The Reven Python API.
Provide a pythonic way to interact with a Reven server. This mainly provides an object oriented wrapper on the low level api, plus a few helper functions to make Reven scripting more straightforward.
To use it, the first step is to connect to a running Reven server, for example on port 13370 of the host localhost:
>>> import reven2 as rvn2 >>> server = rvn2.RevenServer('localhost', 13370)
About properties
Field members in our python classes are typically encapsulated in properties. For instance, the private field RevenServer._host can be read from RevenServer.host
. Properties are special methods that should not be called with parenthesis, e.g. RevenServer.host, not RevenServer.host(). To make this distinction clearer in our documentation, the documentation for a property always starts with the keyword Property: (e.g., see the properties host and port in RevenServer
's documentation).
Changelog
Every notable changes to this api will be documented in this file.
2.14.0
- Prevent positional argument in
preview.project_manager.ProjectManager.get_server_by
to improve typing. - Add
reven2.types.TypeResolver
,reven2.types.UnresolvedEnumeration
andreven2.types.UnresolvedStruct
to allow forward declaration of user-defined fields in struct, class or union. - Add a way to retrieve the memory regions where the binary is mapped in a
reven2.ossi.BinaryMapping
. - Add
reven2.ossi.OssiContext.current_process_mappings
to retrieve the mapping of the current process.
2.13.0
- Add a file `py.typed` to inform that the reven2 package is typed
2.12.0
- Compatibility note:
reven2.stack.StackFrame.first_context
may return a different context in the case of a frame of type Unknown. Previously it would return the first context where the frame was directly executed (not one of its children call), now it returns the first context where this frame or one of its child frames is being executed. The old behavior is now provided byreven2.stack.StackFrame.first_executed_context
. - Compatibility note:
reven2.stack.StackFrame.type
andreven2.stack.StackFrame.creation_transition
are now deprecated. Use thereven2.stack.StackFrame.start_event
to retrieve this information. - The
reven2.stack
module has been extended to support the stack event API:- A
reven2.stack.StackFrame
now gives access to its call subtree and super tree viareven2.stack.StackFrame.ancestors
,reven2.stack.StackFrame.children
,reven2.stack.StackFrame.reversed_children
andreven2.stack.StackFrame.parent
. - A
reven2.stack.StackFrame
now gives access to the location and transition of the function executed in that frame viareven2.stack.StackFrame.function_location
andreven2.stack.StackFrame.function_start
. - A
reven2.stack.StackFrame
now gives access to the relevant event in the stack events, such as itsreven2.stack.StackFrame.start_event
,reven2.stack.StackFrame.end_event
andreven2.stack.StackFrame.descendant_events
(that include stack change events). To support this, thereven2.stack.EventsIterator
,reven2.stack.FrameStart
,reven2.stack.FrameEnd
,reven2.stack.FrameStartType
,reven2.stack.FrameEndType
,reven2.stack.StackEnter
andreven2.stack.StackLeave
,reven2.stack.StackSpace
types have been added. - Added
reven2.stack.StackFrame.last_context
that provides the last context where a frame exists. - Added
reven2.stack.Stack.frame
as a shortcut for next(stack.frames()), giving more convenient access to the current frame. - Added __eq__ and __hash__ methods to
reven2.stack.Stack
andreven2.stack.StackFrame
. - For more information, please refer to the updated documentation of the
reven2.stack
module.
- A
- Added
reven2.ossi.Ossi.os
to get the OS family, version, kernel version and architecture of the current scenario. reven2.types.ArrayInstance
s whose element type is a pointer now always contains a list ofreven2.types.PointerInstance
s. Previously, it would sometimes contain a list of addresses.- The instance types in
reven2.types
now have a string representation for printing. - Added
reven2.types.StructInstance.format
,reven2.types.PointerInstance.format
andreven2.types.ArrayInstance.format
. - Added
reven2.types.StructInstance.__format__
,reven2.types.PointerInstance.__format__
andreven2.types.ArrayInstance.__format__
. - Added
reven2.util.parse_colon_separated_key_values
. - Added
reven2.types.StructInstance.fields
to iterate on the field and bitfield instances of a struct instance. - Iterating on fields with
reven2.types.Struct.fields
now always resolve the types of the field. Previously, the fields were resolved only when callingreven2.types.Struct.field
on a specific field. - Fixed a RecursionError when attempting to resolving a type containing an array of pointers to that type.
- Add
reven2.ossi.Binary.types
to get named types from a debug object for Windows scenarios in case there are multiple types with the same name. - Fix a bug in
preview.windows
when the kernel had twice the structure `_KPCR` in its PDB - Add
reven2.framebuffer.Framebuffer
API to get the current framebuffer as an image. - Add
reven2.trace.Context.framebuffer
to get thereven2.framebuffer.Framebuffer
at a context. - Add
reven2.ossi.Location.__eq__
,reven2.ossi.Location.__ne__
andreven2.ossi.Location.__hash__
- Add
preview.project_manager.ProjectManager.upload_scenario
to upload a scenario archive. - Add
ProjectManager.get_server_by
scenario name or uuid andProjectManager.close_server
inpreview.project_manager
. reven2.trace.Transition
andreven2.address
are not displayed as a clickable link in Jupyter anymore.
2.11.0
Compatibility note:
reven2.preview.taint.Tainter.simple_taint
no longer attempts to convert the passed tag argument to int when it doesn't match any of the supported types.Compatibility note: Comparing an address with another type for equality no longer raise a ValueError, but returns False.
Compatibility note: Calling
Trace.memory_accesses
with a size of 0 now raises a ValueError.Compatibility note:
reven2.ossi.FunctionSymbol.prototype
is deprecated. Usereven2.ossi.FunctionSymbol.demangled_name
insteadCompatibility note: since
reven2.ossi.Ossi.symbols
andreven2.ossi.Binary.symbols
now returnreven2.ossi.DataSymbol
in addition toreven2.ossi.FunctionSymbol
, indiscriminately callingreven2.ossi.FunctionSymbol.name_only
orreven2.ossi.FunctionSymbol.prototype
on its returned values may now raise an exception. If you have code like the following:>>> for symbol in binary.symbols(): >>> symbol.prototype
Modify it to use the
reven2.ossi.Binary.function_symbols
function instead:>>> for symbol in binary.function_symbols(): >>> symbol.prototype
Compatibility note: Constructing a
reven2.preview.taint.TaintedRegisterSlice
with a non-positive size now raises a ValueError.Compatibility note:
reven2.trace.Context.deref
is now deprecated when the target is a type containing nested pointers. Either usereven2.trace.Context.deref_all
to explicitly ask for nested-pointer dereference, or replace the inner Pointer types with USize. In the futurereven2.trace.Context.deref
will only dereference the outermost pointer.Compatibility note:
reven2.trace.Context.read
is now deprecated when the target is a pointer type. To compute an address add the base address of the pointer type to the offset computed by reading as an USize. In the future,reven2.trace.Context.read
will return areven2.types.PointerInstance
when reading a pointer.Compatibility note: Fixed an issue where reading a
reven2.types.Array
of e.g. areven2.types.CString
, areven2.types.Pointer
or a nestedreven2.types.Array
