_ _ ___ ___ _ __ __ _ | || |_____ _| _ \__ _ _ _ ___/ __|___ __| |___\ \/ /_ __| |___ _ _ ___ _ _ | __ / -_) \ / / _` | || (_-< (__/ _ \/ _` / -_)> <| '_ \ / _ \ '_/ -_) '_| |_||_\___/_\_\_|_\__,_|\_, /__/\___\___/\__,_\___/_/\_\ .__/_\___/_| \___|_| |__/ |_|
===============================================================================
Hex-Rays Decompiler plugin for better code navigation in RE process of C++ applications or code reconstruction of modern malware as Stuxnet, Flame, Equation ...
Contributors: Alex Matrosov (@matrosov) and Eugene Rodionov (@rodionov)
HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Right-click context menu in the Pseudocode window shows CodeXplorer plugin commands:
Here are the main features of the plugin:
- Automatic type REconstruction for C++ objects. To be able to reconstruct a type using HexRaysCodeXplorer one needs to select the variable holding pointer to the instance of position independed code or to an object and by right-button mouse click select from the context menu «REconstruct Type» option:
The reconstructed structure is displayed in “Output window”. Detailed information about type Reconstruction feature is provided in the blog post “Type REconstruction in HexRaysCodeXplorer”.
Also CodeXplorer plugin supports auto REconstruction type into IDA local types storage.
- C-tree graph visualization – a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). Useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window:
- Navigation through virtual function calls in HexRays Pseudocode window. After representing C++ objects by C-structures this feature make possible navigation by mouse clicking to the virtual function calls as structure fields:
- Jump to Disasm - small feature for navigate to assembly code into "IDA View window" from current Pseudocode line position. It is help to find a place in assembly code associated with decompiled line.
- Object Explorer – useful interface for navigation through virtual tables (VTBL) structures. Object Explorer outputs VTBL information into IDA custom view window. The output window is shown by choosing «Object Explorer» option in right-button mouse click context menu:
Object Explorer supports folowing features:
-
Auto structures generation for VTBL into IDA local types
-
Navigation in virtual table list and jump to VTBL address into "IDA View" window by click
-
Show hints for current position in virtual table list
-
Shows cross-references list by click into menu on "Show XREFS to VTBL"
- Basic RTTI objects parsing
Conference talks about CodeXplorer plugin:
- 2015
- "Object Oriented Code RE with HexraysCodeXplorer", NSEC [slides]
- 2014
- "HexRaysCodeXplorer: object oriented RE for fun and profit", H2HC [slides]
- 2013
- "HexRaysCodeXplorer: make object-oriented RE easier", ZeroNights [slides]
- "Reconstructing Gapz: Position-Independent Code Analysis Problem", REcon [slides]