It’s time for a new version of HexDive!
Today’s changes introduce many new keywords and some new features + bug fixes:
Keywords:
- Delphi package/library/unit names (I posted some subset of this list previously)
- Compiler-related strings (not really that useful for malware analysis, but may help to identify compiler-specific strings)
- Copyright banners (I posted some previously)
- Registry key/value names (also posted some previously)
- More information stealing-related strings (some more software targeted by infostealers, including some old ones e.g. The Bat, ICQ, AOL, etc.)
- Game-related strings (to highlight malware targeting various computer games)
- A lot of new generic malware strings (from the top of the histogram of all strings extracted from 1M+ samples); many of these strings are not categorized yet, but still – better to have them picked up than to wait for a classification to be complete 🙂 – use the -a option to see what ‘juicy’ stuff is being picked up
New features:
- The output produced by -a option now includes physical offsets and may include context (see next point)
- I added a new experimental feature that shows the context of the strings – basically, some bytes before and after the string in a file; this should help to quickly assess the potential usefulness of the string and its context; it may also help to find other strings that are not picked up by HexDive for various reasons and that are stored inside the file in close proximity to a found string. To see context, use the new command line option ‘-c’. See the example below for how it works in practice and how to use it to quickly locate strings of interest in a hex viewer.
Bug fixes:
- sometimes some strings were not picked up due to a bug in the processing algorithm; this affected strings using mixed lower/uppercase; should be fixed now; note: this bugfix has a side-effect that makes the output a bit noisier (e.g. New, NEW, NeW are all picked up; I may introduce some filtering of the output if it becomes an issue)
- sometimes some strings were printed twice – should be fixed now
- strings were not picked up at the end of the file – should be fixed now
You can download the current version of HexDive here.
If your .exe download is blocked, you can try a zip file.
Example of strings with a context
When run with the -c option, HexDive shows a string with its context. At the moment, it shows the string on one row, then on the next row the actual context of the string, and finally 10 hexadecimal values that you can copy and paste into the Search/Find of your favorite hex viewer to quickly locate the string of interest and its context without worrying about Unicode/ANSI/non-printable values:
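To make the -a/-c behaviour described above concrete, here is an added Python example (my own illustration, not HexDive's code) of the same idea: scan a buffer for a list of keywords case-insensitively in both ASCII and UTF-16LE, report the physical offset of each hit, show a few bytes of context on either side (clipped at the end of the buffer, so strings at the very end are still found), and emit the first 10 bytes at the hit as a hex string that can be pasted into a hex viewer's search. The sample buffer, the keyword list and the context width of 8 bytes are constructed for the example.

```python
import re
import string

# Bytes shown as-is in the context line; everything else is rendered as '.'
_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def render(chunk: bytes) -> str:
    """Show a byte string the way a hex viewer's text column would."""
    return "".join(chr(b) if b in _PRINTABLE else "." for b in chunk)


def find_keywords(data: bytes, keywords, context=8, hex_len=10):
    """Locate each keyword in data, case-insensitively, as ASCII and UTF-16LE.

    Returns one dict per hit: physical offset, encoding, the bytes actually
    matched, `context` bytes on either side (clipped at the buffer boundaries,
    so a hit at the very end of the file is still reported), and a hex string
    of the first `hex_len` bytes at the hit for pasting into a hex viewer.
    """
    seen = set()
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(kw.encode(enc))
            for m in re.finditer(pattern, data, re.IGNORECASE):
                key = (m.start(), m.end())
                if key in seen:  # same bytes matched by two keywords: report once
                    continue
                seen.add(key)
                lo = max(0, m.start() - context)
                hi = min(len(data), m.end() + context)
                hits.append({
                    "offset": m.start(),
                    "encoding": enc,
                    "match": m.group(0),
                    "context": data[lo:hi],
                    "hex": " ".join(f"{b:02X}" for b in data[m.start():m.start() + hex_len]),
                })
    hits.sort(key=lambda h: h["offset"])
    return hits


def report(hits) -> str:
    """Three lines per hit: the string, its rendered context, the hex search bytes."""
    lines = []
    for h in hits:
        text = h["match"].decode(h["encoding"], errors="replace")
        lines.append(f"{h['offset']:08X} [{h['encoding']}] {text}")
        lines.append("  context: " + render(h["context"]))
        lines.append("  hex:     " + h["hex"])
    return "\n".join(lines)


# Constructed sample buffer (not a real file): an ASCII registry path, a
# UTF-16LE product name, and a mixed-case keyword right at the end of the data.
SAMPLE = (
    b"\x00\x00MZ\x90\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\x03"
    + "The Bat!".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + b"NeW"
)

if __name__ == "__main__":
    print(report(find_keywords(SAMPLE, ["CurrentVersion\\Run", "The Bat", "new"])))
```

The hex line is built from the raw bytes at the hit, so a UTF-16LE string comes out with its interleaved 00 bytes already in place; that is what makes it safe to paste into a hex search without thinking about the encoding or the non-printable bytes around it.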