Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

Can Bölük

Last update: Jan 3, 2023

Overview

NtRays

NtRays is a Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

Features

Cleanup of instrumentation and scheduler hinting code.
Lifting of multiple missing instructions.
Inference of KUSER_SHARED_DATA segments.
Lifting of dynamic relocations for page tables and PFN database with LA57 support.
RSB flush lifting in ISRs.

Planned Features

ETHREAD/EPROCESS where KTHREAD/KPROCESS is used.

Installation

Simply drop the NtRays64.dll into the plugins folder. Note: IDA 7.4+ is required.

License

NtRays is licensed under BSD-3-Clause License.

A decompilation of the Nintendo Switch version of Captain Toad: Treasure Tracker [v1.3.0].

cttt-decomp A decompilation of the Nintendo Switch version of Captain Toad: Treasure Tracker [v1.3.0]. Build Instructions Obtain a clean copy of a mai

14 Aug 17, 2022

Powerful automated tool for reverse engineering Unity IL2CPP binaries

2.1k Jan 7, 2023

Proof-of-concept implementation for the paper "Osiris: Automated Discovery of Microarchitectural Side Channels" (USENIX Security'21)

Osiris This repository contains the implementation of the Osiris framework discussed in the research paper "Osiris: Automated Discovery of Microarchit

41 Nov 11, 2022

Automated hydroponics with Home Assistant & ESP8266 controllers

ESPonics Automated hydroponics with ESP8266 microcontrollers & Home Assistant I absolutely want to credit Reddit user u/ghoofman for both the inspirat

16 Aug 27, 2022

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

1 Nov 7, 2021

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

1 Nov 8, 2021

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

ATM - Automated Teller Machine The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project. What is ATM? An automated t

0 Dec 26, 2021

Automated builds/mirrors of various PS3SDKs for Linux systems.

Working PS3SDK Binaries NOTICE: This repo is now deprecated. SDK builds have moved here, and SDK mirrors have moved here. Prepares and releases workin

3 Jan 29, 2022

PET: Optimizing Tensor Programs with Partially Equivalent Transformations and Automated Corrections

PET: Optimizing Tensor Programs with Partially Equivalent Transformations and Automated Corrections PET is the first DNN framework that optimizes tens

88 Dec 29, 2022

Comments

Suggestion: replacable literals

Since this is domain specific to NT Kernels, you could make it so that literal values (e.g. 0x80000000) are a drop down form menu containing various defines or enumeration values that match it. I don't know if it's possible with the IDA plugin API but it could be helpful.

opened by GravisZro 0

Releases(v1.67)

v1.67(Dec 2, 2021)
Implemented INVEPT/INVVPID.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(176.50 KB)
v1.66(Dec 2, 2021)
Implemented _mm_prefetcht0, _mm_prefetcht1, _mm_prefetcht2, _mm_prefetchnta.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(176.50 KB)
v1.64(Dec 2, 2021)
Implemented _xsaves, _xrstors.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(176.00 KB)
v1.63(Dec 2, 2021)
Implemented __invpcid, __invlpga.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(176.00 KB)
v1.62(Dec 2, 2021)
Implemented __vmread.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(176.00 KB)
v1.61(Dec 2, 2021)
Fixed invalid IN/OUT of __rdsspq/__rdsspd intrinsics.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(172.50 KB)
v1.6(Dec 2, 2021)
Added Intel CET/VMX, RDRAND/RDSEED, CLFLUSHOPT, CLWB lifters.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(171.50 KB)
v1.5(Dec 2, 2021)
Implemented type replacement for ETHREAD/EPROCESS.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(165.00 KB)
v1.4(Dec 2, 2021)
Added TrapFrame, IRETQ and SYSRETQ lifting.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(158.50 KB)
v1.3(Dec 2, 2021)
Added lifters for RCL and RCR.

Fixed a bug with global optimizer causing crashes.

Optimizing out shadow PTE reads.

Source code(tar.gz)
Source code(zip)
v1.2(Dec 1, 2021)
Added lifters for XSETBV, CLAC, STAC.

Implemented automatic creation of KUSER_SHARED_DATA sections.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(133.50 KB)
v1.1(Dec 1, 2021)
Added CPUID and XGETBV lifting, improved RSB search efficiency.

Source code(tar.gz)
Source code(zip)
NtRays64.dll(128.50 KB)
v1.0(Nov 30, 2021)

Initial release!
Source code(tar.gz)
Source code(zip)
NtRays64.dll(116.00 KB)

Owner

Can Bölük

Security researcher and reverse engineer; mostly interested in Windows kernel development and low-level programming.

GitHub

Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.

Related tags

Overview

NtRays

Features

Planned Features

Installation

License

You might also like...

A decompilation of the Nintendo Switch version of Captain Toad: Treasure Tracker [v1.3.0].

Powerful automated tool for reverse engineering Unity IL2CPP binaries

Proof-of-concept implementation for the paper "Osiris: Automated Discovery of Microarchitectural Side Channels" (USENIX Security'21)

Automated hydroponics with Home Assistant & ESP8266 controllers

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

The Project name is "ATM - Automated Teller Machine" and It is for beginners level Project.

Automated builds/mirrors of various PS3SDKs for Linux systems.

PET: Optimizing Tensor Programs with Partially Equivalent Transformations and Automated Corrections

Comments

Suggestion: replacable literals

Releases(v1.67)

v1.67(Dec 2, 2021)

v1.66(Dec 2, 2021)

v1.64(Dec 2, 2021)

v1.63(Dec 2, 2021)

v1.62(Dec 2, 2021)

v1.61(Dec 2, 2021)

v1.6(Dec 2, 2021)

v1.5(Dec 2, 2021)

v1.4(Dec 2, 2021)

v1.3(Dec 2, 2021)

v1.2(Dec 1, 2021)

v1.1(Dec 1, 2021)

v1.0(Nov 30, 2021)

Owner

Can Bölük

Header only wrapper around Hex-Rays API in C++20.

Interactive-hex-meshing - Source code for "Interactive All-Hex Meshing via Cuboid Decomposition [SIGGRAPH Asia 2021]".

A small single-file library for sprite outline extraction and simplification for C/C++

A decompilation of Banjo Kazooie. (MIRROR of https://gitlab.com/banjo.decomp/banjo-kazooie)

PaRappa the Rapper Decompilation

An in-progress matching decompilation of Final Fantasy VII For the PSX.

An in-progress decompilation of the 1.1 US release of Silent Hill on the Playstation 1.

Ezfrags - Decompilation of the CS:GO cheat ezfrags

A Super Mario 64 decompilation, brought to you by a bunch of clever folks.

Decompilation of the Berry Fix Program included in Pokémon Emerald and FireRed/LeafGreen