reven2

package documentation

The REVEN2 python API.

Provide a pythonic way to interact with a Reven server. This mainly provides an object oriented wrapper on the low level api, plus a few helper functions to make REVEN scripting more straightforward.

To use it, the first step is to connect to a running Reven server, for example on port 13370 of the host localhost:

>>> import reven2 as rvn2
>>> server = rvn2.RevenServer('localhost', 13370)

About properties

Field members in our python classes are typically encapsulated in properties. For instance, the private field RevenServer._host can be read from RevenServer.host. Properties are special methods that should not be called with parenthesis, e.g. RevenServer.host, not RevenServer.host(). To make this distinction clearer in our documentation, the documentation for a property always starts with the keyword Property: (e.g., see the properties host and port in RevenServer's documentation).

Changelog

Every notable changes to this api will be documented in this file.

2.11

Compatibility note: reven2.preview.taint.Tainter.simple_taint no longer attempts to convert the passed tag argument to int when it doesn't match any of the supported types.
Compatibility note: Comparing an address with another type for equality no longer raise a ValueError, but returns False.
Compatibility note: Calling Trace.memory_accesses with a size of 0 now raises a ValueError.
Compatibility note: reven2.ossi.FunctionSymbol.prototype is deprecated. Use reven2.ossi.FunctionSymbol.demangled_name instead
Compatibility note: since reven2.ossi.Ossi.symbols and reven2.ossi.Binary.symbols now return reven2.ossi.DataSymbol in addition to reven2.ossi.FunctionSymbol, indiscriminately calling reven2.ossi.FunctionSymbol.name_only or reven2.ossi.FunctionSymbol.prototype on its returned values may now raise an exception. If you have code like the following:
```
>>> for symbol in binary.symbols():
>>>     symbol.prototype
```
Modify it to use the reven2.ossi.Binary.function_symbols function instead:
```
>>> for symbol in binary.function_symbols():
>>>     symbol.prototype
```
Compatibility note: Constructing a reven2.preview.taint.TaintedRegisterSlice with a non-positive size now raises a ValueError.
Compatibility note: reven2.trace.Context.deref is now deprecated when the target is a type containing nested pointers. Either use reven2.trace.Context.deref_all to explicitly ask for nested-pointer dereference, or replace the inner Pointer types with USize. In the future reven2.trace.Context.deref will only dereference the outermost pointer.
Compatibility note: reven2.trace.Context.read is now deprecated when the target is a pointer type. To compute an address add the base address of the pointer type to the offset computed by reading as an USize. In the future, reven2.trace.Context.read will return a reven2.types.PointerInstance when reading a pointer.
Compatibility note: Fixed an issue where reading a reven2.types.Array of e.g. a reven2.types.CString, a reven2.types.Pointer or a nested reven2.types.Array would return values of incorrect types. As a result of this fix, reading a value as a reven2.types.Array will now return a reven2.types.ArrayInstance.
Add reven2.types.ErrorType and reven2.types.VoidType to represent types that couldn't be parsed from a debug object and the void type.
Add reven2.types.Struct, reven2.types.Enumeration, reven2.types.UnresolvedStruct, reven2.types.UnresolvedEnumeration to model user-defined types.
Add reven2.types.StructInstance, reven2.types.EnumerationInstance, reven2.types.ArrayInstance, reven2.types.PointerInstance to represent values read from these types.
Add reven2.ossi.Binary.exact_type to get a named type from a debug object for Windows scenarios.
Add reven2.types.F16.
reven2.types.Pointer now accepts an explicit size arguments. Pointers created this way don't have a context-dependent size.
Add string representations for classes in the reven2.types package.
Classes in the reven2.types package are now comparable for equality and hashable.
Add reven2.trace.Context.deref_all to explicitly ask dereferencing nested pointer types.
Add reven2.types.Pointer.cast_inner to cast the inner type of a pointer.
You can now modify a reven2.preview.taint.TaintState to add or remove elements of the state, and restart a new taint from this modified state using reven2.preview.taint.Tainter.taint_from_state.
Add reven2.arch.helpers.is_flag_register and reven2.arch.helpers.is_condensed_flags_register.
Fix issue where reven2.trace.Trace.filter would raise an exception if to_context == from_context + 1.
Add reven2.RegisterSlice to build bitwise slices of a reven2.Register.
Add reven2.register_slice.RegisterSliceMap and reven2.register_slice.RegisterSliceSet to store multiple reven2.RegisterSlice
reven2.preview.taint.TaintedRegisterSlice now accepts a reven2.RegisterSlice as tainted data.
Add reven2.Register.root and reven2.Register.children to retrieve the base register/children registers of a register.
Allow to build a reven2.RegisterSlice by indexing a register, e.g. reven2.arch.x64.rax[0:-3].
Add reven2.MemoryRange to model ranges of memory address.
Add reven2.memory_range.MemoryRangeMap and reven2.memory_range.MemoryRangeSet to store multiple reven2.MemoryRange
Add memory range support to various types of the API.
Expose reven2.arch.register.Register and reven2.arch.register.Category as reven2.arch.Register and reven2.arch.Category.
Make reven2.arch.Register hashable.
Make reven2.address types hashable.
Typing: Expose reven2.address.AddressType to represent any address type to the type checker and reven2.address.VirtualAddress to represent virtual addresses to the type checker.
Add marker file indicating that the API is typed. This results in type checkers no longer ignoring types of the API when typechecking scripts that uses the API.
Make reven2.trace.Context and reven2.trace.Transition hashable
Add support of data symbol:
- reven2.ossi.Symbol is now an abstract class
- Add reven2.ossi.FunctionSymbol and reven2.ossi.DataSymbol to ossi
- reven2.ossi.Ossi.symbols and reven2.ossi.Binary.symbols return an iterator of reven2.ossi.FunctionSymbol and reven2.ossi.DataSymbol
- Add new methods reven2.ossi.Binary.function_symbols and reven2.ossi.Binary.data_symbols
Add reven2.ossi.BinaryMapping and reven2.ossi.OssiContext.kernel_mappings to access to the kernel mapping at a context.
Add preview.windows package containing Windows 10 utilities (e.g to parse handles and objects)
Add reven2.ossi.Thread.owner_process.
Equality comparisons of objects reven2.ossi.Binary, reven2.ossi.BinaryMapping, reven2.ossi.Symbol, reven2.trace.Context, reven2.trace.Transition and reven2.memhist.MemoryAccess have a specified behavior when comparing against an object of a different type.

