Hex code editors. Hex editors vs. malware: Selecting a hexadecimal editor to analyze binaries

Good day everyone.

For some reason, many people believe that working with hex editors is the domain of professionals and that novice users should not try them. But in my opinion, if you have at least basic PC skills and an idea of why you need a hex editor, then why not?!

Using a program of this kind you can change any file, regardless of its type (many manuals and guides describe modifying a particular file with a hex editor)! True, the user needs at least a basic understanding of the hexadecimal number system, since that is how a hex editor presents data. However, those basics are taught in school computer science classes, and most people have probably heard of the system and have some idea of it, so I will not go into it in this article. So, here are the best hex editors for beginners (in my humble opinion).

1) Free Hex Editor Neo

One of the simplest and most common editors of hexadecimal, decimal and binary data for Windows. The program can open any type of file, make changes (the change history is saved), conveniently select and edit a file, and debug and analyze it.

Also worth noting is its good performance combined with low system requirements: for example, the program can open and edit fairly large files where other editors simply freeze and refuse to work.

Among other things, the program supports the Russian language and has a well-thought-out and intuitive interface. Even a novice user will be able to figure it out and start working with the utility. In general, I recommend it to everyone who is starting their acquaintance with hex editors.

2) WinHex

This editor is, unfortunately, shareware, but it is one of the most versatile, supporting a whole range of options and features (some of which are hard to find among competitors).

In disk editor mode it can work with HDDs, floppy disks, flash drives, DVDs, ZIP disks, etc. Supported file systems: NTFS, FAT16, FAT32, CDFS.

I cannot help but note the convenient analysis tools: in addition to the main window, you can attach additional ones with various calculators and tools for searching and analyzing the file structure. In general, it suits both beginners and experienced users. The program supports Russian (select the menu: Help / Setup / Russian).

In addition to the common functions that similar programs also support, WinHex can “clone” disks and wipe information from them so that no one can ever recover it!

3) HxD Hex Editor

A free and quite powerful binary file editor. It supports all major encodings (ANSI, DOS/IBM-ASCII and EBCDIC) and files of almost any size (by the way, besides files, the editor can also edit RAM and write changes directly to the hard drive!).

Also worth noting are a well-thought-out interface, a convenient and simple search-and-replace function, and a stepped, multi-level system of backups and rollbacks.

After launch, the program window consists of two panes: on the left is the hexadecimal code, and on the right the same file contents are shown as text.

Among the minuses, I would highlight the lack of Russian language. However, many functions will be clear even to those who have never learned English...

4) HexCmp

HexCmp is a small utility that combines two programs at once: the first compares binary files with each other, and the second is a hex editor. This is a very valuable option when you need to find differences between files; it helps to explore the structure of files of very different types.

By the way, after the comparison, regions can be colored differently depending on where everything matches and where the data differs. The comparison happens on the fly and very quickly. The program supports files of up to 4 GB (quite enough for most tasks).

In addition to the usual byte comparison, you can also compare in text mode (or even both at once!). The program is quite flexible: it lets you customize the color scheme and assign hotkeys. If you configure it appropriately, you can work with it without a mouse at all! In general, I recommend that all novice “checkers” of hex editors and file structures take a look at it.
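The byte-level comparison HexCmp performs, reproduced as an added Python example (not HexCmp's code): it reports every differing range with offsets and a hex/ASCII view of both files, so a patched region in a sample can be located without a GUI. The two blobs are constructed here.

```python
"""Byte-level comparison of two binaries, reporting each differing range.

Added example, not code from HexCmp or any other tool on the page. It mimics
what a compare-mode hex editor highlights; inputs are constructed in-line.
"""


def diff_ranges(a: bytes, b: bytes):
    """Return [(offset, length)] for every run of bytes that differ.

    If one input is longer, its extra tail counts as one differing run.
    """
    runs = []
    start = None
    n = max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i                     # a differing run begins
        elif same and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:                 # run extends to end of data
        runs.append((start, n - start))
    return runs


def hexdump_range(data: bytes, offset: int, length: int) -> str:
    """Render data[offset:offset+length] as 'offset: hex bytes |ascii|'."""
    chunk = data[offset:offset + length]
    hexpart = " ".join(f"{c:02x}" for c in chunk)
    asc = "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)
    return f"{offset:08x}: {hexpart:<47} |{asc}|"


def report(a: bytes, b: bytes) -> str:
    """Human-readable report: one block per differing run, both sides shown."""
    lines = []
    for off, ln in diff_ranges(a, b):
        lines.append(f"diff @ {off:#x} ({ln} byte(s))")
        lines.append("  A " + hexdump_range(a, off, ln))
        lines.append("  B " + hexdump_range(b, off, ln))
    return "\n".join(lines) if lines else "files are identical"


# Constructed sample: a "clean" blob and a copy with two small edits,
# a one-byte change at offset 5 and a two-byte string edit at offset 12.
CLEAN = bytes.fromhex("4d5a9000" "0f8512000000" "48656c6c6f")
PATCHED = bytes.fromhex("4d5a9000" "0f8412000000" "48654c4c6f")

if __name__ == "__main__":
    print(report(CLEAN, PATCHED))
```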

After the series ending with the article “The best pentester tools”, the editors received many letters asking for a selection of hex editors. The interest, of course, is not in the ability to edit binary data itself, but in additional features such as automatic recognition of data structures and code disassembly. To put together an overview, we asked the people who most often have to tinker with such tools, virus analysts, for their opinions. And this is what they told us.

Any hex editor lets you examine and modify a file at a low level, operating on bits and bytes. The file contents are presented in hexadecimal form. That is the basic functionality. However, some editors offer much more, helping you figure out exactly what is what in the incomprehensible set of characters that appears when a file is opened. To do this, ASCII and Unicode strings are extracted automatically, known patterns are searched for, basic data structures are recognized, and much more. There are quite a few hex editors, but when they are considered in the context of studying malware samples, it is easy to single out a few of them. Only a few turn out to be really useful for analyzing malicious code and examining infected documents (say, PDF).
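The automatic ASCII and Unicode string extraction mentioned above, as an added Python example rather than any editor's own code; it assumes Windows-style UTF-16LE for the wide strings, reports the offset of each hit so you can jump to it in a hex editor, and runs on a constructed blob.

```python
"""Extract printable ASCII and UTF-16LE ("Unicode") strings with their offsets.

Added example, not code from any editor on the page. The sample blob is
constructed here; nothing is read from disk.
"""
import re


def extract_strings(data: bytes, min_len: int = 5):
    """Return [(offset, kind, text)] sorted by offset.

    kind is "ascii" for runs of printable 7-bit bytes and "utf16le" for runs
    of printable bytes each followed by a NUL, which is how Windows stores
    wide strings. min_len is the shortest run reported (5, as in `strings`).
    """
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    hits = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    hits.sort(key=lambda h: h[0])
    return hits


# Constructed sample: a few header-like bytes, an ASCII stub message, a wide
# string of the kind a loader keeps for URLs and paths, and an import name,
# separated by non-printable filler so each run is distinct.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"This program cannot be run in DOS mode"
    + b"\x00\x00\x01\x02"
    + "http://example.invalid/update".encode("utf-16-le")
    + b"\x00\x00\xff"
    + b"ab\x00"                       # too short to be reported
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for off, kind, text in extract_strings(SAMPLE):
        print(f"{off:08x}  {kind:<7}  {text}")
```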

McAfee FileInsight

FileInsight is a free hex editor for Windows from McAfee Labs. The product, of course, covers all the standard functionality expected of such software, offering a user-friendly interface for viewing and editing files in hexadecimal and text modes. But this is just a drop in the ocean compared to everything it can do. To begin with, FileInsight can parse the structure of Windows executables (PE files) as well as Microsoft Office OLE objects. Not only that, the user gets a built-in x86 disassembler: just select the part of the file you want to view as readable code, and FileInsight shows that fragment as a listing of assembly instructions. The disassembler is especially useful when looking for shellcode in malicious files. Another option that reversers will appreciate is the ability to import structure declarations. To do this, you just point the program at a header file with declarations like:

    struct ANIHeader {
        DWORD cbSizeOf; // Num bytes in AniHeader
        DWORD cFrames;  // Number of unique Icons
        DWORD cSteps;   // Number of Blits
    };

The program will then parse such structures on its own. Moreover, many code-processing algorithms are available by default. This primarily means decoding many obfuscation methods (xor, add, shift, Base64, etc.): built-in scripts strip such “crypto protection” in a couple of clicks. It should be noted that the object of research does not have to be a binary; it can also be an ordinary web page that arouses suspicion. The program lets you automate many actions with simple JavaScript scripts or Python modules, of which many have already been written. Alas, for all its advantages, FileInsight has a serious drawback: it cannot process large files. For example, if you try to feed the utility a 400-500 MB file, the error “Failed to open document” appears.
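Two of the FileInsight capabilities described above, written out as an added Python example (not FileInsight's code): parsing the ANIHeader declaration quoted above from raw bytes with the struct module, and peeling a single-byte xor/add/shift layer plus a Base64 layer off an embedded blob by recovering the key from a known plaintext (the Base64 encoding of an “MZ” header always starts with “TVqQ”). All samples are constructed.

```python
"""Hand-rolled versions of two things FileInsight does for the analyst.

Added example, not FileInsight's own code. (1) Parse the ANIHeader declaration
from raw bytes. (2) Undo a stacked xor/add/shift + Base64 layer on an embedded
blob, recovering the single-byte key from a known plaintext. Samples are
constructed here and contain no real malware.
"""
import base64
import struct

# struct ANIHeader { DWORD cbSizeOf; DWORD cFrames; DWORD cSteps; }: three LE u32
ANI_HEADER = struct.Struct("<III")


def parse_ani_header(data: bytes, offset: int = 0) -> dict:
    """Unpack the 12-byte ANIHeader at `offset` into named fields."""
    cb, frames, steps = ANI_HEADER.unpack_from(data, offset)
    return {"cbSizeOf": cb, "cFrames": frames, "cSteps": steps}


# Decode direction of the single-byte transforms the text lists.
def xor_dec(buf: bytes, k: int) -> bytes:
    return bytes(b ^ k for b in buf)


def add_dec(buf: bytes, k: int) -> bytes:      # encoder did (b + k) & 0xff
    return bytes((b - k) & 0xFF for b in buf)


def rol_dec(buf: bytes, k: int) -> bytes:      # encoder rotated each byte left by k
    k %= 8
    return bytes(((b >> k) | (b << (8 - k))) & 0xFF for b in buf)


DECODERS = {"xor": xor_dec, "add": add_dec, "shift": rol_dec}
B64_MZ = b"TVqQ"   # Base64 of b"MZ\x90": the crib an analyst greps for


def recover_key(blob: bytes, crib: bytes = B64_MZ):
    """Known-plaintext recovery of the outer layer: return (method, key) whose
    decoding of the first len(crib) bytes equals the crib, or None."""
    for name, fn in DECODERS.items():
        keys = range(1, 8) if name == "shift" else range(256)
        for k in keys:
            if fn(blob[: len(crib)], k) == crib:
                return name, k
    return None


def recover(blob: bytes, crib: bytes = B64_MZ) -> bytes:
    """Undo the outer single-byte layer, then strict-Base64-decode the inner one."""
    found = recover_key(blob, crib)
    if found is None:
        raise ValueError("no single-byte xor/add/rol maps the prefix onto the crib")
    method, key = found
    return base64.b64decode(DECODERS[method](blob, key), validate=True)


# Constructed samples: a fake "PE" blob wrapped in Base64 and then XORed with
# 0x5A, and the same blob wrapped in Base64 and ADDed with 0x33.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00CONSTRUCTED-SAMPLE, not a real PE"
SAMPLE_XOR = xor_dec(base64.b64encode(PAYLOAD), 0x5A)          # xor is its own inverse
SAMPLE_ADD = bytes((b + 0x33) & 0xFF for b in base64.b64encode(PAYLOAD))
ANI_SAMPLE = ANI_HEADER.pack(36, 4, 8) + b"\x00" * 24          # cbSizeOf=36, 4 frames, 8 steps

if __name__ == "__main__":
    print(parse_ani_header(ANI_SAMPLE))
    print(recover_key(SAMPLE_XOR), recover(SAMPLE_XOR))
    print(recover_key(SAMPLE_ADD), recover(SAMPLE_ADD))
```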

Hex Editor Neo

There are two versions of this hex editor from HHD Software: a simple free version and an advanced commercial version. The free option is a solid but unremarkable hex editor with a nice, customizable interface and support for different color schemes. Nothing more. But the professional version of Hex Editor Neo provides several options that can be extremely useful when analyzing binaries. For example, the user can decode code encrypted with the most common algorithms. It also becomes possible to view and edit local resources such as NTFS streams, local disks, process memory, and RAM. The fullest edition also supports a scripting language, letting you automate many processes with scripts in VBScript and JavaScript. But best of all, you have a built-in disassembler at your service that works with x86, x64, and .NET binaries! Another feature is quick creation of patches based on a comparison of two binaries. Sounds impressive, but is it better than FileInsight? Probably not; FileInsight looks more functional overall. On the other hand, any version of Hex Editor Neo, even the free one, works great with very large files and lets you search for ASCII and Unicode strings. The disassembler here is not limited to the x86 platform, and the built-in resource editor is very convenient. There is a lot to think about.

FlexHex

FlexHex is a powerful commercial hex editor from Heaventools Software that includes many of the same features found in Hex Editor Neo. About the only thing missing is script support. But this full-featured editor handles binaries, OLE files, physical disks and alternate NTFS streams equally well. The latter is especially important, because FlexHex lets you edit data that other editors may not even see. You can also immediately feel the focus on working with large amounts of data: no matter the size of the file, navigating it involves no lags or stutters. For even greater convenience there is a bookmark system. At the same time, FlexHex continuously keeps a history of all operations: you can undo any action simply by selecting it from the list of changes (the undo list is unlimited)! FlexHex supports all the necessary operations on binary data, including searching for ASCII and Unicode strings. If you need to process a structure with a known format, setting up its parameters is easy with special tools. The result is an excellent hex editor, but still much inferior to FileInsight. The only notable extra is OLE file processing, but there are problems here too: several times, when trying to open an infected OLE file, the program crashed with the error “The docfile has been corrupted.”

010 Editor

010 Editor is a well-known commercial product from SweetScape Software. Compared with the previous three tools, it can do everything: it supports very large files, provides rich capabilities for operating on data, lets you edit local resources, and has a scripting system for automating routine actions (more than 140 functions at your service). And 010 Editor also has a twist, a unique feature: the editor can parse a wide variety of file formats using its own library of templates (the so-called Binary Templates). Here it has no equal. Many enthusiasts around the world work on templates describing various formats and data structures. As a result, navigating different file formats becomes transparent and understandable. This applies to Windows binaries (PE files), Windows shortcut files (LNK), Zip archives, Java class files and much more. Many people came to appreciate this feature when the well-known security specialist Didier Stevens created a template for parsing PDF files for 010 Editor. Together with other utilities, this has greatly simplified the analysis of infected PDF documents, which over the last six months have not ceased to amaze with the number of places from which the reader application can be exploited. Add a nice tool for comparing binaries, a calculator with C-like syntax, and conversion of data between ASCII, EBCDIC and Unicode, and we get a very attractive tool with unique features.

Hiew

In its distribution method Hiew is not much different from its colleagues: it is also a commercial product, developed by our compatriot Evgeny Suslikov. With its long history, the program has been much loved by many information security specialists. There are quite obvious reasons for this: powerful capabilities for examining and editing the structure and contents of executable files, both Windows (PE) and Linux (ELF) binaries. Another very useful feature for reverse engineering is the built-in x86-64 assembler and disassembler; the latter even supports ARM instructions. Needless to say, the editor handles large files perfectly and lets you edit logical and physical drives. Many tasks are easily automated through a system of keyboard macros, scripts, and even an API for developing extensions (Hiew External Modules). But before you rush into battle, keep in mind that the Hiew interface is a DOS-like window, which is quite inconvenient to work with if you are not used to it. On the other hand, you get to experience all the charm of old school.

Radare

Radare is a set of free utilities for the Unix platform that provide powerful features for editing files in hex mode. It includes the hex editor itself (radare), which can open local and remote files. The program analyzes executable files of various formats, both Linux (ELF) and Windows (PE). Besides editing, the Radare package includes a tool for comparing binary files (radiff) and a built-in assembler/disassembler. And personally, the shellcode generation tool (rasc) came in handy a couple of times. Any operation can be easily automated and customized through a scripting system. Among the minuses, again, is the lack of a GUI: all actions are performed from the command line, and you can work fully with the utilities only after reading the documentation. On the other hand, the site has screencasts demonstrating both the main points and little secrets (like connecting a Python plugin).

So what should you choose?

We have reviewed several powerful hex editors that include useful options for analyzing suspicious files. Of all the products, FileInsight stands out: despite all its functionality (which is truly impressive), it remains free. 010 Editor provides a large number of templates for processing a wide variety of files, including PDF documents; this is a killer feature that should not be neglected. I use these two editors all the time; for an analyst's work they are perhaps the best suited. If we talk about working on the Unix platform, then of course we cannot forget Radare. The package offers very powerful features, although it is harder to use because it runs from the command line. Hiew is also not very friendly, although its capabilities certainly let you perform a wide range of operations on binaries. Besides, Hiew is the choice of a large number of real pros, and that means a lot. As for Hex Editor Neo, it is worth picking up if you are interested in disassembling x86, x64 and .NET code.

Like Windows Notepad. Moreover, if you open a binary file in a text editor and save it to disk, then in most cases the file will be damaged and will not run. To make correct edits you must use hexadecimal (hex) editors, which are sometimes also called binary editors.

Most ordinary users are unlikely to ever have a task that requires a hexadecimal editor. However, for tech-savvy users such editors can be indispensable tools.

Note: as an aside, at one time, to edit the standard ASP.NET 1.1 installers, you had to modify the binary code, for example to turn one of the controls into a password entry field.

In this review we have collected some of the best free hex editors for different needs.

Review of Free Hex Editors

There are several excellent free hex editors available, ranging from small and simple to complex products that are comparable to commercial solutions. However, the hex editor category is one of those categories where personal needs and preferences are so important that comparing products is not only difficult, but also pointless. Therefore, you should not assume that the products are arranged in descending order.

HxD is an excellent hex editor

One of the best utilities for editing binary code is HxD. Firstly, the program is portable and does not require installation, which is especially important if you often need to edit executable files. Secondly, it has a nice interface. Thirdly, HxD processes large files without delays or screen freezes. Add to this unlimited edit history, quick search and replace, comparison of binary files, and full support for ANSI, DOS/IBM-ASCII and EBCDIC. And a dozen more capabilities, some of which are listed below. HxD can also edit not just the disk but also RAM. In fact, such a set of capabilities makes the program a dangerous toy in the hands of novice users. Security software may also react to its actions, but experienced users understand that this happens because of the way it accesses data and uses potentially dangerous functions.

Overall, HxD is great for those who frequently deal with various binary codes.

Other features and characteristics:

  • Safe access to files that other programs are using
  • Checksum generator: Checksum, CRCs, Custom CRC, SHA-1, SHA-512, MD5, ...
  • Export data to various formats
  • Inserting code templates
  • Ability to securely delete files
  • Splitting or merging files
  • Various column groupings (1, 2, 4, 8, 16 bytes)
  • Highlighting changed data
  • Quick jump to an address
  • Support for copying clipboard data from other programs: Visual Studio/Visual C++, WinHex, HexWorkshop, ...
  • Bookmarks
  • And much more...

The Hexplorer hex editor is an analogue of HxD that can view images when analyzing steganography

Another great hex editor, Hexplorer, is open source. The program has a number of unique features that also make it a powerful binary image editor. This means you can look at any graphic file not only as its visual representation but also as its binary code. Of course, it is hard to imagine editing pictures in hexadecimal in everyday life. However, it can be used for purposes such as steganography.

Overall, Hexplorer suits not only those who frequently edit binary code but also those who use binary data in non-standard ways.

Main features and characteristics:

  • Six interface color schemes for various tasks.
  • Unlimited command history
  • x86 disassembler
  • Import and export of binary files in 20 different formats, including Intel Hex, Motorola S-Record, the Atmel standard, etc.
  • Ability to find recurring patterns in data
  • Viewing Images
  • Filtering text from binary data
  • Boyer-Moore search algorithm
  • Quick navigation to addresses
  • Lets you define structures of simple data types, such as integers or floating-point numbers
  • Pseudo-random number generator
  • Lets you record macros (scripts) to automate tasks

Other hex editors

There are other hex editors that are also worthy of attention and may come in handy.

XVI32 is a simple and convenient hexadecimal editor

XVI32 is a free hexadecimal editor whose name comes from the Roman numeral XVI (16).

  • Supports scripts to automate tasks.
  • Search by pattern
  • ASCII/ANSI
  • Character conversion based on user definitions
  • Writing individual blocks to a file
  • And other possibilities...
  • Keeps the open file in memory, so there will be problems with large files.
  • There is no command history as such. This means that any changes you make are applied “as is”, and you will have to write them down or remember them.

Supports Windows 9x/NT/2000/XP/Vista/7

Hex editor HexEdit with a specialized calculator

HexEdit is another free binary editor from MiTeC.

  • No need to install (portable)
  • RAM and disk editor
  • Specialized calculator
  • Can compare files
  • Can dump data from RAM to disk (create a dump)
  • And others...
  • Stores open files in memory

Supports Windows 2000 - Windows 7

Cygnus Free simple hex editor

Cygnus Free is a free hex editor that is one of the older versions of the commercial editor; therefore its functionality is limited.

  • Fast and easy to use
  • Quick search and replace
  • Drag & drop
  • And other possibilities...
  • Keeps the open file in RAM, with all the ensuing problems
  • No technical support for the free version
  • Reduced functionality

Supports Windows

Quick Selection Guide (Links to download free hex editors)

HxD

Supports many languages, including Russian. Disk and RAM editor. Quickly edits large files. Allows you to generate checksums. Able to compare files. Can safely delete, merge and split files.
All changes are saved to disk immediately. Therefore, always create backups of files before editing.
http://mh-nexus.de/en/hxd/
http://mh-nexus.de/en/downloads.php?product=HxD
Size: 850 KB. Version: 1.7.7.0. License: unrestricted freeware. OS: Windows 95 - 7

Hexplorer

RAM and disk editor. Additional functions such as the Fourier transform. Image viewing. Can recognize NTFS/FAT and BMP headers, and so on. Supports macros to automate tasks.
Keeps the open file entirely in memory, making large files hard to edit. By default, the font and display settings are not very well chosen.

HxD Hex Editor is a data editor with support for ANSI encoding. The application uses a hexadecimal representation for any opened file, can work with regions of RAM, and saves changes to the hard drive. It lets you search and replace values automatically or manually. It includes tools for exporting data, creating checksums, and erasing code fragments.

The program can split files into parts of the required size and supports processing large amounts of information. It uses a modular interface that shows the standard and hexadecimal views side by side. Any changes made can be undone, and it includes navigation by context and by line address.

The hex editor can work with any type of file and can be used to search for and replace values in the memory of running processes.


System requirements

  • Supported OS: Windows XP, Vista, 7, 8, 8.1, 10
  • Architecture: 32-bit (x86) and 64-bit