2023.04

Highlights

Summary

esReven version 2023.04 is the second version released by eShard. It focuses on 2 areas:

  • Quality-of-life updates to the product.
  • Introduction of two new knowledge modules.

Quality-of-life updates to the product

  • First of all, esReven is now the easiest to install it has ever been! The packaging has matured as we are taking more and more environments into account: you can now install & run esReven with an up-to-date docker compose plugin, on no-execute partitions, with no ptrace rights, you can configure proxies, and so on.
  • We also addressed a number of small issues that smooth out the web interface experience: the log out/log back in workflow now works as expected, we fixed issues that required the user to refresh the page, etc.
  • Lastly, we made a few improvements to the esReven engine and its environment: the ASM stub is now easier to discover and use, and now it supports Rust as well. Bugs have been fixed in the API, etc.

One important thing to note: we merged the reven JupyterLab kernel into the base one - there is no reven JupyterLab kernel anymore, and you can use either kernel available (they are equivalent): both now include the reven package.

See below for the full list of changes.

Subscription-based knowledge modules

Following the path set in the previous version, in parallel to this version we are introducing the first two subscription-based knowledge-base modules. These must be purchased separately from your esReven license, and will get new content regularly.

Advanced Usage How-tos

These how-tos will provide straightforward guides that cover situations where translating the intent of the reverse engineer into a set of tasks is not trivial. They are intended for those who wish to refine their esReven skills to tackle advanced use cases and be more efficient with the platform.

How-to example

At the time of this release, we have focused on addressing advanced recording situations, as well as networking options:

  • Recording non-trivial environments: discover how to efficiently record many use-cases with general strategies and actionable information to get you started quickly.
    • Overview of the tools at our disposal for recording.
    • Strategy: recording a standalone application as it loads data (file, URL, etc.).
    • Strategy: recording a standalone application as I communicate with it (via IPC, network or other).
    • Strategy: the crash (or procedure) is non-deterministic or not 100% reliable.
    • How to: every method to stop the recording when a process exits, crashes, or when the OS crashes.
    • How to: inject code in a program to control its behavior or its recording.
  • Advanced target VM networking: discover various networking possibilities for your target VM and the proper QEMU options you can use, covering more advanced use cases than the default.

Applied Algorithms & Tools

In this module, we introduce comprehensive tools built on top of the esReven framework. These tools will help you better leverage esReven to answer questions more effectively, while teaching you about the approach taken.

How-to example

Tools are documented such that they can be adapted if necessary, and, when applicable, provide their functionality as a library so other scripts can be built on top of them.

At the time of this release, we have focused on extracting valuable information from Windows traces with two important tools:

  • File activity (Windows): This tool notebook presents the activity on files in a trace: file creation, accesses, etc.
  • Process activity (Windows): This tool notebook presents an overview of the general process activity in a trace: process starts, exits, crashes.

Along with the tools come Python libraries to exploit the data in your own scripts, as well as knowledge notebooks that explain the approach taken.

Changes and improvements

General packaging

  • Removed the ptrace requirement & checks, as they are no longer needed.
  • Updated to Docker Compose V2.
  • Support installation on no-exec partitions.
  • Do not require the sudo password when the installation user is in the docker group.
  • New upgrade documentation

esReven Web Interface

  • Reduced RAM usage of login system esConnect.
  • Fixed "Incorrect Application url fetching" token issue when navigating between applications.
  • Fixed behavior on air-gapped system: do not fetch fonts on external hosts.
  • Better logout experience: the user can now immediately log back in to esReven, instead of into the underlying esConnect application.

Python API

  • esReven's Python API is now included in the default base kernel of JupyterLab - no need to select a separate kernel anymore.
  • Linting now follows latest black version.
  • Type hints are now available for the reven2 Python module to IDEs & other tools, thanks to the py.typed file that is now part of the packaging.
  • Fixed an API call in preview.project_manager's export_scenario.
  • Python wheels are now built & shipped to be PEP 440-compatible. This makes the package easier to install with recent setuptools.

Reven engine & project manager

  • Fixed loading of the QUASAR_WEBSOCKIFY_PUBLIC_PORT environment variable, used to configure one of the ports that must be open to users.
  • Improved ASM stubs:
    • Better README file
    • Add Rust compatibility with a new Rust module
    • Rename ASM stubs entry to mention all supported languages
  • Internal binary wrapper system has been simplified.
  • Unused text tool reven_taint binary is not shipped anymore.
  • The Reven GUI Axion can now be built with more recent gcc versions.
  • Linting now follows latest black version.

Knowledge modules

  • (Bundled) "VulnAnalysis": Add instructions on how to configure WinDbg to fetch Chrome's PDB files
  • (Bundled) "GettingStarted": Provide an archived link to the now-removed MSEdge Microsoft VMs.