NtRays is a Hex-Rays microcode plugin for automated simplification of Windows Kernel decompilation.
-
Cleanup of instrumentation and scheduler hinting code.
-
Lifting of multiple missing instructions.
-
Lifting of TrapFrame accesses and interrupt/syscall returns.
-
Inference of KUSER_SHARED_DATA segments.
-
Lifting of dynamic relocations for page tables and PFN database with LA57 support.
-
RSB flush lifting in ISRs.
-
Replacement of KTHREAD/KPROCESS with ETHREAD/EPROCESS in user types, local variables and arguments.
Simply drop the NtRays64.dll into the plugins folder. Note: IDA 7.6+ is required.
NtRays is licensed under BSD-3-Clause License.