would return values of incorrect types. As a result of this fix, reading a value as areven2.types.Array
will now return areven2.types.ArrayInstance
.Add
reven2.types.ErrorType
andreven2.types.VoidType
to represent types that couldn't be parsed from a debug object and the void type.Add
reven2.types.Struct
,reven2.types.Enumeration
,reven2.types.UnresolvedStruct
,reven2.types.UnresolvedEnumeration
to model user-defined types.Add
reven2.types.StructInstance
,reven2.types.EnumerationInstance
,reven2.types.ArrayInstance
,reven2.types.PointerInstance
to represent values read from these types.Add
reven2.ossi.Binary.exact_type
to get a named type from a debug object for Windows scenarios.Add
reven2.types.F16
.reven2.types.Pointer
now accepts an explicit size arguments. Pointers created this way don't have a context-dependent size.Add string representations for classes in the
reven2.types
package.Classes in the
reven2.types
package are now comparable for equality and hashable.Add
reven2.trace.Context.deref_all
to explicitly ask dereferencing nested pointer types.Add
reven2.types.Pointer.cast_inner
to cast the inner type of a pointer.You can now modify a
reven2.preview.taint.TaintState
to add or remove elements of the state, and restart a new taint from this modified state usingreven2.preview.taint.Tainter.taint_from_state
.Add
reven2.arch.helpers.is_flag_register
andreven2.arch.helpers.is_condensed_flags_register
.Fix issue where
reven2.trace.Trace.filter
would raise an exception if to_context == from_context + 1.Add
reven2.RegisterSlice
to build bitwise slices of areven2.Register
.Add
reven2.register_slice.RegisterSliceMap
andreven2.register_slice.RegisterSliceSet
to store multiplereven2.RegisterSlice
reven2.preview.taint.TaintedRegisterSlice
now accepts areven2.RegisterSlice
as tainted data.Add
reven2.Register.root
andreven2.Register.children
to retrieve the base register/children registers of a register.Allow to build a
reven2.RegisterSlice
by indexing a register, e.g. reven2.arch.x64.rax[0:-3].Add
reven2.MemoryRange
to model ranges of memory address.Add
reven2.memory_range.MemoryRangeMap
andreven2.memory_range.MemoryRangeSet
to store multiplereven2.MemoryRange
Add memory range support to various types of the API.
Expose
reven2.arch.register.Register
andreven2.arch.register.Category
asreven2.arch.Register
andreven2.arch.Category
.Make
reven2.arch.Register
hashable.Make
reven2.address
types hashable.Typing: Expose
reven2.address.AddressType
to represent any address type to the type checker andreven2.address.VirtualAddress
to represent virtual addresses to the type checker.Add marker file indicating that the API is typed. This results in type checkers no longer ignoring types of the API when typechecking scripts that uses the API.
Make
reven2.trace.Context
andreven2.trace.Transition
hashableAdd support of data symbol:
reven2.ossi.Symbol
is now an abstract class- Add
reven2.ossi.FunctionSymbol
andreven2.ossi.DataSymbol
to ossi reven2.ossi.Ossi.symbols
andreven2.ossi.Binary.symbols
return an iterator ofreven2.ossi.FunctionSymbol
andreven2.ossi.DataSymbol
- Add new methods
reven2.ossi.Binary.function_symbols
andreven2.ossi.Binary.data_symbols
Add
reven2.ossi.BinaryMapping
andreven2.ossi.OssiContext.kernel_mappings
to access to the kernel mapping at a context.Add
preview.windows
package containing Windows 10 utilities (e.g to parse handles and objects)Equality comparisons of objects
reven2.ossi.Binary
,reven2.ossi.BinaryMapping
,reven2.ossi.Symbol
,reven2.trace.Context
,reven2.trace.Transition
andreven2.memhist.MemoryAccess
have a specified behavior when comparing against an object of a different type.
2.10.2
- Add
OssiContext.thread
method to get the current thread.
2.10.1
- Add
Type.to_bytes
method to convert a value of a type to bytes.
2.10.0
- Compatibility note: The following deprecated classes and methods have been removed: Stack.backtrace, BackTrace, Taint.changes, TaintChanges, TaintChangeView.
