One very important aspect of analyzing a scenario's trace involves mapping the low level transitions in the trace to higher level OS Specific Information (OSSI) such as binary names and symbol names.
Currently, only Windows 64bits is supported.
More information about OSSI environment setup can be found here.
In Axion, OSSI is provided in the following views:
Binary information is all information related to a segment of memory that is mapped into a process address space. Most of the time, a segment of memory is a binary loaded in memory but it can be a stack, a heap, a part of memory allocated by a process, etc.
A segment of memory is valid for a process and defined by a base address (=start address), a size and a name.
Information is derived from the in-memory OS process map.
If the binary information related to an address is not available, unknown will be displayed. The cause of an unknown information can be that:
- The binary mapping was not found in the
_PEB_LDR_DATAstructure of the running process.
- The execution of some code on the heap, on the stack or after a copy in memory.
- The VM used to record the scenario has the
Symbols are part of binary information. A symbol is linked to a memory segment and it is defined by a relative virtual address (RVA) and a name.
A RVA is an offset from the base address of the memory segment. Using a RVA instead of a virtual memory address allows to be independent on where the memory segment is mapped in the process address space.
The sources of symbol information are:
- The binary files.
- The PDB files.
If the symbol related to an address is not available, unknown will be displayed.
The following example explains what will be displayed in various situations.
Process Address Space cr3 = 0x078c0000 | | | | Example.exe | | base address = 0x400000 | | | | rva symbol 0x400000|-------------| .-------------. 0x0 nil | | | | | | | | | | | | | Example.exe | |-------------| 0x300 Sym1 | | => | | | | | | | | |-------------| 0x1200 Sym2 | | | | | | | | | | | | | | | | 0x402000|-------------| '-------------' 0x2000 | | | | | | | |
Possible formats for a symbol's name are:
Sym1+0x<offset from rva>.
Sym2+0x<offset from rva>.
NOTE: Currently, in REVEN v2, it is not possible to define custom symbols in a scenario.