NtRays is a Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.
-
Cleanup of instrumentation and scheduler hinting code.
-
Lifting of multiple missing instructions.
-
Lifting of TrapFrame accesses and interrupt/syscall returns.
-
Inference of KUSER_SHARED_DATA segments.
-
Lifting of dynamic relocations for page tables and PFN database with LA57 support.
-
RSB flush lifting in ISRs.
-
Replacement of KTHREAD/KPROCESS with ETHREAD/EPROCESS in user types, local variables and arguments.
-
Lifting of SYSCALL instructions with the ability to select Nt* signatures.
mkdir build
cd build
cmake -G "Visual Studio 17 2022" -A x64 .. -DIDA_SDK_DIR=idasdk90 -DHEXRAYS_SDK_DIR=C:\Program Files\IDA Professional 9.0\plugins\hexrays_sdk
cmake --build . --config Release
mkdir build
cd build
cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR=idasdk90 -DHEXRAYS_SDK_DIR=/root/idapro-9.0/plugins/hexrays_sdk/
make
mkdir build
cd build
cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR=./idasdk90 -DHEXRAYS_SDK_DIR=./idasdk90
make
Simply drop the NtRays64.dll into the plugins folder. Note: IDA 7.6+ is required.
NtRays is licensed under BSD-3-Clause License.