Top Related Projects
A Coverage Explorer for Reverse Engineers
IDA Pro plugin which improves work with HexRays decompiler and helps in process of reconstruction structures and classes
Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
Quick Overview
HexRaysCodeXplorer is an IDA Pro plugin that enhances reverse engineering capabilities for C++ binaries. It extends the functionality of the Hex-Rays decompiler by providing additional features for analyzing and understanding complex code structures, particularly those related to object-oriented programming.
Pros
- Improves the analysis of C++ binaries by reconstructing class hierarchies and vtables
- Provides advanced search capabilities for finding code patterns and structures
- Enhances code navigation and understanding through graphical representations
- Integrates seamlessly with IDA Pro and Hex-Rays decompiler
Cons
- Requires a licensed version of IDA Pro and Hex-Rays decompiler
- May have limitations when dealing with heavily obfuscated or optimized code
- Learning curve for users unfamiliar with reverse engineering concepts
- Limited documentation and community support compared to more mainstream tools
Getting Started
- Download the latest release from the GitHub repository.
- Copy the plugin files to the IDA Pro plugins directory.
- Launch IDA Pro and open a C++ binary file.
- The plugin will be automatically loaded, and new menu items will appear under "Edit > Plugins > Hex-Rays CodeXplorer".
- Use the plugin features to analyze and explore the decompiled code.
Example usage:
1. Open a C++ binary in IDA Pro
2. Run the Hex-Rays decompiler on a function
3. Right-click in the decompiled view and select "Hex-Rays CodeXplorer" options
4. Use features like "Reconstruct C++ class hierarchy" or "Show C++ objects layout"
Note: As this is an IDA Pro plugin and not a standalone code library, there are no specific code examples to provide. The functionality is accessed through the IDA Pro interface and menu options.
Competitor Comparisons
A Coverage Explorer for Reverse Engineers
Pros of Lighthouse
- Provides a more intuitive and user-friendly interface for code coverage visualization
- Offers real-time coverage updates during debugging sessions
- Supports a wider range of binary formats and architectures
Cons of Lighthouse
- Requires more setup and configuration compared to HexRaysCodeXplorer
- May have a steeper learning curve for new users
- Limited integration with other reverse engineering tools
Code Comparison
HexRaysCodeXplorer:
void HEXRAYS_CALLBACK callback(void *, hexrays_event_t event, va_list va)
{
switch (event)
{
case hxe_maturity:
// Handle maturity event
break;
}
}
Lighthouse:
def update_coverage(self, coverage_data):
for address, hit_count in coverage_data.items():
self.coverage[address] = hit_count
self.refresh_view()
The code snippets show different approaches to handling events and updating coverage data. HexRaysCodeXplorer uses a C++ callback function, while Lighthouse employs a Python method for updating coverage information.
IDA Pro plugin which improves work with HexRays decompiler and helps in process of reconstruction structures and classes
Pros of HexRaysPyTools
- Written in Python, making it more accessible for scripting and customization
- Offers a wider range of features, including object reconstruction and type inference
- More actively maintained with recent updates
Cons of HexRaysPyTools
- Steeper learning curve due to more complex functionality
- May have higher resource usage compared to HexRaysCodeXplorer
- Requires Python knowledge for full utilization
Code Comparison
HexRaysPyTools:
class_type = idaapi.create_class_type(class_name, class_size)
udt_member = idaapi.udt_member_t()
udt_member.name = member_name
udt_member.type = member_type
udt_member.offset = member_offset
class_type.add_udt_member(udt_member)
HexRaysCodeXplorer:
qstring class_name = "MyClass";
tid_t class_id = add_struc(BADADDR, class_name.c_str());
struc_t *struc = get_struc(class_id);
add_struc_member(struc, "member", offsetof(MyClass, member), dwrdflag(), NULL, sizeof(int));
Both examples demonstrate creating a class structure, but HexRaysPyTools uses Python with IDA API, while HexRaysCodeXplorer uses C++ with IDA SDK.
Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
Pros of bincat
- Performs static analysis on binary code, providing more in-depth security analysis
- Supports multiple architectures (x86, ARM, PowerPC)
- Offers a command-line interface for easier integration into automated workflows
Cons of bincat
- Steeper learning curve due to its focus on static analysis techniques
- May require more computational resources for complex binary analysis
- Limited integration with existing reverse engineering tools compared to HexRaysCodeXplorer
Code Comparison
HexRaysCodeXplorer (C++):
bool idaapi run(size_t arg) {
object_explorer_form_init();
return true;
}
bincat (Python):
def analyze(self, state, addr):
self.current_state = state
self.current_address = addr
return self._analyze()
Both projects aim to enhance binary analysis, but HexRaysCodeXplorer focuses on improving IDA Pro's decompiler output, while bincat provides standalone static analysis capabilities for various architectures.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
_ _ ______ _____ _ __ __ _ | | | | | ___ \ / __ \ | | \ \ / / | | | |_| | _____ _| |_/ /__ _ _ _ ___| / \/ ___ __| | ___ \ V / _ __ | | ___ _ __ ___ _ __ | _ |/ _ \ \/ / // _` | | | / __| | / _ \ / _` |/ _ \/ \| '_ \| |/ _ \| '__/ _ \ '__| | | | | __/> <| |\ \ (_| | |_| \__ \ \__/\ (_) | (_| | __/ /^\ \ |_) | | (_) | | | __/ | \_| |_/\___/_/\_\_| \_\__,_|\__, |___/\____/\___/ \__,_|\___\/ \/ .__/|_|\___/|_| \___|_| __/ | | | |___/ |_|
============================================================================
The Hex-Rays Decompiler plugin for better code navigation in RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware like Stuxnet, Flame, Equation, Animal Farm ... :octocat:
The CodeXplorer plugin is one of the first publicly available Hex-Rays Decompiler plugins. We keep updated this project since summer of 2013 and continue contributing new features frequently. Also most interesting feutures of CodeXplorer have been presented on numerous security conferences like: REcon, ZeroNights, H2HC, NSEC and BHUS :space_invader:
Contributors:
Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)
Supported versions of Hex-Rays products: everytime we focus on last versions of IDA and Decompiler because trying to use new interesting features in new SDK releases. It's also mean we tested just on last versions of Hex-Rays products and not guaranteed stable work on previous ones.
