REVEN in your toolkit


Feb 20, 2015

Categories: REVEN
Tags: REVEN, Axion, Taint




REVEN provides many analysis tools, but it may still lack some features of your favorite tools. To address this we created a Python API that lets you write and share plugins. We also developed some plugins ourselves to make REVEN interoperate with external tools.

Universal debugging

The GNU debugger, gdb, provides a standard interface for remote debugging: any program that speaks the gdb remote serial protocol can communicate with it seamlessly.

The flexibility offered by this design encouraged us to expose a debugger interface over this protocol through a plugin called GdbStub. This allows any gdb-compatible IDE or debugger to be used as a REVEN front-end.

[Screenshot: the gdb command line driving REVEN as back-end]

For example, we may use the gdb command line with REVEN as back-end, as in the screenshot above. In this case the plugin keeps Axion synced with the debugger's current program counter.

But remember, REVEN isn't a classical software debugger: it provides the usual capabilities, but without the well-known limitations caused by the intrusive behavior of software debugging.
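To make concrete what a stub like GdbStub has to speak, here is an added example (not REVEN's or GdbStub's code) of the gdb remote serial protocol framing plus a tiny read-only stub that answers the first requests gdb sends, served from a constructed, hypothetical snapshot of one point in a recorded trace:

```python
import re

def rsp_checksum(payload: bytes) -> int:
    """Remote serial protocol checksum: sum of payload bytes modulo 256."""
    return sum(payload) % 256

def rsp_encode(payload: bytes) -> bytes:
    """Frame a payload as '$' + payload + '#' + two lowercase hex checksum digits."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)

def rsp_decode(frame: bytes) -> bytes:
    """Unframe one packet, verifying its checksum; raise ValueError if it is bad."""
    m = re.fullmatch(rb"\$(.*)#([0-9a-fA-F]{2})", frame, re.DOTALL)
    if not m:
        raise ValueError("malformed RSP frame")
    payload, cksum = m.group(1), int(m.group(2), 16)
    if rsp_checksum(payload) != cksum:
        raise ValueError("RSP checksum mismatch")
    return payload

# Constructed snapshot standing in for one instant of a recorded trace
# (hypothetical layout, not REVEN's API): four 32-bit registers in the order
# gdb expects for an i386 'g' reply, and a small memory window.
SNAPSHOT = {
    "regs": [0x00000001, 0x00401000, 0xBFFFF000, 0x00000000],
    "mem_base": 0x00401000,
    "mem": bytes.fromhex("5589e583ec10c9c3"),   # constructed code bytes
}

def handle_packet(payload: bytes, snap=SNAPSHOT) -> bytes:
    """Answer the handful of commands a read-only stub needs at attach time."""
    if payload == b"?":                           # why is the target stopped?
        return b"S05"                             # SIGTRAP, what gdb expects
    if payload == b"g":                           # all registers, little-endian hex
        return b"".join(r.to_bytes(4, "little").hex().encode() for r in snap["regs"])
    if payload.startswith(b"m"):                  # memory read: m<addr>,<len>
        addr_s, len_s = payload[1:].split(b",")
        addr, length = int(addr_s, 16), int(len_s, 16)
        off = addr - snap["mem_base"]
        if off < 0 or off + length > len(snap["mem"]):
            return b"E01"                         # outside the snapshot: error reply
        return snap["mem"][off:off + length].hex().encode()
    return b""                                    # empty reply means "unsupported"

def serve(frame: bytes) -> bytes:
    """One round trip: decode the request frame, dispatch it, frame the reply."""
    return rsp_encode(handle_packet(rsp_decode(frame)))
```

A real stub would also handle gdb's `+`/`-` acknowledgements and the `}` escaping of binary payloads; the point here is that the protocol is small enough that any gdb-compatible front-end can drive a recorded trace through it.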

IDA multiplexing with qb-sync

Although REVEN provides a static binary view, the reference tool is still good old IDA Pro. Many people are used to its workflow, and its numerous plugins make it an essential tool for binary analysis. This pushed us to look at how we could integrate REVEN with it further.

Luckily, the Quarkslab team had already done the hard work and developed a tool named qb-sync. It enables a debugger to control and stay in sync with the IDA static view; it currently supports windbg, gdb, lldb and ollydbg as back-ends.

So we created an Axion back-end for qb-sync, allowing synchronization between the IDA static view and the Axion dynamic one.

[Screenshot: the IDA static view synchronized with Axion through qb-sync]

Another useful feature of qb-sync is the ability to synchronize multiple IDA sessions at once. This becomes very powerful when combined with offline, timeless, whole-system debugging. Since the execution may go through several binaries (at least the kernel and the libc, for dynamically linked programs) running in potentially different processes, qb-sync's ability to dispatch the focus to the right IDA instance (adjusting the binary base address on the fly if needed) allows seamless debugging of complex mechanisms such as inter-process communication or user-land and kernel-land interaction, while keeping the comfort of the static view.

Time traveling debugging for all

As we saw, we try hard to integrate REVEN into your everyday workflow as cleanly and efficiently as possible. Timeless debugging isn't yet a common practice, and we hope to make it easier to tame by supporting industry-leading products and standards.
