To improve readability, REVEN can provide OS semantic information such as binary and symbol information. This page explains the various pieces of information and how they appear in AXION.
What is called binary information is all information related to a segment of memory that is mapped into a process address space. Most of the time, such a segment is a binary loaded in memory, but it can also be a stack, a heap, a region of memory allocated by a process, etc. A memory segment is valid for one process and is defined by a base address (its start address), a size and a name. (The base address matters for the management of symbols.)
Information is retrieved from process map files generated by the dump_process tool during the generation of a scenario. A process map file has the same format as a Linux map file and is indexed by PID.
Example:
For now, only paths are accessible and displayed.
If no binary information is available for an address, a generated name is displayed. It has the following form:
There can be many reasons for that:
Binary information can be grouped into two categories:
Information that is independent of the process is then linked to each process that mapped the memory segment. In that way, duplication is avoided and, more importantly, it becomes easy to propagate modifications of the information to all involved processes.
With the Python API, it is possible to map a memory segment into a process address space.
Example:
Process address space (cr3 = 0x078c0000), with Example.exe mapped at 0x400000:

    0x400000 +-------------+
             | Example.exe |
    0x402000 +-------------+
Symbols are part of binary information. A symbol is linked to a memory segment and is defined by a relative virtual address (RVA) and a name.
An RVA is an offset from the base address of the memory segment.
Using an RVA instead of a virtual memory address makes the symbol independent of where the memory segment is mapped in the process address space.
There are four possible sources of symbols:
Symbols named func_<rva> are added at each target of a call instruction that has no pre-existing symbol.
A symbol has a unique name and there is only one symbol per RVA. If a symbol is modified, the following priorities apply between the various symbol sources:
lowest –(1)–(2)–(3)–(4)–> highest
The following example shows what is displayed in various situations.
Process address space (cr3 = 0x078c0000), with Example.exe mapped at base address 0x400000:

    address                        rva      symbol
    0x400000 +-------------+      0x0      nil
             | Example.exe |      0x300    Sym1
             |             |      0x1200   Sym2
    0x402000 +-------------+      0x2000
Possible cases for a symbol's name:
- Example.exe_<rva> (the RVA is located before any symbol of the segment)
- Sym1
- Sym1+0x<offset from rva>
- Sym2
- Sym2+0x<offset from rva>
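The naming rules above, as an added worked example (not REVEN's own code or API): it parses a constructed process map in Linux maps format into (base, size, name) segments, converts a virtual address into an RVA, and picks the display name the way the cases above describe. The symbol table, map lines and the hex formatting of the RVA are assumptions for the example.

```python
"""Resolve virtual addresses to the symbol names described in the cases above."""
import bisect
import re

# Constructed process map in Linux /proc/<pid>/maps format (not a real capture).
MAP_FILE = """\
00400000-00402000 r-xp 00000000 00:00 0          C:\\Example.exe
7ffd0000-7ffd3000 rw-p 00000000 00:00 0          [stack]
"""

# Constructed symbols of Example.exe keyed by RVA (offset from the base address).
SYMBOLS = {"Example.exe": {0x300: "Sym1", 0x1200: "Sym2"}}

# range, perms, offset, dev, inode, then the optional path
_MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_map(text):
    """Return memory segments as (base, size, name) tuples, one per map line."""
    segments = []
    for line in text.splitlines():
        m = _MAP_RE.match(line.strip())
        if not m:
            continue
        start, end, path = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        # keep only the file name, whatever the path separator
        name = path.replace("\\", "/").rsplit("/", 1)[-1] or "<anonymous>"
        segments.append((start, end - start, name))
    return segments


def find_segment(segments, address):
    """Return the (base, size, name) segment containing address, or None."""
    for base, size, name in segments:
        if base <= address < base + size:
            return base, size, name
    return None


def symbol_name(segments, address):
    """Apply the display rules: <name>_<rva>, Sym, or Sym+0x<offset>."""
    seg = find_segment(segments, address)
    if seg is None:
        return None  # no binary information: a generated name is shown instead
    base, _size, name = seg
    rva = address - base
    rvas = sorted(SYMBOLS.get(name, {}))
    i = bisect.bisect_right(rvas, rva)
    if i == 0:  # no symbol at or before this RVA
        return f"{name}_0x{rva:x}"
    sym_rva = rvas[i - 1]
    offset = rva - sym_rva
    return SYMBOLS[name][sym_rva] + (f"+0x{offset:x}" if offset else "")
```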
Through AXION, it is only possible to rename a symbol: use the default shortcut N on the selected symbol in the instruction view.
Adding new symbols is only possible through the Python API.
Example: