Acat: Automatic Identification of Communication Between Assembly-Level Execution Traces - YouTube

This is a video of performing communication analysis of two assembly execution traces.

A project named "dual trace" was created.

All required data for analysis are placed in the project "dual trace".

The executable files (.dll) of the systems where the programs of the captured traces were running.

Client and Server were two programs communicating with each other.

File "communicationMethods.json" contains the functions descriptors of the communication methods need to be analyzed.

The communication method of interest in this demo is "Named Pipe".

There are 8 system function descriptions for the communication method "Named Pipe".

Each function contains input parameters and output parameters descriptions.

Now, I am opening the trace of the client program.

"Client.trace" is displayed in the trace view.

I am opening the trace of the server program as the dual trace of the opened "Client.trace".

Now both "Client.trace" and "Server.trace" are displayed in the trace view parallelly.

I need to load the corresponding .dll file of "Named Pipe" for both traces before I can perform the communication analysis operations.

I activated "Client.trace" by putting the cursor in its trace view.

I am loading the "kernel32.dll" for "Client.trace".

I activated "Server.trace" by putting the cursor in its trace view.

I am loading the "kernel32.dll" for "Server.trace".

After loading .dll files for both traces, I can perform the analysis operations.

Two analysis features are provided: "Stream Extraction" and "Communication Identification".

I perform the "Stream Extraction" operation first.

A list contains all the communication methods provided in the file "communicationMethods.json" prompted out.

I choose the communication method "Named Pipe" and click "OK" to start the analysis operation.

The extracted streams for both traces are shown in the left table in "Communication view".

One stream was identified from "Client.trace" and two streams were identified from "Server.trace".

All function call events in a stream are listed.

I perform the communication identification operation.

I selected "Named Pipe" as the communication method to analyze.

The identified communications are shown in the right table in the "Communication view".

Only one communication was identified from these two traces.

This communication consists of "Stream F8" from "Client.trace" and "Stream F4" from "Server.trace".

The list of the function call events also provided in the communication identification result.

The function call events are navigatable to the views.

I clicked a sent event in "Client.trace", the "Trace view" and "Memory view" updated immediately.

The sent message "This is a test." is shown in the "Memory view".

Use the right-click menu "Go the end of the function" to navigate the message received function call events.

The received message "This is a test." is shown in the "Memory view".

These two navigations from two function call events show how the message "This is a test." being transmitted from "Client.trace" to "Server.trace".

The message "This is the answer." was transmitted from "Server.trace" to "Client.trace".

The irrelevant stream or communication entries can be removed from the result list.