REVEN - Auto-record with a VirtualBox VM

IMPORTANT: The automatic record feature is not available in the Free and Professional Editions. This page only applies to the Enterprise Edition.

IMPORTANT: Unlike QEMU, auto-record with a VirtualBox VM is not currently available in the Project Manager. This page explains how to build your own auto-record with VirtualBox that requires no manual interaction with the guest.

This document covers the following topics:

  • How to record with VirtualBox without using the keyboard shortcuts.
  • How to autorun your binaries in the guest.

You can find a complete example of auto-record with VirtualBox in the Project Manager Python API examples called vbox-automatic-record.py.

Recording a scenario in VirtualBox with ASM stubs

REVEN uses a hijacked instruction executed in the guest and interpreted differently by the hypervisor to control the record from the inside. This instruction is int3, executed with the command in rax (eax) and the magic value 0xDEADBABE in rdx.

The commands are:

  • 0xEFF1CAD6 to start the record (once a record has been started it cannot be restarted)
  • 0xEFF1CAD1 to stop the record and stop the VM

Preparing the binary

If you have a binary containing a function you want to record you can use ASM stubs:

void function_to_record() {
	// ...
}

int main() {
	// ...

	// Start the record: command 0xEFF1CAD6 in eax, magic value 0xDEADBABE in edx.
	// The hypervisor intercepts the int3; eax after the stub is left in ret.
	unsigned ret;
	__asm__ __volatile__("int3\n" : "=a"(ret) : "a"(0xEFF1CAD6), "d"(0xDEADBABE));

	function_to_record();

	// Stop the record and the VM: command 0xEFF1CAD1 in eax, same magic value in edx.
	__asm__ __volatile__("int3\n" : : "a"(0xEFF1CAD1), "d"(0xDEADBABE));

	// Can't reach this point, the previous ASM stub should have stopped the VM
	__asm__ __volatile__("ud2");
}

Launching the binary in a prepared guest (see below) will automatically start and stop the record.

Preparing the guest

The guest must be configured in the same way as for QEMU autorun. Then the instructions below must be followed.

Windows

IMPORTANT: The VM must be started in the Record step of the scenario workflow, or from the Project Manager Python API using the method start_vbox_snapshot_session with its scenario argument set to the id of the scenario in which you want to save your record.

On Windows, AutoPlay (if configured correctly) reads the file autorun.inf at the root of the CD-ROM to determine what to execute.

For example:

[autorun]
open=autorun.bat
shell\open\Command=autorun.bat

This will execute autorun.bat when the CD-ROM is inserted.

If autorun.bat contains something like this:

@echo off
D:\my_binary.exe

where my_binary.exe contains the ASM stubs responsible for starting and stopping the record, then you only need to insert a CD-ROM containing autorun.inf, autorun.bat and my_binary.exe into the guest to auto-record what you want to record.

Linux

IMPORTANT: The VM must be started in the Record step of the scenario workflow, or from the Project Manager Python API using the method start_vbox_snapshot_session with its scenario argument set to the id of the scenario in which you want to save your record.

As Linux has no AutoPlay feature, you should have configured the guest (as part of the autorun preparation) with a script that automatically executes autorun.sh when the CD-ROM is mounted.

So, if autorun.sh contains something like this:

./my_binary

where my_binary contains the ASM stubs responsible for starting and stopping the record, then you only need to insert a CD-ROM containing autorun.sh and my_binary into the guest to perform the auto-record.
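The following script stages the CD-ROM contents described in the Windows and Linux sections above. It is an added example, not part of the REVEN documentation or the vbox-automatic-record.py example: the function name stage_autorun_cd, the build_iso helper and the staging layout are this example's own choices. Two deliberate deviations from the snippets above are assumptions, not REVEN requirements: the generated autorun.bat uses %~dp0 (the drive and directory of the batch file itself) instead of a hardcoded D:\ drive letter, and the generated autorun.sh changes to its own directory first so that ./my_binary resolves regardless of where the mount hook runs it. Windows files are written with CRLF line endings.

```shell
#!/bin/sh
# Stage the contents of an auto-record CD-ROM for a REVEN VirtualBox guest.
# Usage: stage_autorun_cd <windows|linux> <path-to-binary-with-ASM-stubs> <staging-dir>
set -eu

stage_autorun_cd() {
    os="$1"; binary="$2"; outdir="$3"
    name=$(basename "$binary")
    [ -f "$binary" ] || { echo "binary not found: $binary" >&2; return 1; }
    mkdir -p "$outdir"
    cp "$binary" "$outdir/$name"
    case "$os" in
    windows)
        # AutoPlay reads autorun.inf at the root of the CD-ROM (CRLF endings for Windows).
        printf '[autorun]\r\nopen=autorun.bat\r\nshell\\open\\Command=autorun.bat\r\n' \
            > "$outdir/autorun.inf"
        # %~dp0 expands, inside the guest, to the drive and directory of autorun.bat,
        # so the CD drive letter is not hardcoded (assumption: the docs use D:\ directly).
        printf '@echo off\r\n"%%~dp0%s"\r\n' "$name" > "$outdir/autorun.bat"
        ;;
    linux)
        # The guest-side mount hook runs autorun.sh; cd to the mount point first so
        # that the relative ./my_binary path from the docs resolves.
        printf '#!/bin/sh\ncd "$(dirname "$0")" && ./%s\n' "$name" > "$outdir/autorun.sh"
        chmod +x "$outdir/autorun.sh" "$outdir/$name"
        ;;
    *)
        echo "unknown guest os: $os (expected windows or linux)" >&2
        return 1
        ;;
    esac
}

# Optional: wrap the staging directory into an ISO image that VirtualBox can attach.
# Returns 2 (without failing the staging) when no ISO tool is installed on the host.
build_iso() {
    srcdir="$1"; iso="$2"
    if command -v genisoimage >/dev/null 2>&1; then
        genisoimage -quiet -o "$iso" -R -J "$srcdir"
    elif command -v mkisofs >/dev/null 2>&1; then
        mkisofs -quiet -o "$iso" -R -J "$srcdir"
    else
        echo "no genisoimage/mkisofs found; attach $srcdir as a CD-ROM manually" >&2
        return 2
    fi
}

# Stand-alone demo with a constructed placeholder binary (not a real stub binary).
demo_dir=$(mktemp -d)
printf 'placeholder\n' > "$demo_dir/my_binary"
stage_autorun_cd linux "$demo_dir/my_binary" "$demo_dir/linux-cd"
ls -l "$demo_dir/linux-cd"
```

On a real host, point the second argument at the binary that contains the start/stop ASM stubs, run build_iso on the staging directory, and attach the resulting image to the VM started in the Record step (or via start_vbox_snapshot_session). Because the stop command also halts the VM, a CD that is left attached across reboots will re-trigger the record on every boot in an AutoPlay-enabled guest, so detach it once the record has been taken.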

Advanced usage

REVEN v1 used what we called preloaders that were responsible for starting the record at the start of the binary by using various methods:

  • On Linux: using the ptrace API to single step until the entry point is found.
  • On Linux: using a .so dynamically loaded with LD_PRELOAD setting a breakpoint at the entry point.
  • On Windows: using the Windows API to start a suspended process and patch it.

You can reproduce some of these methods using the ASM stubs approach explained above.