2.10.2

Add OssiContext.thread method to get the current thread.

2.10.1

Add Type.to_bytes method to convert a value of a type to bytes.

2.10.0

Compatibility note: The following deprecated classes and methods have been removed: Stack.backtrace, BackTrace, Taint.changes, TaintChanges, TaintChangeView.
Compatibility note: The return value of Symbol.name changed: previously it would return the prototype, now it returns the short name (Symbol.name_only) of a symbol if available, or defaults to the source name (Symbol.source_name).
In Jupyter Notebook, a reven2.address.LinearAddress, reven2.address.LogicalAddress or reven2.address.LogicalAddressSegmentIndex instance now displays as a clickable link that instructs Axion to open a hexdump widget for that address in Jupyter Notebook.
Added the reven2.session.Sessions.publish_address method to publish an address to clients like Axion.
Add new name-related properties to Symbol: Symbol.source_name, Symbol.name_only and Symbol.prototype.
Added trace.Mode class that indicates the current mode.
Added Transition.pc and Transition.mode properties.
The Transition, Instruction, CPUException are now faster to fetch back from the server: up to 5x faster in some workloads.
Add the Ossi.executed_processes method to get the processes executed in the trace. Currently this feature will return results only for windows.
Add the Trace.filter to iterate on contexts that match filter policies. Currently process policies and ring policy are available.
Add preview.prototypes package containing basic parsing of C function prototypes

2.9.0

Compatibility note: the Stack.backtrace method and BackTrace class have been deprecated and are scheduled for removal in version 2.10. Use str or display with a Stack instance to display the backtrace.
The reven2.trace.Trace.memory_accesses method now supports fetching memory accesses on the entire trace or between 2 transitions without specifying an address range.
Added Transition.step_out and Transition.step_over

2.8.1

Fix issue were Instructions were displayed without their prefixes.

2.8.0

Compatibility note: The values returned by the Instruction.mnemonic and Instruction.operands methods may have changed from previous versions. See the release notes for more detailed information about the changes.
Compatibility note: The behavior of the Tainter.simple_taint and TaintResultView.filter_by_context_range functions has been modified in the way the to_context parameter is handled. Previously, the taint would not propagate through the Transition right before the to_context parameter. With this change, it is now the case. This means that a simple taint between context c and context c + 1 will now propagate through the transition between context c and its successor context, whereas before it would propagate through no context at all.
Fixed issue where Context.find_register_change could loop infinitely when invoked in backward.
Fixed issue where Context.find_register_change could skip changes depending on the value of the fetch_count parameter.
Fixed an AttributeError on TaintResultView.filter_by_context_range when to_context is None (its default value).
Improved accuracy of the `Transition.find_inverse` method so that it returns the correct transition in more cases. Previously incorrect matches might be produced on pagefault/iret, syscall/sysret, sysenter/sysexit.
Drop support for Python 2 and Python 3.5. reven2 now only support Python 3.7+.

2.7.0

Added RevenServer.scenario_name property.
Fixed issue where TaintAccess.state_before and TaintAccess.state_after would sometimes raise a StopIteration Exception.
Fixed issue where multiple calls to Tainter.simple_taint would mistakenly share the same taint data.

