HexRaysCodeXplorer: Hex-Rays Decompiler plugin for better code navigation

The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware like Stuxnet, Flame, Equation, Animal Farm.

The CodeXplorer plugin is one of the first publicly available Hex-Rays Decompiler plugins. We keep updated this project since summer of 2013 and continue contributing new features frequently. Also, most interesting features of CodeXplorer have been presented on numerous security conferences like: REcon, ZeroNights, H2HC, NSEC and BHUS.

Supported versions of Hex-Rays products: everytime we focus on the last versions of IDA and Decompiler because trying to use new interesting features in new SDK releases. It’s also mean we tested just on last versions of Hex-Rays products and not guaranteed stable work on previous ones.

Why not IdaPython: all code developed on C/C++ because it’s a more stable way to support complex plugin for Hex-Rays Decompiler.

Supported Platforms: x86/x64 for Win, Linux and Mac.

HexRaysCodeXplorer – Hex-Rays Decompiler plugin for easier code navigation. Right-click context menu in the Pseudocode window shows CodeXplorer plugin commands:

Here are the main features of the CodeXplorer plugin: 

• Automatic type REconstruction for C++ objects. To be able to reconstruct a type using HexRaysCodeXplorer one needs to select the variable holding pointer to the instance of position independed code or to an object and by right-button mouse click select from the context menu «REconstruct Type» option:

The reconstructed structure is displayed in “Output window”. Detailed information about type Reconstruction feature is provided in the blog post “Type REconstruction in HexRaysCodeXplorer”.

Also CodeXplorer plugin supports auto REconstruction type into IDA local types storage.

• Virtual function table identification – automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified the plugin generates a corresponding C-structure. As shown below during reconstructing struct_local_data_storage two virtual function tables were identified and, as a result, two corresponding structures were generated: struct_local_data_storage_VTABLE_0 and struct_local_data_storage_VTABLE_4.

• C-tree graph visualization – a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). Useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window:

• Ctree Item View – show ctree representation for highlighted element:

• Extract Ctrees to File – dump calculates SHA1 hash and dump all ctrees to file.

• Extract Types to File – dump all types of information (include reconstructed types) into file.
• Navigation through virtual function calls in HexRays Pseudocode window. After representing C++ objects by C-structures this feature makes possible navigation by mouse clicking to the virtual function calls as structure fields:

• Jump to Disasm – small feature for navigate to assembly code into “IDA View window” from current Pseudocode line position. It is help to find a place in assembly code associated with decompiled line.

• Object Explorer – useful interface for navigation through virtual tables (VTBL) structures. Object Explorer outputs VTBL information into IDA custom view window. The output window is shown by choosing «Object Explorer» option in right-button mouse click context menu:

Object Explorer supports the following features:

• Auto structures generation for VTBL into IDA local types
• Navigation in virtual table list and jump to VTBL address into “IDA View” window by click
• Show hints for the current position in a virtual table list
• Shows cross-references list by click into a menu on “Show XREFS to VTBL”

• Support auto parsing RTTI objects:

The Batch mode contains following features:

• Batch mode – a useful feature to use CodeXplorer for processing multiple files without any interaction from the user. We add this feature after Black Hat research in 2015 for processing 2 million samples.

  Example (dump types and ctrees for functions with name prefix "crypto_"):
  
  idaq.exe -OHexRaysCodeXplorer:dump_types:dump_ctrees:CRYPTOcrypto_path_to_idb

   

Download

Copyright (C) Alex Matrosov (@matrosov), Eugene Rodionov (@rodionov), Rodrigo Branco (@rrbranco), Gabriel Barbosa (@gabrielnb)