After the end of the series with the article “The best tools for a pentester”, the editors received many letters asking for a selection of hex editors. Of course, what is interesting is not the ability to edit binary data, but additional features such as automatic recognition of data structures and code disassembly. To put this overview together, we asked for the opinions of the people who most often have to tinker with such tools - virus analysts. And this is what they told us.

Any hex editor allows you to examine and modify a file at a low level, operating on bits and bytes. The contents of the file are presented in hexadecimal format. This is the basic functionality. However, some editors offer users much more, helping them figure out exactly what is what in that incomprehensible set of characters that appears when opening a file. To do this, ASCII and Unicode strings are automatically extracted, known patterns are searched for, basic data structures are recognized, and much more. There are quite a few hex editors, but if we consider them in the context of studying malware samples, it is easy to single out some of them. Only a few turn out to be really useful for analyzing malicious code and examining infected documents (say, PDF).

McAfee FileInsight

FileInsight is a free hex editor for Windows from McAfee Labs. The product, of course, provides all the standard functionality of such software, offering a convenient interface for viewing and editing files in hexadecimal and text modes. But this is just a drop in the ocean compared with everything else it can do. To begin with, FileInsight is capable of parsing the structure of Windows executable binaries (PE files), as well as Microsoft Office OLE objects. On top of that, the user gets a built-in x86 disassembler. Just select the part of the file you want to view as readable code, and FileInsight will show this fragment as a listing of assembly instructions. The disassembler is especially useful when looking for shellcode in malicious files. Other options that reversers will appreciate include the ability to import structure declarations. To do this, you just point the program at a header file with declarations like:

struct ANIHeader {
    DWORD cbSizeOf; // Num bytes in AniHeader
    DWORD cFrames;  // Number of unique Icons
    DWORD cSteps;   // Number of Blits
};

In this case, the program will parse such structures itself. Many useful data-processing algorithms are also offered out of the box. We are talking, first of all, about decoding many obfuscation methods (xor, add, shift, Base64, etc.) - the built-in scripts make short work of such protection. It should be noted here that the object of research does not necessarily have to be a binary; it can also be an ordinary web page that arouses suspicion. The program allows you to automate many actions using simple JavaScript scripts or Python modules, of which many have already been written. Alas, with all its advantages, FileInsight also has a serious drawback: it cannot process large files. For example, if you try to feed a file of 400-500 MB in size to the utility, the error “Failed to open document” appears.
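An added example, not from the original article and not one of FileInsight's scripts: a Python sketch of the single-byte decoding described above, which tries every xor, add and rotate-left key against a buffer and reports the keys under which the DOS stub text of a PE file appears. The function names and the sample buffer are constructed for this illustration, and rotate-left is an assumption standing in for the "shift" variant.

```python
"""Try single-byte xor/add/rotate keys until a hidden PE stub shows up."""

# Text found in the DOS stub of most Windows executables.
PE_MARKER = b"This program cannot be run in DOS mode"

# Constructed, harmless prefix standing in for the carrier document.
SAMPLE_PREFIX = b"%PDF-1.4\n% constructed sample, not a real document\n"


def candidate_tables():
    """Yield (method, key, table); table maps encoded byte -> decoded byte."""
    # Key 0 is the identity and is skipped. xor 0x80 and add 0x80 are the
    # same transform, so a payload encoded that way is reported twice.
    for key in range(1, 256):
        yield "xor", key, bytes(b ^ key for b in range(256))
    for key in range(1, 256):
        # Undo "add key" by subtracting modulo 256.
        yield "add", key, bytes((b - key) & 0xFF for b in range(256))
    for key in range(1, 8):
        # Undo "rotate left by key bits" by rotating right.
        yield "rol", key, bytes(
            ((b >> key) | (b << (8 - key))) & 0xFF for b in range(256)
        )


def find_hidden_pe(blob: bytes):
    """Return one dict per (method, key) whose decoding exposes PE_MARKER."""
    hits = []
    for method, key, table in candidate_tables():
        decoded = blob.translate(table)  # byte-wise decode of the whole buffer
        marker_at = decoded.find(PE_MARKER)
        if marker_at == -1:
            continue
        # The "MZ" header starts shortly before the stub text (-1 if absent).
        mz_at = decoded.rfind(b"MZ", 0, marker_at)
        hits.append({"method": method, "key": key,
                     "mz_offset": mz_at, "marker_offset": marker_at})
    return hits


def encode(method: str, key: int, data: bytes) -> bytes:
    """Inverse of the decoders; used only to build the constructed sample."""
    if method == "xor":
        return bytes(b ^ key for b in data)
    if method == "add":
        return bytes((b + key) & 0xFF for b in data)
    return bytes(((b << key) | (b >> (8 - key))) & 0xFF for b in data)


def build_sample(method: str, key: int) -> bytes:
    """Constructed input: readable prefix followed by an encoded fake stub."""
    stub = b"MZ" + b"\x90" * 76 + PE_MARKER + b".\r\r\n$"
    return SAMPLE_PREFIX + encode(method, key, stub)


if __name__ == "__main__":
    for hit in find_hidden_pe(build_sample("xor", 0x5A)):
        print(hit)
```

The reported `mz_offset` is where an analyst would start carving the decoded payload for further inspection.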

Hex Editor Neo

There are two versions of this hex editor from HDD Software - a simple free version and an advanced commercial version. The freeware option is a solid but unremarkable hex editor with a nice, customizable interface and support for different color schemes. No more. But the professional version of Hex Editor Neo provides several options that can be extremely useful when analyzing binaries. For example, the user gets the opportunity to decode code encrypted using the most common algorithms. In addition, it becomes possible to view and edit local resources such as NTFS streams, local disks, process memory, and RAM. The most complete version also supports a scripting language, allowing you to automate many processes using scripts in VBScript and JavaScript. But the best part is that you have a built-in disassembler at your service that works with x86, x64, and .NET binaries! Another feature is the quick creation of patches based on a comparison of two binaries. Sounds impressive, but is it better than FileInsight? Probably not. FileInsight looks more functional overall. On the other hand, any version of Hex Editor Neo, even the free one, works great even with very large files and allows you to search for ASCII and Unicode strings. The disassembler here is not limited to just the x86 platform, and the built-in resource editor is very convenient. There's a lot to think about.

FlexHex

FlexHex is a powerful commercial hex editor from Heaventools Software that includes many of the same features found in Hex Editor Neo. The only thing missing here is, perhaps, script support. But this full-featured editor handles binaries, OLE files, physical disks and alternate NTFS streams equally well. The latter is especially important because FlexHex allows you to edit data that other editors may not even see. In addition, you can immediately feel the focus on working with large amounts of information: no matter the size of the file, navigation through it is carried out without any lag or slowdown. For even greater convenience, there is a handy bookmark system. At the same time, FlexHex continuously keeps a history of all operations - you can cancel any action simply by selecting it from the list of changes (the undo list is not limited)! FlexHex supports all necessary operations with binary data, including searching for ASCII and Unicode strings. If you need to process a structure with a previously known format, setting its parameters is not difficult using special tools. As a result, we get an excellent hex editor, but still much inferior to FileInsight. The only notable option is OLE file processing, but there are problems here too. Several times when trying to open an infected OLE, the program crashed with the error “The docfile has been corrupted.”

010 Editor

010 Editor is a well-known commercial product developed by SweetScape Software. Compared with the previous three tools, it can do everything: it works with very large files, provides powerful capabilities for operating on data, allows you to edit local resources, and has a scripting system for automating routine actions (more than 140 different functions at your service). And 010 Editor also has a twist, a unique feature. The editor outdoes everyone thanks to its ability to parse various file formats using its own template library (so-called Binary Templates). Here it has no equal. Many enthusiasts around the world are working on templates, describing various formats and data structures. As a result, the process of navigating through different file formats becomes transparent and understandable. This also applies to the processing of Windows binaries (PE files), Windows shortcut files (LNK), Zip archives, Java class files and much more. Many people came to appreciate the beauty of this feature when the famous security specialist Didier Stevens created a template for parsing PDF files for 010 Editor. Together with other utilities, this has greatly simplified the analysis of infected PDF documents, which for the last six months have not ceased to amaze with the number of places from which the reader program can be exploited. Add to this a handy tool for comparing binaries, a calculator with C-like syntax, and conversion of data between ASCII, EBCDIC and Unicode formats, and we get a very attractive tool with unique features.

Hiew

Hiew, in terms of distribution method, is not much different from its colleagues - this is also a commercial product, developed by our compatriot Evgeny Suslikov. With its long history, the program is much loved by many information security specialists. There are quite obvious reasons for this - powerful capabilities for researching and editing the structure and content of executable files, both Windows (PE) and Linux (ELF) binaries. Another very useful feature for reverse engineering is the built-in x86-64 assembler and disassembler. The latter even supports ARM instructions. Needless to say, the editor handles large files perfectly and allows you to edit logical and physical drives. Many tasks are easily automated through a system of keyboard macros, scripts, and even an API for developing extensions (Hiew External Modules). But before you rush into battle, keep in mind that the Hiew interface is a DOS-like window, which is quite inconvenient to work with if you are not used to it. But you can experience all the charm of the old school.

Radare

Radare is a set of free utilities for the Unix platform that provide powerful features for editing files in hex mode. It includes the hex editor itself (radare), which can open local and remote files. The program analyzes executable files of various formats, both Linux (ELF) and Windows (PE). In addition to editing, the Radare package includes a tool for comparing binary files (radiff) and a built-in assembler/disassembler. And personally, a tool for generating shellcodes (rasc) came in handy a couple of times. Any operation can be easily automated and customized using a script system. Of the minuses, again, we can note the lack of a GUI - all actions are carried out from the command line, and you can make full use of the utilities only after reading the documentation. On the other hand, the site has screencasts demonstrating both the main points and little secrets (like connecting a Python plugin).

So what should you choose?

We've reviewed several powerful hex editors that include useful options for analyzing suspicious files. Of all the products, FileInsight stands out: despite all its functionality (and it is truly impressive), it remains free. 010 Editor provides a large number of templates for processing a wide variety of files, including PDF documents. This is a mega feature that should not be neglected. I use these two editors all the time; for the work of an analyst, they are perhaps the best suited. If we talk about working on the Unix platform, then, of course, we cannot forget about Radare. The package offers very powerful features, although it is difficult to use because it runs from the command line. Hiew is also not very friendly, although its capabilities certainly allow you to perform a variety of operations with binaries. In addition, Hiew is the choice of a large number of real pros, and this is worth a lot (and means a lot). As for Hex Editor Neo, it's worth picking up if you're interested in the ability to disassemble x86, x64 and .NET code.

Hex Editor Instructions


Published on 03/09/2013 by Vitaly Onyanov

1. A little about hex editors and files

As you know, any file stored on a computer’s hard drive is a sequence of machine words - bytes. A byte, in turn, consists of 8 bits, each of which can take the value “0” or “1”, which means that one byte can take 2^8 = 256 values in the range from 0 to 255. The number 256₁₀, written in the hexadecimal system, is a round three-digit number - 100₁₆, i.e., to represent any number from the range 0-255, no more than 2 digits will be required. This means that it is very convenient to write the value of each byte as a two-digit number in the hexadecimal number system.

The hex editor shows us the file the way the machine “sees” it, namely, as a sequence of bytes. For example, opening a file in the editor, we will see a matrix consisting of 16 columns and a number of rows that depends on the file size. Each matrix value corresponds to one byte, written as a two-digit hexadecimal number. By changing the value of the desired byte, we can, accordingly, change the file itself. In addition, next to the table we can see:

  • To the left of the matrix is a ruler of numbers: each row has a number indicating the address/offset of the first byte of that row. The address step is equal to the number of columns.
  • Another ruler is displayed at the top of the matrix: above each column is the offset of the byte in this column relative to the first byte of the corresponding row. The sum of the number corresponding to the i-th row and the number corresponding to the j-th column is the address/offset of the byte (i; j) located at the intersection of that row and that column.
  • To the right of the matrix the same data is displayed, but in a different interpretation. The most common alternative is to display data as ASCII text, with bytes whose values correspond to non-printable characters displayed as dots (·). You can also edit values in this area.

2. Installing Free Hex Editor Neo

Download Free Hex Editor Neo from the official website. The program is free; at the time of writing the latest version was 5.14. We install it following the installer's instructions without changing the default settings. When you first launch the program, you will be prompted to select an interface mode. Select “Novice user”; this is more than enough.

3. Working with a file in a hex editor

Now let’s open the file that we need to “correct” by selecting “File” - “Open” - “Open File” in the Free Hex Editor Neo menu. In my case, this is the BkEnd.dll file located in the folder where 1C:Enterprise 7.7 is installed (by default “C:\Program Files\1Cv77\BIN”), for the article Installing 1C:Enterprise 7.7 on Microsoft SQL Server 2008 R2.

For example, I need to write the value eb to the byte at offset 000d9cca. To do this, I find the row “000d9cc0” and column “0a”, double-click on the desired cell and enter a new value. Proceeding similarly, I make the following changes:

To fix the error “MS SQL Server 6.5 + Service Pack 5a or higher is required!”, change the fields:

  • at offset 000d9cca, the value 83 is changed to eb
  • at offset 000d9ccb, the value e8 is changed to 15
  • at offset 000db130, the value 83 is changed to eb
  • at offset 000db131, the value e8 is changed to 10

To correct the error “The sort order set for the database is different from the system one!”:

  • at offset 0018a79d, the value 75 is changed to eb

To correct the error “Incorrect syntax near keyword “TRANSACTION””:

  • the phrase DUMP TRANSACTION %s WITH TRUNCATE_ONLY, which is located at offset 002856B0, is replaced with the phrase ALTER DATABASE %s SET RECOVERY SIMPLE

To correct the error “The database cannot be opened in single-user mode”, change the fields:

  • at offset 0028549c, the value 64 is changed to 6b
  • at offset 0028549d, the value 62 is changed to 70


Created 04 Jul 2015

Now there will be a lot of material on the topic of what data consists of and how it can be edited. Many people know that any file on a computer (picture, text or multimedia) is binary code - zeros and ones. To edit such files, HEX editors are used: applications that edit data at the level of bytes. Bytes in the editor are represented in hexadecimal format.

File extension

The problem is the huge number of file types, and at first it is not clear how the operating system distinguishes text, multimedia, archives and other types of data. As you know, the system identifies a file using an extension added after the name, for example, “.exe”, “.txt” and others.

The settings in the OS are flexible, which means the extension of any file can be deleted, but then the operating system will not be able to open it, because it will not know which program to launch it with. The logical structure of the object does not change in this case. The image shows a text file, and next to it the same file without an extension, with a white icon.

If an object without an extension is still the same file with the same logical content, then the extension does not determine its type. What does, then? There is such a thing as the format - this defines the type, and it is also a specification of the data structure. The extension is a completely different term. What should the user do when faced with a file that has no extension, but that urgently needs to be opened, and it is unknown with what?

Descriptors

All files can be roughly divided into two components. The first is the header, which contains the object's identification data and various metadata. The second is the “body” of the object. The type of the object is determined from a part of the header called the descriptor. Two popular kinds of descriptor are ASCII and HEX. The second is analyzed using the editors mentioned at the beginning.

The first kind, ASCII, can be read using a text editor, for example Notepad++. However, it is worth keeping one point in mind: some sets of bytes cannot be converted to ASCII, which is why it is recommended to use HEX editors. When you open any file in such a utility, the window displays a matrix with a sequence of bytes, one byte per cell. Information about the descriptor is usually found in the first 3 cells, rarely in more. Cells are counted horizontally. The data displayed in the cells is presented in hexadecimal code.

Decoding the descriptor

To understand what kind of data is there, you need to decode it. For this you will need a special service that identifies file formats, for example, open-file.ru. There are also other resources that are easy to find on the Internet. After the file is uploaded to the site, the data is analyzed and the result is displayed. A table with the type, format and description of the file appears below.

What we discussed above is the use of HEX editors. Now let's understand the ASCII code. This code can be analyzed using the same open-file.ru. In other words, both codes are checked on the resource and nothing actually needs to be entered.

Sometimes the format is not so easy to determine. This applies to ASCII headers. The fact is that the first few characters may correspond to several file extensions, and possibly to several formats.

Of course, there is still a way to determine the format: several rows are used for the analysis rather than just one. Then some element located there will, in any case, indicate the type of the object.
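An added example, not part of the original article: a Python sketch of identifying a format from the header bytes rather than the extension, which reads further into the file when the first bytes are ambiguous (an MZ prefix, or a ZIP container that may be a DOCX, XLSX, APK or JAR). The function names, the selection of signatures and the sample bytes are assumptions of this example.

```python
"""Identify a file's format from its content instead of its extension."""
import io
import os
import struct
import zipfile

# (offset, signature bytes, format). Widely published magic numbers.
SIGNATURES = [
    (0, b"MZ", "MZ"),
    (0, b"PK\x03\x04", "ZIP"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file"),
    (0, b"%PDF-", "PDF document"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"\x89PNG\r\n\x1a\n", "PNG image"),
    (0, b"\xff\xd8\xff", "JPEG image"),
    (257, b"ustar", "tar archive"),
]

# A ZIP signature only names the container; a member name decides the format.
# APK is listed before JAR because an APK also carries META-INF/MANIFEST.MF.
ZIP_MEMBERS = [
    ("word/document.xml", "Word document (DOCX)"),
    ("xl/workbook.xml", "Excel workbook (XLSX)"),
    ("AndroidManifest.xml", "Android package (APK)"),
    ("META-INF/MANIFEST.MF", "Java archive (JAR)"),
]

# Extensions that are plausible for each format (deliberately short list).
EXTENSIONS = {
    "Windows executable (PE)": {".exe", ".dll", ".sys", ".scr"},
    "PDF document": {".pdf"},
    "Word document (DOCX)": {".docx"},
    "Excel workbook (XLSX)": {".xlsx"},
    "PNG image": {".png"},
    "JPEG image": {".jpg", ".jpeg"},
}


def refine_mz(data: bytes) -> str:
    # Two bytes are weak evidence: follow e_lfanew (offset 0x3C) to "PE\0\0".
    if len(data) >= 0x40:
        (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "Windows executable (PE)"
    return "MZ prefix without a PE header"


def refine_zip(data: bytes) -> str:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return "ZIP container (damaged or truncated)"
    for member, fmt in ZIP_MEMBERS:
        if member in names:
            return fmt
    return "ZIP archive"


def identify(data: bytes) -> str:
    for offset, magic, fmt in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            if fmt == "MZ":
                return refine_mz(data)
            if fmt == "ZIP":
                return refine_zip(data)
            return fmt
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "plain ASCII text"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (format, True) when the extension contradicts the content."""
    fmt = identify(data)
    ext = os.path.splitext(filename)[1].lower()
    expected = EXTENSIONS.get(fmt)
    return fmt, bool(expected) and ext not in expected


if __name__ == "__main__":
    # Constructed sample: a minimal MZ/PE header carrying a document's name.
    fake_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    print(extension_mismatch("invoice.pdf", fake_pe))
```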

What else can you do with the HEX editor

In addition to the fact that HEX editors help analyze any file, it is possible to:

  1. work with disk images;
  2. edit sections;
  3. change the contents of RAM;
  4. change the virtual address space of the process, etc.

For example, utilities of this type are used in software development, when you need to change data after compiling a program but do not want to recompile it. Any program code can be changed using a HEX editor. Of course, you need to know how to do this and how to find the necessary data. In this way, people correct errors in code, or use it for hacking and cheating. This means that HEX editors are widely used.

Which HEX editors to use

There are many programs for editing data; some of them are presented below:

A popular utility for Windows. Using it, the user can open any type of file and change it. If something is edited incorrectly, the utility keeps a history of changes and you can always return to the original state.

The tool works very quickly, does not weigh much, and is capable of working with large files. The interface is simple and suitable for beginners, there is a Russian language.

This editor can be used in the demo version for a while, and then you need to purchase it. The tool is universal and has many interesting options.

It is possible to work not only with files, but also with hard drives, flash drives, optical discs and even floppy disks. All Windows file systems are supported. It supports partition cloning and complete removal of data beyond recovery.

If you are a beginner, then this program will be enough for you, especially since in the Help section there is an option to switch to the Russian-language interface.

The utility is 2 in 1, as it has a file comparison function and a built-in HEX editor. Sometimes you may need to compare these files to determine differences and similarities, and analyze the structure of objects in different formats.

If there is a difference in two files, the areas on the matrix will be painted in a certain color, and the comparison itself takes place in a matter of seconds. However, files no larger than 4 GB are suitable for analysis.

The utility's interface can be changed, which means the user can customize it for himself, and the work will go faster.

This one is free, but it can work with large data of any format and encoding. It can modify RAM and the hard drive.

The program combines hexadecimal code output and ASCII text output. The English-language interface is quite simple, so working with it will not be difficult, especially if you have already worked in similar editors.

If a file does not open in one editor, then it will open in this one. That's why I've given a list of several utilities here. This tool is designed for opening binary files. There are many settings, and the system requirements are within reach of any computer.

Working in this editor is as simple as printing in Word. There are options for comparing files, their checksums and exporting analysis to various formats, such as html.

If you need to convert a value from one number system to another, Hex Workshop has a converter. The program is shareware, which can be considered one of its disadvantages.

Now you have learned what HEX editors are and why they are used. In the future I will try to write articles on working with them, for example, when you need to edit a file.

Hex Editor Neo is a free version of a hexadecimal and binary file editor, capable of editing large objects. Allows you to undo/redo multiple times after editing. In addition, convenient tools for searching and replacing data are built-in.

Hex Editor Neo has capabilities for highlighting, viewing, editing, replacing, debugging and analyzing data. An important quality of the program is the ability to simultaneously open several files (tabbed support). With the editor, for example, you can make patches to a file with two clicks.

Manipulate your EXE, DLL, DAT, AVI, MP3, JPG files with unlimited undo/redo capabilities. The history of the work done is shown as a tree; you can always easily return to the desired or original state of the data.

Features of Hex Editor Neo

  • Edit binary files of any size at the fastest speed
  • Find and replace data in binary files
  • Writing microcode programs
  • Studying the functionality of any executable file

Good day everyone.

For some reason, many people believe that working with hex editors is the domain of professionals and that novice users should not try them. But, in my opinion, if you have at least basic PC skills and an idea of why you need a hex editor, then why not?!

Using a program of this kind, you can change any file, regardless of its type (many manuals and guides contain information on changing a particular file using a hex editor)! True, the user needs to have at least a basic understanding of the hexadecimal system (data in the hex editor is presented precisely in it). However, the basics are taught in computer science classes at school, and probably many have heard of it and have an idea about it (so I will not comment on it in this article). So, here are the best hex editors for beginners (in my humble opinion).

1) Free Hex Editor Neo

One of the simplest and most common editors of hexadecimal, decimal and binary files for Windows. The program allows you to open any type of file, make changes (the history of changes is saved), conveniently select and edit data in a file, debug and analyze.

It is also worth noting a very good level of performance coupled with low system requirements (for example, the program allows you to open and edit fairly large files, while other editors simply freeze and refuse to work).

Among other things, the program supports the Russian language and has a well-thought-out and intuitive interface. Even a novice user will be able to figure it out and start working with the utility. In general, I recommend it to everyone who is starting their acquaintance with hex editors.

2) WinHex

This editor, unfortunately, is shareware, but it is one of the most versatile, supporting a bunch of different options and features (some of which are difficult to find among competitors).

In disk editor mode, it allows you to work with: HDDs, floppy disks, flash drives, DVDs, ZIP disks, etc. Supports file systems: NTFS, FAT16, FAT32, CDFS.

I can’t help but note the convenient tools for analysis: in addition to the main window, you can open additional ones with various calculators and tools for searching and analyzing the file structure. In general, it is suitable for both beginners and experienced users. The program supports the Russian language (select the following menu: Help / Setup / Russian).

WinHex, in addition to the common functions (which similar programs also support), allows you to “clone” disks and delete information from them so that no one can ever recover it!

3) HxD Hex Editor

A free and quite powerful binary file editor. Supports all major encodings (ANSI, DOS/IBM-ASCII and EBCDIC) and files of almost any size (by the way, in addition to files, the editor allows you to edit RAM and to write changes directly to the hard drive!).

You can also note a well-thought-out interface, a convenient and simple function for searching and replacing data, and a stepped, multi-level system of backups and rollbacks.

After launch, the program consists of two windows: on the left is the hexadecimal code, and on the right is the text translation and the contents of the file.

Among the minuses, I would highlight the lack of Russian language. However, many functions will be clear even to those who have never learned English...

4) HexCmp

HexCmp - this small utility combines 2 programs at once: the first allows you to compare binary files with each other, and the second is a hex editor. This is a very valuable option when you need to find differences between files, and it helps to explore the structures of many different types of files.

By the way, after a comparison the areas can be painted in different colors, depending on where everything matches and where the data differs. The comparison happens on the fly and very quickly. The program supports files whose size does not exceed 4 GB (quite enough for most tasks).

In addition to the ordinary comparison, you can make comparisons in text form (or even both at once!). The program is quite flexible: it allows you to customize the color scheme and assign shortcut keys. If you configure the program appropriately, you can work with it without a mouse at all! In general, I recommend that all novices exploring hex editors and file structures try it.

5) Hex Workshop