2.6.0

Added Taint.accesses for querying all the transitions that touch the tainted data. Can be filtered to query only the transitions that change taint state (like Taint.changes).
Mark Taint.changes as deprecated. Use Taint.accesses instead.
Fixed issue where TaintResultView.take_n method would sometimes return the wrong number of results.
Added Trace.first_context, Trace.last_context, Trace.first_transition, Trace.last_transition
Added Search.memory to search byte patterns throughout the whole trace
Fixed issue where TaintedRegisterSlice would sometimes take the entire register instead of the requested slice

2.5.0

Added reven2.bookmark module that allows to programmatically add, access, edit and remove bookmarks.
Added reven2.address.LinearAddress.translate, reven2.address.LogicalAddress.translate, reven2.address.LogicalAddressSegmentIndex.translate to translate the virtual address into reven2.address.PhysicalAddress.
Added reven2.trace.Transition.find_inverse method to get the transition that performs the inverse operation to the given transition.
Added reven2.trace.Context.find_register_change method to find the next/previous context in which the content of the requested register is modified.
Added reven2.session module that allows to publish various events to clients like Axion.
Added reven2.RevenServer.sessions property that lists the sessions tracked by the RevenServer.
reven2.RevenServer and reven2.RevenServer.connect now accept an additional keyword parameter 'sessions' to set the tracked sessions
In Jupyter Notebook, a reven2.trace.Transition instance now displays as a clickable link that instructs Axion to select that transition in Jupyter Notebook.

2.4.0

No changes

2.3.0

Marker names created by preview.taint.simple_taint are changed from tag0/tag1 to Tag0/Tag1
Added ProjectManager.hostname and ProjectManager.port properties
Added ProjectManager.connect to connect to a REVEN project from its name
Added ossi.OssiContext.process to get the information of the current ossi.process.Process

2.2.1

Fixed an issue where the Instruction object would sometimes contain wrong operands for relative jmp
Improved the performance of the Context.read method up to x3 in typical workloads
Added a timeout argument to the String.memory_accesses method, allowing to specify how long this function should attempt to recover all accesses before raising an exception.
Modified Stack.backtrace property so that it returns a string instead of printing it.
Made the if register accessible from the API. Previously, attempting to access reven2.arch.x64.if would raise a SyntaxError, because if is a python keyword. You can now access the if register through reven2.arch.x64.if_.

2.2.0

Add trace package containing basic classes to navigate in a trace and inspect cpu registers and memory
Add search module containing basic objects to search interesting points in a trace
Add trace.Trace.memory_accesses and trace.Transition.memory_accesses to query memory accesses from the trace
Add memhist package containing MemoryAccess object
Add stack module containing basic objects to get interesting information on the stack like the backtrace
Add string module containing a basic `String` object to get interesting strings in the trace and their memory accesses
Add ossi package containing basic objects to get Operating System Semantic Information (OSSI)
Add types package containing various predefined types and type constructors
Add arch package containing the various x86_64 registers
Add address package containing representation of memory addresses
Add preview.project_manager package containing basic (incomplete) bindings to the REVEN project manager REST API
Add preview.taint package containing an experimental, simplified API for the taint
Add explicit relative imports, for Python 3 compatibility

2.0.0-dev

The API is currently in development
cleanup and rework of the RevenServer class (previously Project)

2.0.0-prerelease

The API is currently not available

Module	`address`	Defines memory address classes
Package	`arch`	Contains classes and instances related to the description of the machine architecture.
Module	`bookmark`	No module docstring; 2/3 classes documented
Module	`filter`	Module related to trace filter. See the `Trace` object.
Module	`memhist`	No module docstring; 0/1 variable, 0/10 function, 3/3 classes documented
Module	`memory_range`	This module contains the `MemoryRange` type that model a range of memory addresses, and related types.
Package	`ossi`	Package related to OSSI information. See the `OssiContext` object.
Module	`prelude`	This is the prelude module of the Reven2 python API
Package	`preview`	Contains subpackages and modules whose API is not considered stable yet.
Module	`register_slice`	This module contains the `RegisterSlice` type that models a bitwise-slice of a register.
Module	`search`	Module related to trace search. See the `Search` object.
Module	`search_in_memory`	No module docstring; 7/8 classes documented
Module	`session`	Module related to sessions, that allow to publish information to various other connected clients (e.g., Axion).
Module	`stack`	Module related to stack. See the `Stack` object.
Module	`string`	Module related to strings in trace. See the `String` object.
Package	`trace`	Module related to the execution trace. See the `Trace` object.
Package	`types`	Contains classes and instances related to the description of data types.
Module	`util`	Module that provide util functions

From __init__.py:

Variable __version__ Undocumented

__version__: str =

Undocumented