New feature in IDA 6.2: The proximity browser
The new IDA Pro 6.2 release will be featuring a new view called the “proximity browser” (only available in the Qt version).
The proximity view
The proximity view (“PV” for short) allows the reverser to see and browse the relationships between functions, global variables, constants, etc. We can use the PV, for example, to visualize the complete callgraph of a program, to see the path between 2 functions, or to see which global variables are referenced from some function. This view is accessible from the disassembly view by “zooming out” from the current function (using the “-” hotkey or from the “Proximity view” context menu).
In the PV, it is possible to double-click a node to show the relationships of a function (equally, one can jump to a new function by pressing “G”), double-click the elliptic nodes to show/expand the children of a node (x-refs from) or select the “Show/Hide parents” from the context menu to show or hide the parents (x-refs to) of the selected node.
One of the most interesting features in this initial version of the PV is “Find path” (accessible from the context menu). This feature shows graphically the path between 2 nodes (for example, a function and a global variable): new nodes are imported into the view with the appropriate edge connections.
Let’s imagine you want to know where the function ShellExecuteA in shell32.dll verifies if the path is UNC or not. To do this press “G” to go to the function ShellExecuteA, then “zoom out” to the proximity view by pressing “-”. A view similar to the following will appear:
Now, select the green node (aka the central node), right-click and, from the context menu, select “Hide childs” in order to hide all the other nodes, as we aren’t interested in them. Then right-click, select “Add name” from the context menu and, in the newly opened dialog, find and select “PathIsUNCW”. The proximity view will look like this:
As you can see, there is no direct relationship between the nodes, so they appear disconnected. Now we will search for a path between them: select the node “__imp_PathIsUNCW” and select the “Find path” option from the context menu. A new dialog will open showing all the nodes of the current callgraph. Select “ShellExecuteA” and click OK. A new graph will be displayed:
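The path search from the walkthrough above, as an added example that is not part of the original post and is not IDA's own implementation: a breadth-first search over cross-reference edges, where children are x-refs from a node and parents are x-refs to it. Only ShellExecuteA and __imp_PathIsUNCW come from the post; the example_* names and the edge list are constructed for illustration.

```python
from collections import deque

# Constructed cross-reference edges (referencing node -> referenced node).
# The example_* names are hypothetical stand-ins for whatever lies between
# ShellExecuteA and the import in a real database.
XREFS = [
    ("ShellExecuteA", "example_exec_worker"),
    ("ShellExecuteA", "example_init_info"),
    ("example_exec_worker", "example_resolve_target"),
    ("example_exec_worker", "example_log_event"),
    ("example_resolve_target", "example_check_path"),
    ("example_check_path", "__imp_PathIsUNCW"),
    ("example_log_event", "example_exec_worker"),  # cycle: must not loop forever
    ("example_unrelated", "__imp_PathIsUNCW"),
]

def build_graph(xrefs):
    """Return (children, parents): x-refs from and x-refs to each node."""
    children, parents = {}, {}
    for src, dst in xrefs:
        children.setdefault(src, []).append(dst)
        parents.setdefault(dst, []).append(src)
        children.setdefault(dst, [])
        parents.setdefault(src, [])
    return children, parents

def find_path(xrefs, start, goal):
    """Shortest chain of x-refs from start to goal, or None if disconnected."""
    children, _ = build_graph(xrefs)
    if start not in children or goal not in children:
        return None
    prev = {start: None}          # visited set and back-pointers in one dict
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:   # walk back-pointers to rebuild the path
                path.append(node)
                node = prev[node]
            return path[::-1]
        for child in children[node]:
            if child not in prev:
                prev[child] = node
                queue.append(child)
    return None

if __name__ == "__main__":
    print(" -> ".join(find_path(XREFS, "ShellExecuteA", "__imp_PathIsUNCW")))
```

The search follows x-refs in one direction only, so reversing the two arguments returns None on this edge list.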
Before finishing this post, we wanted to show you some more screenshots showing different layouts that will be available for the proximity view with the 6.2 release:
And that’s all! We hope you like the new feature!