven execution instruction. Default: 0
18 
19 $ python /usr/lib/python2.7/dist-packages/reven-scripts/rvnkd/genDump.py --host 192.168.1.254 --port 13370 -s 34567 /tmp/MEMORY.dmp
20 
21 Looking for windows kernel objects
22 ----------------------------------
23 [*] KPCR: 8273cc00
24 [*] KdVersionBlock: 8273bbc0
25 [-] Error: page fault exception, while trying to access memory at 23:[82981fec]
26 [-] Error while getting KdDebuggerDataBlock from KdVersionBlock: page fault exception
27 Scanning physical memory (273B000))
28 [*] KdDebuggerDataBlock: 8273bbe8
29 
30 Writing DMP header
31 ------------------
32 Filling header 100%
33 [-] Invalid Windows PAE status: 0 (expect 1)
34 
35 Loading physical address space
36 ------------------------------
37 Number of run: 2
38 Number of pages: 130958
39 Run 1/2: Writing page 158/158 100%
40 Run 2/2: Writing page 130800/130800 100%
41 [+] Successfully created DMP file `/tmp/MEMORY.dmp`.

The generated dump file size will be equal to the physical memory amount configured in the virtual machine used to generate the scenario.

The genDump.py script tries several methods to recover the needed kernel structures, some attempt may fail and produce errors. This is the normal behavior and the generated dump file will be completely valid anyway.

Wireshark launcher addon

pcap_launcher.py enables the user to inspect either network or usb traffic, based on the project's scenario hardware information.

This plugin adds two buttons in REVEN-Axion toolbar. Clicking on one of them will generate the relevant pcap-ng file on the server side, retrieve it back and launch wireshark on the client side.

The default command for starting wireshark is the following, but a small configuration tuning may be necessary for it to work with your actual setup (see source file for full customization):

1 pcap_launchcmd = "(wireshark -r $HOME/reven_data/%u/%p/output/%c)&"

Moreover, since the pcap-ng file is generated on the server, you may want to use sshfs to have access to your projects data as if they were on your local filesystem:

1 sshfs reven@your_reven_server_hostname:reven_data $HOME/reven_data

Wireshark to axion sync addon

You might also want to enable synchronization between the selected packet in Wireshark and the selected sequence and physical buffer in Axion. This requires two plugins, one on the Axion side and one on the Wireshark side, and the latter requires manual activation:

wireshark plugin

The wireshark plugin is installed but disabled by default.

Start by checking your plugin installation: verify you have a menu entry Tools > axion_sync. If not, install the debian package wireshark-axion_sync from your REVEN release repository. It will install axion_sync plugin for wireshark system wide.

Then enable it: in wireshark, go to Edit > Preferences > Statistics and check Enable axion_sync on packet selection. This setting will be kept across wireshark restarts.

Click on any frame to sync' axion.

axion_sync plugin

axion_sync plugin is enabled by default and you should have nothing to do on this side.

It will launch a server listenning on port 9000 for any selection request from wireshark's plugin.

On frame selection from wireshark, axion will:

  • append to physical history widget all sub-buffers used by the network card for the selected frame (header and content are usually in separate buffers)
  • select the instruction on which the network card access occured.

From the physical history widget you can track network buffer uses. Then, in the instruction view, on the accessing instruction operands you can easily invoke an hex dump window to see the logical buffer and use memory history to continue your track.

TETRANE © 2015 Last update on: Wed Nov 4 2015