What is REVEN?

Summary

REVEN is a Timeless Debugging and Analysis (TDnA) Platform designed to make reverse engineering 10x faster and 10x deeper.

Analysts use REVEN for vulnerability analysis, malware analysis, software discovery, exploration of Windows or Linux kernel mechanisms, and similar tasks.

Technically, REVEN records the execution of an entire virtual machine for a period of time, then provides access to that recording for analysis through both a GUI (named Axion) and a Python API.

The analyst can follow the trace of all executed CPU instructions for all processes and kernel modules, alongside memory and CPU registers.

Moreover, REVEN provides unique analysis features such as the Memory History and the Taint engine. Finally, REVEN provides high-level context with process names, binaries and symbols.

Get the job done

Here are a few examples representative of what can be achieved with REVEN:

Timeless analysis as a first-class citizen

REVEN and its collection of features provide a unique way to reason about the execution of a system and extract answers from a recorded trace:

  • Explore the recorded trace timelessly and intuitively with the Trace View, the Search, or the Call tree.
  • Stay at the level of a process or dive deep into kernel and driver code if necessary.
  • Follow the data flow between functions, binaries or processes with the Memory History and the Taint engine and get immediate answers.
  • Automate repetitive actions or build complex heuristics with the Python API.

See the Axion Views for more screenshots of the various provided features.

Batteries included

A lot of effort went into making REVEN a comprehensive and easy-to-use tool in your toolbox:

  • Import Virtual Machines and record scenarios easily with the step-by-step GUI.
  • Access the whole scenario's data and discover features with the Analysis GUI.
  • See debug symbols thanks to automatic PDB download and support for Linux debug files.
  • Combine REVEN with other tools thanks to the built-in integration with third-party tools: WinDbg, IDA / Ghidra / Binary Ninja, Wireshark...
  • Get direct support from the development team as part of your license, to sort out questions or issues quickly.

How does it work?

REVEN is built from multiple moving parts:

  • A Recorder & Replayer, to record the Virtual Machine & replay its execution later on. REVEN can plug into multiple recorders (and you can build your own); by default REVEN integrates with, and recommends using, the QEMU-based PANDA.
  • An analysis engine, that builds indexes and provides the high level features of trace navigation, tainting, filtering, etc.
  • Multiple GUIs and Python APIs to glue this all together and provide a seamless experience.

I want to learn more

Here is a list of further resources should you want to know more about the product: