CTO (Call Tree Overviewer) is an IDA plugin for creating a simple and efficiant function call tree graph

Last update: Dec 24, 2022

Related tags

Overview

CTO (Call Tree Overviewer)

CTO (Call Tree Overviewer) is an IDA plugin for creating a simple and efficiant function call tree graph. It can also summarize function information such as internal function calls, API calls, static linked library function calls, unresolved indirect function calls, string references, structure member accesses, specific comments.

CTO has another helper plugin named "CTO Function Lister", although it can work as a standalone tool. You can think this is an enhanced version of functions window. It lists functions with summarized important information, which is the same as the CTO's one. You can use a regex filter to find nodes with a specific pattern as well.

An introduction video is here.
https://youtu.be/zVCpb82UfFs

You can also check the presentation at VB2021 localhost.
https://vblocalhost.com/conference/presentations/cto-call-tree-overviewer-yet-another-function-call-tree-viewer/

Submitted paper
https://vblocalhost.com/uploads/VB2021-Suzuki.pdf

Presentation slides
https://vblocalhost.com/uploads/2021/09/VB2021-14.pdf

Requirements

IDA Pro 7.4 or later (I tested on 7.5 SP3 and 7.6 SP1)
Python 3.x (I tested on Python 3.8 and 3.9)

You will need at least IDA Pro 7.4 or later because of the APIs that I use. And use Python 3.x. It should work on Python 2.7 but I did not test enough and I do not support it because it has already obsoleted and deprecated.

Optional 3rd Party Software

ironstrings
https://github.com/fireeye/flare-ida/tree/master/python/flare/ironstrings
findcrypt.py
https://github.com/you0708/ida/tree/master/idapython_tools/findcrypt
findguid.py
https://github.com/you0708/ida/tree/master/idapython_tools/findguid
IDA_Signsrch
https://sourceforge.net/projects/idasignsrch/

How to Install

See "INSTALL" file.

How to Use

To start CTO, press Alt+Shift+C.

Double-click "..." symbol if you want to expand the path. If you want to create a graph based on a different target function, jump to the target function, click the CTO window, and press "F" key. See the help by pressing "H" key on the CTO window.

To start CTO Function Lister, press Alt+Shift+F. See the help by pressing "H" key on the CTO Function Lister window as well.

Note

CTO is still under development and it is unstable yet. I might change the data structure drastically. CTO accesses sensitive internal data structure of IDA such as low level APIs and PyQt5. And it might cause a crash of IDA. Do not use this in important situations. I don't take responsibility for any damage or any loss caused by the use of this.

I'm not a programmer. I'm a malware analyst. Please do not expect product-level code.

PRs are welcome. Just complaining and a bug report without enough information are NOT welcome ;-)

Known Issues

CTO Function Lister will crash on IDA on Linux for some reasons while it works on Windows. But I can't fix it because I don't have that.

QSortFilterProxyModel: index from wrong model passed to mapToSource

Currently, CTO focuses on Intel x64/x86 architecture. If you want to extend other architectures, please send the PR to me.
On IDA 7.6 including SP1, you will not be able to use ESC for looking backward location history on CTO’s window because of a bug of IDA. Instead, it will close the CTO window if you press it. I reported the bug and it was fixed internally but not released yet. If you want to use it, you will need a fixed ida*.exe binary. Ask hex-rays support. Please do not ask me.

IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

48 Dec 29, 2022

IDA Pro Python plugin to analyze and annotate Linux kernel alternatives

About This is an IDA Pro (Interactive Disassembler) plugin allowing to automatically analyze and annotate Linux kernel alternatives (content of .altin

16 Oct 12, 2022

IDA Pro plugin that shows the comments in a database

ShowComments A Simple IDA Pro plugin that shows the comments in a database Installation Copy the file showcomments.py to the plugins folder under IDA

32 Dec 10, 2022

IDA plugin for quickly copying disassembly as encoded hex bytes

HexCopy IDA plugin for quickly copying disassembly as encoded hex bytes. This whole plugin just saves you two extra clicks... but if you are frequentl

46 Oct 30, 2022

HashDB API hash lookup plugin for IDA Pro

HashDB IDA Plugin Malware string hash lookup plugin for IDA Pro. This plugin connects to the OALABS HashDB Lookup Service. Adding New Hash Algorithms

237 Dec 21, 2022

Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks.

Driver Buddy Reloaded Quickstart Table of Contents Installation Usage About Driver Buddy Reloaded Finding DispatchDeviceControl Labelling WDM & WDF St

199 Jan 4, 2023

IDA Frida Plugin for tracing something interesting.

IDAFrida A simple IDA plugin to generate FRIDA script. Edit template for functions or you can use the default template. Select functions you want to t

133 Dec 24, 2022

Code emulator plugin for IDA Pro

emu_ida Code emulator plugin for IDA Pro (v 0.0.6) The plugin is designed for simple data decryption and getting stack strings. Requirements Emulator

11 Jul 6, 2022

FindFunc is an IDA PRO plugin to find code functions that contain a certain assembly or byte pattern, reference a certain name or string, or conform to various other constraints.

FindFunc: Advanced Filtering/Finding of Functions in IDA Pro FindFunc is an IDA Pro plugin to find code functions that contain a certain assembly or b

213 Dec 17, 2022

printstack is a Python package that adds stack trace links to the builtin print function, so that editors such as PyCharm can link you to the source of the print call.

printstack is a Python package that adds stack trace links to the builtin print function, so that editors such as PyCharm can link to the source of the print call.

101 Aug 26, 2022

aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in a future time.

aws-lambda-scheduler aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in the future. This functionality is achieved by dyn

57 Dec 17, 2022

An Airflow operator to call the main function from the dbt-core Python package

airflow-dbt-python An Airflow operator to call the main function from the dbt-core Python package Motivation Airflow running in a managed environment

93 Jan 8, 2023

We provide useful util functions. When adding a util function, please add a description of the util function.

Utils Collection Motivation When we implement codes, we often search for util functions that are already implemented. Here, we are going to share util

6 Sep 9, 2021

This is my favourite function - the Rastrigin function.

This is my favourite function - the Rastrigin function. What sparked my curiosity and interest in the function was its complexity in terms of many local optimum points, which makes it particularly interesting and useful for testing any optimisation algorithms.

1 Dec 27, 2021

Azure-function-proxy - Basic proxy as an azure function serverless app

azure function proxy (for phishing) here are config files for using *[.]azureweb

17 Nov 9, 2022

Lambda-function - Python codes that allow notification of changes made to some services using the AWS Lambda Function

AWS Lambda Function This repository contains python codes that allow notificatio

3 Feb 11, 2022

A python wrapper for creating and viewing effects for Matt Parker's christmas tree.

Christmas Tree Visualizer A python wrapper for creating and viewing effects for Matt Parker's christmas tree. Displays py or csv effect files and allo

4 Nov 22, 2022

Setup a flask project using a single command, right from creating virtual environment to creating Procfile for deployment.

AutoFlask-Setup About AutoFlask-Setup can help you set up a new Flask Project, right from creating virtual environment to creating Procfile for deploy

1 Oct 21, 2021

Pytest plugin for testing the idempotency of a function.

pytest-idempotent Pytest plugin for testing the idempotency of a function. Usage pip install pytest-idempotent Documentation Suppose we had the follo

3 Dec 14, 2022

Comments

Pathfinding problem

Does cto have a function to display the call path between two function nodes selected by the user, for example, the main function calls the puts and gets functions, when the user selects to display these two nodes, the call graph from the main node to these two nodes will be automatically generated？
question not a bug

opened by nj00001 3
can't use cto
Error: Failed while executing plugin_t.run(): Traceback (most recent call last): File "C:/Program Files/IDA Pro 7.5 SP3/plugins/cto_plugin.py", line 153, in run self.exec_cto() File "C:/Program Files/IDA Pro 7.5 SP3/plugins/cto_plugin.py", line 126, in exec_cto self.g = cto.exec_cto(cto_data=sync_data, debug=debug) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\cto.py", line 4058, in exec_cto return cto UnboundLocalError: local variable 'cto' referenced before assignment

