REVEN Enterprise edition can be deployed on fully air-gapped networks, where no Internet connection is available. In this situation, the default PDBs servers (Microsoft's and others) the REVEN configuration points to will not be accessible, so manual operations are required to retrieve these files.
- Using a locally-accessible PDB server
- Temporarily connecting the server to the Internet
- Retrieving PDBs from a list built by REVEN
- Retrieving PDBs manually
- About REVEN's local PDB store
- A note about mandatory PDBs
By default, REVEN's configuration points to PDB servers accessible on the Internet. However, it is frequent for users working on an air-gapped network to have their own PDB server accessible over HTTP acting as a mirror for use with tools such as WinDbg or IDA. If such is your case, you can edit the list of PDB server REVEN uses, see the documentation about this.
If you don't have a local PDB mirror, then by far the easiest option is to temporarily connect your REVEN instance to the Internet when you add a new VM or install significant software. Here is the general procedure to follow:
- Open the snapshot's page in the Project Manager (click on the snapshot's name in the VM Manager page)
- Locate the "Prepare the Snapshot" section at the top.
- If your snapshot is not yet prepared, click on "Prepare" and wait for the operation to finish.
- Now connect the REVEN server to the Internet
- Click on "Show advanced", then on "Download PDB files". This will effectively download all possible PDBs from the prepared file system.
- You can monitor and control the
PDB downloadtask in the
Tasks & Sessionstab.
Note that if the software you want to analyze can be augmented with PDBs (such as Chrome), make sure it is installed prior to preparing the snapshot. See advanced snapshot management for more information.
You can apply the same procedure just above but without an Internet connection: at the end of the
PDB download task, you will get a list of PDBs REVEN could not successfully download. Copy this list over to an Internet-capable machine and use it to download all PDBs yourself.
Once you have your set of PDBs, copy them over to REVEN's local PDB store.
Finally if you have no other option, you can use the
bin/rabin2 tool provided with REVEN to download PDBs from a binary:
RABIN2_PDBSERVER="<pdb server>" RABIN2_SYMSTORE="<path to the local PDB store>" bin/rabin2 -PP "<binary file>"
Note you have to copy the binary file from the VM over to an Internet-capable machine by your own means. Once you have your set of PDBs, copy them over to REVEN's local PDB store.
During normal operation, REVEN first looks for PDBs in its local PDB store. This store is common to every scenario of a REVEN installation. Therefore, a last resort option on an air-gapped network is to populate the store manually on the server's disk with a set of PDBs that you would have downloaded on an separate network.
The store's path is defined in the settings files, its default path is
~/.local/share/reven/symbols on both Docker and native installations.
The store structure respects the following format:
<PDB filename>/<GUID><AGE>/<PDB filename>
hal.pdb └── 81C1AF690083498BA941D5EC628CDCF41 └── hal.pdb ntdll.pdb └── 4E4F50879F8345499DAE85935D2391CE1 └── ntdll.pdb ntkrnlmp.pdb ├── 0DE6DC238E194BB78608D54B1E6FA3791 │ └── ntkrnlmp.pdb ├── 23CA40E78F5F4BF9A6B2929BC6A5597D1 │ └── ntkrnlmp.pdb ├── 2980EE566EE240BAA4CC403AB766D2651 │ └── ntkrnlmp.pdb └── 83DB42404EFD4AB6AFB6FA864B700CB31 └── ntkrnlmp.pdb
This structure is exactly the same as Microsoft's PDB store, and makes it easy to merge two PDB sets together.
While in general PDBs are only used for displaying more debug symbols when analyzing a binary, certain PDBs are necessary for REVEN features. You should really make sure they are available if you download PDBs manually.
|Binary||PDB Necessary for|
(ntoskrnl.exe or other names)
|kernelbase.dll||Binary auto record|
|ntdll.dll||Binary auto record|
|wow64.dll||Binary auto record of a 32-bit program in a 64-bit machine|
NOTE: Having the right PDB for the kernel being run is mandatory for anything related to OSSIs in REVEN. There must be an exact GUID match between the kernel and its PDB.
NOTE: Outside of the PDBs mentionned in the table above, if a PDB is missing, REVEN will simply fetch the symbols available in the PE binary instead.