- Compatibility note: The return value of
Symbol.name
changed: previously it would return the prototype, now it returns the short name (Symbol.name_only) of a symbol if available, or defaults to the source name (Symbol.source_name
). - In Jupyter Notebook, a
reven2.address.LinearAddress
,reven2.address.LogicalAddress
orreven2.address.LogicalAddressSegmentIndex
instance now displays as a clickable link that instructs Axion to open a hexdump widget for that address in Jupyter Notebook. - Added the
reven2.session.Sessions.publish_address
method to publish an address to clients like Axion. - Add new name-related properties to
Symbol
:Symbol.source_name
, Symbol.name_only and Symbol.prototype. - Added
trace.Mode
class that indicates the current mode. - Added
Transition.pc
andTransition.mode
properties. - The
Transition
,Instruction
,CPUException
are now faster to fetch back from the server: up to 5x faster in some workloads. - Add the
Ossi.executed_processes
method to get the processes executed in the trace. Currently this feature will return results only for windows. - Add the
Trace.filter
to iterate on contexts that match filter policies. Currently process policies and ring policy are available. - Add
preview.prototypes
package containing basic parsing of C function prototypes
2.9.0
- Compatibility note: the Stack.backtrace method and BackTrace class have been deprecated and are scheduled for removal in version 2.10. Use str or display with a
Stack
instance to display the backtrace. - The
reven2.trace.Trace.memory_accesses
method now supports fetching memory accesses on the entire trace or between 2 transitions without specifying an address range. - Added
Transition.step_out
andTransition.step_over
2.8.1
- Fix issue were
Instruction
s were displayed without their prefixes.
2.8.0
- Compatibility note: The values returned by the
Instruction.mnemonic
andInstruction.operands
methods may have changed from previous versions. See the release notes for more detailed information about the changes. - Compatibility note: The behavior of the
Tainter.simple_taint
andTaintResultView.filter_by_context_range
functions has been modified in the way the to_context parameter is handled. Previously, the taint would not propagate through theTransition
right before the to_context parameter. With this change, it is now the case. This means that a simple taint between context c and context c + 1 will now propagate through the transition between context c and its successor context, whereas before it would propagate through no context at all. - Fixed issue where
Context.find_register_change
could loop infinitely when invoked in backward. - Fixed issue where
Context.find_register_change
could skip changes depending on the value of the fetch_count parameter. - Fixed an AttributeError on
TaintResultView.filter_by_context_range
when to_context is None (its default value). - Improved accuracy of the `Transition.find_inverse` method so that it returns the correct transition in more cases. Previously incorrect matches might be produced on pagefault/iret, syscall/sysret, sysenter/sysexit.
- Drop support for Python 2 and Python 3.5. reven2 now only support Python 3.7+.
2.7.0
- Added
RevenServer.scenario_name
property. - Fixed issue where
TaintAccess.state_before
andTaintAccess.state_after
would sometimes raise a StopIteration Exception. - Fixed issue where multiple calls to
Tainter.simple_taint
would mistakenly share the same taint data.
2.6.0
- Added
Taint.accesses
for querying all the transitions that touch the tainted data. Can be filtered to query only the transitions that change taint state (like Taint.changes). - Mark Taint.changes as deprecated. Use
Taint.accesses
instead. - Fixed issue where
TaintResultView.take_n
method would sometimes return the wrong number of results. - Added
Trace.first_context
,Trace.last_context
,Trace.first_transition
,Trace.last_transition
- Added
Search.memory
to search byte patterns throughout the whole trace - Fixed issue where
TaintedRegisterSlice
would sometimes take the entire register instead of the requested slice
2.5.0
- Added
reven2.bookmark
module that allows to programmatically add, access, edit and remove bookmarks. - Added
reven2.address.LinearAddress.translate
,reven2.address.LogicalAddress.translate
,reven2.address.LogicalAddressSegmentIndex.translate
to translate the virtual address intoreven2.address.PhysicalAddress
. - Added
reven2.trace.Transition.find_inverse
method to get the transition that performs the inverse operation to the given transition. - Added
reven2.trace.Context.find_register_change
method to find the next/previous context in which the content of the requested register is modified. - Added
reven2.session
module that allows to publish various events to clients like Axion. - Added
reven2.RevenServer.sessions
property that lists the sessions tracked by the RevenServer. reven2.RevenServer
andreven2.RevenServer.connect
now accept an additional keyword parameter 'sessions' to set the tracked sessions- In Jupyter Notebook, a
reven2.trace.Transition
instance now displays as a clickable link that instructs Axion to select that transition in Jupyter Notebook.
