https://github.com/crowdstrike/drawmeatree

Tool to visualize the output of the WinDbg "wt" command as customizable graphic trees, to facilitate reverse engineering.

Keywords

reverse-engineering windbg
Repository

Basic Info
  • Host: GitHub
  • Owner: CrowdStrike
  • License: mit
  • Language: Python
  • Default Branch: main
  • Size: 1.69 MB
Statistics
  • Stars: 9
  • Watchers: 2
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Topics
reverse-engineering windbg
Created almost 2 years ago · Last pushed over 1 year ago

readme.md

DrawMeATree

DrawMeATree is a Python tool developed to make the WinDbg wt command easier to use: it generates two graphic trees from the output of wt. On the one hand, a "full tree" displaying all the calls made, and on the other hand, a "filtered tree" based on customizable filters, resulting in an image similar to:

Filtered tree example

🌟 Tool introduction

The problem: using wt without a headache

The WinDbg command wt runs through a function and then displays the list of subfunctions successively called, showing the function call flow in the following format:

```
0:000> wt
Tracing MyModule!myFunction to return address 00401137
  105     0 [  0] MyModule!myFunction
    1     0 [  1] MyModule!ILT+1555(_printf)
    9     0 [  1] MyModule!printf
    1     0 [  2] MyModule!ILT+370(__stbuf)
   11     0 [  2] MyModule!_stbuf
    1     0 [  3] MyModule!ILT+1440(__isatty)
   14     0 [  3] MyModule!_isatty
   50    15 [  2] MyModule!_stbuf
....
   11     0 [  5] kernel32!__SEH_epilog4
   54 11675 [  4] kernel32!ReadFile
  165 11729 [  3] MyModule!_read
  100 11895 [  2] MyModule!_filbuf
   91 11996 [  1] MyModule!fgets
54545 83789 [  0] MyModule!myFunction
    1     0 [  1] MyModule!ILT+1265(__RTC_CheckEsp)
    2     0 [  1] MyModule!_RTC_CheckEsp
54547 83782 [  0] MyModule!myFunction
```

While this command is very useful to understand what a targeted function does, it is common to end up with thousands of lines of results, which can be hard to understand and use.

Our solution: DrawMeATree

Because an image is worth a thousand words, we developed a tool to visualize this precious amount of information. From a given file containing the output of a wt execution, DrawMeATree renders two graphic trees displaying the function call flow: one containing all the calls made, and a filtered version based on customizable filters, to keep the essential information accessible.

These resulting trees help users to:
  • Synthesize a potentially large amount of information into one simpler image;
  • Easily identify the names and number of the different modules involved;
  • Easily identify connections between functions (e.g. determine which part of a function is responsible for a system call);
  • Use a visual representation of a complex function flow in reports.
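As an added illustration (not code from the DrawMeATree project), the following Python parses lines in the wt format shown above into a call tree and applies the same kind of keyword and depth filtering that the tool's -a/-f and -d options describe. The trace excerpt is constructed, the "repeated sibling means the caller resumed" rule is an assumed simplification, and it uses only the standard library rather than anytree.

```python
import re

# Constructed wt excerpt (not a real capture): "<instr> <instr incl. callees> [<depth>] <symbol>".
WT_SAMPLE = """\
Tracing MyModule!myFunction to return address 00401137
  105     0 [  0] MyModule!myFunction
    9     0 [  1] MyModule!printf
   11     0 [  2] MyModule!_stbuf
   20     0 [  3] ntdll!RtlAllocateHeap
   14     0 [  3] MyModule!_isatty
   50    15 [  2] MyModule!_stbuf
   91 11996 [  1] MyModule!fgets
54547 83782 [  0] MyModule!myFunction
"""
WT_LINE = re.compile(r"^\s*\d+\s+\d+\s+\[\s*(\d+)\]\s+(\S+)")

class Call:
    def __init__(self, name, depth, children=None):
        self.name, self.depth, self.children = name, depth, children or []

def parse_wt(text):
    """Build a call tree: a line at depth d hangs under the last line seen at depth d-1."""
    root = Call("<trace>", -1)
    stack = [root]
    for line in text.splitlines():
        m = WT_LINE.match(line)
        if not m:  # prompt, "Tracing ..." header, "...." gaps
            continue
        depth, name = int(m.group(1)), m.group(2)
        while stack[-1].depth >= depth:
            stack.pop()
        siblings = stack[-1].children
        # Assumed simplification: a repeat of the immediate sibling's name is the same
        # call resuming after its callee returned (wt re-prints the caller), not a new call.
        if not (siblings and siblings[-1].name == name):
            siblings.append(Call(name, depth))
        stack.append(siblings[-1])
    return root

def filter_tree(node, words, max_depth=9):
    """Copy the tree, dropping subtrees whose symbol contains a filter word (-a/-f) or is deeper than -d."""
    keep = [c for c in node.children
            if c.depth <= max_depth and not any(w in c.name for w in words)]
    return Call(node.name, node.depth, [filter_tree(c, words, max_depth) for c in keep])

def render(node, indent=0):  # console view like -c: one indented line per call
    lines = [] if node.depth < 0 else ["  " * indent + node.name]
    for c in node.children:
        lines.extend(render(c, indent + (node.depth >= 0)))
    return lines
```

Running `render(filter_tree(parse_wt(WT_SAMPLE), ["Heap"]))` drops the RtlAllocateHeap subtree while keeping its sibling _isatty, which is what the "light" filter list does to a real trace.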

⚓ Installation

  1. Download the latest version of GraphViz from https://graphviz.org/download/ and make sure to select "add to PATH" while installing
  2. Install Python (> 3.8) and install the requirements using: pip install -r requirements.txt

🚀 2-step usage

Step 1: Export the result of wt

a. From a breakpoint in the target function in WinDbg, open a log file to store the command result: .logopen C:\logfiles\wt_output.txt
b. Execute wt with your parameters

c. Close the logfile: .logclose

Step 2: Use DrawMeATree to visualize the result

a. Run from a command line: python draw.py C:\logfiles\wt_output.txt <optional arguments>
b. Go check the resulting trees!

🕹️ Examples

```
usage: draw.py input_file [-h] [-c] [-d 1-9] [-o output_directory] [-f filterlevel] [-a filterswords [filterswords ...]]

Ex: python draw.py wt_output.txt

Arguments:
  optional arguments:
  -h, --help            show this help message and exit
  -c, --console         Display the resulting filtered tree in console.
  -d 1-9, --depth 1-9   Defines the depth level of filtering between 1 and 9. Default: 9.
  -o outputdirectory, --output outputdirectory
                        Defines the directory to contain the resulting trees. Ex: C:\Myresults
  -f filterlevel, --filter filterlevel
                        Defines the level of default filtering: light | medium (default) | high.
                        1/ "light": ['CriticalSection', 'securitycheck', 'Alloc', 'Heap', 'free', 'operator', 'LockExclusive', 'Error', 'mkstr']
                        2/ "medium": ['CriticalSection', 'securitycheck', 'Alloc', 'Heap', 'free', 'operator', 'LockExclusive', 'Error', 'mkstr', 'toupper', 'tolower', 'Unicode', 'towlower', 'towupper']
                        3/ "high": ['CriticalSection', 'securitycheck', 'Alloc', 'Heap', 'free', 'operator', 'LockExclusive', 'Error', 'mkstr', 'toupper', 'tolower', 'Unicode', 'towlower', 'towupper', 'memcpy', 'memmove', 'memset', 'Close', 'Rtlp', 'Language', 'initterm', 'Fls']
  -a filterswords [filterswords ...], --addfilters filterswords [filterswords ...]
                        Adds a list of custom filters. Ex: -a cmp memcpy
```

Example 1: Draw a highly filtered tree and store the tree in an existing "results" directory:

python draw.py wt_output.txt -f high -o results

Example 2: Draw a lightly filtered tree and add custom filters to exclude CreateFile calls:

python draw.py wt_output.txt -f light -a CreateFile

Example 3: Draw trees with a maximum depth of 3 levels and display the result in console:

python draw.py wt_output.txt -c -d 3

🖥️ DrawMeATree's interface

During execution, DrawMeATree's interface displays:
  • The parameters of the trees' generation
  • The steps of the live execution
  • The success of the generation, or errors if any

DrawMeATree interface

💾 Additional notes

Contributors

Support

DrawMeATree is an open source project, not a CrowdStrike product. As such, it carries no formal support, expressed or implied.

License

This project is licensed under the MIT License.

Owner

  • Name: CrowdStrike
  • Login: CrowdStrike
  • Kind: organization
  • Email: github@crowdstrike.com
  • Location: United States of America

Committers

All Time
  • Total Commits: 12
  • Total Committers: 1
  • Avg Commits per committer: 12.0
  • Development Distribution Score (DDS): 0.0
Past Year
  • Commits: 2
  • Committers: 1
  • Avg Commits per committer: 2.0
  • Development Distribution Score (DDS): 0.0
Top Committers
  • Mathilde Venault: 12 commits

Issues and Pull Requests

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Dependencies

requirements.txt pypi
  • anytree ==2.9.0
  • rich ==13.5.3