HexDive 0.5 – Adding a bit of a context…

It’s time for a new version of HexDive!

Today’s changes introduce many new keywords and some new features + bug fixes:

Keywords:

  • Delphi package/library/unit names (I posted some subset of this list previously)
  • Compiler-related strings (not really that useful for malware analysis, but they may help to identify compiler-specific strings)
  • Copyright banners (I posted some previously)
  • Registry key/value names (also posted some previously)
  • More information-stealing-related strings (more software targeted by infostealers, including some old ones, e.g. The Bat, ICQ, AOL, etc.)
  • Game-related strings (to highlight malware targeting various computer games)
  • A lot of new generic malware strings (from the top of the histogram of all strings extracted from 1M+ samples); many of these strings are not categorized yet, but still – better to have them picked up than wait for the classification to be complete 🙂 – use the -a option to see what ‘juicy’ stuff is being picked up

New features:

  • The output produced by the -a option now includes physical offsets and may include context (see next point)
  • I added a new experimental feature that shows the context of a string – basically, some bytes before and after the string in the file; this should help to quickly assess the potential usefulness of the string and its context; it may also help to find other strings that are not picked up by HexDive for various reasons but are stored in the file in close proximity to a found string. To see the context, use the new command line option ‘-c’. See the example below for how it works in practice and how to use it to quickly locate strings of interest in a hex viewer.

Bug fixes:

  • sometimes some strings were not picked up due to a bug in the processing algorithm; this affected strings that used mixed lower/uppercase; should be fixed now; note: this bugfix introduces a side-effect that makes the output a bit noisier (e.g. New, NEW, NeW are all picked up; I may introduce some filtering of the output if it becomes an issue)
  • sometimes some strings were printed twice – should be fixed now
  • strings were not picked up at the end of the file – should be fixed now

You can download the current version of HexDive here.

If your .exe download is blocked, you can try a zip file.

Example of strings with a context

When run with the -c option, HexDive shows a string with its context:

At the moment, it shows the string in one row, then in the next row the actual context of the string, and finally 10 hexadecimal values that you can copy and paste into Search/Find in your favorite hex viewer to quickly locate the string of interest and its context without worrying about Unicode/ANSI/non-printable values:
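To make the -c output described above (and the context feature introduced in the "New features" list) concrete, here is an added Python example written for this post; it is not HexDive's code and does not reproduce its keyword lists. It scans a constructed sample file for a constructed keyword list and reports every hit with its physical offset, a printable rendering of the bytes around it, and a hex pattern that can be pasted into a hex viewer's Find. It also folds case for both ASCII and UTF-16LE strings, de-duplicates hits that fall on the same span, and finds a keyword that ends on the very last byte of the file, i.e. it avoids the three bugs listed above. The KEYWORDS categories, the SAMPLE bytes, the 8-byte context width and the choice of "10 bytes starting at the hit" for the hex pattern are all assumptions made for the example.

```python
import re

# Constructed keyword list standing in for HexDive's built-in categories (not its real list).
KEYWORDS = {
    "registry":    ["CurrentVersion\\Run"],
    "infostealer": ["The Bat", "ICQ"],
    "game":        ["steam_api"],
}

# Constructed sample "file": a fake header, one ASCII keyword, one UTF-16LE keyword in
# mixed case, one ASCII keyword in mixed case and one keyword occupying the last 3 bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00\x00" + "Steam_API".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"The bat\x00"
    + b"\x90" * 4 + b"ICQ"
)


def compile_patterns(keywords):
    """One case-insensitive bytes regex per keyword and encoding.

    re.IGNORECASE on a bytes pattern folds ASCII letters only, which is exactly what
    is wanted here: 'New', 'NEW' and 'NeW' all match, in ASCII and in UTF-16LE.
    """
    patterns = []
    for category, words in keywords.items():
        for word in words:
            for enc in ("ascii", "utf-16-le"):
                literal = re.escape(word.encode(enc))
                patterns.append((category, word, enc, re.compile(literal, re.IGNORECASE)))
    return patterns


def printable(raw):
    """Render context bytes as ASCII, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def hex_pattern(raw):
    """Space-separated uppercase hex, the form most hex viewers accept in Find."""
    return " ".join(f"{b:02X}" for b in raw)


def find_strings(data, keywords=KEYWORDS, context=8, hex_len=10):
    """Return keyword hits with physical offset, surrounding bytes and a hex search pattern.

    Hits are de-duplicated on (start, end), so a keyword listed twice, or matched by
    more than one pattern, is reported once; finditer also returns a hit that ends
    exactly at the last byte of the buffer, so nothing is lost at the end of the file.
    """
    seen = set()
    hits = []
    for category, word, enc, pattern in compile_patterns(keywords):
        for m in pattern.finditer(data):
            span = (m.start(), m.end())
            if span in seen:
                continue
            seen.add(span)
            hits.append({
                "offset": m.start(),
                "category": category,
                "keyword": word,
                "encoding": enc,
                "text": m.group().decode(enc),
                "before": printable(data[max(0, m.start() - context):m.start()]),
                "after": printable(data[m.end():m.end() + context]),
                "hex": hex_pattern(data[m.start():m.start() + hex_len]),
            })
    return sorted(hits, key=lambda h: h["offset"])


def format_hit(h):
    """Three rows per hit: the string, its context, and the hex bytes to search for."""
    return (
        f"{h['offset']:08X}  [{h['category']}/{h['encoding']}] {h['text']}\n"
        f"          context: {h['before']}<{h['text']}>{h['after']}\n"
        f"          find:    {h['hex']}"
    )


if __name__ == "__main__":
    for hit in find_strings(SAMPLE):
        print(format_hit(hit))
```

Running the block prints four hits in offset order (the registry key at 0x23, the UTF-16LE game string at 0x38, the mixed-case "The bat" at 0x4E and "ICQ" at 0x5A, the end of the buffer). Pasting the "find:" row of the UTF-16LE hit (53 00 74 00 65 00 61 00 6D 00) into a hex viewer lands on the string without having to type the NUL bytes by hand, which is the point of the third row.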