View Full Version : IDA Call Graph
NoLoader
October 31st, 2007, 01:05
Hi All,
I'm disassembling a sample program I worte. I create one worker thread. I am able to view both call graphs separately (that rooted at main(), and the other rooted at ThreadProc()).
I would like to see the dependency from the call to CreateThread. In essence, I'd like to have the graphs merged. Is this possible with IDA?
Thanks,
Jeff
Jeffrey Walton
Polaris
October 31st, 2007, 04:13
To do what you want, just select the code you want to graph, then click the "User defined chart". In the box (that gives you a higher level of control than the pre-made graph commands, but is still kinda uncomfortable to work with) uncheck:
"Cross references to"
and check:
"Ignore: From library functions"
This command will create a callgraph starting from the highlighted code. Please note that if you want more control, you need to create a plugin.
Hope this helps!
LLXX
October 31st, 2007, 18:28
Indeed IDA's graph functionality, though improved over previous versions, seems to have been added on as a last thought...
NoLoader
November 1st, 2007, 03:26
Thanks Polaris and LLXX.
Jeff
dELTA
November 1st, 2007, 08:32
Quote:
| [Originally Posted by LLXX;69955]Indeed IDA's graph functionality, though improved over previous versions, seems to have been added on as a last thought... |
Actually, I've found some of the graphing features (especially the "xrefs to/from current identifier" ones) most useful when doing more "deep analysis" or "full reversing" of programs, e.g. during malware analysis. Especially for tracing imports and other known point up the function hierarchy, to faster and easier be able to map the functionality of different functions.
naides
November 1st, 2007, 10:21
Take a look at TiGa's video tutorials on IDA.
I think he makes a pretty good case in showing that IDA's graphic interface is much more that eye candy: Visual disassembly and debugging, once you get the hang of it is quite intuitive and easier to grasp and comprehend, particularly because it allows one to look at the program flow in 2 dimensions.
I seem to remember some one somewhere in this board, years ago was dreaming of such a toy. . .
I have to find that post if it still exists. . .
Here it is, and actually what Aquatic fore sought was similar to what IDA delivered:
http://71.6.196.237/forum/showthread.php?t=6013&highlight=visual+debugging
blurcode
November 1st, 2007, 16:58
If you also have a big/wide monitor graphic interface must be really amazing.
TiGa
November 1st, 2007, 18:02
I normally use 1440x900 so it's less cramped than in the videos.
Dual display works great too.
In debugging mode, IDA's windows are all independent (not child) so they can be thrown from one monitor to the other individually.
Another alternative is IDA on one side and the programming environment on the other.
TiGa
Powered by vBulletin® Version 4.2.2 Copyright © 2018 vBulletin Solutions, Inc. All rights reserved.