2.5.0

Highlights

REVEN version 2.5 is packed with new features, from GUI and workflow improvements to ever better third-party integration! Here are some highlights:

  • Microsoft WinDbg integration: the REVEN server can now act as a Windows machine being debugged by WinDbg. This allows you to use the usual WinDbg commands with REVEN and to get the best of both WinDbg debugging and REVEN timeless analysis.

  • Zoomable timeline in Axion: it provides a zoomed view of the main timeline, making it much easier to distinguish between search results or bookmarks that lie close together.

  • New VM installation workflow: a new wizard will guide you through the necessary steps for adding a VM, in particular making it "lighter" for REVEN scenario recording.

  • Improved hexdump management: the hexdump widget is now reused by default when following a memory address, to avoid "hexdump proliferation". The hexdump style has also been reworked for improved clarity.

  • Python API/Axion synchronization: it is now possible to instruct Axion to select a transition from the Analysis Python API.

  • Jupyter Notebook integration: REVEN 2.5 now includes a Jupyter notebook server so that you can easily use the REVEN Analysis Python API on a given scenario from the Project Manager.

  • Server-side bookmarks management: the bookmarks of a scenario are now saved live with the scenario data and exported automatically when exporting a scenario.

In addition, bookmarks are automatically synchronized between Axion clients, making it easy to share key points of interest with other users if you're using REVEN Enterprise.

Improvements

Analysis Python API

  • Added a bookmark module that allows you to programmatically add, access, edit and remove bookmarks.
  • Added address.LinearAddress.translate, address.LogicalAddress.translate and address.LogicalAddressSegmentIndex.translate to translate virtual addresses into an address.PhysicalAddress.
  • Added the trace.Transition.find_inverse method to get the transition that performs the inverse operation of the given transition. This feature was previously provided by the percent.py script.
  • Added the trace.Context.find_register_change method to find the next/previous context at which the content of the requested register is modified.
  • Added a session module that allows publishing various events to clients such as Axion.
  • Added the RevenServer.sessions property, which lists the sessions tracked by the RevenServer.
  • RevenServer and RevenServer.connect now accept an additional keyword parameter, 'sessions', to set the tracked sessions.
  • In Jupyter Notebook, a reven2.trace.Transition instance now displays as a clickable link that instructs Axion to select that transition.
  • Added a search_in_memory.py example script to search for patterns in virtual memory. You can find it on the Download page of the Project Manager.
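The two bullets on virtual-to-physical translation and on searching patterns in virtual memory both rest on the same mechanism: a 4-level x86-64 page walk. The following is an added example written for these notes; it is not REVEN/Tetrane code and does not call the reven2 API. It implements the page walk a translate method has to perform (present bit, effective writable/user bits, NX, 2 MiB and 1 GiB large pages, canonical-form check) and then searches a byte pattern page by page through virtual space, so that a match straddling two virtual pages whose physical frames are far apart is still found, while a copy that sits in a frame no page table maps is not. The PhysMem class, the helper names and the whole address space built by build_sample_space are constructed for the demonstration.

```python
"""Added example (not REVEN/Tetrane code, not the reven2 API): the x86-64
4-level page walk behind a virtual-to-physical translate, plus a pattern search
run over *virtual* memory. The address space below is constructed."""
from collections import namedtuple

PAGE = 0x1000
ADDR_MASK = 0x000F_FFFF_FFFF_F000   # physical-address bits 51:12 of a paging entry
PRESENT, WRITABLE, USER, PAGE_SIZE_BIT, NX = 1 << 0, 1 << 1, 1 << 2, 1 << 7, 1 << 63
Mapping = namedtuple("Mapping", "pa writable user executable")


class PhysMem:
    """Sparse physical memory: page-aligned 4 KiB bytearrays created on demand."""

    def __init__(self):
        self.pages = {}

    def _page(self, pa):
        return self.pages.setdefault(pa & ~(PAGE - 1), bytearray(PAGE))

    def read(self, pa, size):
        out = bytearray()
        while size > 0:                       # a read may cross several frames
            off = pa & (PAGE - 1)
            chunk = self._page(pa)[off:off + min(size, PAGE - off)]
            out += chunk
            pa, size = pa + len(chunk), size - len(chunk)
        return bytes(out)

    def write(self, pa, data):
        for i, byte in enumerate(data):
            self._page(pa + i)[(pa + i) & (PAGE - 1)] = byte

    def read_qword(self, pa):
        return int.from_bytes(self.read(pa, 8), "little")

    def write_qword(self, pa, value):
        self.write(pa, value.to_bytes(8, "little"))


def translate(mem, cr3, va):
    """Walk PML4 -> PDPT -> PD -> PT; return a Mapping, or None if not present.
    Writable/user are ANDed over all levels; NX at any level clears executable."""
    if (va >> 47) not in (0, 0x1FFFF):       # 48-bit canonical-form check
        raise ValueError("non-canonical virtual address 0x%x" % va)
    table, writable, user, nx = cr3 & ADDR_MASK, True, True, False
    for level, shift in enumerate((39, 30, 21, 12)):
        entry = mem.read_qword(table + ((va >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        writable &= bool(entry & WRITABLE)
        user &= bool(entry & USER)
        nx |= bool(entry & NX)
        if level in (1, 2) and entry & PAGE_SIZE_BIT:
            size = 1 << shift                # 1 GiB (PDPT) or 2 MiB (PD) page
            base = entry & ADDR_MASK & ~(size - 1)
            return Mapping(base | (va & (size - 1)), writable, user, not nx)
        table = entry & ADDR_MASK
    return Mapping(table | (va & (PAGE - 1)), writable, user, not nx)


def _find_all(buf, base, pattern):
    hits, pos = [], buf.find(pattern)
    while pos != -1:
        hits.append(base + pos)
        pos = buf.find(pattern, pos + 1)
    return hits


def search_virtual(mem, cr3, pattern, start, end):
    """Virtual addresses of `pattern` in [start, end). An unmapped page ends the
    current run, so a match may span two mapped pages but never a hole."""
    hits, run, run_start = [], b"", None
    for va in range(start & ~(PAGE - 1), end, PAGE):
        m = translate(mem, cr3, va)
        if m is None:
            if run:
                hits += _find_all(run, run_start, pattern)
            run, run_start = b"", None
            continue
        if run_start is None:
            run_start = va
        run += mem.read(m.pa, PAGE)
    if run:
        hits += _find_all(run, run_start, pattern)
    return [h for h in hits if start <= h < end]


def build_sample_space():
    """Constructed address space: one PML4/PDPT/PD/PT chain plus a few data frames."""
    mem, cr3 = PhysMem(), 0x1000
    pml4, pdpt, pd, pt = 0x1000, 0x2000, 0x3000, 0x4000
    mem.write_qword(pml4, pdpt | PRESENT | WRITABLE | USER)
    mem.write_qword(pdpt, pd | PRESENT | WRITABLE | USER)
    mem.write_qword(pd, pt | PRESENT | WRITABLE | USER)
    mem.write_qword(pd + 8, 0x400000 | PRESENT | WRITABLE | PAGE_SIZE_BIT)    # VA 0x200000: 2 MiB, supervisor-only
    mem.write_qword(pt + 0x10 * 8, 0x10000 | PRESENT | USER)                  # VA 0x10000: r-x
    mem.write_qword(pt + 0x11 * 8, 0x20000 | PRESENT | WRITABLE | USER | NX)  # VA 0x11000: rw-, frame not adjacent
    mem.write_qword(pt + 0x13 * 8, 0x30000 | PRESENT | USER | NX)             # VA 0x13000: r-- (VA 0x12000 is a hole)
    mem.write(0x10FFD, b"SEC")      # "SECRET" straddles VA 0x10FFF/0x11000 ...
    mem.write(0x20000, b"RET")      # ... i.e. physical frames 0x10000 and 0x20000
    mem.write(0x30010, b"SECRET")
    mem.write(0x50000, b"SECRET")   # frame no table maps: invisible to a virtual search
    return mem, cr3
```

Running `search_virtual(mem, cr3, b"SECRET", 0x10000, 0x14000)` on the constructed space returns the two virtual hits `[0x10FFD, 0x13010]`: the first is only findable because the search reassembles the two virtual pages before matching, and the copy at physical 0x50000 is never reported since nothing maps it. The `Mapping` returned by `translate` also carries the effective permissions, which is what you want to inspect when deciding whether a page a trace writes to is executable or user-reachable.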

Project Manager

  • Starting a REVEN server in the Analyze page of a scenario now generates a Python snippet that can be copied/pasted to scripts and notebooks to connect to the server.
  • Added an option to the VM pages to enable UEFI for QEMU VMs.
  • Supported QEMU VM formats are now detected using QEMU itself. As a result of this change, the setting variable QUASAR_QEMU_SCAN_EXTENSIONS has been replaced by QUASAR_QEMU_SCAN_FORMATS.

Axion

  • The search combobox now selects the item closest to the currently selected transition when browsing with F4/Shift-F4.
  • You can now copy the value of a register with a right-click in the CPU widget.
  • You can now change the selected instruction by pressing Enter while scrolling a list of memory accesses.
  • Double-clicking on a register in the CPU widget will now move the hexdump widget to the value contained in the register.

Fixed issues

Project Manager

  • Improved logging when startup fails because of external processes.

Axion

  • The display of a new widget could sometimes cause the main window to overflow the bottom of the screen. Consequently, the "Maximum docks" option has been removed.
  • The trace view now gets the focus upon connecting to a project.
  • It was possible to entirely collapse the Hexdump widget and the Strings widget.
  • The Trace view would sometimes not follow the cursor when using the percent plugin.
  • Clicking on a backtrace item could result in wrong transition numbers being displayed in the CPU widget.

Other changes

  • REVEN Enterprise edition now requires a license key to use the software and download software updates. See also the upgrading page.
  • REVEN is now available as a Docker image, which allows installing it on any amd64 Linux system.