An instruction trace visualisation tool for dynamic program analysis

rgat

An instruction trace visualisation tool intended to help reverse engineers make the link between target behaviour and code

What is rgat?

rgat uses dynamic binary instrumentation (courtesy of DynamoRIO) to produce graphs from running executables. It creates static and animated visualisations in real-time to support types of analysis that might be a lot more cumbersome with disassemblers and debuggers alone.

This page explains what kinds of things you can and can't do with it, but basically it looks like this:

Live animation: (animated screenshot)

Edge frequency heatmap: (screenshot, "gametime heatmap")

Static view zoomed into individual instructions: (screenshot)

You may also want a brief introduction to the graph layout.
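To make concrete what "producing graphs from a trace" and an edge frequency heatmap mean, here is an added example that is not rgat's or DynamoRIO's code: it builds an instruction graph from a trace, buckets edge execution counts into heat levels, and lists the outcomes actually observed for each conditional jump. The trace format and the assembly snippet are constructed for illustration only.

```python
from collections import Counter, defaultdict

# Constructed trace: (address, mnemonic) pairs in execution order, roughly what a
# DBI client could emit for a loop whose body runs twice before the exit is taken.
TRACE = [
    (0x401000, "mov ecx, 3"),
    (0x401005, "cmp byte ptr [eax], 0"),  # loop head
    (0x401008, "je 0x401012"),             # exit if the byte is zero
    (0x40100a, "inc eax"),
    (0x40100b, "dec ecx"),
    (0x40100c, "jnz 0x401005"),            # loop while ecx != 0
    (0x401005, "cmp byte ptr [eax], 0"),
    (0x401008, "je 0x401012"),
    (0x40100a, "inc eax"),
    (0x40100b, "dec ecx"),
    (0x40100c, "jnz 0x401005"),
    (0x401005, "cmp byte ptr [eax], 0"),
    (0x401008, "je 0x401012"),
    (0x401012, "ret"),                     # je finally taken
]

def build_graph(trace):
    """Nodes are unique instruction addresses; each transition from one executed
    instruction to the next becomes a directed edge, counted per occurrence."""
    nodes, edges, prev = {}, Counter(), None
    for addr, mnem in trace:
        nodes[addr] = mnem
        if prev is not None:
            edges[(prev, addr)] += 1
        prev = addr
    return nodes, edges

def heat_buckets(edges, buckets=3):
    """Scale each edge's execution count onto `buckets` heat levels
    (0 = coldest, buckets-1 = hottest): the basis of an edge-frequency heatmap."""
    if not edges:
        return {}
    lo, hi = min(edges.values()), max(edges.values())
    span = max(hi - lo, 1)
    return {e: min(buckets - 1, (c - lo) * buckets // span) for e, c in edges.items()}

def conditional_outcomes(nodes, edges):
    """Successors actually observed for every conditional jump in the trace. A
    jump with a single successor was never seen taking its other direction, a
    path a static view should still draw so the analyst can spot untaken code."""
    succ = defaultdict(set)
    for src, dst in edges:
        if nodes[src].startswith("j") and not nodes[src].startswith("jmp"):
            succ[src].add(dst)
    return dict(succ)
```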

Latest Version

Version 0.5.2 is here: zip (38MB)/7z (22MB) for Windows x86 and x64 binary targets. rgat itself is compiled for running on x64 hosts.

This version sees the entire frontend UI reimplemented in Qt. Allegro served its purpose but implementing new features with Qt is actually a pleasure rather than a struggle, which will encourage further development.

See the CHANGELOG for a list of changes.

For the next few releases in 0.5.*, I'm planning to write a collection of tests for drgat to give me some assurance that the instruction tracing is accurate, switch out OS-dependent code in rgat for platform-independent replacements, and flesh out some of the missing or barebones features in the UI.

Download/Installation

It's built to depend on the Windows 10 Universal CRT, so if you have a version of Windows lower than that you might need to install it.

Unzip it, run it.

Try to execute something. If you get an error then you likely need to install the Visual C++ Redistributable for Visual Studio 2012, because of reasons.

Problems

See Issues and Limitations

Unfortunately the Windows release cycle is a lot faster than the DynamoRIO release cycle, so it breaks often. At the time of writing the last release was in Feb 2017, which makes it (and rgat) practically unusable for complex applications, at least on the AMD CPU I'm using. If in doubt, load a target and press the DynamoRIO button in the trace launching tab: if the binary doesn't launch then it's not going to work and there isn't a lot I can do about it, short of migrating to Intel's Pin.

Excuses

This is an unstable preview release. I promise not to use that excuse when the basic functionality has been done.

Its reliance on DynamoRIO means that rgat suffers from all of the same limitations. In particular, it won't currently instrument x86 binaries on the new Ryzen processors.

99% of problems you find will be my fault, though. Instrumenting arbitrary code - especially malicious obfuscated code - tends to present a lot of edge cases.

'rgat'?

'runtime graph analysis tool' or 'ridiculous graph analysis tool', depending on your fondness for the concept.

Credit where it is due

rgat relies upon:

  • DynamoRIO for generating instruction [opcode] traces
  • Capstone for disassembling them
  • Qt for managing OpenGL and handling input
  • rapidjson for serialising traces
  • Base 64 code for encoding symbol/module path strings
  • pe-parse for some binary header analysis