https://github.com/can1357/ntrays

Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.
https://github.com/can1357/ntrays

hex-rays hex-rays-decompiler ntoskrnl windows-kernel

Last synced: 8 months ago
JSON representation

Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

• Host: GitHub
• URL: https://github.com/can1357/ntrays
• Owner: can1357
• License: bsd-3-clause
• Created: 2021-11-30T14:26:17.000Z (about 4 years ago)
• Default Branch: master
• Last Pushed: 2025-01-28T11:06:22.000Z (12 months ago)
• Last Synced: 2025-04-15T05:32:04.678Z (9 months ago)
• Topics: hex-rays, hex-rays-decompiler, ntoskrnl, windows-kernel
• Language: C++
• Homepage:
• Size: 241 KB
• Stars: 588
• Watchers: 17
• Forks: 73
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# NtRays

NtRays is a Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

## Features

- Cleanup of instrumentation and scheduler hinting code.

  ![](https://i.can.ac/zPTAq.png)

- Lifting of multiple missing instructions.

  ![](https://i.can.ac/BKL9G.png)

  

- Lifting of TrapFrame accesses and interrupt/syscall returns.

  ![](https://i.can.ac/5h6wU.png)

  

- Inference of KUSER_SHARED_DATA segments.

  ![](https://i.can.ac/SGIp2.png)

  

- Lifting of dynamic relocations for page tables and PFN database with LA57 support.

  ![](https://i.can.ac/LxA48.png)

  

- RSB flush lifting in ISRs.

  ![](https://i.can.ac/YW5AQ.png)

  

- Replacement of KTHREAD/KPROCESS with ETHREAD/EPROCESS in user types, local variables and arguments.

- Lifting of SYSCALL instructions with the ability to select Nt* signatures.

## How to compile

### Windows with Visual Studio 2022

```

mkdir build

cd build

cmake -G "Visual Studio 17 2022" -A x64 .. -DIDA_SDK_DIR=idasdk90 -DHEXRAYS_SDK_DIR=C:\Program Files\IDA Professional 9.0\plugins\hexrays_sdk

cmake --build . --config Release

```

### Linux

```

mkdir build

cd build

cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR=idasdk90 -DHEXRAYS_SDK_DIR=/root/idapro-9.0/plugins/hexrays_sdk/

make

```

### macOS

```

mkdir build

cd build

cmake .. -DCMAKE_BUILD_TYPE=Release -DIDA_SDK_DIR=./idasdk90 -DHEXRAYS_SDK_DIR=./idasdk90

make

```

## Installation

Simply drop the NtRays64.dll into the plugins folder.

Note: IDA 7.6+ is required.

## License

NtRays is licensed under BSD-3-Clause License.