An instruction trace visualisation tool intended to help reverse engineers make the link between target behaviour and code
What is rgat?
rgat uses dynamic binary instrumentation (courtesy of DynamoRIO) to produce graphs from running executables. It creates static and animated visualisations in real-time to support types of analysis that might be a lot more cumbersome with disassemblers and debuggers alone.
This page explains what kind of things you can and can't do with it but basically, it (used to) look like this and I haven't updated the images yet:
Edge frequency Heatmap:
Static view zoomed into individual instructions:
You may also want a brief introduction to the graph layout.
Version 0.5.3 (Feb 2019) is here: 7z (16MB) for Windows x86 and x64 binary targets. rgat itself is compiled for running on x64 hosts.
At some point in the last year of no releases i've moved instrumentation to PIN because it worked more reliably at the time, especially on my AMD processor (which is a bit odd). I plan to have both DynamoRIO and PIN clients working to give a bit of redundancy.
Lot's of other usability changes, mainly around the UI and a settings dialog.
Preperation has been made for a Linux port. My TODO list is gigantic but getting a proper tree rendering is the main priority to make the visualisations actually useful on a wide variety of binaries.
See the CHANGELOG for a list of changes.
Try to execute something. If you have 'DLL not found errors', install the VS 2017 redistributable https://go.microsoft.com/fwlink/?LinkId=746572
This is an unstable preview release. I promise not to use that excuse when the basic functionality has been done.
99% of problems you find will be my fault, though. Instrumenting arbitrary code - especially malicious obfuscated code - tends to present a lot of edge cases.
'runtime graph analysis tool' or 'ridiculous graph analysis tool', depending on your fondness for the concept.
Credit where it is due
rgat relies upon: