Executive Summary

Revenant is a high-performance Dynamic Binary Translation (DBT) framework engineered in Rust. It specializes in the automated deobfuscation of polymorphic and metamorphic malware by lifting opaque binary blobs into LLVM Intermediate Representation (IR). Unlike standard emulators, Revenant focuses on semantic recovery—stripping away junk code and mutation layers to reveal the underlying logic.

Core Architecture

• Front-end (Lifting): Supports x86_64 and AArch64. Implements a custom lifter that converts machine instructions into a side-effect-aware IR.
• Optimization Layer: Leverages LLVM’s optimization passes (SROA, GVN, DCE) to perform “Symbolic Execution-lite,” effectively collapsing obfuscated branches and dead-store loops.
• Back-end: Can re-emit cleaned binaries or provide a JIT environment for high-speed analysis of unpacked payloads.

» Project Transmissions (Dev Logs)

The following logs document the development milestones, research breakthroughs, and technical hurdles encountered during the Revenant lifecycle.

Technical Roadmap

• Pipeline implementation.
• Initial trace collector implementation.
• Initial Pre-Lifter implementation.
• Initial x86_64 Lifter implementation.
• Integration of Z3 for automated SMT-based opaque predicate solving.
• Exporter implementation.
• Language bindings (Py, JS, Java, C, C++).