can1357/NtRays
NtRays

NtRays is a Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

Features

  • Cleanup of instrumentation and scheduler hinting code.

  • Lifting of multiple missing instructions.

  • Lifting of TrapFrame accesses and interrupt/syscall returns.

  • Inference of KUSER_SHARED_DATA segments.

  • Lifting of dynamic relocations for page tables and PFN database with LA57 support.

  • RSB flush lifting in ISRs.

  • Replacement of KTHREAD/KPROCESS with ETHREAD/EPROCESS in user types, local variables and arguments.

  • Lifting of SYSCALL instructions with the ability to select Nt* signatures.

How to compile

Windows with Visual Studio 2022

mkdir build
cd build
cmake -G "Visual Studio 17 2022" -A x64 .. -DIDA_SDK_DIR=idasdk90 -DHEXRAYS_SDK_DIR="C:\Program Files\IDA Professional 9.0\plugins\hexrays_sdk"
cmake --build . --config Release

Linux

mkdir build
cd build
cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR=idasdk90 -DHEXRAYS_SDK_DIR=/root/idapro-9.0/plugins/hexrays_sdk/
make

macOS

mkdir build
cd build
cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR=./idasdk90 -DHEXRAYS_SDK_DIR=./idasdk90
make
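The three platform recipes above differ only in the CMake generator and the build step, and the two SDK paths are the part that most often goes wrong (a typo, or a Hex-Rays SDK path containing spaces that is not quoted). The script below is an added example, not part of the NtRays repository: it wraps the README's commands in a POSIX shell script that validates both SDK directories before CMake sees them and always quotes the paths. The layout checks it performs (an `include/pro.h` under the IDA SDK root and an `include/hexrays.hpp` under the Hex-Rays SDK root) are assumptions about the SDK layout, not something the README states; adjust them if your SDK is laid out differently.

```shell
#!/bin/sh
# Added example, not part of the NtRays repository: a wrapper around the
# README's build commands that checks the two SDK paths before CMake sees them.
# ASSUMPTIONS (not stated on the page): the IDA SDK root contains
# include/pro.h and the Hex-Rays SDK root contains include/hexrays.hpp.
# Usage: sh build_ntrays.sh {windows|linux|macos} IDA_SDK_DIR HEXRAYS_SDK_DIR

# check_sdk DIR FILE: succeed only if DIR/FILE exists; explain otherwise.
check_sdk() {
  if [ -f "$1/$2" ]; then
    return 0
  fi
  echo "error: '$1' does not look like the expected SDK (no $2)" >&2
  return 1
}

# validate_sdks IDA_SDK_DIR HEXRAYS_SDK_DIR: run both layout checks.
validate_sdks() {
  check_sdk "$1" include/pro.h && check_sdk "$2" include/hexrays.hpp
}

# configure_cmd OS IDA_SDK_DIR HEXRAYS_SDK_DIR: print the cmake configure
# command for the platform, mirroring the README. Paths are quoted so that a
# Hex-Rays SDK under "C:\Program Files" stays a single argument.
configure_cmd() {
  case "$1" in
    windows)
      printf 'cmake -G "Visual Studio 17 2022" -A x64 .. -DIDA_SDK_DIR="%s" -DHEXRAYS_SDK_DIR="%s"\n' "$2" "$3" ;;
    linux|macos)
      printf 'cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR="%s" -DHEXRAYS_SDK_DIR="%s"\n' "$2" "$3" ;;
    *)
      echo "error: unknown platform '$1' (use windows, linux or macos)" >&2
      return 1 ;;
  esac
}

# build_cmd OS: the build step the README uses on each platform.
build_cmd() {
  case "$1" in
    windows) echo 'cmake --build . --config Release' ;;
    linux|macos) echo 'make' ;;
    *) return 1 ;;
  esac
}

# Only act when invoked with three arguments; otherwise the file just
# defines the functions above (so it can be sourced or tested).
if [ "$#" -eq 3 ]; then
  validate_sdks "$2" "$3" || exit 1
  cfg=$(configure_cmd "$1" "$2" "$3") || exit 1
  bld=$(build_cmd "$1") || exit 1
  mkdir -p build && cd build || exit 1
  echo "+ $cfg"; eval "$cfg" || exit 1
  echo "+ $bld"; eval "$bld"
fi
```

Run it as `sh build_ntrays.sh linux idasdk90 /root/idapro-9.0/plugins/hexrays_sdk/` (or with `windows` from a shell that has the Visual Studio tools on its path); it refuses to configure when either SDK directory fails its layout check, which is cheaper than discovering a bad path through a wall of CMake errors.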

Installation

Simply drop the NtRays64.dll into the plugins folder. Note: IDA 7.6+ is required.

License

NtRays is licensed under the BSD-3-Clause License.