HexDive – Intelligent String Extractor

June 7, 2012 in HexDive, Malware Analysis, Software Releases

In my last two posts, I mentioned I am working on a new tool. The idea behind the tool is to extract only a subset of all strings from a given file/sample, reducing the time needed to find the 'juicy' stuff, meaning any string that can be associated with a) malware or b) some other recognizable category.

This should help with a quick assessment of a file without wading through the noise produced by typical strings tools (they 'see' a few consecutive bytes that look like ASCII/Unicode and assume they form a string).

Hopefully the tool will help in batch analysis (on unpacked files, or memory dumps).

This is a first release so expect bugs; for various reasons I stripped part of the database as I am still working on the full classification of all keywords (this is one hell of a job).

By default, the tool works like an enhanced HAPI. It extracts interesting strings to the output, but includes not only APIs, but also other interesting strings.

To see the full categorization, and to include _all_ recognized strings, use the options described and shown in the screenshots below.

I hope it works for you and will be useful. If you find any bugs, I would really appreciate it if you let me know. Also, if you see some strings being missed, please be patient and wait for the next release (and ideally drop me an email listing all the stuff hdive missed; I will add it in the next release).

Thanks for trying!

Update:

elhoim is asking about speed and programming language; it's x86 assembly, for small files it's a blitz; for larger e.g. 30MB, there is a short moment of 'thinking', but it's reasonable. Didn't test on a large collection, but for this I would need to add processing for directories to speed it up (I have it on the todo list). It searches for over 100K unique keywords at the moment (including both ANSI, Unicode, some case sensitive).

Update #2

Check out this nice post about MBR analysis at http://www.sysforensics.org/2012/06/mbr-malware-analysis.html to see what difference HexDive makes in string analysis.


To Run:

--------------------------------------------------------------
  hexdive v0.1 (c) Hexacorn 2012. All rights reserved.
  Visit us at https://www.hexacorn.com
--------------------------------------------------------------
Usage:
   hdive [-/]<options> <filename>
      where options are:
      - a - show all strings (only malware-related are shown by default)
      - f - show |-separated classification (default output are raw strings)
Example:
   hdive -a malware.exe
   hdive -f malware.exe
   hdive -a -f malware.exe
--------------------------------------------------------------

Gimme a file name!
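To make the difference between a plain strings dump and the default hdive output concrete, here is an added example in Python. It is not HexDive's code (HexDive is written in x86 assembly and its database holds over 100K keywords); the tiny keyword table, its "category|subcategory" labels, the case-insensitive matching and the sample bytes are all constructed for this illustration. It mimics the two switches shown above: without -a only strings that hit a keyword are printed, and -f prints a |-separated classification instead of the raw string.

```python
import re
import sys

# Constructed stand-in for HexDive's keyword database (the real one holds over
# 100K entries); the "category|subcategory" labels are an assumption made for
# this example, not HexDive's own classification.
KEYWORDS = {
    "CreateRemoteThread": "api|injection",
    "WriteProcessMemory": "api|injection",
    "VirtualAllocEx": "api|injection",
    "SetWindowsHookEx": "api|hooking",
    "URLDownloadToFile": "api|network",
    "IsDebuggerPresent": "api|antidebug",
    "CurrentVersion\\Run": "registry|persistence",
    "cmd.exe": "path|shell",
}

MIN_LEN = 4
# Runs of printable ASCII, and runs of printable ASCII encoded as UTF-16LE
# (each character followed by a NUL): the two string forms hdive reports.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data):
    """Return (offset, encoding, text) for every ASCII/UTF-16LE run, by offset.

    This is all a classic 'strings' tool does: it cannot tell whether a run of
    printable bytes means anything, so 'ab12' and 'CreateRemoteThread' are
    reported alike.
    """
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(data)]
    return sorted(found)


def classify(text):
    """Return the category of the first keyword contained in text, else None.

    Matching is case-insensitive here; HexDive keeps some keywords
    case-sensitive, which this example does not model.
    """
    lowered = text.lower()
    for keyword, category in KEYWORDS.items():
        if keyword.lower() in lowered:
            return category
    return None


def hdive(data, show_all=False, classify_output=False):
    """Mimic hdive's two switches: -a (show_all) and -f (classify_output)."""
    rows = []
    for offset, encoding, text in extract_strings(data):
        category = classify(text)
        if category is None and not show_all:
            continue                       # default: only keyword hits survive
        if classify_output:
            rows.append("|".join([f"{offset:08x}", encoding,
                                  category or "unknown", text]))
        else:
            rows.append(text)
    return rows


# Constructed sample: a few bytes that look like a PE header, two imports,
# some junk, a UTF-16LE API name, a registry path and a command line.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00"
    + b"CreateRemoteThread\x00"
    + b"\x01\x02\x03\x04"          # non-printable, never a string
    + b"ab12\x00\x00\x00"          # printable noise a plain strings tool reports;
                                   # the extra NULs keep the UTF-16 scanner from
                                   # gluing the trailing '2\x00' onto the next run
    + "IsDebuggerPresent".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x7f\x80\x81"
    + b"cmd.exe /c\x00"
)

if __name__ == "__main__":
    # usage: hdive.py [-a] [-f] <file>; with no file the constructed sample is used
    args = [a for a in sys.argv[1:] if not a.startswith("-")]
    flags = "".join(a.lstrip("-") for a in sys.argv[1:] if a.startswith("-"))
    data = open(args[0], "rb").read() if args else SAMPLE
    for row in hdive(data, show_all="a" in flags, classify_output="f" in flags):
        print(row)
```

Run without arguments to see the four keyword hits from the constructed sample; add -a to see the "kernel32.dll" and "ab12" noise that a plain strings tool would also print, and -f to get offset, encoding and category alongside each string.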


Examples of use:

hdive c:\Windows\System32\notepad.exe

and

hdive -f c:\Windows\System32\notepad.exe


hdive -a c:\Windows\System32\notepad.exe

hdive -f c:\Windows\System32\notepad.exe

You can download it here.
