With REVEN v2, you can build RE projects whose analyzed scenarios are recorded from Virtual Machines (VMs), either VirtualBox or QEMU. Although the choice between the two depends on your work habits, we recommend:
Using VirtualBox when:
- VM configuration and setup is heavy work.
- Some specific hardware must be studied.
Using QEMU in all other cases, for the highest replay fidelity.
IMPORTANT NOTE: Replayers do NOT support VMs with too much RAM (strictly more than 3072MB for QEMU and 2048MB for VirtualBox). Do NOT record scenarios on VMs configured above these limits, or the replay will fail.
Records can be started from VM snapshots. The Project Manager gives you some control over those snapshots. Here are the keys to understanding what happens.
Both QEMU and VirtualBox VMs use two kinds of snapshots:
- Disk snapshots: contain only the content of the machine's local filesystem. Restoring a disk snapshot brings you back to VM boot, which is usually not convenient when recording a scenario.
- Live snapshots: contain the full saved state of a running VM, including the RAM, CPU state, and filesystem. Restoring a live snapshot brings you to the exact VM running state where you took it.
NOTE: If the VM hardware parameters are modified, a live snapshot will probably become unrestorable.
Disk snapshots can have the following statuses in the Project Manager, reflecting OSSI availability:
- Prepared: the filesystem has been extracted from the snapshot.
- Inherited: the snapshot "inherits" the OSSI of a parent snapshot. NOTE: If the current snapshot contains new binaries compared to its parent snapshot, OSSI may not be available for these binaries in the Analysis stage. Should you need this OSSI, launch a Prepare operation on the current snapshot.
- Not prepared: no Prepare operation has occurred for this snapshot, so no OSSI is available for it. Without OSSI, binary and symbol names will not be available in the Analysis stage.
In order to optimize scenario recording and replay performance, you will need to disable system features that are not useful to your scenarios.
As REVEN records the entire system execution, the following VM system configuration steps improve the virtual machine characteristics and the scenario recordings:
- Limit the virtual machine RAM to reduce the disk footprint.
- Disable any non-essential system feature to reduce noise in the scenario recording, and hence the replay duration and the trace size and complexity, which makes analysis easier and faster.
On Windows systems, the following preparation steps are required to improve REVEN performance and to make all its features fully operational.
- Disable desktop graphical effects.
- Disable unnecessary services.
- Disable KPTI protections (required to get OS Specific Information (OSSI) such as symbol names).
- Disable the CompactOS option (required for performance and to get OSSI).
For Windows 10 VMs, the REVEN package comes with a sample PowerShell script designed to lighten a Windows 10 system, so as to greatly improve its performance and reduce the size of REVEN traces. This script is available from the Downloads page of the Project Manager.
IMPORTANT: Please note that this script is provided to REVEN's users as-is, without any guarantee, as a convenience tool. Therefore, it must be considered for what it is: an example. It is strongly recommended to back up any VM before running the script on it. Besides, the script may require modifications to fit your specific configuration. For example, non-English VMs may require some translation in the script, such as "Administrateur" on a French VM.
Before using the script, apply the following configuration:
- Disable Windows Defender and optionally the firewall:
  - As an Administrator, launch
  - Navigate to "Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Turn off Windows Defender" and
  - Navigate to "Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security" and set it to
- As an Administrator, launch
On Windows 10, in an administrator PowerShell console, you can:
- Get help about the script's capabilities and usage:
> Get-Help windows10_lightener.ps1
- Run the script to disable as many services as possible:
> Set-ExecutionPolicy Unrestricted (confirm)
> windows10_lightener.ps1 -All
IMPORTANT: AV disablement by this script is not persistent after a VM reboot, which is why we recommend disabling it via group policies as described above. Alternatively, the script may be executed after each reboot to disable the AV services again:
> Set-ExecutionPolicy Unrestricted (confirm)
> windows10_lightener.ps1 -DisableAV
Manually disable the following services:
- Print spooler
- Workstation (SMB protocol)
In order to enable networking, reactivate the following services:
- Windows Event Log
- Network List Service
Run the script to disable basic services only:
> Set-ExecutionPolicy Unrestricted (confirm)
> windows10_lightener.ps1 -Basic
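The manual service steps above (disable Print spooler and Workstation, re-enable Windows Event Log and Network List Service) can be scripted so that they are repeatable and reversible. The following is an added example, not part of the REVEN package or of windows10_lightener.ps1; it assumes the Windows internal service names Spooler, LanmanWorkstation, EventLog and netprofm for the display names the page uses, a hypothetical file name Set-RevenServices.ps1, and a state file path of its own choosing.

```powershell
# Added example (not REVEN's own code): apply the manual service changes the page
# lists and keep a record of the previous state so they can be rolled back.
# Assumed mapping of display names to service names:
#   Print spooler        -> Spooler
#   Workstation (SMB)    -> LanmanWorkstation
#   Windows Event Log    -> EventLog
#   Network List Service -> netprofm
# Run from an elevated PowerShell console inside the VM:
#   .\Set-RevenServices.ps1            # apply
#   .\Set-RevenServices.ps1 -Rollback  # restore the saved start types
[CmdletBinding()]
param(
    [string]$StateFile = "$env:SystemDrive\reven-services.json",  # example path
    [switch]$Rollback
)

$ToDisable = @('Spooler', 'LanmanWorkstation')
# Start types to restore for the services networking needs (Windows 10 defaults).
$ToEnable  = @{ 'EventLog' = 'Automatic'; 'netprofm' = 'Manual' }
$Managed   = $ToDisable + @($ToEnable.Keys)

function Save-ServiceState([string[]]$Names, [string]$Path) {
    # Record StartType and Status before touching anything, so -Rollback can undo it.
    $state = foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc) {
            [pscustomobject]@{ Name = $n; StartType = "$($svc.StartType)"; Status = "$($svc.Status)" }
        }
    }
    $state | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Restore-ServiceState([string]$Path) {
    foreach ($s in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        Set-Service -Name $s.Name -StartupType $s.StartType
        if ($s.Status -eq 'Running') { Start-Service -Name $s.Name -ErrorAction SilentlyContinue }
    }
}

if ($Rollback) {
    Restore-ServiceState -Path $StateFile
    return
}

Save-ServiceState -Names $Managed -Path $StateFile

foreach ($n in $ToDisable) {
    # -Force also stops dependent services (e.g. anything that relies on LanmanWorkstation).
    Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
    Set-Service -Name $n -StartupType Disabled
}
foreach ($n in $ToEnable.Keys) {
    Set-Service -Name $n -StartupType $ToEnable[$n]
    Start-Service -Name $n -ErrorAction SilentlyContinue
}

# Show the resulting state of every service the script touched.
Get-Service -Name $Managed | Format-Table Name, StartType, Status
```

Because the script is applied to a VM snapshot, the state file is only a convenience: restoring the snapshot is the real rollback. Disabling LanmanWorkstation removes SMB client access, so transfer files into the VM (for example via the "file CDROM" feature) before running it.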
NTLite is a tool that eases the process of customizing Windows. It can be used either on a running system, such as a VM, or on an installation ISO. The provided template is meant to be used on a live, running system.
You will need at least an NTLite Home license to modify your VM.
Please follow the instructions below during the "Lightening of the snapshot" step of the "VM setup" wizard:
- Install NTLite on the VM. You can transfer the NTLite setup file through the "file CDROM" feature.
- Activate your NTLite license on this VM.
- Load the current Windows installation into NTLite.
- Load the provided template by inserting the "Windows 10 lightener CDROM".
- Apply the changes required by the template. A few reboots may be required to fully apply all the modifications.
- You are done when every change shows a green bullet in the "Apply" section of NTLite.
NOTE: Installing NTLite on the VM may require an active internet connection. Please refer to NTLite's documentation for more information about how to install NTLite.
KPTI (Kernel Page-Table Isolation) protections were introduced with the Meltdown patches. If KPTI protections are enabled, OSSI will be available only for ring 0 or for administrator processes.
Microsoft provides the following steps to disable KPTI protections. Note that the values 3/3 turn off both the Meltdown (KPTI) and the Spectre variant 2 mitigations, which is acceptable only inside an analysis VM:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
shutdown -r
On Windows 10, the CompactOS feature lets you run the operating system from compressed files to maintain a small footprint. However, this feature is not compatible with the Prepare stage of the REVEN workflow, which is required by the OSSI features. Besides, decompression routines may unnecessarily increase a scenario's trace size.
Therefore it is recommended to check the status of the CompactOS feature on a Windows 10 VM with the following command, issued as the Administrator user:
> Compact.exe /CompactOS:query
The system is in the Compact state. It will remain in this state unless an administrator changes it.
If the CompactOS feature is active, it is recommended to disable it:
> Compact.exe /CompactOS:never
Uncompressing OS binaries
Completed uncompressing OS binaries.
15483 files within 11064 directories were uncompressed.
If necessary, it can be later re-enabled:
> Compact.exe /CompactOS:always
Completed Compressing OS binaries.
15483 files within 11064 directories were compressed.
4,454,521,157 total bytes of data are stored in 2,620,926,932 bytes.
The compression ratio is 1.7 to 1.
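Before taking the snapshot you intend to record from, it is worth verifying the KPTI override, the CompactOS state, the Defender state and the RAM size in one pass rather than trusting that each step above was applied. The following read-only checker is an added example, not part of REVEN or its documentation: the registry values and the Compact.exe query are the ones shown in the two sections above, the RAM limits are the ones stated at the top of the page, and the Defender check assumes that the "Turn off Windows Defender" policy writes DisableAntiSpyware=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (the function names are this example's own).

```powershell
# Added example (not REVEN's own code): read-only readiness checks for a Windows 10
# guest. Run in an elevated PowerShell console inside the VM. Nothing is modified.

$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Test-KptiOverride {
    # The reg.exe commands in the KPTI section set both values to 3; anything else
    # means the Meltdown/Spectre mitigations (and therefore KPTI) may still be active.
    $p = Get-ItemProperty -Path $MmKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.FeatureSettingsOverride -eq 3 -and $p.FeatureSettingsOverrideMask -eq 3)
}

function Test-CompactOS {
    # Compact.exe prints "The system is in the Compact state." when CompactOS is on
    # and "The system is not in the Compact state." otherwise. $true = still compact.
    $out = & "$env:SystemRoot\System32\compact.exe" /CompactOS:query 2>&1 | Out-String
    return ($out -match 'is in the Compact state')
}

function Get-GuestRamMB {
    # RAM as seen by the guest; a few MB below the hypervisor's configured value.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [int]($cs.TotalPhysicalMemory / 1MB)
}

function Test-DefenderOff {
    # Assumption: the group policy "Turn off Windows Defender" sets DisableAntiSpyware=1.
    # The service check additionally catches the non-persistent case the page warns
    # about (script-based disablement lost after a reboot).
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $policyOff  = ($null -ne $pol -and $pol.DisableAntiSpyware -eq 1)
    $serviceOff = ($null -eq $svc -or $svc.Status -ne 'Running')
    return [pscustomobject]@{ PolicyOff = $policyOff; ServiceOff = $serviceOff }
}

# Report: every line should read True (or a RAM figure below the limit of your hypervisor)
# before you take the snapshot that recordings will start from.
$ram = Get-GuestRamMB
$def = Test-DefenderOff
[pscustomobject]@{
    'KPTI override set (3/3)'         = Test-KptiOverride
    'CompactOS disabled'              = -not (Test-CompactOS)
    'Guest RAM (MB)'                  = $ram
    'RAM within QEMU limit (3072)'    = ($ram -le 3072)
    'RAM within VirtualBox limit (2048)' = ($ram -le 2048)
    'Defender policy off'             = $def.PolicyOff
    'Defender service stopped'        = $def.ServiceOff
} | Format-List
```

The RAM figure reported from inside the guest is slightly lower than the value configured in VirtualBox or QEMU, so treat the hypervisor's own setting as authoritative when it sits right at the limit. On recent Windows 10 builds, Tamper Protection can keep the Defender service running even with the policy set; the second Defender line shows whether that is the case.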
On Linux systems, common optimizations include:
- Disabling the Xorg server when not needed.
- Disabling the console framebuffer if not needed. For example, on Debian systems, in the file /etc/default/grub, add the line:
- Disabling any unwanted background service.