Call graphs

[plafosse]

Implement a method for creating and displaying callgraphs

[pgoodman]

I think this should work like Eclipse's Call Heirarchy View (Google images has lots of pics). The idea is that you can click on anything, e.g. varible name, structure/class field/method, function, macro, whatever, and ask for the call heirarchy. In a pane, this will list all the functions that use the thing you clicked on, e.g. all functions that call X, or use field Y, etc. For each one of these functions, you can expand them to see where they are called, etc. By double clicking on things in this pane, you will be brought to the use site of X, etc.

The key is that pane stays open and its contents do not change when you navigate through use/call sites. This lets you keep the context oh where you came from and all the other places that you can go. It's kind of like a much better "search results" list, where you can click on results and the main view will change, but the results will still be listed so that you can jump to them when you're ready.

[pgoodman]

My proposal is a logical extension of the existing xrefs pane in Binja. What you'd have beside each xref is an arrow that, when clicked, shows you that xref's xrefs.

[psifertex]

Given the new FlowGraph API (https://api.binary.ninja/binaryninja.flowgraph-module.html#binaryninja.flowgraph.FlowGraph) this should be significantly easier to implement now.

[richinseattle]

This topic came up on Twitter today and I realized its something I use nearly every time I open IDA. Peter's suggestion is good, but I would like to request two automations beyond manually expanding nodes off the xref view.

The first automation would be something to bring parity with IDA's xrefs-to/from graph. It just recursively expands callees or callers. The second would be to allow user to specify a set of source and sinks with the same visual effect.

IDA and Radare have the full expansion of xrefs-to and xrefs-from now but are lacking the source/sink set. FWIW, Pancake added it to r2 within a few hours of the discussion on Twitter. https://twitter.com/trufae/status/1056340799439470592

See this thread for some discussion https://twitter.com/magicmac2000/status/1056156028377722881

[elbiazo]

It would be pretty cool to see callgraphs table on the sidebar. It is nice having quick glance over call graph on table instead of generating call graph that takes up entire view. Similar to Ghidra's Function Call Trees.

[psifertex]

Whoops! I just realized i never updated this issue. There has been a call graph plugin for some time in the plugin manager:

I'm leaving the issue open though as I like the table-format as I think that might make more sense, and it also needs both directions in and out as options:

[elbiazo]

It would be also nice to have ability to set depth of search and make graph collapsable. When you are reversing big binaries, current call graph takes really long and it doesn't seem usable.

[psifertex]

Agreed @elbiazo -- though I think this should be tracked in a separate feature request and should be a generic capability on our FlowGraph UI elements so all existing plugins that use them will benefit.

[elbiazo]

Whoops! I just realized i never updated this issue. There has been a call graph plugin for some time in the plugin manager:

I'm leaving the issue open though as I like the table-format as I think that might make more sense, and it also needs both directions in and out as options:

I have made some prototype of calltree that would fit really well with sidebar workflow. https://github.com/elbiazo/calltree

[galenbwill]

I agree with @elbiazo, and i like the folder/tree presentation -- i think it's a lot more useful for navigation, especially when the full callgraph is large.

Also agree it looks like a perfect candidate for the sidebar.

[pgoodman]

That's exactly what Eclipse's call hierarchy looks like. But, it's better! You should be able to get the call tree for any entity. E.g. you should be able to click on a structure field in the types view, then ask for the call tree. At the top level is all functions using this field, where multiple clicks to the same entry cycles to the next usage within the same function. Then, the next level down in the call tree is who calls the immediate user function. And it recursively goes down following call edges.

[seeinglogic]

I like @elbiazo 's plugin, but as an alternate approach I recently released a plugin to show callgraphs as an interactive browser-based visualization: Ariadne.

There's some limitations of course, but this plugin includes source/sink graphing as a feature and also lets you push arbitrary subgraphs of the callgraph (implemented using networkx) to the web UI. I'd appreciate any feedback or ideas to improve it!

[psifertex]

We had some small discussion internally I wanted to recap here to summarize our current thinking on this issue. First, here's the aggregated list of plugins that might help users until we have first-party support. They are all available from the plugin manager:

https://github.com/psifertex/callgraph https://github.com/elbiazo/calltree https://github.com/seeinglogic/ariadne https://sidekick.binary.ninja/ (see the "Code Insight Map")

However, we don't plan on closing this issue until we have a first-party version integrated.

Here's some additional notes on features we plan to explore for that feature:

• [ ] Should be interactive (refocusing on children/parents should re-generate the graph)
• [ ] Should support specifying the number of parents/children (similar to Code Insight Map)
• [ ] Bonus feature: path finder! Specify two functions and solve for paths between the two
• [ ] Related bonus feature: "anchor nodes". Assuming the path finder feature exists, "anchor" one node such as main and any other nodes currently selected would have a path shown from the anchor to the current function, potentially like a website breadcrumb trail.