Building Complete Call Graphs with Phoenix

In my last post, I told you that we use Phoenix for building the WRK, which allows us to apply Phoenix’ comprehensive set of analysis capabilities to the WRK. One particular analysis might be the construction of complete call graphs for functions interest.

Unfortunately, the build process of the WRK compiles each module separately and links it into a static library. As a final step, all static libraries will be linked together with pre-compiled libraries to the ntoskrnl.exe executable image. So building complete call graphs may be a problem, especially when a function calls or is called by a function within another module as Phoenix is only aware of functions within the compiled module.

But fortunately, Phoenix provides a solution to this problem!

Read more