1

I'm using IDA (free) 8.4. Each time I open a function (Windows x64) I get a possibly huge block of "Additional Parent Function" list on the right.

It's useless to me and I'd like to know if I can get rid of it completely. I know I can hide the block (right click menu) but the space taken is still taken when hidden, and I would like to never see it anyway.

enter image description here

Is there any option in IDA to do this? I kinda remember this "block" wasn't shown like few years ago.

Improve this question
7
  • those are related to ms c++ rt exception handling for x64, either frame unwinding or the handling themselves. their implementation depends on the handler associated with the boundaries specified in the IMAGE_EXCEPTION_DIRECTORY... hence, they're associated with the function through an implied data reference. if you're actually trying to remove them, you can undefine the code with the ui.... however, i prefer to just remove the function chunk from each parent function with a script. you can also disable SEH or EH analysis (not sure which one) in the options during database creation. Commented Aug 4, 2024 at 5:07
  • @AliRizvi-Santiago - can I use a script with IDA free and if yes, which script? Otherwise I've unchecked Kernel Option/Options 3/Enable EH analysis but it still shows this "block", I don't even know what that is... Are you sure it's related to SEH? Here is a closer look i.imgur.com/zthR59K.png Commented Aug 4, 2024 at 8:20
  • I've also tried the "IBM PC specific analyzer options"/ Disable SEH/EH analysis but this block is still there Commented Aug 4, 2024 at 8:29
  • I disable "Options 3 -> Enable EH Analysis", and enable proc options, "Disable SEH/EH analysis", and it results in not processing the IMAGE_EXCEPTION_DIRECTORY. Simple confirmation is that if it's properly disabled, you won't see the "unwind" or "try" posterior/anterior comments in the disassembly. If you xref that basic-block (0x1800EF166), and then xref the labels for that ref'd data (then repeat it a few times for those refs), you should be able to detect what is referencing it and adding it as a function chunk for each of those functions. If you hit RUNTIME_FUNCTION, it's EH. However.. Commented Aug 5, 2024 at 19:16
  • As mentioned, it's still a function chunk. You can remove these as documented at hex-rays.com/blog/igors-tip-of-the-week-86-function-chunks, or you can even undef the code at that address if lazy. If all else fails, and it does turn out to be EH related (despite your doubt), you can zero out the address of the IMAGE_EXCEPTION_DIRECTORY in the origin binary. To script removing chunks with IDC, (which I am no expert at), you can likely use remove_fchunk from hex-rays.com/products/ida/support/.idadoc/1077.shtml. Either way, if it's not marked as code, it won't be displayed. Commented Aug 5, 2024 at 19:23

1 Answer 1

Reset to default
1

Using IDA 9, we can now hide the visual block:

IDA 9 hiding block

And call "Layout graph" to reset the view:

IDA 9 Layout graph

And the huge block is now hidden

ID1 9 hidden visual block

Improve this answer
1
  • Technically not an answer to your question, since you asked about 8.4 specifically. Still good to know. +1 Commented Jan 5 at 14:34

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.