Blog Projects Publications About

Announcement of HexRaysCodeXplorer plugin

On REcon conference on this week we will be speaking about Gapz bootkit and presenting our plugin for Hex-Rays Decompiler - HexRaysCodeXplorer. We already have been working for a long time with static code analysis of such complex threats as Stuxnet, Flame, Festi and many more. In the course of the research of the Gapz bootkit we faced the problem of position independent code analysis once again. This motivated us for developing a plugin for Hex-Rays decompiler which makes the process of reversing position independent and object oriented code easier.

One of the approaches to tackle this problem in Hex-rays decompiler so far is to use structures (“Local types” in IDA pro) to represent objects.

As an example, here is a structure which describes a smart pointer type: ``` typedef struct SMART_PTR { void *pObject; // pointer to the object int *RefNo; // reference counter };


Which results in the following decompiled code:

Unfortunately these structures are to be created manually in the course of reversing the code what takes a lot of time. Another thing is that there is no possibility to navigate through the object’s code using this approach in Hex-Rays decompiler. In other words, when you encounter the following expression:

it’s not possible to go to decompiled code of hook_routine by double clicking on it, since the decompiler doesn’t know its address.

However, Hex-Rays plugin allows us to approach the aforementioned difficulties. The decompiler’s SDK provides access to its internal structures and, therefore, leverage its capabilities.

Here are the main features of the plugin which we would like to have in the first release: * navigation through virtual function calls in Hex-Rays Decompiler window; * automatic type reconstruction for C++ objects; * useful interface for working with objects & classes;

HexRaysCodeXplorer - open source plugin, the source code will be shared after the first stable release. But if you want to join for beta testing HexRaysCodeXplorer send email request to with a few words about “Why it’s interesting for you?” and we share the binary of plugin. If you interested in HexRaysCodeXplorer and have features requests for future releases let us know at with any feedback.