Why not IdaPython: all code developed on C/C++ because it's more stable way to support complex plugin for Hex-Rays Decompiler.
Supported Platforms: x86/x64 for Win, Linux and Mac.
HexRaysCodeXplorer - Hex-Rays Decompiler plugin for easier code navigation. Right-click context menu in the Pseudocode window shows CodeXplorer plugin commands:
:gem: Here are the main features of the CodeXplorer plugin: :gem:
- Automatic type REconstruction for C++ objects. To be able to reconstruct a type using HexRaysCodeXplorer one needs to select the variable holding pointer to the instance of position independed code or to an object and by right-button mouse click select from the context menu «REconstruct Type» option:
The reconstructed structure is displayed in âOutput windowâ. Detailed information about type Reconstruction feature is provided in the blog post âType REconstruction in HexRaysCodeXplorerâ.
Also CodeXplorer plugin supports auto REconstruction type into IDA local types storage.
- Virtual function table identification - automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified the plugin generates a corresponding C-structure. As shown below during reconstructing
struct_local_data_storage
two virtual function tables were identified and, as a result, two corresponding structures were generated:struct_local_data_storage_VTABLE_0
andstruct_local_data_storage_VTABLE_4
.
- C-tree graph visualization â a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). Useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window:
- Ctree Item View â show ctree representation for highlighted element:
- Extract Ctrees to File â dump calculate SHA1 hash and dump all ctrees to file.
-
Extract Types to File â dump all types information (include reconstructed types) into file.
-
Navigation through virtual function calls in HexRays Pseudocode window. After representing C++ objects by C-structures this feature make possible navigation by mouse clicking to the virtual function calls as structure fields:
- Jump to Disasm - small feature for navigate to assembly code into "IDA View window" from current Pseudocode line position. It is help to find a place in assembly code associated with decompiled line.
- Object Explorer â useful interface for navigation through virtual tables (VTBL) structures. Object Explorer outputs VTBL information into IDA custom view window. The output window is shown by choosing «Object Explorer» option in right-button mouse click context menu:
Object Explorer supports following features:
-
Auto structures generation for VTBL into IDA local types
-
Navigation in virtual table list and jump to VTBL address into "IDA View" window by click
-
Show hints for current position in virtual table list
-
Shows cross-references list by click into menu on "Show XREFS to VTBL"
- Support auto parsing RTTI objects:
The Batch mode contains following features:
- Batch mode - useful feature to use CodeXplorer for processing multiple files without any interaction from user. We add this feature after Black Hat research in 2015 for processing 2 millions samples.
Example (dump types and ctrees for functions with name prefix "crypto_"):
idaq.exe -OHexRaysCodeXplorer:dump_types:dump_ctrees:CRYPTOcrypto_path_to_idb
Compiling:
Windows:
- Open the solution in Visual Studio
- Open file
src/HexRaysCodeXplorer/PropertySheet.props
in notepad(++) and update values ofIDADIR
andIDASDK
paths to point to IDA installation path and IDA7 SDK path accordingly. HexRays SDK should be in$IDADIR\plugins\hexrays_sdk
(like by default) - Build
Release | x64
andRelease x64 | x64
configurations
Linux:
- cd src/HexRaysCodeXplorer/
- IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> EA64=0 make -f makefile.lnx
- IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> EA64=0 make -f makefile.lnx install
Mac:
- cd src/HexRaysCodeXplorer/
- IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> make -f makefile.mac
- The Mac makefile might need some hand editing, pull requests welcome!
- IDA 7.0
.pmc
file extension should be.dylib
- bash$
export IDA_DIR="/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS" && export IDA_SDK="/Applications/IDA\ Pro\ 7.0/ida.app/Contents/MacOS/idasdk" && make -f makefile7.mac
- Or open project in Xcode
HexRaysCodeXplorer.xcodeproj
With CMake:
- cd src/HexRaysCodeXplorer/
- mkdir build && cd build
- cmake .. -DIdaSdk_ROOT_DIR=<PATH_TO_IDA_SDK> -DHexRaysSdk_ROOT_DIR=<PATH_TO_HEXRAYS_SDK>
- cmake --build . --config Release
============================================================================
Conference talks about CodeXplorer plugin:
- 2015
- "Distributing the REconstruction of High-Level IR for Large Scale Malware Analysis", BHUS [slides]
- "Object Oriented Code RE with HexraysCodeXplorer", NSEC [slides]
- 2014
- "HexRaysCodeXplorer: object oriented RE for fun and profit", H2HC [slides]
- 2013
- "HexRaysCodeXplorer: make object-oriented RE easier", ZeroNights [slides]
- "Reconstructing Gapz: Position-Independent Code Analysis Problem", REcon [slides]
Top Related Projects
A Coverage Explorer for Reverse Engineers
IDA Pro plugin which improves work with HexRays decompiler and helps in process of reconstruction structures and classes
Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot