NtRays: Reversing Windows kernel, simplified

This is a guest entry written by Can Bölük. His views and opinions are his own and not those of Hex-Rays. Any technical or maintenance issues regarding the code herein should be directed to the author.

The Windows kernel has changed a lot in the past few years: with the addition of hypervisor enhancements, security mitigations, scheduler hints, and general performance optimizations, it has become much snappier and more secure. However, combined with inlining, this also means that it has become increasingly complicated to understand with each passing week, seemingly with no end.

NtRays is an open-source IDA plugin that uses Hex-Rays' powerful microcode hooks to help you read through the inlined boilerplate code with a simplified pseudo-code output reminiscent of the Windows XP era, with a few extra features to help in any kind of kernel-mode reverse engineering.

You can install NtRays with a single drag and drop into the plugins folder, either using the pre-compiled release from the GitHub repository or by compiling the DLL from source. Following the installation, the next time you launch IDA Pro you will find its entry under Edit > Plugins > NtRays, from which you can simply toggle it on or off.

Features

Scheduler assist & perf instrumentations

Take the function KeReleaseInterruptSpinLock as an example; it does sound like a simple one, doesn't it? Here's a comparison between Windows 7 and the latest Windows 11 kernels. By utilizing Hex-Rays' microcode optimizations, NtRays turns the Windows 11 version into a measly 7 lines. Now imagine if this was inlined into a much more complex subroutine with multiple calls: you'd basically be combing through the boilerplate to follow the actual logic, which is, unfortunately, what looking at the NT kernel feels like these days.

The NT kernel has two very special constants, namely the PTE base and the PFN database. Nowadays, with KASLR (Kernel-Mode Address Space Layout Randomization), they aren't constants at all, but for performance reasons the MS compiler keeps them as constants (propagating any arithmetic as well) and instead puts the relocation information in the PE header for the bootloader to patch during startup. Naturally, this becomes a nightmare when you try to understand how the memory manager works; consider MmGetVirtualForPhysical, for instance, which does nothing more than look up a field in the PFN database and subtract it from the PTE base. This time, NtRays modifies the C-level tree to give you type information as well as clear names for the constants.
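The lookup described above (PFN database entry to PTE address to virtual address), written out as an added Python example; it is not NtRays code and not from the post's author. It assumes an x64 layout with 4 KiB pages, 8-byte PTEs, a 512 GiB-aligned PTE base and the Windows 7-era _MMPFN field positions (0x30-byte entries, PteAddress at +0x10) for a constructed in-memory "PFN database"; every address in it is made up. It goes one step beyond the text by showing why the propagated arithmetic makes the PTE base disappear from the decompiled PTE-to-VA direction while it survives, as a relocated constant, in the VA-to-PTE direction.

```python
# Added example (not part of NtRays or the original post): how the PTE base
# and the PFN database are used by MmGetVirtualForPhysical, and what the
# compiler-propagated arithmetic looks like once the constants are folded in.
# Assumptions: x64, 4 KiB pages, 8-byte PTEs, 2**39-aligned PTE base; the
# _MMPFN size/offset below are the classic Windows 7 x64 layout, used only
# to build a constructed PFN database. All addresses are constructed.

MASK64 = (1 << 64) - 1
PAGE_SHIFT = 12
MMPFN_SIZE = 0x30               # assumed _MMPFN size (Win7 x64)
MMPFN_PTEADDRESS_OFF = 0x10     # assumed PteAddress field offset

# Pre-KASLR (Windows 7) fixed bases, and one arbitrary KASLR-style pair.
PTE_BASE_WIN7 = 0xFFFF_F680_0000_0000
PFN_DB_WIN7 = 0xFFFF_FA80_0000_0000
PTE_BASE_RANDOM = 0xFFFF_A000_0000_0000   # constructed, 2**39-aligned
PFN_DB_RANDOM = 0xFFFF_C100_0000_0000     # constructed


def sx64(x):
    """Reinterpret a 64-bit pattern as a signed integer."""
    x &= MASK64
    return x - (1 << 64) if x >> 63 else x


def mi_get_pte_address(va, pte_base):
    """PTE that maps a VA: ((va >> 9) & 0x7FFFFFFFF8) + PteBase.
    Here the base survives as a constant the bootloader relocates, so the
    pseudocode shows an opaque '+ 0xFFFFF68000000000' (or '- 0x980000000000')."""
    return (((va >> 9) & 0x7F_FFFF_FFF8) + pte_base) & MASK64


def mi_get_virtual_address_mapped_by_pte(pte, pte_base):
    """As the text describes: subtract the PTE base, scale the 8-byte index
    back to a 4 KiB page (shift by 9) and sign-extend from bit 47."""
    return (sx64(((pte - pte_base) & MASK64) << 25) >> 16) & MASK64


def mi_get_virtual_address_mapped_by_pte_folded(pte):
    """What the compiler emits after propagating a 2**39-aligned base:
    the base bits fall off the top of the shift, so the constant vanishes
    and only (pte << 25) >> 16 is left in the decompiled output."""
    return (sx64(pte << 25) >> 16) & MASK64


def build_pfn_db(pfn_db_base, mappings):
    """Constructed memory {address: qword}: one _MMPFN.PteAddress per
    (pfn, pte_address) pair, laid out at pfn_db_base + pfn * MMPFN_SIZE."""
    mem = {}
    for pfn, pte_address in mappings:
        mem[pfn_db_base + pfn * MMPFN_SIZE + MMPFN_PTEADDRESS_OFF] = pte_address
    return mem


def mm_get_virtual_for_physical(pa, mem, pfn_db_base, pte_base):
    """Index the PFN database with the page frame number, fetch PteAddress,
    turn that PTE back into a VA, then re-attach the page offset."""
    pfn = pa >> PAGE_SHIFT
    pte_address = mem[pfn_db_base + pfn * MMPFN_SIZE + MMPFN_PTEADDRESS_OFF]
    page_va = mi_get_virtual_address_mapped_by_pte(pte_address, pte_base)
    return page_va | (pa & ((1 << PAGE_SHIFT) - 1))


def demo(pte_base, pfn_db_base):
    """Map one constructed kernel page and round-trip it through the
    constants. Returns (pte_address, va_recovered_from_pa)."""
    va = 0xFFFF_F800_0000_1000           # constructed kernel VA
    pa = 0x1234_5678                      # constructed PA: PFN 0x12345, offset 0x678
    pte = mi_get_pte_address(va, pte_base)
    mem = build_pfn_db(pfn_db_base, [(pa >> PAGE_SHIFT, pte)])
    return pte, mm_get_virtual_for_physical(pa, mem, pfn_db_base, pte_base)


if __name__ == "__main__":
    for base, db in ((PTE_BASE_WIN7, PFN_DB_WIN7), (PTE_BASE_RANDOM, PFN_DB_RANDOM)):
        pte, va = demo(base, db)
        print(f"PteBase={base:#x} PfnDb={db:#x}: PTE={pte:#x} -> VA={va:#x}")
```

Running it with both base pairs returns the same virtual address, which is the practical point for a reverser: the PTE address differs with the relocated base, but the PTE-to-VA arithmetic the compiler folded down to `(pte << 25) >> 16` is base-independent, so only the VA-to-PTE direction carries the constant that NtRays names for you.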