IDA Pro plugin for recovering metadata-like structures from stripped .NET NativeAOT binaries.
This project started as an IDA rewrite of the ideas from NativeAOT research and ghidra-nativeaot.
On supported NativeAOT binaries, the plugin can:
- locate the ReadyToRun header even when there is no CLR header,
- rehydrate DEHYDRATED_DATA into the in-memory metadata region,
- recover method tables and type relationships,
- annotate frozen strings and frozen arrays,
- apply cached FLIRT NativeAOT signatures.

- Plugin works on IDA Pro 7.x, 8.x and 9.x.
- Plugin implemented on x64 NativeAOT PE/ELF samples.
- Signature cache for windows-x64 and linux-x64 (available for .NET 7, .NET 8, .NET 9, and .NET 10).

Install the plugin into your IDA plugin directory: place the nativeaot_ida.py plugin entrypoint and the ida_nativeaot folder in the IDA plugins/ directory.
Open a suspected NativeAOT sample in IDA, then run Edit -> Plugins -> NativeAOT Recover or press Ctrl-Alt-N.
Wait about 15-30 seconds for plugin RTR recognition and metadata parsing.
Set NATIVEAOT_DISABLE_FLIRT=1 before starting IDA if you want to skip the bundled FLIRT signature cache.
The directory sigcache contains a config-driven cache of FLIRT .sig files that the IDA plugin can apply automatically.
The plugin looks for config.json under plugins/ida_nativeaot/sigcache and plugins/sigcache. Each config entry describes when a signature should be considered:
```json
{
  "name": "hello_world",
  "path": "windows-x64/net8/hello_world.sig",
  "dotnet_version": "net8",
  "target_os": "windows",
  "binary_format": "pe",
  "architecture": "x64",
  "layout": "net80",
  "rtr_major": 9,
  "rtr_minor": 1,
  "requires_dehydrated_data": true
}
```

windows-x64/net8/ includes the borrowed starter corpus from NativeAOT-Signatures. windows-x64/net7-10 and linux-x64/net7-10 are generated from NativeAOT PE/ELF objects built from reference hello-world apps.

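One way such config entries could be matched against a loaded binary, as an added example that is not the plugin's own code. Assumptions: the entries are available as a list, every listed key must match exactly, and the `profile` dictionary, its `has_dehydrated_data` key and the function name are hypothetical. Because config.json is input, the resolved `.sig` path is also kept inside the cache directory.

```python
import os
from pathlib import Path

# Keys taken from the config entry above; exact-match semantics are an assumption.
MATCH_KEYS = ("target_os", "binary_format", "architecture",
              "layout", "rtr_major", "rtr_minor")

# Constructed config: the entry from the page plus two made-up entries.
_BASE = {"dotnet_version": "net8", "architecture": "x64", "layout": "net80",
         "rtr_major": 9, "rtr_minor": 1}
SAMPLE_CONFIG = [
    dict(_BASE, name="hello_world", path="windows-x64/net8/hello_world.sig",
         target_os="windows", binary_format="pe", requires_dehydrated_data=True),
    dict(_BASE, name="linux_hello", path="linux-x64/net8/hello_world.sig",
         target_os="linux", binary_format="elf", requires_dehydrated_data=True),
    dict(_BASE, name="escapes_cache", path="../../outside.sig",
         target_os="windows", binary_format="pe", requires_dehydrated_data=False),
]


def select_signatures(entries, profile, cache_root, env=None):
    """Return the .sig paths whose config entry matches the detected binary."""
    env = os.environ if env is None else env
    if env.get("NATIVEAOT_DISABLE_FLIRT") == "1":
        return []  # opt-out switch described on the page
    root = Path(cache_root).resolve()
    selected = []
    for entry in entries:
        if any(entry.get(k) != profile.get(k) for k in MATCH_KEYS):
            continue
        if entry.get("requires_dehydrated_data") and not profile.get("has_dehydrated_data"):
            continue
        sig = (root / entry["path"]).resolve()
        # Skip entries whose path resolves outside the cache or is not a .sig file.
        if root not in sig.parents or sig.suffix != ".sig":
            continue
        selected.append(sig)
    return selected


if __name__ == "__main__":
    detected = {"target_os": "windows", "binary_format": "pe", "architecture": "x64",
                "layout": "net80", "rtr_major": 9, "rtr_minor": 1,
                "has_dehydrated_data": True}
    for sig in select_signatures(SAMPLE_CONFIG, detected,
                                 "plugins/ida_nativeaot/sigcache", env={}):
        print(sig)
```
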
- ghidra-nativeaot project and blog post.
- NativeAOT-Signatures