Log: Launching CTO (Call Tree Overviewer) ... For the first execution, CTO will analyze all functions to build the call tree. Please wait for a while. data is unavailable. extract data from idb or pickle Got a unexpected error (<class 'IndexError'>: pop from empty list) (4049) Traceback (most recent call last): File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\cto.py", line 4049, in exec_cto cto = CallTreeOverviewer(ida_kernwin.get_screen_ea(), cto_data=cto_data , debug=debug) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\cto.py", line 99, in init cto_base.cto_base.init(self, cto_data, debug) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\cto_base.py", line 80, in init self.update_data() File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\cto_base.py", line 223, in update_data self.cache_update() File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\cto_base.py", line 153, in cache_update self.cto_data["cto_data"]["func_relations"], self.cto_data["cto_data"]["import_eas"], self.cto_data["cto_data"]["string_eas"] = get_func_relation.get_func_relations() File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 875, in get_func_relations for func_ea, parents, children, func_type, gvars, strings, stroff, vtbl in get_relation_in_all_funcs(import_eas, string_eas): File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 866, in get_relation_in_all_funcs for ea, parents, children, func_type, gvars, strings, stroff, vtbl in get_func_relation(f, import_eas, string_eas): File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 848, in get_func_relation parents, children, apicalls, gvars, strings, stroff, vtbl = get_family_members(f.start_ea, bbs, import_eas, string_eas) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 838, in get_family_members children, apicalls, gvars, strings, stroff, vtbl = get_children(bbs, import_eas, string_eas) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 684, in get_children get_calls_in_bb(bb, bbs, import_eas, string_eas, result=result, apicalls=apicalls, gvars=gvars, strings=strings, stroff=stroff, vtbl=vtbl) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 655, in get_calls_in_bb target_ea, func_type, op, target_name = get_funcptr_ea(ea, bbs, import_eas, string_eas) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 509, in get_funcptr_ea tmp_func_name, tmp_func_type, _v = get_func_info_by_opstr(ea, i) File "C:\Program Files\IDA Pro 7.5 SP3\plugins\cto\get_func_relation.py", line 261, in get_func_info_by_opstr member_name = member_names.pop() IndexError: pop from empty list

IDA Version 7.5 sp3

python 3.9.0
opened by HuanGMZzz 2

Owner

Hiroshi Suzuki

A malware analyst, a forensic investigator, an incident responder, a researcher and a black hat trainer.

GitHub

Mu - A Simple Python Code Editor

A small, simple editor for beginner Python programmers. Written in Python and Qt5.

1.2k Jan 3, 2023

An amazing simple Python IDE for developers!

PyHub An amazing simple Python IDE for developers! Get ready to compile and run your code in the most simplest and easiest IDE of the ancient world! T

2 Dec 31, 2022

Gaphor is a UML and SysML modeling application written in Python.

Gaphor is a UML and SysML modeling application written in Python. It is designed to be easy to use, while still being powerful. Gaphor implements a fully-compliant UML 2 data model, so it is much more than a picture drawing tool. You can use Gaphor to quickly visualize different aspects of a system as well as create complete, highly complex models.

1.3k Jan 7, 2023

Automatically detect obfuscated code and other state machines

Scripts to automatically detect obfuscated code and state machines in binaries.

110 Dec 4, 2022

💻 Open recent VS Code folders and files using Ulauncher

ulauncher-vscode-recent ?? Open recent VS Code folders and files using Ulauncher. Quickly open recently-opened VS Code project directories and files.

14 Nov 24, 2022

VSCode extension to sort and refactor python imports using reorder-python-imports.

reorder-python-imports VSCode extension to sort and refactor python imports using reorder-python-imports. Unlike other import organizers, reorder-pyth

3 Aug 26, 2022

cottonformation is a Python tool providing best development experience and highest productivity

Welcome to cottonformation Documentation Full Documentatioin Here cottonformation is a Python tool providing best development experience and highest p

6 Jul 8, 2022

A way to integrate Latex, VSCode, and Inkscape in macOS. Adopted the whole workflow from Gilles Castel.

VSCode-LaTeX-Inkscape A way to integrate LaTeX, VSCode, and Inkscape in macOS Abstract I use LaTeX heavily in past two years for both academic work an

62 Dec 14, 2022

A small POC plugin for launching dumpulator emulation within IDA, passing it addresses from your IDA view using the context menu.

Dumpulator-IDA Currently proof-of-concept This project is a small POC plugin for launching dumpulator emulation within IDA, passing it addresses from

9 Sep 21, 2022

A simple IDA Pro plugin to show all HexRays decompiler comments written by user

XRaysComments A simple IDA Pro plugin to show all HexRays decompiler comments written by user Installation Copy the file xray_comments.py to the plugi

20 Dec 27, 2022