REVEN-Axion 2018v1.5.0
Axion Overview

Axion's GUI provides the user with a view of the execution trace, and various means of extracting information and analysing it.

Navigation - basics

The Instruction View

This central view represents the flow of instructions of the execution trace.

The Trace view

It is divided into sequences in run: you can see above three sequences, each with their identifier, symbol name and offset within that symbol. To know more about Symbol in Reven see the concerning documentation.

The Trace View

This widget presents the sequences as a hierarchy based on calls and returns.

The Call Tree View

You can use this view to filter the instruction view using the Filter button:


By activating it, the instruction view will hide sequences that are hidden in the tree's collapsed branches.


You can store named bookmarks to keep track of interesting places.

Bookmarks widget

You can use the contextual menu of the instruction and trace views or use the appropriate keyboard shortcut to add a bookmark, and then the widget or the shortcuts to navigate through them.

Adding a Bookmark from Trace

Navigation - advanced

Previous / Next

You can easily follow accesses (reads, writes, or both) of registers and memory locations. First, you need to select what to follow. You can select an instruction's first or second operand by clicking on an instruction

Selecting an operand

You can also select a register through the cpu widget, or a memory location from the hex dump view, both through their repsective contextual menus.

Once an operand is selected, select Read and or Write and navigate using the Previous and Next buttons:

Going to the next use


The tainter highlights dependencies between memory locations and/or registers. It can work forward (highlight data that is dependent on what you selected) or backward (highlight what your selected operand is dependent on).

The selection process is exactly the same as for the Previous / Next:

Selecting an operand for tainting

Once your operand is selected, click on the Taint button, then on Forward or Backward in the now opened Tainter widget:

Configuring the taint

Now you should see operands being highlighted in the instruction view.

A backward taint

Memory history

The hexdump view can also display the history of accesses of any memory buffer, as long as the memory history inspector has been selected prior to execution:

The Hexdump widget with memory history

Select a byte, word or even whole buffer and check "Show access history". You should see the list of accesses to that buffer, on which a double click would take you directly to that part of the execution trace.


The search widget will search for items in the execution trace. You can search for addresses, binaries, symbols or device accesses.

The search widget

It presents the results in two different ways: A combo-box for quick access and a horizontal bar representing the entire trace.

Note that, should you work on big traces (hundreds of millions of sequences), searching through the entire trace can take quite a long time. You can easily select an execution range to search in by right-clicking and dragging in the horizontal bar:

Reducing search to a particular range

Current symbol graph

You can display a graph of the current symbol and location.

A symbol's graph

What you see are the different paths taken during the execution: it's static view of the symbol.

Contextual information

Part of the information you will see is only relevant to the selected instruction or sequence:


The CPU widget displays the state of CPU registers.

The CPU view

Note the contextual menu in which you can select what group of register you want to see.


The backtrace widget simply displays the current backtrace, as with any debugger.

The Backtrace view


The framebuffer is a view of the machine's screen state

The Framebuffer view

Note that Axion cannot display the framebuffer if you didn't start the binary "dump_process" prior to your binary when you created the scenario.

Aggregated information

There is also information that is not contextual but rather about the entire execution trace:


The string widget summarize every memory buffer that has been accessed during the execution and that looked like a valid string.

Akin to the memory history widget, you can select a string and see its accesses. You can also filter on the strings you want displayed, if you're looking for a particular pattern. Note that this filter can be slow on huge traces.

The String view

It requires the string inspector to be activated prior to execution.


Pretty much self-explanatory, this widgets gives a list of symbols that were encountered during the execution.

The Symbols view

Binary dependency graph

Displays the known binaries and their dependencies

The binary dependencies

Hot points

This hot points list is a central widget where certain inspectors will push data about execution points that require your attention. For exemple you can find about use-after-frees, providing you activated the appropriate inspector.

Various hot points

Technical information

List of inspectors

This widget reminds what inspectors where activated for this trace.


Information log

This is where Axion will display warnings, errors, or important messages. It's a good idea to give it a look after an execution is complete, to make sure everything is okay.

The log