Nia Catlin edited this page Oct 2, 2016 · 12 revisions

## Views

### Structure

rgat's primary job is generating graphs of instruction trace data. Here is a complete graph for netcat after it has received a file:

*[Image: Netcat zoomed out]*

Zooming in, we can see the symbols of calls into DLLs. Argument 0 of GetStdHandle is displayed.

*[Image: Netcat with visible DLL calls]*

Zooming in further, we can see basic blocks broken down into instructions with their disassembly.

*[Image: Netcat disassembly data]*

### Live activity

The instruction trace is - in ideal circumstances - displayed in real time. Here is what Firefox looks like while it is running:

*[Image: low-resolution animation of live Firefox execution]*

The little graphs on the right are the different threads running in that process; each can be selected for further analysis.

### Replay

Once a trace has been recorded, it can be replayed at various speeds. Here is 7zip decompressing a file:

*[Image: 7zip replay animation]*

rgat can record its traces in environments without 3D capability and export them for safe analysis elsewhere.

### Heatmap

Watching the trace is a fairly unwieldy way of seeing which areas of code are most active. To address this, rgat generates heatmaps as it builds the graph:

*[Image: heatmap of CSAW 2016 gametime.exe]*

### Conditionals

One obvious problem with dynamic analysis is that you only see the code that happens to execute in the environment you run your target in.

One attempt to tackle this is to check for conditional jumps that are either never taken or always taken, since each of those points at a code path the trace never exercised.

*[Image: example conditionals rendering]*
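The heatmap and conditionals views above both fall out of the same per-instruction bookkeeping over a trace. The following added example (not rgat's code, and not its trace format) shows that bookkeeping on a constructed trace of a tiny loop: execution counts per address give the heatmap, and counting taken versus fall-through outcomes for every executed conditional jump flags the never-taken `jne` whose target is unexplored. The `DISASM` table, `build_trace` and the `CONDITIONAL_JUMPS` set are assumptions made for the example.

```python
from collections import Counter

# Conditional-jump mnemonics treated as two-way branches (assumed subset for the example).
CONDITIONAL_JUMPS = {"je", "jne", "jz", "jnz", "jb", "jae", "jl", "jge", "jle", "jg"}

# Constructed disassembly of a tiny loop: address -> (mnemonic, operand, length in bytes).
# The jne at 0x401009 guards an error path that this particular run never enters.
DISASM = {
    0x401000: ("xor", "ecx, ecx", 2),
    0x401002: ("cmp", "ecx, 3", 3),
    0x401005: ("jge", "0x401020", 2),        # loop exit, taken once
    0x401007: ("test", "eax, eax", 2),
    0x401009: ("jne", "0x401030", 2),        # error check, never taken here
    0x40100b: ("inc", "ecx", 1),
    0x40100c: ("jmp", "0x401002", 2),
    0x401020: ("ret", "", 1),
    0x401030: ("call", "error_handler", 5),  # never reached in this trace
}


def build_trace(iterations=3):
    """Construct the instruction-address sequence a tracer would record for the loop."""
    trace = [0x401000]
    for _ in range(iterations):
        trace += [0x401002, 0x401005, 0x401007, 0x401009, 0x40100b, 0x40100c]
    trace += [0x401002, 0x401005, 0x401020]  # final compare exits: jge is taken
    return trace


def heatmap(trace):
    """Execution count per instruction address: the data behind a heat-coloured graph."""
    return Counter(trace)


def classify_conditionals(trace, disasm):
    """For each executed conditional jump, count taken vs. fall-through outcomes and
    label it 'always taken', 'never taken' or 'both', recording the unexplored side."""
    stats = {}
    for here, nxt in zip(trace, trace[1:]):
        mnemonic, operand, length = disasm[here]
        if mnemonic not in CONDITIONAL_JUMPS:
            continue
        target = int(operand, 16)
        fallthrough = here + length
        entry = stats.setdefault(here, {"taken": 0, "not_taken": 0})
        if nxt == target:
            entry["taken"] += 1
        elif nxt == fallthrough:
            entry["not_taken"] += 1
        else:
            raise ValueError(f"trace leaves {here:#x} for unexpected {nxt:#x}")
    for here, entry in stats.items():
        if entry["taken"] == 0:
            entry["verdict"], entry["unexplored"] = "never taken", int(disasm[here][1], 16)
        elif entry["not_taken"] == 0:
            entry["verdict"], entry["unexplored"] = "always taken", here + disasm[here][2]
        else:
            entry["verdict"], entry["unexplored"] = "both", None
    return stats


if __name__ == "__main__":
    trace = build_trace()
    for addr, count in sorted(heatmap(trace).items()):
        print(f"{addr:#x} executed {count}x")
    for addr, entry in classify_conditionals(trace, DISASM).items():
        print(f"{addr:#x} {DISASM[addr][0]}: {entry}")
```

The loop-exit `jge` is seen both ways and is uninteresting; the `jne` at 0x401009 is never taken, so its target 0x401030 is reported as an unexplored path that a different input or environment might reach.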

### Divergence

Another idea is to look for differences between executions in different environments, or with different inputs.

Let's look at two runs of FLARE-ON 2015 Challenge 11: one with the correct input, one with an incorrect input.

When we check for graph divergence (a fuzzy diff of the instruction traces that tries to tolerate ASLR), we get this:

*[Image: FLARE-ON 2015 Challenge 11 divergence]*

The point the two graphs diverge is indicated by the orange line.

*[Image: zoomed in to the orange line]*

The difference appears to manifest at the jb instruction. Let's look at the two graphs individually:

*[Image: graph 1 and graph 2 at the divergence point]*
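The divergence check described above has two parts: making two traces comparable despite ASLR, and then finding where they part ways. The following added example (not rgat's code; the module maps, trace contents and record format are constructed) rewrites each raw address as a (module, offset) pair using the per-run module load map, so the same instruction compares equal across runs, and then uses `difflib.SequenceMatcher` to locate the first point at which the normalized sequences stop matching, reporting the last shared instruction and the successor each run took.

```python
import difflib

# Constructed module maps for two runs of the same binary: (name, base, size).
# The main module and ntdll load at different bases in each run because of ASLR.
MODULES_RUN_A = [("chal.exe", 0x00400000, 0x10000), ("ntdll.dll", 0x77000000, 0x100000)]
MODULES_RUN_B = [("chal.exe", 0x00BA0000, 0x10000), ("ntdll.dll", 0x77A30000, 0x100000)]


def normalize(trace, modules):
    """Rewrite raw instruction addresses as (module, offset) so ASLR differences vanish."""
    out = []
    for addr in trace:
        for name, base, size in modules:
            if base <= addr < base + size:
                out.append((name, addr - base))
                break
        else:
            out.append(("<unknown>", addr))  # JIT or unmapped code: compare by raw address
    return out


def raw_trace(modules, path):
    """Construct a raw-address trace from (module, offset) pairs for the given run."""
    bases = {name: base for name, base, _ in modules}
    return [bases[module] + offset for module, offset in path]


# Constructed paths: both runs share a prefix ending at a conditional branch at offset
# 0x1006; run A falls through to 0x1008, run B jumps to 0x1040.
SHARED = [("chal.exe", 0x1000), ("chal.exe", 0x1003), ("ntdll.dll", 0x02A0), ("chal.exe", 0x1006)]
TRACE_A = raw_trace(MODULES_RUN_A, SHARED + [("chal.exe", 0x1008), ("chal.exe", 0x100B)])
TRACE_B = raw_trace(MODULES_RUN_B, SHARED + [("chal.exe", 0x1040), ("chal.exe", 0x1043)])


def find_divergence(trace_a, modules_a, trace_b, modules_b):
    """Return the first point where the two normalized traces stop matching, or None
    if they match throughout."""
    a = normalize(trace_a, modules_a)
    b = normalize(trace_b, modules_b)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        return {
            "shared_prefix": i1,                          # instructions matched before the split
            "last_shared": a[i1 - 1] if i1 else None,     # the branch where paths part
            "a_next": a[i1] if i1 < len(a) else None,     # where run A went
            "b_next": b[j1] if j1 < len(b) else None,     # where run B went
        }
    return None


if __name__ == "__main__":
    result = find_divergence(TRACE_A, MODULES_RUN_A, TRACE_B, MODULES_RUN_B)
    if result is None:
        print("traces match")
    else:
        mod, off = result["last_shared"]
        print(f"diverge after {mod}+{off:#x}: A -> {result['a_next']}, B -> {result['b_next']}")
```

Comparing the raw address lists would report a difference at the very first instruction, because every address moved with the module base; after normalization the prefix matches and the split is attributed to the branch at `chal.exe+0x1006`. SequenceMatcher also re-synchronizes after an extra loop iteration in one run, which a plain element-by-element comparison would not.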

## Other Features

### Highlighting

Graphs are messy. A highlight function lets you locate all instances of a given symbol, DLL or address in a graph.

Highlighting all calls to GetProcAddress:

*[Image: GetProcAddress calls highlighted]*

Highlighting all calls to ntdll:

*[Image: all ntdll calls highlighted]*

### Call log

There is also a window listing DLL calls, since their in-animation display isn't very clear.

## Limitations

More charitably known as "areas for further research":

It's Win32 only at the moment. Linux and 64-bit shouldn't pose any big challenges, but they can wait until this version is stable.

DynamoRIO will take one look at some malware samples and say "I'm not even gonna go there".
