Design Overview
High Level Details
rgat
- Is Written in C# for .NET 5
- Takes instruction traces generated by a custom Intel Pin tool (Written in C++) and builds them into graphs
- Uses Vulkan compute shaders to draw the graphs as static or force-directed layouts
- Has an ImGui based GUI. Vulkan support is mandatory for using UI mode.
- Supports 32/64 bit Windows targets
- Supports EXE’s and DLL’s
rgat currently supports two modes of operation
- Local Tracing - The trace is generated, graphs are built and visualised on the same machine (GPU required)
- Remote Tracing - The trace is generated on one machine (No GPU required) and sent in real time to a separate machine for graph building and visualisation (GPU required)
A third is planned for the near future
- Command Line Tracing - The trace is generated and graphs are built and immediately saved to disk for analysis or sending to a machine with GPU support.
Remote Tracing Mode
Local tracing is useful for testing and any kind of analysis of trusted programs on a standard GPU/Vulkan enabled Windows machine.
Dynamic analysis of malicious binaries tends to be done either on a VM or another - often headless - device where GPU-bound local tracing mode is impractical or impossible. rgat supports a remote tracing mode where traces are piped over an encrypted network connection to another rgat instance which performs graph building and visualisation.
To enable this, trace processors are abstracted to work in either local (Named pipe) or remote (socket mode).
Command Line (Headless) Tracing Mode
This is not yet implemented. It’s unlikely to be a lot of work, but a line had to be drawn for the features to include in the 0.6 release and this didn’t make the cut.