{"id":13903747,"url":"https://github.com/KasperskyLab/hrtng","last_synced_at":"2025-07-18T02:30:57.465Z","repository":{"id":251385995,"uuid":"837149190","full_name":"KasperskyLab/hrtng","owner":"KasperskyLab","description":"IDA Pro plugin with a rich set of features: decryption, deobfuscation, patching, lib code recognition and various pseudocode transformations","archived":false,"fork":false,"pushed_at":"2024-11-20T13:40:33.000Z","size":105824,"stargazers_count":126,"open_issues_count":0,"forks_count":16,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-24T06:08:24.186Z","etag":null,"topics":["binary-analysis","decryption","deobfuscation","hexrays","ida","ida-plugin","ida-pro","ida-pro-plugin","idapro","malware-analysis","pattern-matching","reverse-engineering"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/KasperskyLab.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-02T10:12:51.000Z","updated_at":"2024-11-20T13:33:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"07fadb91-0ef6-433e-974b-5a5baa07303d","html_url":"https://github.com/KasperskyLab/hrtng","commit_stats":null,"previous_names":["kasperskylab/hrtng"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Fhrtng","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Fhrtng/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/KasperskyLab%2Fhrtng/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/KasperskyLab%2Fhrtng/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/KasperskyLab","download_url":"https://codeload.github.com/KasperskyLab/hrtng/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226329016,"owners_count":17607724,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-analysis","decryption","deobfuscation","hexrays","ida","ida-plugin","ida-pro","ida-pro-plugin","idapro","malware-analysis","pattern-matching","reverse-engineering"],"created_at":"2024-08-06T23:00:35.924Z","updated_at":"2025-07-18T02:30:57.449Z","avatar_url":"https://github.com/KasperskyLab.png","language":"C++","readme":"# hrtng IDA plugin\nThe hrtng IDA plugin is a collection of tools, ideas and experiments I've found interesting and useful in my reversing work.\n\nSpecial thanks to the following people, whose great plugins were used as a base for my work:\n  * Milan Bohacek, [hexrays_tools](https://github.com/nihilus/hexrays_tools) and [hexrays_hlight](https://hex-rays.com/contests_details/contest2016/hexlight/hexrays_hlight.py)\n  * HexRaysDeob by [Rolf Rolles](https://hex-rays.com/blog/hex-rays-microcode-api-vs-obfuscating-compiler) and [Takahiro Haruyama](https://blogs.vmware.com/security/2019/02/defeating-compiler-level-obfuscations-used-in-apt10-malware.html)\n  * Karthik Selvaraj [Krypton plugin](https://www.hex-rays.com/contests/2012/Krypton_2012_Hex-Rays_Contest.zip) \n  * Ali Rahbar, 
Ali Pezeshk and Elias Bachaalany [GraphSlick plugin](https://github.com/lallousx86/GraphSlick)\n  * Markus Gaasedelen [AVX support for the Hex-Rays x64 Decompiler](https://github.com/gaasedelen/microavx)\n\nThe plugin requires the Hex-Rays decompiler to be present in your IDA installation.  \nOnly the latest version of IDA is supported and actively developed for. However, the plugin can be compiled with IDA SDK \u003e= 7.3.\nNew features and fixes added for the current IDA are usually not well tested with old versions.\n\n## Features of the plugin:\nThere is no single place in the menu where all of the plugin's functionality is grouped together.\nThe plugin's menu items are placed close to the logically related standard IDA \u0026 Hex-Rays decompiler functions.\nMessages, menu items, popup windows and dialog boxes belonging to this plugin are marked with the \"`[hrt]`\" prefix.\n\n### Automation\n  * [Pull up comments from disasm to pseudocode view](doc/pull-cmt.md)\n  * [Automatic renaming local and global variables, struct members](doc/var-auto-rename.md)\n  * [Automatic enum substitution](doc/enum.md)\n  * [COM helper](doc/com-helper.md)\n\n### Interactive pseudocode transformation\n  * [User interactive renaming/retyping assistance](doc/rename-recast.md)\n  * [Assists with changing type of structure member or local/global variable](doc/recast.md)\n  * [reinterpret_cast](doc/reicast.md)\n  * [Collapse selection](doc/collapse.md)\n  * [\"offsetof\" convertor](doc/offsetof.md)\n\n### Decryption\n  * [Strings/data/const decryption](doc/decr.md)\n  * [Build stack strings (optionally with decryption)](doc/stk-str.md)\n  * [Build array strings (optionally with decryption)](doc/arr-str.md)\n  * [Mass strings decryption](doc/appcall.md)\n\n### Deal with obfuscated code\n  * [Decompile obfuscated code](doc/deob.md)\n  * [Scan for API names hashes](doc/api-hashes.md)\n  * [Unflattening](doc/unflat.md)\n  * [Microcode optimizers / \"Magic\" calls](doc/opt.md)\n\n### Code recognition\n  * [Microcode signatures](doc/msig.md)\n  * 
