REVEN-Axion 2017v1.4.2
Axion Overview

Axion's GUI provides the user with a view of the execution trace, and various means of extracting information and analysing it.

Navigation - basics

The Instruction View

This central view represents the flow of instructions of the execution trace.

trace_view.png
The Trace view

It is divided into sequences: the screenshot above shows three of them, each with its identifier, symbol name and offset within that symbol. To know more about symbols in REVEN, see the corresponding documentation.

The Trace View

This widget presents the sequences as a hierarchy based on calls and returns.

tree_view.png
The Call Tree View

You can use this view to filter the instruction view using the Filter button:

pmfilter.png
Filtering

Once the filter is active, the instruction view hides the sequences that lie in the tree's collapsed branches.

Bookmarks

You can store named bookmarks to keep track of interesting places.

bookmark_widget.png
Bookmarks widget

You can use the contextual menu of the instruction and trace views or use the appropriate keyboard shortcut to add a bookmark, and then the widget or the shortcuts to navigate through them.

seq_bookmark.png
Adding a Bookmark from Trace

Navigation - advanced

Previous / Next

You can easily follow accesses (reads, writes, or both) of registers and memory locations. First, you need to select what to follow. You can select an instruction's first or second operand by clicking on it in the instruction view:

previousnext-select.png
Selecting an operand

You can also select a register through the CPU widget, or a memory location from the hex dump view, both through their respective contextual menus.

Once an operand is selected, tick Read and/or Write to choose which kinds of access to follow, then navigate using the Previous and Next buttons:

previousnext-next.png
Going to the next use

Tainting

The tainter highlights dependencies between memory locations and/or registers. It can work forward (highlight data that depends on what you selected) or backward (highlight what your selected operand depends on).

The selection process is exactly the same as for the Previous / Next:

taint-select.png
Selecting an operand for tainting

Once your operand is selected, click on the Taint button, then on Forward or Backward in the now opened Tainter widget:

taint-backward.png
Configuring the taint

Now you should see operands being highlighted in the instruction view.

taint-propagated.png
A backward taint

Memory history

The hexdump view can also display the history of accesses of any memory buffer, as long as the memory history inspector has been selected prior to execution:

memory_history.png
The Hexdump widget with memory history

Select a byte, a word or even a whole buffer and check "Show access history". You should see the list of accesses to that buffer; double-clicking an access takes you directly to that point of the execution trace.
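The three features above (Previous/Next on a selected operand, forward and backward tainting, and memory access history) all reduce to walking a recorded trace and looking at which operands each instruction reads and writes. The following is an added toy model of that, not REVEN or Axion code: the trace is constructed, operands are plain strings such as "rax" or "[0x1000]", and the functions return the indices Axion would jump to or the operands it would highlight.

```python
"""Toy model of Axion's Previous/Next, forward/backward taint and memory
history over a recorded trace. Constructed illustration, not REVEN/Axion
code; the trace below is made up and operands are plain strings."""
from dataclasses import dataclass, field


@dataclass
class Insn:
    """One executed instruction: the operands it reads and the ones it writes."""
    text: str
    reads: set = field(default_factory=set)
    writes: set = field(default_factory=set)


def mem(addr):
    """Operand name for one memory location."""
    return f"[{addr:#x}]"


# Constructed trace, one entry per executed instruction (one row of the
# instruction view). 'xor rcx, rcx' is modelled as reading nothing: it is a
# zeroing idiom, so its result does not depend on the old rcx. A taint
# engine that treated it as a real read would carry stale taint through it.
TRACE = [
    Insn("mov rax, [0x1000]", reads={mem(0x1000)}, writes={"rax"}),
    Insn("mov rbx, 5", writes={"rbx"}),
    Insn("add rax, rbx", reads={"rax", "rbx"}, writes={"rax"}),
    Insn("mov [0x2000], rax", reads={"rax"}, writes={mem(0x2000)}),
    Insn("xor rcx, rcx", writes={"rcx"}),
    Insn("mov rdx, [0x2000]", reads={mem(0x2000)}, writes={"rdx"}),
    Insn("mov [0x1000], rcx", reads={"rcx"}, writes={mem(0x1000)}),
]


def find_access(trace, operand, start, direction, read=True, write=True):
    """Previous/Next: index of the nearest instruction strictly before
    (direction < 0) or after (direction > 0) `start` that reads and/or
    writes `operand`, or None if there is none in that direction."""
    indices = range(start + 1, len(trace)) if direction > 0 else range(start - 1, -1, -1)
    for i in indices:
        insn = trace[i]
        if (read and operand in insn.reads) or (write and operand in insn.writes):
            return i
    return None


def taint_forward(trace, operand, start):
    """Forward taint from `operand` as it is after instruction `start`.
    Returns {instruction index: operands to highlight}. An instruction that
    reads a tainted value taints everything it writes; one that overwrites a
    tainted location from clean inputs clears that location."""
    tainted = {operand}
    highlights = {}
    for i in range(start + 1, len(trace)):
        insn = trace[i]
        hit = insn.reads & tainted
        if hit:
            highlights[i] = hit | insn.writes
            tainted |= insn.writes
        else:
            tainted -= insn.writes
    return highlights


def taint_backward(trace, operand, start):
    """Backward taint: what `operand` at instruction `start` depends on.
    Walks back to the instruction that last wrote each wanted location and
    replaces it by that instruction's inputs (a dynamic backward slice)."""
    wanted = {operand}
    highlights = {}
    for i in range(start, -1, -1):
        insn = trace[i]
        produced = insn.writes & wanted
        if produced:
            highlights[i] = produced | insn.reads
            wanted = (wanted - insn.writes) | insn.reads
    return highlights


def memory_history(trace, lo, hi):
    """Access history of the byte range [lo, hi]: (index, 'R'|'W', address)
    in execution order, as the hexdump widget lists it."""
    history = []
    for i, insn in enumerate(trace):
        for kind, ops in (("R", insn.reads), ("W", insn.writes)):
            for op in ops:
                if op.startswith("["):
                    addr = int(op[1:-1], 16)
                    if lo <= addr <= hi:
                        history.append((i, kind, addr))
    return history


if __name__ == "__main__":
    print("next use of rax after insn 0:", find_access(TRACE, "rax", 0, +1))
    print("forward taint of rax @0:", taint_forward(TRACE, "rax", 0))
    print("backward taint of rdx @5:", taint_backward(TRACE, "rdx", 5))
    print("history of 0x1000:", memory_history(TRACE, 0x1000, 0x1000))
```

Two things the toy makes visible that the GUI only shows as highlights: forward taint must be cleared when a tainted location is overwritten from clean inputs (otherwise every later use of rcx after the xor would be flagged), and backward taint is a slice, so tainting rdx at the last instruction pulls in the original load from [0x1000] and the constant written to rbx. In Axion the memory history is only available when its inspector was enabled before the run; the toy has the whole trace in memory, so no such restriction applies here.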

Search

The search widget will search for items in the execution trace. You can search for addresses, binaries, symbols or device accesses.

search-basic.png
The search widget

It presents the results in two ways: a combo box for quick access, and a horizontal bar representing the entire trace.

Note that, should you work on big traces (hundreds of millions of sequences), searching through the entire trace can take quite a long time. You can easily select an execution range to search in by right-clicking and dragging in the horizontal bar:

search-range.png
Reducing search to a particular range

Current symbol graph

You can display a graph of the current symbol and location.

graph-symbol.png
A symbol's graph

What you see are the different paths the execution could take: it is a static view of the symbol. The actual path taken by the execution is highlighted on it.

Contextual information

Part of the information you will see is only relevant to the selected instruction or sequence:

CPU

The CPU widget displays the state of CPU registers.

cpu-view.png
The CPU view

Note the contextual menu, in which you can select which group of registers you want to see.

Backtrace

The backtrace widget simply displays the current backtrace, as with any debugger.

backtrace.png
The Backtrace view

Framebuffer

The framebuffer is a view of the machine's screen state.

framebuffer.png
The Framebuffer view

Note that Axion cannot display the framebuffer unless you started the "dump_process" binary before your own binary when you created the scenario.

Aggregated information

There is also information that is not contextual but rather about the entire execution trace:

Strings

The string widget summarizes every memory buffer that was accessed during the execution and that looks like a valid string.

Akin to the memory history widget, you can select a string and see its accesses. You can also filter on the strings you want displayed, if you're looking for a particular pattern. Note that this filter can be slow on huge traces.

strings.png
The String view

It requires the string inspector to be activated prior to execution.

Symbols

Pretty much self-explanatory, this widget gives the list of symbols that were encountered during the execution.

symbols.png
The Symbols view

Binary dependency graph

Displays the known binaries and their dependencies.

binaries.png
The binary dependencies

Hot points

The hot points list is a central widget where certain inspectors push data about execution points that require your attention. For example, it can report use-after-frees, provided you activated the appropriate inspector.

hotpoints.png
Various hot points
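To make concrete what a use-after-free inspector has to compute before it can push a hot point, here is an added toy inspector. It is a constructed illustration, not an Axion inspector: it replays a made-up stream of heap events and memory accesses, tracks which blocks are live or freed, and records a hot point (with the trace index Axion would jump to) for every access into a freed block and every double free.

```python
"""Toy use-after-free inspector over a constructed event stream.
Illustration only, not an Axion inspector; the events below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HotPoint:
    index: int      # position in the trace (the point Axion would jump to)
    kind: str       # "use-after-free" or "double-free"
    address: int
    detail: str


# Constructed event stream. Each tuple is (kind, ...):
#   ("alloc", base, size)  -> the allocator returned [base, base+size)
#   ("free", base)         -> free(base)
#   ("read"|"write", addr, size) -> a memory access of `size` bytes
EVENTS = [
    ("alloc", 0x10000, 0x40),
    ("write", 0x10000, 8),
    ("free", 0x10000),
    ("read", 0x10008, 8),      # dangling pointer read: hot point
    ("free", 0x10000),         # double free: hot point
    ("alloc", 0x10000, 0x40),  # allocator hands the same block out again
    ("read", 0x10010, 8),      # block is live again: no hot point
    ("alloc", 0x20000, 0x10),
    ("read", 0x20004, 4),
]


def overlaps(a_base, a_size, b_base, b_size):
    """True if the byte ranges [a_base, a_base+a_size) and [b_base, b_base+b_size) intersect."""
    return a_base < b_base + b_size and b_base < a_base + a_size


def find_use_after_free(events):
    """Replay `events` and return the hot points in trace order."""
    live = {}    # base -> size of currently allocated blocks
    freed = {}   # base -> size of blocks freed and not yet reallocated
    hot = []
    for i, ev in enumerate(events):
        kind = ev[0]
        if kind == "alloc":
            _, base, size = ev
            # A new allocation revives whatever freed blocks it overlaps.
            for fb in [b for b, s in freed.items() if overlaps(base, size, b, s)]:
                del freed[fb]
            live[base] = size
        elif kind == "free":
            _, base = ev
            if base in live:
                freed[base] = live.pop(base)
            elif base in freed:
                hot.append(HotPoint(i, "double-free", base,
                                    f"free({base:#x}) of an already freed block"))
            # free() of a pointer this model never saw allocated is ignored here.
        else:
            _, addr, size = ev
            for fb, fs in freed.items():
                if overlaps(addr, size, fb, fs):
                    hot.append(HotPoint(i, "use-after-free", addr,
                                        f"{kind} of {size} bytes at {addr:#x} "
                                        f"inside block freed from {fb:#x}"))
                    break
    return hot


if __name__ == "__main__":
    for hp in find_use_after_free(EVENTS):
        print(f"#{hp.index}: {hp.kind} at {hp.address:#x}: {hp.detail}")
```

The model deliberately stops flagging a block once the allocator has handed it out again (event 6 above). That is the limit of a pure freed-range check: a stale pointer dereferenced after reuse looks like a legitimate access to the new owner's data, which is exactly the situation an attacker aims for. Catching it requires tracking where each pointer value came from (for instance with the tainter, starting from the return value of the allocation that was freed), which is why the hot points list is best read together with the other widgets rather than on its own.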

Technical information

List of inspectors

This widget lists which inspectors were activated for this trace.

inspectors.png
Inspectors

Information log

This is where Axion will display warnings, errors, or important messages. It's a good idea to give it a look after an execution is complete, to make sure everything is okay.

log.png
The log