Given an arbitrary executable, is it possible to determine some or all of the indirect branch destination addresses? What is a programmatic approach to computing these destinations? I'm asking because I am reconstructing a CFG from an executable and can't figure out a clean way of computing indirect branches. Sometimes the operand can be determined with a little forensic analysis, but other times it's not so clear.
Answer 1:
Calculating possible indirect branch destinations in a compiled program statically is possible by performing data-flow analysis to find out the possible values for the address.
It might work well on simple things such as jump tables (the kind of stuff often generated from switch statements).
In the general case, though, I think that it will be pretty hard to get decent results from that — especially since I suspect your analysis will need some sort of heap analysis to be of any value, and that is not easy, particularly on assembly, which might be riddled with loads and stores to memory.
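As an added illustration of the "simple case" the answer describes (not code from the question or the answer), the following resolves the targets of a `jmp reg` when the preceding instructions form the usual compiler jump-table idiom: a bounds check (`cmp`/`ja`), a constant table base (`lea`) and a scaled table load (`mov`). The disassembly, the table address `0x4000` and the 64-bit absolute entries are constructed sample data; real tables often hold 32-bit table-relative offsets instead, and a register that is written again before the jump would defeat this single forward pass.

```python
import re
import struct

# Constructed sample: a switch with a 4-entry table of absolute 64-bit
# targets at 0x4000 (hypothetical addresses, not from any real binary).
SAMPLE_ASM = [
    "cmp eax, 3",            # bound check on the case index
    "ja 0x1080",             # index > 3 -> default case
    "lea rdx, [0x4000]",     # table base
    "mov rax, [rdx+rax*8]",  # fetch table[index]
    "jmp rax",               # indirect branch to the fetched address
]
SAMPLE_MEM = {0x4000: b"".join(struct.pack("<Q", t)
                                for t in (0x1020, 0x1030, 0x1040, 0x1050))}

def full_reg(r):
    """Fold 32-bit aliases onto their 64-bit register (eax -> rax)."""
    return "r" + r[1:] if r.startswith("e") else r

def read_qword(mem, addr):
    """Read a little-endian 64-bit pointer from the constructed memory map."""
    for start, data in mem.items():
        if start <= addr and addr + 8 <= start + len(data):
            return struct.unpack_from("<Q", data, addr - start)[0]
    raise ValueError(f"unmapped read at {addr:#x}")

def resolve_jump_table(asm, mem):
    """Record the facts the jump-table idiom needs in one forward pass, then
    enumerate the 'jmp reg' targets; return None if the idiom is incomplete."""
    bounds, bases, loads, pending_cmp = {}, {}, {}, None
    for ins in asm:
        if m := re.fullmatch(r"cmp (\w+), (\d+)", ins):
            pending_cmp = (full_reg(m[1]), int(m[2]))
        elif re.fullmatch(r"ja \S+", ins) and pending_cmp:
            bounds[pending_cmp[0]] = pending_cmp[1]   # unsigned index <= imm
        elif m := re.fullmatch(r"lea (\w+), \[(0x[0-9a-f]+)\]", ins):
            bases[full_reg(m[1])] = int(m[2], 16)
        elif m := re.fullmatch(r"mov (\w+), \[(\w+)\+(\w+)\*(\d)\]", ins):
            loads[full_reg(m[1])] = (full_reg(m[2]), full_reg(m[3]), int(m[4]))
        elif m := re.fullmatch(r"jmp (\w+)", ins):
            if full_reg(m[1]) not in loads:
                return None                  # not a table load at all
            base_reg, idx_reg, scale = loads[full_reg(m[1])]
            if base_reg not in bases or idx_reg not in bounds:
                return None                  # unknown base or unbounded index
            base, limit = bases[base_reg], bounds[idx_reg]
            return [read_qword(mem, base + i * scale) for i in range(limit + 1)]
    return None
```

A vtable-style `mov rax, [rdi+rcx*8]; jmp rax` with no bounds check returns None, which is the point where the answer's heap analysis would have to take over.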