Finding All Paths Between Two Functions in IDA

By | | ,

A common need that I have when reversing code is to find all possible code paths between two functions. Say for example that I’m looking for calls to dangerous functions, like sprintf, and I want to find all possible code paths that lead from my current function to sprintf. Manually going through the call graph from my starting function can often be, well, tedious:

websReadEvent call graph

Unfortunately I couldn’t find an easy way to make IDA display all code paths between two functions, and only the paths between those two functions. Normal call graphs show everything going to or from a single function, and while proximity view can be told to find a path between two nodes, it only displays the first path that it finds.

So I wrote idapathfinder, a plugin to find all code paths between two functions. This can significantly narrow down the number of paths that require investigation:

All paths between websReadEvent and sprintf

Note that the graphs generated by idapathfinder are solely dependent on IDA’s knowledge of function cross-references, so if for example you have a function that iterates over function pointers in a function table, those relationships will not be identified.

You can download idapathfinder here.

Bookmark the permalink.

9 Responses to Finding All Paths Between Two Functions in IDA

  1. Ari Weinstein says:
    April 30, 2013 at 2:54 am

    Nice router web server action going on there! 🙂

    Reply
  2. mike says:
    April 30, 2013 at 8:03 pm

    Is that USS Enterprise?

    Reply
  3. slow says:
    May 2, 2013 at 3:36 pm

    Isn’t this implemented in the toolbag plugin? Does your algo differ from theirs at all?

    Reply
    • Craig says:
      May 2, 2013 at 5:10 pm

      Yes, I found that out after I posted this of course. 😛 I’ll probably still keep idapathfinder around though, since I found it to be a bit of a pain to get toolbag working properly in a non-windows environment.

      Reply

  4. Pingback: An IDA plugin to graph all paths between two functions | ç«æ˜ŸäżĄæŻćź‰ć…šç ”ç©¶é™ą

  5. AnIDAUser says:
    May 8, 2014 at 5:56 pm

    Im actually using this with IDA 6.1, it works fine except the graph rendering, for example when I use an xref from a function where I can assume theres 100% a path between, it looks like this:

    http://gyazo.com/e23d0906d50e3c4beadc26329d58c290

    Any Idea?

    Reply
    • AnIDAUser says:
      May 8, 2014 at 6:44 pm

      Sry used the version from google code linked in your post
      The code from github just works fine, so you may consider updating the link in the post 😉

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *