REVEN v2 - Auto-record on Vbox
This document isn't as complete as the QEMU one, as the auto-record isn't a feature currently available for Virtualbox in the Project Manager Python API. However, this document will explain to you how to build your own auto-record on Vbox without any manual interaction with the guest.
This document covers the following topics:
- how to record in Vbox without using the keyboard shortcuts
- how to autorun your binaries in the guest.
Warning: This mode of operation is based on the way REVEN v1 was doing its auto-record, and is subject to change in a later version. Also note that this document won't talk about some advanced features of the auto-record using Vbox.
You can find a complete example of auto-record in Virtualbox in the Project Manager Python API examples called vbox-automatic-record.py
.
ASM stubs
REVEN v1 has been using an hijacked instruction executed in the guest and interpreted differently in the hypervisor to control the record from the inside. This instruction is int3
with the magic value (0xDEADBABE
) in rdx
.
The commands are:
0xEFF1CAD6
to start the record (when started you won't be able to restart it)0xEFF1CAD1
to stop the record and stop the VM
Example
If you have a binary containing a function you want to record you can use ASM stubs:
void function_to_record() {
// ...
}
int main() {
// ...
// Start the record
unsigned ret;
__asm__ __volatile__("int3\n" : "=a"(ret) : "a"(0xEFF1CAD6), "d"(0xDEADBABE));
function_to_record();
// Stop the record and the VM
__asm__ __volatile__("int3\n" : : "a"(0xEFF1CAD1), "d"(0xDEADBABE));
// Can't reach this point, the previous ASM stub should have stopped the VM
__asm__ __volatile__("ud2");
}
All you have to do to record this function is to launch this binary in the guest and this will automatically start/stop the record.
Warning: The session should have been started in the step Record
of the workflow of a scenario or from the Project Manager Python API using the method start_vbox_snapshot_session
with the argument scenario
containing the id of the scenario where you want to save your record.
Autorun
To enable autorun you will need to configure the guest in the same way as for QEMU autorun, and then follow the following instructions.
Windows
On Windows, AutoPlay
(if configured correctly) will use the file autorun.inf
at the root of the CD-ROM to know what to execute.
For example:
[autorun]
open=autorun.bat
shell\open\Command=autorun.bat
This will execute autorun.bat
when the CD-ROM will be inserted.
If autorun.bat
contains something like that:
@echo off
D:\my_binary.exe
With my_binary.exe
containing the ASM stubs responsible for the start/stop of the record. You will just need to insert a CD-ROM into the guest containing autorun.inf
, autorun.bat
and my_binary.exe
to auto-record what you want to record.
Linux
As Linux doesn't have the AutoPlay
feature, you should have configured it to use a script which will execute automatically autorun.sh
when the CD-ROM is mounted.
So, if autorun.sh
contains something like that:
./my_binary
with my_binary
containing the ASM stubs responsible for the start/stop of the record, you will just need to insert a CD-ROM into the guest containing autorun.sh
and my_binary.exe
to perform the auto-record.
Advanced usage
REVEN v1 used what we called preloaders
that were responsible for starting the record at the start of the binary by using various methods:
- On Linux: using the
ptrace
API to single step until the entry point is found - On Linux: using a
.so
dynamically loaded withLD_PRELOAD
setting a breakpoint at the entry point - On Windows: using the Windows API to start a suspended process and patch it
You can reproduce some of these methods using the ASM stubs explained in this document but the accuracy will probably not be sufficient to have the first instruction of the record be the first instruction of the binary.