REVEN version 2.6 is packed with new features, from GUI and workflow improvements to ever better third party integration! Here are some highlights:
- Whole-trace search in memory: the new `trace.search.memory` API entry allows looking for arbitrary patterns of bytes in the memory accessed throughout the entire trace.
- The WinDbg integration now supports stepping commands, setting breakpoints and going to the next breakpoint: this allows you to use even more of your usual WinDbg workflows with REVEN, and in particular significantly improves how you can browse the REVEN trace from WinDbg. This slightly changes how the integration is used; please refer to the documentation for more details.
- The Taint in the Analysis API now returns the instructions that use tainted data: before version 2.6, only the instructions that changed which data was tainted could be queried. With this new feature, you can extract a shorter program containing only the instructions that are relevant to the tainted data, allowing the taint to act as a slicer. Use the `Taint.accesses` method to get the list of the instructions that use tainted data.
- A new "ltrace-like" tool is available: for a given binary in a trace, it lets you see all the calls to functions of external binaries, complete with their parameters and return types (when they are known to the system, such as functions documented on the MSDN). Users can also add their own signatures to the system for the calls to be recognized. You can find this tool on our GitHub.
- Automatic binary recording from the Project Manager (Enterprise Edition): you can now automatically start a record when a binary starts executing, directly from the Record page of the Project Manager. The record stops automatically when the binary either exits or crashes (or if the VM itself crashes). For both Enterprise and Professional editions, the Record page was revamped for the occasion and sports a more reactive and complete interface that includes the improvements introduced by the VM Creation Wizard in version 2.5.0.
- REVEN can now be used behind a proxy for contacting the license server (Professional Edition), downloading symbols from a symbol server and downloading VMs in the VM wizard. Please refer to the installation documentation for more details.
Analysis Python API
- `Context.search_in_memory`: method to perform a search in the virtual memory at a single context. This is the API entry corresponding to the `search_in_memory.py` script introduced in version 2.5.0.
- Add various helper methods to get the first and last context and transition in a trace.
- The Bookmark widget now displays the symbol corresponding to the transition at which the bookmark was set.
- Improved reactivity of the Backtrace widget when there are many backtrace items.
- Improved the Hexdump widget:
  - The default block size in the Hexdump widget now depends on the current mode: QWORD when in 64-bit, DWORD when in 32-bit.
  - The Hexdump widget now keeps the scroll position and current selection when going back and forth in history.
- You can now optionally select with which segment you wish to follow an address from the Hexdump and CPU widgets.
- The QEMU emulator and the PANDA recorder/replayer components have been upgraded. This upgrade fixes some possible segmentation faults while replaying the trace. Note that scenarios recorded with version 2.6 cannot be replayed with an older version of REVEN.
- Interrupts could sometimes be replayed at the wrong time in the trace. The fix changes the transition numbers in replayed traces. See the compatibility information for details.
- The taint would sometimes incorrectly taint `xor eax, eax` instructions.
- When using the docker installation method of REVEN, it is now possible to install both the Professional and the Enterprise editions on the same machine.
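The two taint-related items above (the new `Taint.accesses` view that turns the taint into a slicer, and the `xor eax, eax` over-tainting fix) are easier to see on a small model. The following is an added illustration, not REVEN's own code or its `reven2` API: it runs a toy register-level forward taint over a constructed instruction list, separates the instructions that change the tainted set (the only view available before 2.6) from those that merely read tainted data (what `Taint.accesses` exposes), and treats the zeroing idiom `xor r, r` as producing a constant, so it neither reads nor propagates taint. The `Insn` model, the register names and the sample trace are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Insn:
    """One instruction of a constructed trace (register-level model only, no memory)."""
    addr: int
    mnemonic: str
    dst: Optional[str]        # register written; None for cmp/test (flags only)
    srcs: Tuple[str, ...]     # registers read


def is_zeroing_idiom(insn: Insn) -> bool:
    """`xor r, r` (and `sub r, r`) always yields 0: the result does not depend on
    the input value, so the instruction neither reads nor propagates taint.
    Treating it as an ordinary xor is exactly the over-tainting the 2.6 fix removes."""
    return (
        insn.mnemonic in ("xor", "sub")
        and len(insn.srcs) == 2
        and insn.srcs[0] == insn.srcs[1] == insn.dst
    )


def run_taint(trace: List[Insn], initial: Set[str]):
    """Forward taint over registers.

    Returns (changes, accesses, final_tainted):
      changes  - instructions that modified the tainted set (pre-2.6 view)
      accesses - instructions that read tainted data, whether or not the
                 tainted set changed (the Taint.accesses view)
    """
    tainted = set(initial)
    changes: List[Insn] = []
    accesses: List[Insn] = []
    for insn in trace:
        srcs = () if is_zeroing_idiom(insn) else insn.srcs
        reads_taint = any(r in tainted for r in srcs)
        if reads_taint:
            accesses.append(insn)
        if insn.dst is None:
            continue                       # cmp/test write no register
        was_tainted = insn.dst in tainted
        if reads_taint and not was_tainted:
            tainted.add(insn.dst)          # taint propagates into dst
            changes.append(insn)
        elif not reads_taint and was_tainted:
            tainted.discard(insn.dst)      # dst overwritten with clean data
            changes.append(insn)
    return changes, accesses, tainted


def slice_addrs(trace: List[Insn], initial: Set[str]) -> List[int]:
    """The slice: every instruction that either touched or reshaped the taint."""
    changes, accesses, _ = run_taint(trace, initial)
    return sorted({i.addr for i in changes} | {i.addr for i in accesses})


# Constructed sample trace: esi holds tainted input, edi points at clean data.
TRACE = [
    Insn(0x1000, "mov",  "eax", ("esi",)),         # eax <- tainted input
    Insn(0x1003, "mov",  "ebx", ("edi",)),         # unrelated to the taint
    Insn(0x1006, "and",  "eax", ("eax", "ecx")),   # reads taint, eax stays tainted
    Insn(0x1009, "cmp",  None,  ("eax", "ebx")),   # reads taint, changes nothing
    Insn(0x100c, "xor",  "eax", ("eax", "eax")),   # zeroing idiom: clears the taint
    Insn(0x100f, "add",  "edx", ("eax",)),         # eax is clean again
    Insn(0x1012, "mov",  "ecx", ("esi",)),         # ecx <- tainted input
    Insn(0x1015, "test", None,  ("ecx",)),         # reads taint
]

if __name__ == "__main__":
    changes, accesses, final = run_taint(TRACE, {"esi"})
    print("changes :", [hex(i.addr) for i in changes])
    print("accesses:", [hex(i.addr) for i in accesses])
    print("slice   :", [hex(a) for a in slice_addrs(TRACE, {"esi"})])
    print("tainted at end:", sorted(final))
```

With only the "changes" view, the `and`, `cmp` and `test` at 0x1006, 0x1009 and 0x1015 are invisible even though they consume the tainted value; adding the accesses is what makes the result a usable slice. The zeroing `xor` shows up as a change (it removes `eax` from the tainted set) but not as an access, which is the behaviour the bug fix restores.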
Analysis Python API
- `RegisterSlice` now correctly takes the requested slice of the register when the first item is 0 or the last item is the size of the register.
- `TaintView.take_n` would sometimes not return the requested number of results.
- Opening Python from the Project Manager is now more reliable and less impacted by browser blocking pop-ups.
- "Prepare VM" uses a temporary directory for more atomic filesystem operations while extracting the file system.
- The status bar at the bottom of Axion is no longer displayed when the user disables the corresponding option in the "Windows" menu.
- WinDbg's built-in search in memory was not working properly and has been disabled for the time being.
- Improved logging in case of a connection error.