trace selected Ring3 program

[johdcmlaker2000]

Is there in REVEN Free edition (i know about Automated recording and ASM-stubs) any way to minimize replay size by tracing only selected ring3 process with no kernel tracing or something like that?

[Quentin01]

Hi,

REVEN currently works with full-system traces only (ring0 + ring3) in all editions. You're correct that the Enterprise edition provides ways to shorten traces by allowing recording around a specific process using automatic binary recording or between arbitrary start/stop points using ASM stubs.

Working with full-system traces is leveraged in particular by the backward/forward data flow Taint feature which allows to follow data full system for investigations such as crash to data or data to crash.

Aside from trace generation, on the analysis side, the Ring and Process Filter feature, available in Axion GUI and Python API, allows to browse the trace while sticking to some ring and set of processes.

Otherwise, here are some general tips to record lighter scenarios:

• Ensure that the CPU activity of your target VM is low (ie the VM is idle) when:
  • you take your live snapshot that you'll use as a starting point for your record.
  • you're about to record a scenario, especially if you had to perform preparations specific to your scenario after loading your live snapshot (e.g., starting a browser in the target VM).
• Ensure that you start the record at the latest possible point, eg everything is started and you only record the section that is necessary to your analysis.
• Similarly, ensure that you stop the record as soon as you recorded the relevant section. For instance, it is rather slow to print to the console, so you can typically stop the record before a final message appear when recording console applications.
• If possible, play your scenario in your target VM a first time before recording it. This will use the OS' cache to speed-up things for the actual record.
• Ensure that no necessary background tasks or services are running.