[De-Inline - detection of inlined functions](doc/deinline.md)\n\n### Type management assistance\n  * [Create dummy structs](doc/cr_struc.md)\n  * [Assist split gaps in structures](doc/struct-gaps.md)\n  * [Union creation for a variable is reused with different types](doc/var-reuse.md)\n  * [List of structures with given size, with given offset](doc/struct-sz-off.md)\n  * [Assist in creation of new structure definitions](doc/struct-bld.md)\n  * [Finds structures with same \"shape\" as is used](doc/struct-shape.md)\n  * [Import user named functions prototypes into the local type library](doc/import_unf_types.md)\n  * [~~New functionality in Structures view~~](doc/ex-unp-struc.md)\n  * [IDC script for interactive merging types across multiple IDBs](bin/idc/merge_types.idc)\n\n### Virtual/indirect calls assistance\n  * [Virtual calls assistance](doc/virtual-calls.md)\n  * [Jump to indirect call destination](doc/ijmp.md)\n  * [Fix stack pointer for indirect call](doc/fix-stack.md)\n \n### Function name and type\n  * [Smart rename func](doc/rename-func.md)\n  * [Convert function to __usercall, detect spoiled registers](doc/usercall.md)\n  * [Set calling conventions bit closer to Go-lang](doc/golang.md)\n  * [~~Remove function's return type converting it to void func(...)~~](doc/remove-ret-type.md)\n  * [~~Remove function's argument~~](doc/remove-arg.md)\n\n### IDA UI improvements\n  * [Extended xrefs](doc/xrefs_ex.md)\n  * [Matching brace highlight](doc/brace.md)\n  * [Auto turn on 'Functions' window content synchronisation](doc/func-sync.md)\n  * [Render markdown content of \"IDA notepad\" in a docked viewer](bin/plugins/notepad-md.py)\n\n### Misc features\n  * [Get API help](doc/zeal-api-help.md)\n  * [AVX lifter](doc/avx.md)\n  * [Dump strings, comments and names from the IDA database](doc/dump-strings.md)\n  * [Offsets table creation](doc/offsets-tbl.md)\n  * Print reversing progress percent on a proc renaming\n  * [Recursively decompile 
callees](doc/recur-decomp.md)\n  * [Refactoring (global Find and Replace)](doc/refactoring.md)\n  * [~~Deal with structures with negative offsets or access based on offsets in a middle of structure~~](doc/neg-offs.md)\n\n### Patching\n  * [Patch custom area with NOPs](doc/patch-nops.md)\n  * [Patch from debugger / Patch from file](doc/patch-dbg.md)\n  * [Search \u0026 Patch](doc/search-n-patch.md)\n  * [Create patched (DEC) file](doc/create_dec.md)\n\n### IDA plugin developer help\n  * [Microcode Explorer](doc/mcode-expl.md)\n\n## Media\n### Reversing FinSpy\n  * [securelist - Our secret ingredient for reverse engineering](https://securelist.com/hrtng-ida-pro-plugin/114780/) (EN)\n  * [Хабр - Cекретный ингредиент для реверс-инжиниринга: как работает наш собственный опенсорс-плагин для IDA](https://habr.com/ru/companies/kaspersky/articles/865394/) (RU)\n  * [Positive Hack Days Fest 2025 - Наш секретный ингредиент для реверс-инжиниринга](https://www.youtube.com/watch?v=Yxkg2zD7Ggw) (RU)\n  * [Off-By-One 2025 - Speed up your reverse engineering with the hrtng plugin](https://www.youtube.com/watch?v=846wdb06k2g) (EN)\n### Analyzing PlugX  \n  * [SSTIC 2025 - Analysez des logiciels malveillants plus rapidement avec hrtng](https://www.sstic.org/2025/presentation/analysez_des_logiciels_malveillants_plus_rapidement_avec_hrtng/) (FR)\n\n## Building\n\n * Clone hrtng together with the [Crypto++® Library CMake](https://github.com/abdes/cryptopp-cmake) submodule, or manually put the downloaded `cryptopp-cmake` source code into the `hrtng/src/cryptopp-cmake` folder.\n \n```\ncd src\ngit clone --recurse-submodules https://github.com/KasperskyLab/hrtng.git\n```\n\n * Copy the `IDA_DIR/plugins/hexrays_sdk/include/hexrays.hpp` file to the `include` directory of the IDA SDK. (Not necessary since IDA 9.0/8.5)\n * Edit the `hrtng/src/CMakeLists.txt` file to set the correct path and version of the IDA SDK in use. 
To build later with another SDK version, you may change cmake's `IDASDK_VER` variable using the `cmake -D`, `ccmake` or `cmake-gui` tools.\n * Create a build directory, go into it, then configure and build the cmake project\n```\nmkdir bld \u0026\u0026 cd bld\ncmake \u003cpath-to/hrtng/src\u003e\ncmake --build . --config Release -j 4 --clean-first\n```\n\n * On the first build attempt with an IDA SDK before version 9.1, there will be a compile error that looks like:\n\n```\nhrtng/src/deob.cpp:912:60: error: ‘class rangeset_t’ has no member named ‘as_rangevec’\n     fc.create(\"tmpfc2\", ranges.as_rangevec(), 0);//!!! add line into range.hpp, class rangeset_t: \"const rangevec_t \u0026as_rangevec() const { return bag; }\"\n```\n\n * To fix the error, edit the `IDA_SDK/include/range.hpp` file, adding a line with the `as_rangevec` function implementation to the `class rangeset_t` declaration, as in the following example:\n\n```\nclass rangeset_t\n{\n  rangevec_t bag;\n  ...\n  public:\n  const rangevec_t \u0026as_rangevec() const { return bag; }\n  ...\n};\n```\n\n * Copy the built binaries into the `IDA_DIR/plugins` folder together with the `apilist.txt` and `literal.txt` files from `hrtng/bin/plugins`\n * Profit\n\n## License\nThis program is released under the GPL v3 license\n\n## Author\n* Sergey.Belov at kaspersky.com\n\n","funding_links":[],"categories":["C++"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKasperskyLab%2Fhrtng","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKasperskyLab%2Fhrtng","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKasperskyLab%2Fhrtng/lists"}