2.4.0
- No changes
2.3.0
- Marker names created by preview.taint.simple_taint are changed from tag0/tag1 to Tag0/Tag1
- Added
ProjectManager.hostname
andProjectManager.port
properties - Added
ProjectManager.connect
to connect to a Reven project from its name - Added
ossi.OssiContext.process
to get the information of the currentossi.process.Process
2.2.1
- Fixed an issue where the
Instruction
object would sometimes contain wrong operands for relative jmp - Improved the performance of the
Context.read
method up to x3 in typical workloads - Added a timeout argument to the
String.memory_accesses
method, allowing to specify how long this function should attempt to recover all accesses before raising an exception. - Modified Stack.backtrace property so that it returns a string instead of printing it.
- Made the if register accessible from the API. Previously, attempting to access reven2.arch.x64.if would raise a SyntaxError, because if is a python keyword. You can now access the if register through reven2.arch.x64.if_.
2.2.0
- Add
trace
package containing basic classes to navigate in a trace and inspect cpu registers and memory - Add
search
module containing basic objects to search interesting points in a trace - Add
trace.Trace.memory_accesses
andtrace.Transition.memory_accesses
to query memory accesses from the trace - Add
memhist
package containingMemoryAccess
object - Add
stack
module containing basic objects to get interesting information on the stack like the backtrace - Add
string
module containing a basic `String` object to get interesting strings in the trace and their memory accesses - Add
ossi
package containing basic objects to get Operating System Semantic Information (OSSI) - Add
types
package containing various predefined types and type constructors - Add
arch
package containing the various x86_64 registers - Add
address
package containing representation of memory addresses - Add
preview.project_manager
package containing basic (incomplete) bindings to the Reven project manager REST API - Add
preview.taint
package containing an experimental, simplified API for the taint - Add explicit relative imports, for Python 3 compatibility
2.0.0-dev
- The API is currently in development
- cleanup and rework of the
RevenServer
class (previously Project)
2.0.0-prerelease
- The API is currently not available
Module | address |
Defines memory address classes |
Package | arch |
Contains classes and instances related to the description of the machine architecture. |
Module | bookmark |
No module docstring; 2/3 classes documented |
Module | filter |
Module related to trace filter. See the Trace object. |
Module | framebuffer |
This module contains the Framebuffer type used to acces the framebuffer and take screenshots from the trace. |
Module | memhist |
No module docstring; 0/1 variable, 0/10 function, 3/3 classes documented |
Module | memory |
This module contains the MemoryRange type that model a range of memory addresses, and related types. |
Package | ossi |
Package related to OSSI information. See the OssiContext object. |
Module | prelude |
This is the prelude module of the Reven python API |
Package | preview |
Contains subpackages and modules whose API is not considered stable yet. |
Module | register |
This module contains the RegisterSlice type that models a bitwise-slice of a register. |
Module | search |
Module related to trace search. See the Search object. |
Module | search |
No module docstring; 7/8 classes documented |
Module | session |
Module related to sessions, that allow to publish information to various other connected clients (e.g., Axion). |
Module | stack |
Module related to stack. See the Stack object. |
Module | string |
Module related to strings in trace. See the String object. |
Package | trace |
Module related to the execution trace. See the Trace object. |
Package | types |
Contains classes and instances related to the description of data types. |
Module | util |
Module that provide util functions |
From __init__.py
:
Variable | __version__ |
Undocumented |