An instruction trace visualisation tool intended to help reverse engineers make the link between target behaviour and code
What is rgat?
rgat uses dynamic binary instrumentation (courtesy of DynamoRIO) to produce graphs from running executables. It creates static and animated visualisations in real time to support kinds of analysis that would be a lot more cumbersome with disassemblers and debuggers alone.
This page explains what you can and can't do with it, but basically it looks like this:
Edge frequency heatmap:
Static view zoomed in to individual instructions:
You may also want a brief introduction to the graph layout.
This version sees the entire frontend UI reimplemented in Qt. Allegro served its purpose, but implementing new features with Qt is a pleasure rather than a struggle, which should encourage further development.
See the CHANGELOG for a list of changes.
For the next few releases in 0.5.* I'm planning to write a collection of tests for drgat to give me some assurance that the instruction tracing is accurate, switch out OS-dependent code in rgat for platform-independent replacements, and flesh out some of the missing or barebones features in the UI.
It's built to depend on the Windows 10 Universal CRT, so if you are on an earlier version of Windows you might need to install it.
Unzip it, run it.
Try to execute something. If you get an error, then you likely need to install the Visual C++ Redistributable for Visual Studio 2012, because of reasons.
Unfortunately the Windows release cycle is a lot faster than the DynamoRIO release cycle, so it breaks often. At the time of writing the last release was in Feb 2017, which makes it (and rgat) practically unusable for complex applications - at least on the AMD CPU I'm using. If in doubt, load a target and press the dynamorio button in the trace launching tab - if the binary doesn't launch then it's not going to work, and there isn't a lot I can do about it short of migrating to Intel's Pin.
This is an unstable preview release. I promise not to use that excuse when the basic functionality has been done.
Its reliance on DynamoRIO means that rgat suffers from all of the same limitations. In particular, it won't currently instrument x86 binaries on the new Ryzen processors.
99% of the problems you find will be my fault, though. Instrumenting arbitrary code - especially malicious, obfuscated code - tends to present a lot of edge cases.
The name stands for 'runtime graph analysis tool' or 'ridiculous graph analysis tool', depending on your fondness for the concept.
Credit where it is due
rgat relies upon: