HexDive 0.3

New version comes with lots of fixes and updates.

New stuff includes:

  • lots of new malware-specific APIs (I manually walked through thousands of them, so over 1600+ APIs commonly used by malware are now being picked up)
  • banking URLs (all stuff from web injects from Zeus/SpyEye etc.)
  • domain names commonly changed via hosts file (anti-* routine to block security software, etc.)
  • minor fixes to existing strings (simple mistakes I spotted)
  • large files are now supported; it has been implemented since the beginning, but I have not tested it yet; if you come across issues, please let me know
  • extra option to avoid showing copyright banner (same as in SysInternals tools /q or -q)
  • better options handling (à la Linux), so you can now specify -qfa instead of -q -f -a
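The kind of scan HexDive performs, as an added example written for this post and not HexDive's own code (HexDive ships as a precompiled binary and its string lists are not published here): a small Python scanner that matches a classified keyword table against a file, reading it in chunks with an overlap so that large files are handled without loading them whole and no match straddling a chunk boundary is lost. The keyword table is constructed for the example: the API names are real Win32 exports, the banking URL and hosts-file domain entries are placeholders, and matching wide (UTF-16LE) strings as well as ASCII is a design choice of this example, not something the post states about HexDive. The same idea covers the 0.2 string categories listed further down (user agents, MIME types, and so on).

```python
"""HexDive-style categorized string scanner (added example, not HexDive's own code)."""
import argparse
import io
import re

# Constructed keyword table: category -> strings worth flagging during malware triage.
# The API names are real Win32 exports; the URL and domain entries are placeholders
# standing in for HexDive's much larger (unpublished) banking-URL and hosts-file lists.
KEYWORDS = {
    "api": ["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
            "SetWindowsHookExA", "InternetOpenUrlA", "URLDownloadToFileA"],
    "banking_url": ["onlinebanking.example/login"],      # placeholder
    "hosts_file_domain": ["update.av-vendor.example"],   # placeholder
    "user_agent": ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"],
    "mime": ["application/x-www-form-urlencoded"],
}
CATEGORY_OF = {w: cat for cat, words in KEYWORDS.items() for w in words}
# Longest keyword as UTF-16LE minus one byte: the overlap needed between chunks
# so that a match straddling a chunk boundary is still found in the next chunk.
LONGEST = max(len(w) for words in KEYWORDS.values() for w in words)
OVERLAP = LONGEST * 2 - 1


def build_patterns():
    """One compiled alternation per encoding. Keywords are matched literally, as ASCII
    and as UTF-16LE (how wide strings appear in Windows process memory), longest first
    so a longer keyword beats a shorter keyword that is its prefix."""
    words = sorted(CATEGORY_OF, key=len, reverse=True)
    ascii_re = re.compile(b"|".join(re.escape(w.encode("ascii")) for w in words))
    wide_re = re.compile(b"|".join(re.escape(w.encode("utf-16-le")) for w in words))
    return ascii_re, wide_re


def scan_bytes(buf, base_offset=0, patterns=None):
    """Return sorted (offset, encoding, category, keyword) tuples for one in-memory buffer."""
    ascii_re, wide_re = patterns or build_patterns()
    hits = []
    for enc, rx in (("ascii", ascii_re), ("utf-16le", wide_re)):
        for m in rx.finditer(buf):
            text = m.group(0).decode("utf-16-le" if enc == "utf-16le" else "ascii")
            hits.append((base_offset + m.start(), enc, CATEGORY_OF[text], text))
    return sorted(hits)


def scan_stream(fobj, chunk_size=4 * 1024 * 1024):
    """Scan a file of any size without loading it whole: read fixed chunks, prepend the
    last OVERLAP bytes of the previous chunk, and dedupe hits seen twice in the overlap."""
    patterns = build_patterns()
    hits, seen = [], set()
    tail, offset = b"", 0
    while True:
        data = fobj.read(chunk_size)
        if not data:
            break
        buf = tail + data
        for hit in scan_bytes(buf, offset - len(tail), patterns):
            if hit not in seen:
                seen.add(hit)
                hits.append(hit)
        offset += len(data)
        tail = buf[-OVERLAP:]
    return sorted(hits)


def scan_file(path, chunk_size=4 * 1024 * 1024):
    with open(path, "rb") as f:
        return scan_stream(f, chunk_size)


# Constructed sample: one ASCII API name, one UTF-16LE user agent and one placeholder
# domain, padded so that a small chunk size splits the wide string across chunk boundaries.
SAMPLE = (b"\x00" * 20 + b"CreateRemoteThread\x00" + b"junk" * 5
          + "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)".encode("utf-16-le")
          + b"\x00" * 7 + b"update.av-vendor.example\x00" + b"\xff" * 10)


def scan_sample(chunk_size=64):
    """Run the chunked scanner over SAMPLE; the same hits must come back for any chunk size."""
    return scan_stream(io.BytesIO(SAMPLE), chunk_size)


def main(argv=None):
    # argparse accepts combined short flags, so -q behaves the same whether given
    # alone or bundled with other single-letter options.
    p = argparse.ArgumentParser(description="categorized string scan (HexDive-style example)")
    p.add_argument("-q", action="store_true", help="quiet: do not print the banner")
    p.add_argument("path")
    args = p.parse_args(argv)
    if not args.q:
        print("hdive-lite example scanner")
    for off, enc, cat, text in scan_file(args.path):
        print(f"{off:#010x} {enc:8} {cat:18} {text}")


if __name__ == "__main__":
    main()
```

Running `scan_sample(64)` and `scan_sample(10000)` returns the same three hits (offsets 20, 59 and 166), which is the check that matters for chunked scanning: the 100-byte wide user agent is cut in two by the 64-byte chunks and is recovered through the overlap. On a real dump, the output is the raw hit list; classifying the keywords is what turns it into triage data, which is why the table carries a category per entry rather than a flat list.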

What’s coming: I am currently toying around with porting the code to yasm, so an elf32 version precompiled for Linux Ubuntu may appear soon 🙂

You can download the current version of HexDive here.

If your .exe download is blocked, you can try a zip file.

Note:

If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings for free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job 🙂 just let me know what is missing. If you have some features you would like to see, please let me know as well. And if you find any bugs, please also let me know.

Thanks for trying and don’t forget to check our other tools!

HexDive 0.2

I just released a new version of HexDive. I added really a lot of new strings, so it should be picking up more juice from malicious samples 🙂

New strings include:

  • pcap (winpcap related strings)
  • libraries
  • mime types
  • charset encodings
  • formatted strings patterns
  • OS file names
  • protocols
  • IPs
  • User agents
  • information-stealing related keywords
  • and more

Note: at this stage HexDive doesn’t search for any regexes (e.g. URLs/emails/etc.), but it is in the making, so stay tuned.

You can download it here.

If your .exe download is blocked, you can try a zip file.

Note1:

If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings for free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job 🙂 just let me know what is missing. Thanks!

Note2:

hdive can be run on static (unpacked) samples as well as on process memory dumps; for benchmarking purposes, here is an example where it is run on a 27MB file, a process memory dump of a simple trojan, which takes 12-13 seconds.

TimeThis :  Command Line :  hdive malware.DMP
TimeThis :    Start Time :  Fri Jun 22 20:24:02 2012
TimeThis :      End Time :  Fri Jun 22 20:24:15 2012
TimeThis :  Elapsed Time :  00:00:12.683