REVEN version 2.7 is packed with new features, with a strong focus on providing you with a "bird's eye view" over a trace, so that you can get important information about what happens in a scenario at a glance! Here are some highlights:
Filter Widget in Axion: the Axion GUI now proposes a new Filter Widget that lets you see at a glance which processes are present in the trace, specify which ones are of interest to you, and choose which rings you would like to see (user, kernel, or both). The Trace view then reflects which ranges of transitions belong to the specified filter, and allows you to browse between these ranges by skipping the filtered-out transitions. Please refer to the documentation for more details on filters.
Use-after-Free vulnerability detection notebook: this Jupyter Notebook leverages the taint API of REVEN to search for potential Use-after-Free vulnerabilities in a REVEN scenario recorded on a Windows x64 machine. The notebook can be configured to only search for vulnerabilities in some processes/binaries of the trace so as to maximize performance. By default, the notebook supports the user `malloc` and the system `ExAllocatePoolWithTag` allocators, but you can modify the notebook to add more! The notebook is available in the "Python API - Analyze" examples of the "Download" page of the Project Manager, as well as on our GitHub.
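To illustrate the kind of search the notebook performs, here is an added, simplified use-after-free detector that is not the notebook's code: it walks a constructed list of allocation, free and memory-access events (standing in for what the notebook derives from REVEN's taint API) and reports accesses that land in a buffer after it was freed. The `Event` class, the `find_uaf` function and the sample trace are all assumptions made for this example; the configurable allocator set mirrors the notebook's `malloc` / `ExAllocatePoolWithTag` defaults.

```python
from dataclasses import dataclass

# Allocators whose returned buffers are tracked; extend these sets as needed.
ALLOCATORS = {"malloc", "ExAllocatePoolWithTag"}
DEALLOCATORS = {"free", "ExFreePoolWithTag"}


@dataclass
class Event:
    transition: int   # position in the trace
    kind: str         # "call", "return", "read" or "write"
    name: str = ""    # callee name for call/return events
    addr: int = 0     # buffer base (allocator return / free argument) or accessed address
    size: int = 0     # allocation size or access width


def find_uaf(events, allocators=ALLOCATORS, deallocators=DEALLOCATORS):
    """Return (transition, accessed address, transition of the free) for each
    read/write that hits a buffer which is freed and not yet reallocated."""
    live = {}    # base address -> size of currently allocated buffers
    freed = {}   # base address -> (size, transition at which it was freed)
    findings = []
    for ev in events:
        if ev.kind == "return" and ev.name in allocators:
            live[ev.addr] = ev.size
            freed.pop(ev.addr, None)  # region reused: no longer dangling
        elif ev.kind == "call" and ev.name in deallocators:
            size = live.pop(ev.addr, None)
            if size is not None:
                freed[ev.addr] = (size, ev.transition)
        elif ev.kind in ("read", "write"):
            for base, (size, freed_at) in freed.items():
                if base <= ev.addr < base + size:
                    findings.append((ev.transition, ev.addr, freed_at))
    return findings


# Constructed sample trace (not real REVEN output).
SAMPLE_TRACE = [
    Event(10, "return", "malloc", addr=0x1000, size=0x40),
    Event(20, "write", addr=0x1008, size=8),                    # legitimate use
    Event(30, "call", "free", addr=0x1000),
    Event(40, "read", addr=0x1010, size=8),                     # use after free
    Event(50, "return", "ExAllocatePoolWithTag", addr=0x1000, size=0x40),
    Event(60, "read", addr=0x1010, size=8),                     # region reallocated: benign
]

if __name__ == "__main__":
    for transition, addr, freed_at in find_uaf(SAMPLE_TRACE):
        print(f"#{transition}: access to {addr:#x}, buffer freed at #{freed_at}")
```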
File activity report tool: this tool reports the file operations, such as creation, opening, reads and writes, that occur in a REVEN scenario recorded on a Windows x64 machine. The tool is available on our GitHub.
Crash quick report tool: this tool detects and reports system crashes and user exceptions that occur in a REVEN scenario. The tool is available in the "Python API - Analyze" examples of the "Download" page of the Project Manager, as well as on our GitHub.
ASM stub automatic recording from the Project Manager (Enterprise Edition): you can now automatically start and stop a record when the guest VM executes a specific instruction, directly from the Record page of the Project Manager. For more information about ASM stub recording, please refer to the documentation.
Improved Linux OSSI support: for kernels in the supported version range (versions 4.1 to 4.14.9), the OSSI are now automatically generated for 64-bit Linux VMs. This allows you to access e.g. the kernel symbols more easily in a Linux scenario. Please refer to the documentation for more details on OSSI for Linux. Note that process filtering is not available on Linux scenarios at the moment, and due to the way dynamic symbols are called in Linux, the backtrace widget may provide less useful information.
This version introduces changes that will make it necessary to regenerate some resources in order to benefit from all REVEN features in your scenarios. See compatibility information for more information before upgrading.
Analysis Python API
- Added the `reven2.RevenServer.scenario_name` property to get the name of the current scenario from the API.
- The `dump_pcap.py` script now reports in its standard output the address in memory of each packet.
- Configuring QEMU VMs with 3GB of RAM and more is available in Beta Testing and may still be unstable.
- Preparing a VM snapshot by extracting its filesystem now requires much less space during the process (from 3x the space of the extracted filesystem to as low as 1x), incurs less stress on the I/O, which makes the machine more usable during the process, and also requires less space on disk after extraction. Due to this change, it is required to prepare anew all of your snapshots to benefit from the OSSI in the associated scenarios. See compatibility information for more information before upgrading.
- In the Enterprise Edition, you can now update the outdated resources and clean the deprecated ones in a single click with the new `Update` button that is available next to each scenario in the scenario list of the Project Manager.
- You can now access the notebooks of a scenario with a new link in the scenario's description page. Besides, all the notebooks can be accessed with a new link in the footer of each Project Manager page.
- The Taint widget now displays the symbol corresponding to the transition at which each taint change is performed.
- Axion can now be synchronized with WinDbg, so that whenever WinDbg requests a new transition with a debugging command, the same transition is selected in Axion.
- The taint would sometimes assign the wrong memory address to a tainted address in basic blocks of instructions when the block contained `and memory, 0` instructions or similar instructions with a "memory desynchronization" warning.
Analysis Python API
- `TaintAccess.state_after` would sometimes raise a
- Multiple calls to `Taint.simple_taint` would mistakenly share the same taint data.
- It is now possible to upload a VM from disk when running REVEN in a Docker container.
- It is no longer possible to delete resources of a scenario while the corresponding REVEN server is running.
- QEMU not responding would sometimes cause an error on some pages when interacting with a VM.
- When exporting PDBs during a scenario export, PDBs of the CDROM files will be exported too as long as they are in the SYMSTORE.
- Imported resources now correctly report a progress of 100%.
- Attempting to delete a non-existing resource does not cause an error anymore.
- The light filesystem used to be incomplete for Linux scenarios, which could lead to fewer symbols in imported scenarios.
- The "prev"/"next" links now display the symbol of the previous/next backtrace switch rather than the symbol of the current transition.
- The status bar is now correctly cleared when the user disconnects from a project.
Future compatibility notes
Debian 9 (Stretch) is getting old. To provide you with recent software and improve our development process, please note that this REVEN 2.7 version is the last version that will run on Debian 9 (Stretch). If you are using the Debian archive of REVEN, you will need to upgrade to a newer Debian version to install REVEN 2.8 or later.
Please note that this REVEN 2.7 version is the last version that supports Python 2.7, which reached End-of-Life in 2020. Future versions of REVEN will only support Python 3.7 and later.
Limitations and known issues
- When recording a QEMU VM with UEFI enabled, the UEFI boot option is not passed when replaying. As a workaround, add `-bios /usr/share/ovmf/OVMF.fd` to the replay options when replaying a scenario recorded with a UEFI-enabled VM.