IDA plugin for analyzing, filtering and tracing functions and call flows
- Download and install Python 3.x from the official website.
- Make sure to add Python to your PATH during the installation.
Install PyQt5 using pip for GUI functionality in plugins:
pip install PyQt5
Note: Installing PyQt5 might require you to have Microsoft Visual C++ 14.0 or greater and the Windows SDK installed on your system.
Developed and tested under IDA Pro 7.7 and Python 3.11.0
Ctrl + Shift + D - open main plugin window.
The plugin's User Interface is composed of three major sections: Filters, Results, and Info, designed to facilitate a seamless and efficient function analysis and navigation experience within IDA.
This section allows users to configure filters, enabling the search for functions based on various parameters.
Toggle the display of filter setting windows. Note that hiding a section does not deactivate its filters.
Specify required or prohibited signatures in functions. Utilize the "Inverted" checkbox to toggle between the necessity and prohibition of signatures, while the "Enabled" checkbox activates or deactivates the filter. Manage signatures easily with right-click options.
Define address references necessary for function filtering. Set the directionality and type of cross-references (to/from an address and read/write/access, respectively) using the provided checkboxes. Cross-reference filters are easily managed and inverted with a right-click menu.
The Flows section enables users to stipulate address prerequisites that must be navigable from or to the function to pass the filter. Two essential parameters guide this feature:
- Direction: Dictates the permissible navigation direction between the function and specified addresses. It can be set to ensure that the function can reach the address, be reached from the address, or both.
- Depth: Indicates the maximum call depth allowed for reaching from one function to another. If a function can reach another through a chain of calls but exceeds the specified depth, it will be filtered out.
Flows can be utilized to identify potential execution paths or to highlight complex call hierarchies within the analyzed binary. Manage and invert flow filters with the familiar right-click context menu.
Just like other sections, the Flows filtering rules can be temporarily disabled or inverted by utilizing the "Enabled" and "Inverted" checkboxes, respectively. Users can also delete a flow filter by selecting it, right-clicking, and choosing "Delete" from the context menu.
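The Direction and Depth parameters amount to a depth-bounded reachability check over the call graph. The sketch below is an added example, not the plugin's own code: it runs outside IDA on a constructed call graph, and the function names, `flow_filter`, the exclusion of the target from results, and the reading of "both" as requiring both directions are assumptions.

```python
from collections import deque

# Constructed call graph (caller -> callees); all names are hypothetical.
CALLS = {
    "main": ["parse_args", "run"],
    "run": ["read_packet"],
    "read_packet": ["decode"],
    "decode": ["memcpy_wrapper", "read_packet"],  # recursion back into the reader
    "parse_args": [],
    "memcpy_wrapper": [],
    "unused_helper": ["memcpy_wrapper"],
}

def reverse(graph):
    """Build callee -> callers so 'who can reach X' is a forward search."""
    rev = {func: [] for func in graph}
    for caller, callees in graph.items():
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev

def within_depth(graph, start, depth):
    """Breadth-first search; returns {function: call depth} for depth <= limit."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] == depth:  # do not expand past the depth limit
            continue
        for nxt in graph.get(cur, []):
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    return seen

def flow_filter(graph, target, direction, depth, inverted=False):
    """direction: 'to' (function reaches target), 'from' (target reaches
    function) or 'both' (assumed here to require both)."""
    callers = within_depth(reverse(graph), target, depth)
    callees = within_depth(graph, target, depth)
    kept = []
    for func in graph:
        if func == target:  # assumption: the target itself is not listed
            continue
        to_ok, from_ok = func in callers, func in callees
        ok = {"to": to_ok, "from": from_ok, "both": to_ok and from_ok}[direction]
        if ok != inverted:  # "Inverted" keeps the functions that fail the rule
            kept.append(func)
    return sorted(kept)
```

Raising the depth from 1 to 4 for the `memcpy_wrapper` target widens the result from its direct callers to every function on a call chain leading to it, which is how a depth limit trades noise against coverage when tracing paths to a sensitive sink.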
Initiate an analysis with the "Analyze" button, applying configured filters and displaying compliant functions in the "Results" section. Optionally apply filters only to currently displayed results with the "Analyze only current results" checkbox.
The "Results" section displays filtered functions or all functions if no filters are defined. Navigate directly to functions within IDA with a double click, or view detailed information in the "Info" section with a single click. Undo previous filter applications with the "Undo Previous Analysis" button.
This section presents detailed information about the selected function, including general details, Xrefs, and potential virtual function calls.
Displays the address, name, and size of the selected function.
Showcases data accessed from, and functions called from, the selected function. Navigate to the current Xref To or the Xref itself by double-clicking the "Offset" and "Address" columns, respectively. Specify which Xrefs to display via configurable options.
This subsection parallels the functionality of Xrefs From but focuses on external references to the current function. Navigate and manage Xrefs with double clicks and context menu options.
Displays potential virtual function calls, presenting call addresses, VMT offsets, and instructions in respective columns.
All elements (addresses, offsets, names) in the plugin UI are interactive, facilitating easy navigation to relevant IDA code through double-click actions.