HexRaysCodeXplorer – Hex-Rays Decompiler Plugin For Better Code Navigation


The Hex-Rays Decompiler plugin for better code navigation in the RE process. CodeXplorer automates code REconstruction of C++ applications or modern malware like Stuxnet, Flame, Equation, Animal Farm …
The CodeXplorer plugin is one of the first publicly available Hex-Rays Decompiler plugins. We have kept this project updated since summer 2013 and continue contributing new features regularly. The most interesting features of CodeXplorer have also been presented at numerous security conferences such as REcon, ZeroNights, H2HC, NSEC and BHUS.


Contributors:
Alex Matrosov (@matrosov)
Eugene Rodionov (@rodionov)
Rodrigo Branco (@rrbranco)
Gabriel Barbosa (@gabrielnb)

Supported versions of Hex-Rays products: we always target the latest versions of IDA and the Decompiler, because we try to use the new features of each SDK release. This also means we have tested only on the latest versions of Hex-Rays products and do not guarantee stable operation on earlier ones.

Why not IDAPython: all code is developed in C/C++ because it is a more stable way to support a complex plugin for the Hex-Rays Decompiler.

Supported Platforms: x86/x64 for Win, Linux and Mac.

HexRaysCodeXplorer – Hex-Rays Decompiler plugin for easier code navigation. The right-click context menu in the Pseudocode window shows the CodeXplorer plugin commands:

Here are the main features of the CodeXplorer plugin:

  • Automatic type REconstruction for C++ objects. To reconstruct a type using HexRaysCodeXplorer, select the variable holding a pointer to the instance of position-independent code or to an object, then right-click and choose the «REconstruct Type» option from the context menu:

The reconstructed structure is displayed in the "Output window". Detailed information about the type REconstruction feature is provided in the blog post "Type REconstruction in HexRaysCodeXplorer".
The CodeXplorer plugin also supports auto REconstruction of the type into the IDA local types storage.

  • Virtual function table identification – automatically identifies references to virtual function tables during type reconstruction. When a reference to a virtual function table is identified, the plugin generates a corresponding C-structure. As shown below, during reconstruction of struct_local_data_storage two virtual function tables were identified and, as a result, two corresponding structures were generated: struct_local_data_storage_VTABLE_0 and struct_local_data_storage_VTABLE_4.
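
As an added illustration (not the plugin's code), the following Python sketches the naming convention just described: from a constructed list of field accesses observed through one object pointer, it emits the object structure plus one <name>_VTABLE_<offset> structure for every field that is loaded and then called through. The Access model, the sample accesses and the field/gap naming are assumptions; the real plugin works on the decompiler's ctree, not on a list like this.

```python
from dataclasses import dataclass, field

@dataclass
class Access:
    """One field access observed through the object pointer (hypothetical model)."""
    offset: int                                 # byte offset from the object pointer
    size: int                                   # access width in bytes
    vcalls: list = field(default_factory=list)  # vtable slot indices called through this field

SIZE_TYPES = {1: "_BYTE", 2: "_WORD", 4: "_DWORD", 8: "_QWORD"}

def reconstruct(name, accesses, ptr_size=4):
    """Return {struct_name: [C field declarations]} for the object and its vtables.

    A field that is loaded and then called through (vcalls non-empty) is treated
    as a virtual table reference and gets its own <name>_VTABLE_<offset> struct,
    sized by the highest slot index seen, mirroring the README's naming.
    """
    structs, fields, pos = {}, [], 0
    for a in sorted(accesses, key=lambda a: a.offset):
        if a.offset < pos:
            raise ValueError(f"overlapping access at offset {a.offset:#x}")
        if a.offset > pos:                      # bytes never touched: emit a gap
            fields.append(f"_BYTE gap_{pos:X}[{a.offset - pos}];")
        if a.vcalls:
            vt = f"{name}_VTABLE_{a.offset}"
            structs[vt] = [f"void *vfunc_{i};" for i in range(max(a.vcalls) + 1)]
            fields.append(f"{vt} *vtable_{a.offset};")
            pos = a.offset + ptr_size
        else:
            fields.append(f"{SIZE_TYPES[a.size]} field_{a.offset:X};")
            pos = a.offset + a.size
    structs[name] = fields
    return structs

def render(structs):
    """Format the reconstructed structures as C source text."""
    out = []
    for sname, lines in structs.items():
        out += [f"struct {sname} {{", *("    " + ln for ln in lines), "};"]
    return "\n".join(out)

# Constructed sample: a 32-bit object whose first two words are vtable pointers
# (slots 0 and 2 called via offset 0, slot 1 via offset 4), one DWORD field,
# four untouched bytes, and a byte field at 0x10.
SAMPLE = [Access(0, 4, [0, 2]), Access(4, 4, [1]), Access(8, 4), Access(0x10, 1)]

if __name__ == "__main__":
    print(render(reconstruct("struct_local_data_storage", SAMPLE)))
```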

  • C-tree graph visualization – a special tree-like structure representing a decompiled routine in citem_t terms (hexrays.hpp). A useful feature for understanding how the decompiler works. The highlighted graph node corresponds to the current cursor position in the HexRays Pseudocode window:

  • Ctree Item View – show the ctree representation for the highlighted element:

  • Extract Ctrees to File – calculate the SHA1 hash and dump all ctrees to a file.

  • Extract Types to File – dump all type information (including reconstructed types) into a file.
  • Navigation through virtual function calls in the HexRays Pseudocode window. After representing C++ objects by C-structures, this feature makes it possible to navigate by mouse click to virtual function calls as structure fields:

  • Jump to Disasm – small feature to navigate to the assembly code in the "IDA View" window from the current Pseudocode line position. It helps to find the place in the assembly code associated with a decompiled line.

  • Object Explorer – useful interface for navigation through virtual table (VTBL) structures. Object Explorer outputs VTBL information into an IDA custom view window. The output window is shown by choosing the «Object Explorer» option in the right-click context menu:

Object Explorer supports the following features:

  • Auto structure generation for VTBL into IDA local types
  • Navigation in the virtual table list and jump to the VTBL address in the "IDA View" window by click
  • Show hints for the current position in the virtual table list
  • Show the cross-references list by clicking the "Show XREFS to VTBL" menu item

  • Support for auto parsing of RTTI objects:

The Batch mode contains the following features:

  • Batch mode – useful feature for using CodeXplorer to process multiple files without any interaction from the user. We added this feature after the Black Hat research in 2015 for processing 2 million samples.
Example (dump types and ctrees for functions with name prefix "crypto_"):
idaq.exe -OHexRaysCodeXplorer:dump_types:dump_ctrees:CRYPTOcrypto_ path_to_idb

Compiling:
Windows:

  • Open the solution in Visual Studio
  • Open file src/HexRaysCodeXplorer/PropertySheet.props in notepad(++) and update the values of the IDADIR and IDASDK paths to point to the IDA installation path and the IDA7 SDK path accordingly. The HexRays SDK should be in $IDADIR\plugins\hexrays_sdk (as by default)
  • Build Release | x64 and Release x64 | x64 configurations

Linux:

  • cd src/HexRaysCodeXplorer/
  • IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> EA64=0 make -f makefile.lnx
  • IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> EA64=1 make -f makefile.lnx

Mac:

  • cd src/HexRaysCodeXplorer/
  • IDA_DIR=<PATH_TO_IDA> IDA_SDK=<PATH_TO_IDA_SDK> make -f makefile.mac
  • The Mac makefile might need some hand editing, pull requests welcome!
  • For IDA 7.0 the .pmc file extension should be .dylib
  • bash$ export IDA_DIR="/Applications/IDA Pro 7.0/ida.app/Contents/MacOS" && export IDA_SDK="/Applications/IDA Pro 7.0/ida.app/Contents/MacOS/idasdk" && make -f makefile7.mac
  • Or open the project HexRaysCodeXplorer.xcodeproj in Xcode

Conference talks about CodeXplorer plugin:

  • 2015
    • "Distributing the REconstruction of High-Level IR for Large Scale Malware Analysis", BHUS [slides]
    • "Object Oriented Code RE with HexraysCodeXplorer", NSEC [slides]
  • 2014
    • "HexRaysCodeXplorer: object oriented RE for fun and profit", H2HC [slides]
  • 2013
    • "HexRaysCodeXplorer: make object-oriented RE easier", ZeroNights [slides]
    • "Reconstructing Gapz: Position-Independent Code Analysis Problem", REcon [slides]
