The Semantic Graph tab builds and explores a knowledge graph of the binary's functions, call relationships, data flows, and security characteristics. It provides four sub-views for different exploration modes, plus tools for automated security, network, and community analysis.
Present across all sub-views:
| Element | Description |
|---|---|
| Current | Text field showing the selected function. Type a name or address and click Go to navigate. |
| Status bar | Shows index statistics: node count, caller/callee counts, flag counts. |
| Button | Description |
|---|---|
| Reset Graph | Delete all indexed data for this binary. |
| ReIndex Binary | Run the full indexing pipeline: extract structure, call graph, cross-references. |
| Semantic Analysis | Generate LLM summaries for all unsummarized functions. Shows a progress bar. |
| RAG checkbox | Include RAG context during semantic analysis. |
| MCP checkbox | Allow MCP tool use during semantic analysis. |
| Force re-analysis checkbox | Re-analyze functions that already have summaries. |
Graph Stats display: X nodes | Y edges | Z stale | Last: YYYY-MM-DD HH:MM:SS
A detail panel for the currently selected function with four sections:
Left Column (60%):
| Section | Description |
|---|---|
| Callers | Functions that call the current function. Double-click to navigate. |
| Callees | Functions called by the current function. Double-click to navigate. |
| Edges | Table of all edges involving this function, with type filtering. |
Edge types: calls, references, calls_vulnerable, taint_flows_to, similar_purpose, network_send, network_recv
Right Column (40%):
| Section | Description |
|---|---|
| Security Flags | Checkboxes for known security flags. Click to toggle. |
| + Add Custom Flag | Add a custom security flag to this function. |
| LLM Summary | The LLM-generated explanation of this function. |
| Edit / Save | Toggle between read and edit mode for the summary. |
Known Security Flags:
BUFFER_OVERFLOW_RISKCOMMAND_INJECTION_RISKFORMAT_STRING_RISKUSE_AFTER_FREE_RISKPATH_TRAVERSAL_RISKINTEGER_OVERFLOW_RISKNULL_DEREF_RISKMEMORY_LEAK_RISKRACE_CONDITION_RISKHANDLES_USER_INPUTPARSES_NETWORK_DATACRYPTO_OPERATIONAUTHENTICATION
An interactive QGraphicsView displaying function nodes and relationship edges.
Controls:
| Control | Description |
|---|---|
| N-Hops spinner | Expansion depth (1–5 hops from the center function). |
| CALLS checkbox | Show/hide call edges. |
| VULN checkbox | Show/hide vulnerability-related edges. |
| NETWORK checkbox | Show/hide network flow edges. |
| Zoom buttons | Zoom in (-), reset (100%), zoom out (+), fit to view (Fit). |
Visual Theme:
| Element | Color | Meaning |
|---|---|---|
| Background | #1f2123 |
Dark theme |
| Normal node | #3a3f44 |
Standard function |
| Center node | #2ea8b3 |
Currently selected function |
| Vulnerable node | #7a2b2b |
Function with security flags |
| Call edges | #58a6ff |
Function calls |
| Reference edges | #7a7f87 |
Data/code references |
| Vulnerability edges | #ff5c5c |
Vulnerability-related relationships |
- Uses Graphviz (
dotcommand) for layout when available, falls back to BFS layout - Curved edges with arrowheads
- Double-click any node to navigate to that function in IDA
- Summary panel below shows the selected node's function name, address, and LLM summary
Query the knowledge graph with seven search types:
| Query Type | Description |
|---|---|
| Semantic Search | Find functions by natural-language description. |
| Get Analysis | Retrieve the stored analysis for a specific function. |
| Similar Functions | Find functions with similar behavior or structure. |
| Call Context | Explore callers and callees at a given depth. |
| Security Analysis | Find functions matching security patterns. |
| Module Summary | Summarize a group of related functions. |
| Activity Analysis | Analyze function activity patterns (network, file I/O). |
Parameters:
| Field | Description |
|---|---|
| Query | Search text or natural-language description. |
| Address | Target function address. Use Current Address checkbox auto-fills. |
| Limit | Maximum results (1–100, default 20). |
| Depth | Call graph depth (1–5, default 1). |
| Direction | Call graph direction: both, callers, or callees. |
| Scope | Analysis scope: function or binary. |
Results Table: #, Function, Address, Score, Summary
Click a result row to see full details in the panel below. Click Go To to navigate to that address in IDA.
Run targeted analyses with individual buttons and progress indicators:
| Button | Description |
|---|---|
| Security Analysis | Detect vulnerability patterns and security-relevant API calls. |
| Network Flow | Trace network operations across the call graph. |
| Community Detection | Group related functions into logical modules. |
| Refresh Names | Update graph node labels to match current IDB names. |
Each button shows a progress indicator during execution.
The full analysis pipeline (triggered by ReIndex Binary + Semantic Analysis) runs these phases:
- Structure extraction — Function boundaries, call graph, cross-references
- Semantic analysis — LLM summaries for each function
- Security feature extraction — Vulnerability pattern detection
- Network flow analysis — Network API tracing
- Taint analysis — Data flow tracking
- Community detection — Module grouping
- Functions are indexed via
idautils.Functions()which iterates all recognized functions - Double-clicking a node or search result calls
ida_kernwin.jumpto(ea)to navigate - Function names are read via
ida_name.get_name(ea) - Cross-references use
ida_xreffor both code and data xrefs - The IDB hook
renamed()notifies the graph when functions are renamed, keeping labels in sync
- Semantic Graph Workflow — Step-by-step graph building guide
- Explain Tab — Individual function explanations
- RAG Tab — Add documents for enriched semantic analysis
- Settings Tab — Configure LLM provider for semantic analysis