IDA 9.2 is bringing a fresh set of tools for exploring cross-references (xrefs). These new views bring clarity to function relationships and data flows, making it easier to trace code paths and understand complex binaries.

Let’s take a closer look at the Xref Graph and Xref Tree.

Dynamic Xref Graph

For years, IDA users relied on qwingraph that allowed users to make graphs out of references between functions. While useful, it was not interactive, and the rendered graphs could quickly get confusing.

The new Xref Graph in IDA 9.2 evolves that concept, offering a more modern, integrated way to explore relationships between functions, code and data in an interactive manner. Though still early in development, it provides a strong foundation for richer visualization features in future versions.

The Xref Graph complements the Xref Tree, which we discuss in a bit, by showing relationships in a different perspective. It also helps users quickly understand dependencies and call hierarchies at a higher level.

Simple controls

• Dragging nodes around moves them
• Click and drag any point in the graph to pan around (Hold the Shift key to pan without unintentionally grabbing a node)
• Hold Ctrl/CMD while scrolling to zoom in and out
• Double-click on a node to jump to the corresponding item in an IDAView
• Right-click on a node to add or remove from the graph (e.g. "Add xrefs from node")
• Use the Space key to play or pause the layout mechanism 

Current state and future improvements

• Still in its early stages and will continue to evolve in upcoming releases.
• Planned to be improved and more tightly integrated with xrefs in general.
• Intended to work side by side with the Xref Tree to provide both textual and graphical overviews

Tips & Tricks

Xref Graph is still relatively nascent and we’re working on improving the default workflows.

Here is an example walkthrough of a workflow available today:

Finding code paths to a particular syscall

Let’s take some program and try to find paths to one of the “edges” - the “read” syscall for example.

• First we jump to the `_read` function; From there, we have a few options to generate an Xref Graph.
• This approach invokes the plugin directly (“Edit>Plugins>Xref Graph”), this will create a graph with one level of reference depth to and from the root node.
• From there, we can select code paths we’re interested in and expand their callers (references to) by using the “Add xrefs to node” action (`T` shortcut).

It’s also possible to delete unwanted nodes by using “Delete selected nodes” (`D` shortcut).

On smaller binaries, the “Xrefs graph to…” action, available in the right-click menu, would be a great candidate; it will gather callers recursively. This approach has caveats in 9.2: at the moment, Xref Graph’s layout algorithm performs slowly on sizable graphs and on a large enough binary, graphs will quickly reach thousands of nodes.

Techniques for dealing with large graphs:

• Pause the layout while browsing (if the graph hasn’t reached an equilibrium)
• To speed up the initial layout: open the Xref Graph options panel (right-click menu) and hide all Node types (“Filters”, “Nodes” checkboxes) while the layout runs. The graph will take shape faster while the rendering load is reduced.
  
  

The search bar at the bottom can be used to swiftly select nodes that match a certain string. Once the nodes are selected, the node manipulation actions will be enabled on those. For example this can let one rapidly select and remove functions that match a certain library prefix.

Xref Tree

Another new addition is the Xref Tree view. Instead of relying solely on graphs, this feature presents cross-references in a browsable, hierarchical structure. Users can quickly expand and collapse branches, making it easier to trace references without losing the broader context.

This feature consolidates and replaces the Function Calls and Cross References widgets.

• Shows references to and from the current function, much like call hierarchy views in IDEs (both code and data references are displayed).
• The tree is non-modal, so there can be multiple instances open, each focused on a different function.
• Tree nodes load lazily and update in real time as the user navigates.
• Function and object renames are immediately reflected in the view.
• When switching to the Xref Tree window, the last child widget you worked on will remain as the focus

• Synchronize with the current IDA View using the “Sync” checkbox.
• Filter out unnecessary functions via the “Add filter” button, Ctrl+F (apply filter), or Ctrl+Shift+F (remove filter).
• Toggle between simplified names (main(argc, argv) and full function names (int main(int argc, char **argv) .
• Navigate easily with mouse and keyboard using the common cursor keys.
• Double click/Enter to navigate the IDA View to the current item
• Multiple xrefs to the same function are deduplicated by default. Remove this step by checking “Allow Duplicates”.

Wrapping it Up

Together, the Dynamic Xref Graph and Xref Tree give analysts both a visual overview and a detailed textual map of code and data references. So whether you gravitate towards a big-picture diagram or a precise, navigable tree, IDA 9.2 brings new tools to better understand the relationships hidden inside complex binaries.

Do you have suggestions on what you’d like to see in the next versions of Xref Graph and Xref tree?

Feel free to contact us at product@hex-rays.com or let us know on our Discourse Forum!