rgat - An Instruction Trace Visualisation tool

Note: rgat is an active research project that has emerged from a long re-write. 0.6.X will be a series of preview builds. Don’t let the flashy videos entice you into thinking that it will be useful on real targets

rgat is a dynamic binary analysis tool for gathering and visualising instruction traces. It is intended to help software reverse engineers in bridging the gap between the high level API view of malware sandboxes and the low level function view of disassemblers and decompilers - particularly where code obfuscation is present.

Switching between different plots

Different layouts

The UI with a heatmap graph

Find busy areas with a heatmap render

Live cylinder plot of UPX packing a binary

‘Detonate’ malware into a force-directed graph layout

Features

  • GPU accelerated graph layout
  • Thread preview graphs
  • Trace animation replay
  • Heatmap generation
  • API recording
  • Signature scanning with YARA and partial Detect-It-Easy support
  • Customisable instrumentation (module granularity)
  • Remote tracing - perform tracing in real time over a network

See the Changelog for a full list of features

See the Trello for the features under development or scheduled to be worked on and known bugs

It currently supports 32 and 64 bit Windows EXEs and DLLs, but it now runs on .NET so Linux support should be slightly less distant than it was a while ago. Technically it will trace .NET apps and other JIT binaries, but it's rarely a good idea.

Requirements and Installation

The two main requirements for 0.6.1 are:

  • Windows, with the ability to run .NET 5 programs
  • For the computer running the visualiser: A GPU with Vulkan driver support (i.e. this test program works)
To install
  • If .NET 5+ isn't installed, install it (run console apps -> x64). If nothing happens then running rgat in the console will tell you if this is the problem.
  • Download the latest release - currently 0.6.0
  • Unzip rgat.exe into its own directory
  • Run rgat.exe - it will unpack the tools it needs into the directory it is launched in
  • Configure it to your liking in the settings

If nothing else you may want to get familiar with the graph manipulation controls

To trace something
  • Drag and drop a binary onto the UI
  • Click ‘Start Trace’

Documentation

Known Issues

  • Pin’s file API doesn’t play well with named pipes, so an unsafe API has to be used causing some traces to fail to start (especially .NET programs)
  • A console window opens with rgat to enable interaction with console-enabled targets. Selecting text will hang the UI on any output until the selection is cleared - which might happen at startup.

Technologies

A full list and discussion of libraries can be found in the development documentation

Latest Posts

Instruction Trace Visualisation: Packers & Protectors

Software protectors can be a bit of a trial by fire for binary analysis tools - this post shows some visualisations of a few packers and protectors often used for malware. It’s intended to be a record for how rgat’s visualisation capabilities evolve - so expect the first entry to be a bit rough.

The Eldritch Birds Nest - Control Flow Graph Clumping

Modern compilers generate a lot of code that gets poor results from force-directed graph layouts. This post discusses why and some steps being taken to improve it.