I just released a new version of HexDive. I added a lot of new strings, so it should be picking up more juice from malicious samples 🙂
New strings include:
- pcap (winpcap related strings)
- libraries
- mime types
- charset encodings
- formatted strings patterns
- OS file names
- protocols
- IPs
- User agents
- information-stealing related keywords
- and more
Note: at this stage HexDive doesn’t search for any regexes (e.g. URLs, emails, etc.), but it is in the making, so stay tuned.
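HexDive's own string lists are not published yet, so here is an added illustration (not the tool's code) of the kind of triage it performs: extract every ASCII and UTF-16LE string from a buffer, then keep only the strings that contain a keyword from one of the categories listed above. The category names follow the list in this post; the keywords, the function names and the sample "memory dump" bytes are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed, illustrative keyword lists, one per category from the post.
# These are placeholders for HexDive's own (unpublished) string lists.
CATEGORIES = {
    "pcap": ["wpcap.dll", "packet.dll", "pcap_open_live"],
    "libraries": ["ws2_32.dll", "wininet.dll", "urlmon.dll"],
    "mime types": ["application/x-www-form-urlencoded", "multipart/form-data"],
    "charset encodings": ["utf-8", "iso-8859-1"],
    "format string patterns": ["%s\\%s", "%08x"],
    "OS file names": ["svchost.exe", "lsass.exe", "explorer.exe"],
    "protocols": ["http/1.1", "ftp://", "smtp"],
    "user agents": ["mozilla/4.0 (compatible; msie"],
    "information stealing": ["wallet.dat", "login data", "getclipboarddata"],
}

# Runs of 4+ printable ASCII bytes, and the same kind of run encoded as
# UTF-16LE (the "wide" strings Windows binaries and memory dumps are full of).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Return (offset, text, kind) tuples for every ASCII and wide string."""
    found = [(m.start(), m.group().decode("ascii"), "ascii")
             for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le"), "wide")
              for m in WIDE_RUN.finditer(data)]
    return sorted(found)


def classify(strings):
    """Map category -> strings containing one of its keywords (case-insensitive).

    A string may land in several categories; unclassified strings are dropped,
    which is the whole point of the triage: only the "juice" is kept.
    """
    hits = defaultdict(list)
    for offset, text, kind in strings:
        low = text.lower()
        for category, needles in CATEGORIES.items():
            if any(n.lower() in low for n in needles):
                hits[category].append((offset, text, kind))
    return dict(hits)


def dive(data: bytes):
    """Extract all strings, then keep only the classified ones."""
    return classify(extract_strings(data))


# Constructed stand-in for a process memory dump: junk bytes with embedded
# ASCII and wide strings of the kind an info-stealer might carry.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00junk\x00"
    + b"wininet.dll\x00"
    + b"\xff\xfe\x13"
    + b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\x00"
    + b"\x7f\x80"
    + b"POST /gate.php HTTP/1.1\x00"
    + b"Content-Type: application/x-www-form-urlencoded\x00"
    + b"wallet.dat\x00\x00"
    + "svchost.exe".encode("utf-16le") + b"\x00\x00"
    + b"ab\x00" + b"\x00" * 8   # "ab" is too short to count as a string
)


if __name__ == "__main__":
    for category, found in sorted(dive(SAMPLE_DUMP).items()):
        for offset, text, kind in found:
            print(f"{category:22} {offset:#08x} [{kind:5}] {text}")
```

Running the script on the sample buffer keeps six classified strings (a library name, a user agent, an HTTP request line, a MIME type, a wallet file name and a wide-string OS file name) and silently drops the noise such as "junk". The wide-string regex is anchored only by the byte pattern, so in real dumps a trailing ASCII letter followed by a null can be glued onto the front of a UTF-16 string; the sample separates them with a double null to avoid that.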
You can download it here.
If your .exe download is blocked, you can try a zip file.
Note1:
If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings for free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job 🙂, just let me know what is missing. Thanks!
Note2:
hdive can be run on static samples (unpacked) as well as on process memory dumps; for benchmarking purposes, here is an example of running it on a 27MB file, a process memory dump of a simple trojan, which takes 12-13 seconds.
TimeThis :  Command Line :  hdive malware.DMP
TimeThis :    Start Time :  Fri Jun 22 20:24:02 2012
TimeThis :      End Time :  Fri Jun 22 20:24:15 2012
TimeThis :  Elapsed Time :  00:00:12.683