When working on a Windows scenario, whether in user land or kernel, WinDbg is always a tool of choice for its deep understanding of the OS and its environment.
This is also true when performing timeless analysis with REVEN, where WinDbg can be of some great help to:
- Perform debugger-assisted recording so as to choose start and stop record points accurately and keep records short and to the point.
- Provide advanced analysis information when analyzing a recorded and replayed scenario.
When doing a debugger-assisted recording, you will connect WinDbg in kernel mode to a VM at the recording stage of a scenario via REVEN's Virtual Machine Introspection (VMI) capabilities. From that point, you can:
- Use breakpoints to control the recording stage more finely (see how here).
- Get a debugger at the start of a process you wish to record (see how here).
- Inspect the VM state to validate conditions, while it is being recorded.
- Orchestrate the recording of multi-process cases.
You can connect WinDbg in kernel mode to a REVEN trace. In this case, the trace is presented as a live running VM to the debugger. This allows you to:
- Navigate the trace in a familiar environment while retaining the timeless aspects even in kernel space.
- Get high level semantic information: handles, kernel objects, etc.
- Explore data structures declared in PDBs.
- Get information about the system such as all running processes.
- Run existing scripts you might have already created for your use cases.
In both situations, the integration works via a bridge program called
RvnKdBridge. It is intended to run on Windows alongside your WinDbg client: it will connect to the REVEN VM or trace on one side, and create a named pipe WinDbg can connect to on the other.
Please read the following pages for further information: