Presentation information

CTO (Call Tree Overviewer): yet another function call tree viewer

Hiroshi Suzuki (Internet Initiative Japan)
live only
UTC on Day 3
FRIDAY 02 OCTOBER
CTO is a chief technical/technology officer, right? No, of course not in this context! CTO (Call Tree Overviewer) is a new IDA Pro plug-in to show an overview of function call relationships as a graphical tree structure.

Of course I know there are already two features related to function call tree graphs in IDA Pro: one is called "Graph" or "Chart", and the other is called "Proximity Browser". However, the former does not generate clickable graphs. The latter is not suitable for grasping the whole picture of the relationships because it always traces all xrefs, including unnecessary ones, and the area per node is large, so the graphs can easily get too complicated.

CTO is a field-oriented and practical tool aimed at solving these issues. It can display not only a function call tree but also, if necessary, referenced strings, repeatable comments (which are generally entered by the user), and so on, so that you can easily recognize the relationships between functions and important clues in one view. In addition, it is docked next to IDA Pro's disassembly view (IDA View) by default. If you click on a node in the CTO graph, the address in IDA View is automatically synchronized with it so that you can check the code around the node. By default, nodes inside statically linked libraries (which are commonly unnecessary to look into), parent nodes that are unrelated to the target node, and deep function calls are collapsed to keep the graph simple. However, you can of course dig deeper or filter them out again. You can also find paths between two given functions. Every feature of this tool has its own shortcut key, so that you can operate it quickly.

CTO will improve your analysis speed dramatically. This tool will be released as OSS after this presentation.
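The abstract above describes three operations the viewer performs on a call graph: building a tree from a root function while collapsing library nodes and calls beyond a chosen depth, decorating nodes with referenced strings and repeatable comments, and finding paths between two functions. The following is an added example, not CTO's own code, that implements those operations over a small constructed call graph (a stand-in for the xref data the real plug-in reads from an IDA database); all function names, strings and comments in it are made up for illustration.

```python
from collections import defaultdict

# Constructed sample call graph (caller -> callees). This stands in for the
# xrefs an IDA plug-in would read from the database; it is not a real binary.
CALL_GRAPH = {
    "main": ["parse_args", "run", "printf"],
    "parse_args": ["strlen", "strcmp"],
    "run": ["connect_c2", "decrypt_payload", "memcpy"],
    "connect_c2": ["WSAStartup", "connect", "send"],
    "decrypt_payload": ["rc4_init", "rc4_crypt"],
    "rc4_init": ["memset"],
    "rc4_crypt": [],
}

# Functions the analyst does not want expanded: statically linked CRT
# routines and imports. They are shown as collapsed leaves.
LIBRARY_FUNCS = {"printf", "strlen", "strcmp", "memcpy", "memset",
                 "WSAStartup", "connect", "send"}

# Constructed "clues" attached to nodes: referenced strings and
# repeatable comments entered by the analyst.
STRINGS = {"connect_c2": ["c2.invalid:443"], "decrypt_payload": ["payload.bin"]}
COMMENTS = {"run": "main dispatcher", "rc4_crypt": "RC4 keystream XOR"}

# Reverse index so that parent (caller) nodes can be looked up cheaply.
REVERSE_GRAPH = defaultdict(list)
for _caller, _callees in CALL_GRAPH.items():
    for _callee in _callees:
        REVERSE_GRAPH[_callee].append(_caller)


def callees(func):
    return CALL_GRAPH.get(func, [])


def callers(func):
    return REVERSE_GRAPH.get(func, [])


def build_tree(root, max_depth=2, _path=()):
    """Return a nested (name, kind, children) tuple rooted at `root`.

    kind is 'lib' for a collapsed library node, 'deep' for a node cut off
    by max_depth (expandable on demand), 'cycle' for a recursive call back
    into the current path, and 'func' for a normal expanded node."""
    if root in LIBRARY_FUNCS:
        return (root, "lib", [])
    if root in _path:
        return (root, "cycle", [])
    if len(_path) >= max_depth:
        return (root, "deep", [])
    children = [build_tree(c, max_depth, _path + (root,)) for c in callees(root)]
    return (root, "func", children)


def render(tree, indent=0):
    """Flatten the tree into indented text lines, one per node, with the
    collapse marker, referenced strings and comment appended."""
    name, kind, children = tree
    extras = []
    if kind == "lib":
        extras.append("[lib]")
    elif kind == "deep":
        extras.append("[+]")
    elif kind == "cycle":
        extras.append("[recursion]")
    for s in STRINGS.get(name, []):
        extras.append(f'"{s}"')
    if name in COMMENTS:
        extras.append(f"; {COMMENTS[name]}")
    line = "  " * indent + name + ("  " + " ".join(extras) if extras else "")
    lines = [line]
    for child in children:
        lines.extend(render(child, indent + 1))
    return lines


def find_paths(src, dst, _path=None):
    """Return every simple call path from src to dst (depth-first search,
    never revisiting a function already on the current path)."""
    path = (_path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in callees(src):
        if nxt not in path:
            found.extend(find_paths(nxt, dst, path))
    return found


if __name__ == "__main__":
    print("\n".join(render(build_tree("main", max_depth=2))))
    print("callers of memset:", callers("memset"))
    for p in find_paths("main", "send"):
        print(" -> ".join(p))
```

With `max_depth=2` the two children of `run` are shown collapsed with a `[+]` marker rather than expanded, which is the behaviour the abstract describes for deep calls; raising `max_depth` or calling `build_tree` on the collapsed node is the equivalent of "digging deeper" from that node.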
Hiroshi Suzuki
Internet Initiative Japan

Hiroshi Suzuki is a malware analyst, a forensic investigator, an incident responder and a researcher, working for the Japanese ISP Internet Initiative Japan Inc. He is a member of IIJ-SECT, which is the private CSIRT of his company. He is especially interested in targeted attacks, their RATs and their attack tools, such as PlugX, Mimikatz and so on. He has dedicated over 15 years to these areas. He has been a speaker and a trainer at international conferences such as Black Hat (USA, Europe, Asia and Japan) and the FIRST conference (Annual and TC) multiple times.