Welcome to the VB2021 conference!

CTO (Call Tree Overviewer): yet another function call tree viewer

Hiroshi Suzuki (Internet Initiative Japan)
partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

CTO is a chief technical/technology officer, right? No, of course not in this context! CTO (Call Tree Overviewer) is a new IDA Pro plug-in to show an overview of function call relationships as a graphical tree structure.

Of course I know there are already two features related to function call tree graphs in IDA Pro, one is called "Graph" or "Chart", and another is called "Proximity Browser". However, the former does not generate clickable graphs. The latter is not suitable for grasping the whole picture of the relationships because it always traces all xrefs including unnecessary ones and the area per node is large. The graphs can easily get too complicated.

CTO is a field-oriented and practical tool aimed at solving these issues. It can display not only a function call tree, but also referred strings, and repeatable comments, which are input by a user in general, and so on if necessary, so that you can easily recognize the relationships between functions and important clues in one view. In addition, it is docked next to IDA Pro's disassembly view (or IDA View) by default. If you click on a node on the CTO graph, the address on IDA View will automatically be synchronized with it so that you can check code around the node. By default, inside static linked libraries, which are commonly unnecessary to look into, parent nodes that are unrelated to the target node and deep function calls are collapsed to keep the graph simple. However, you can of course dig deeper or filter them out again. You can find paths between two given functions as well. Every feature on this tool has its own shortcut key, so that you can handle this tool quickly.

CTO will improve your analysis speed dramatically. This tool will be released as OSS after this presentation.

Got a question about this presentation? To get in touch with the speaker, contact Hiroshi on Twitter at @herosi_t.
Hiroshi Suzuki
Internet Initiative Japan

Hiroshi Suzuki is a malware analyst, a forensic investigator, an incident responder and a researcher, working for Japanese ISP Internet Initiative Japan Inc. He is a member of IIJ-SECT, which is the private CSIRT of his company. He is especially interested in targeted attacks, their RATs and their attack tools, such as PlugX, Mimikatz and so on. He has over 15 years dedicated to these areas. He has been a speaker and a trainer for international conferences such as Black Hat (USA, Europe, Asia and Japan) and FIRST conference (Annual and TC) multiple times.