HexRaysCodeXplorer - Hex-Rays Decompiler Plugin For Better Code Navigation
Hex-Rays Decompiler plugin for better code navigation in the RE process. CodeXplorer automates code REconstruction of C++ applications and of modern malware like Stuxnet, Flame, Equation, Animal Farm ...
The CodeXplorer plugin is one of the first publicly available Hex-Rays Decompiler plugins. We have kept this project updated since summer 2013 and continue to contribute new features frequently. The most interesting features of CodeXplorer have been presented at numerous security conferences, including REcon, ZeroNights, H2HC, NSEC and BHUS.
Contributors:
Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)
Supported versions of Hex-Rays products: we always focus on the latest versions of IDA and the Decompiler, because we try to use the new features of each new SDK release. This also means that we test only on the latest versions of Hex-Rays products; stable operation on previous versions is not guaranteed.
Why not IDAPython: all code is developed in C/C++ because it is a more stable way to support a complex plugin for the Hex-Rays Decompiler.
Supported Platforms: x86/x64 for Windows, Linux and Mac.
HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. The right-click context menu in the Pseudocode window shows the CodeXplorer plugin commands:
Here are the main features of the CodeXplorer plugin:
- Automatic type REconstruction for C++ objects. To reconstruct a type using HexRaysCodeXplorer, select the variable holding a pointer to the instance of position-independent code or to an object, then right-click and choose the «REconstruct Type» option from the context menu:
The reconstructed structure is displayed in the "Output window". Detailed information about the type REconstruction feature is provided in the blog post "Type REconstruction in HexRaysCodeXplorer".
CodeXplorer also supports automatic REconstruction of types directly into the IDA local types storage.
- Virtual function table identification - automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified, the plugin generates a corresponding C-structure. As shown below, during reconstruction of struct_local_data_storage two virtual function tables were identified and, as a result, two corresponding structures were generated: struct_local_data_storage_VTABLE_0 and struct_local_data_storage_VTABLE_4. The numeric suffix is the offset of the vtable pointer field within the object, so offsets 0 and 4 correspond to two consecutive pointer-sized fields in a 32-bit sample.
- C-tree graph visualization – a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). Useful for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window:
- Ctree Item View – show the ctree representation of the highlighted element:
- Extract Ctrees to File – calculate a SHA1 hash and dump all ctrees to a file.
- Extract Types to File – dump all type information (including reconstructed types) into a file.
- Navigation through virtual function calls in the HexRays Pseudocode window. Once C++ objects are represented by C-structures, this feature makes it possible to navigate to virtual function calls by mouse-clicking the corresponding structure fields:
- Jump to Disasm - small feature for navigating to the assembly code in the "IDA View" window from the current Pseudocode line position. It helps to find the place in the assembly code associated with a decompiled line.
- Object Explorer – useful interface for navigation through virtual table (VTBL) structures. Object Explorer outputs VTBL information into an IDA custom view window. The output window is shown by choosing the «Object Explorer» option in the right-click context menu:
Object Explorer supports the following features:
- Auto structure generation for VTBLs into IDA local types
- Navigation in the virtual table list, with jump to the VTBL address in the "IDA View" window by click
- Show hints for the current position in the virtual table list
- Show the cross-references list by clicking "Show XREFS to VTBL" in the menu
- Support for automatic parsing of RTTI objects:
Batch mode contains the following features:
- Batch mode - useful feature for using CodeXplorer to process multiple files without any interaction from the user. We added this feature after our Black Hat research in 2015 for processing 2 million samples.
Example (dump types and ctrees for functions with name prefix "crypto_"): idaq.exe -OHexRaysCodeXplorer:dump_types:dump_ctrees:CRYPTOcrypto_ path_to_idb
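As an added example (not part of the CodeXplorer project or of the original page), the following POSIX shell script drives the batch mode described above over a whole directory of IDA databases, which is the situation batch mode was built for. The -OHexRaysCodeXplorer:dump_types:dump_ctrees:CRYPTO<prefix> option string is the one shown in the example above; the IDA_BIN, LOG_DIR and DRY_RUN variables, the use of IDA's -A (autonomous mode) switch to keep dialogs from stalling the run, the per-sample log files and the sample file names are this script's own assumptions.

```shell
#!/bin/sh
# Added example: batch driver for CodeXplorer's batch mode. Not part of the
# project. The -OHexRaysCodeXplorer:... option syntax is taken from the README;
# IDA_BIN, LOG_DIR, DRY_RUN and the -A (autonomous) switch are assumptions of
# this script.

IDA_BIN="${IDA_BIN:-idaq}"                  # assumption: idaq on PATH
LOG_DIR="${LOG_DIR:-./codexplorer-logs}"    # assumption: per-IDB log directory

# Plugin option string: dump types and ctrees for functions whose name starts
# with $1 (the CRYPTO<prefix> token follows the README example).
codexplorer_opts() {
    printf '%s' "-OHexRaysCodeXplorer:dump_types:dump_ctrees:CRYPTO$1"
}

# Complete command line for one IDB ($2) with name prefix $1, as one line.
codexplorer_cmd() {
    printf '%s -A %s %s\n' "$IDA_BIN" "$(codexplorer_opts "$1")" "$2"
}

# Process every .idb/.i64 in directory $2 with prefix $1 and print the number
# of databases handled. When DRY_RUN=1 or IDA is not installed, the command
# lines are written to stderr instead of being executed, so a run can be
# reviewed before a large corpus is committed to it.
run_batch() {
    prefix=$1
    dir=$2
    n=0
    mkdir -p "$LOG_DIR"
    for idb in "$dir"/*.idb "$dir"/*.i64; do
        [ -f "$idb" ] || continue          # an unmatched glob stays literal
        n=$((n + 1))
        if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$IDA_BIN" >/dev/null 2>&1; then
            codexplorer_cmd "$prefix" "$idb" >&2
        else
            # -A runs IDA autonomously so no dialog can block the batch;
            # a failed sample is reported and the loop moves on.
            "$IDA_BIN" -A "$(codexplorer_opts "$prefix")" "$idb" \
                >"$LOG_DIR/$(basename "$idb").log" 2>&1 \
                || echo "FAILED: $idb (see $LOG_DIR)" >&2
        fi
    done
    echo "$n"
}

# Usage: sh batch_codexplorer.sh <name-prefix> <directory-with-idbs>
if [ "$#" -ge 2 ]; then
    run_batch "$1" "$2"
fi
```

Run it first with DRY_RUN=1 to see the exact command lines, then without; each sample's IDA output lands in its own log under LOG_DIR, so a crash on one database can be traced without re-running the others.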
Compiling:
Windows:
- Open the solution in Visual Studio
- Open the file src/HexRaysCodeXplorer/PropertySheet.props in notepad(++) and update the values of the IDADIR and IDASDK paths to point to the IDA installation path and the IDA7 SDK path accordingly. The HexRays SDK should be in $IDADIR\plugins\hexrays_sdk (as by default)
- Build the Release | x64 and Release x64 | x64 configurations
Linux:
- cd src/HexRaysCodeXplorer/
- IDA_DIR=<IDA_DIR> IDA_SDK=<IDA_SDK> EA64=0 make -f makefile.lnx
- IDA_DIR=<IDA_DIR> IDA_SDK=<IDA_SDK> EA64=1 make -f makefile.lnx
(replace <IDA_DIR> and <IDA_SDK> with the paths to your IDA installation and IDA SDK)
Mac:
- cd src/HexRaysCodeXplorer/
- IDA_DIR=<IDA_DIR> IDA_SDK=<IDA_SDK> make -f makefile.mac
- The Mac makefile might need some hand editing, pull requests welcome!
- For IDA 7.0 the .pmc file extension should be .dylib
- bash$ export IDA_DIR="/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS" && export IDA_SDK="/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/idasdk" && make -f makefile7.mac
- Or open the project HexRaysCodeXplorer.xcodeproj in Xcode
Conference talks about the CodeXplorer plugin:
- 2015
  - "Distributing the REconstruction of High-Level IR for Large Scale Malware Analysis", BHUS [slides]
  - "Object Oriented Code RE with HexraysCodeXplorer", NSEC [slides]
- 2014
  - "HexRaysCodeXplorer: object oriented RE for fun and profit", H2HC [slides]
- 2013
  - "HexRaysCodeXplorer: make object-oriented RE easier", ZeroNights [slides]
  - "Reconstructing Gapz: Position-Independent Code Analysis Problem", REcon [slides]