Hexacorn

It’s time for a new version of HexDive!

Today’s changes introduce many new keywords and some new features + bug fixes:

Keywords:

Delphi package/library/unit names (I posted some subset of this list previously)
Compiler-related strings (not that really useful for malware analysis, but may help to identify the compiler-specific strings)
Copyright banners (I posted some previously)
Registry key/value names (also posted some previously)
More information stealing-related strings (some more software targeted by infostealers, including some old ones e.g. The Bat, ICQ, AOL, etc.)
Game-related strings (to highlight malware targeting various computer games)
A lot new generic malware strings (from the top of the histogram of all strings extracted from 1M+ samples); many of these strings are not categorized yet, but still – better to have them being picked up than wait for a classification to be complete 🙂 – use -a option to see what ‘juicy’ stuff is being picked up

New features:

The output produced by -a option now includes physical offsets and may include context (see next point)
I added a new experimental feature that shows context of the strings – basically, some bytes before and after the string in a file; this should help to quickly assess what’s the potential usefulness of the string and its context; it may also help to find other strings that are not picked up by HexDive for various reasons and that are stored inside the file within a close proximity of a found string. To see context, use a new command line options ‘-c’. See example below to see how it works in practice and how to use it to quickly locate strings of interest in a hex viewer.

Bug fixes:

sometimes some strings were not picked up due to a bug in the processing algorithm; this affected strings that were using mixed lower/uppercase; should be fixed now; note: this bugfix introduces a side-effect that makes the output a bit noisier (e.g. New, NEW, NeW are being picked up; I may introduce some filtering of the output if it becomes an issue)
sometimes some strings were printed twice – should be fixed now
strings were not picked up at the end of the file – should be fixed now

You can download current version of HexDive here.

If your .exe download is blocked, you can try a zip file.

Example of strings with a context

When ran with -c option, HexDive shows a string with a context:

At the moment, it shows a string in one row, then in a next row the actual context of the string and finally 10 hexadecimal values

that you can copy and paste into a Search/Find in your favorite Hex Viewer

to quickly locate the string of interest and it’s context without worrying about Unicode/ANSI/non-printable values:

A few months back I released the first version of HMFT – a small utility written in x86 assembly that reads $MFT directly from a physical disk (or raw image file/DD format) and saves it to a file. Today I am releasing a new version of this tool that now can also extract $MFT metadata and print it out to the output file. It is very similar to AnalyzeMFT from David Kovar, mft.pl (wfa3e.zip) from Harlan Carvey, and fls from Sleuthkit as well as other similar utilities.

The main difference is that it is very small, fast, works on both live systems and images, and tries to parse the attributes and print out raw data in a way that includes all gore details from $MFT FILE records to help in analysis and learning the NTFS internals.

Apart from a new functionality, I also fixed one bug – the actual $MFT FILE record was not saved to the output file in a previous version; this is now fixed.

As usual:

it’s a work in progress and at the moment it only supports FILE_NAME and STANDARD_INFORMATION attributes as well as data LCNs. Hopefully I will be able to add other information later on.
it may contain bugs so if you spot any, please do let me know and I will try to fix them.
any feedback is much appreciated, thanks!

Download a new version here.

Enjoy!

The new version now takes 3 arguments from a command line:

Usage:
   hmft [drive:] [-/options] [output filename]
      where options are:
      - l - enumerate $MFT and list FILE record attributes (partially implemented)
      - d - dump $MFT to a file

Examples:
   hmft -d c: c_mft.dat
   hmft -l c: c_mft_listing.dat

Example session on a 1.2GiB $MFT:

Example output:

[NTFS BOOT RECORD]
  BytesPerSector = 512
  SectorsPerCluster = 8
  MFTStartCluster = 786432
  ----------------------------------------------
  [FILE]
    SignatureD                    = 1162627398
    OffsetToFixupArrayW           = 48
    NumberOfEntriesInFixupArrayW  = 3
    LogFileSequenceNumberQ        = 99422051935
    SequenceValueW                = 1
    LinkCountW                    = 1
    OffsetToFirstAttributeW       = 56
    FlagsW                        = 1
    UsedSizeOfMFTEntryD           = 616
    AllocatedSizeOfMFTEntryD      = 1024
    FileReferenceToBaseRecordQ    = 0
    NextAttributeIdD              = 7
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 16
      LengthOfAttributeD       = 96
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 0
      --
      SizeOfContentD          = 72
      OffsetToContentW        = 24
      --
        MFTA_STANDARD_INFORMATION
            CreationTimeQ         = 128880037529117193
            ModificationTimeQ     = 128880037529117193
            MFTModificationTimeQ  = 128880037529117193
            AccessTimeQ           = 128880037529117193
            FlagsD                = 6
            MaxNumOfVersionsD     = 0
            VersionNumberD        = 0
            ClassIdD              = 0
            OwnerIdD              = 0
            SecurityIdD           = 256
            QuotaQ                = 0
            USNQ                  = 0
            CreationTime (epoch)    = 1243530152
            ModificationTime (epoch)  = 1243530152
            MFTModificationTime (epoch)  = 1243530152
            AccessTime (epoch)           = 1243530152
   --

    RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 48
      LengthOfAttributeD       = 104
      NonResidentFlagB         = 0
      LengthOfNameB            = 0
      OffsetToNameW            = 24
      FlagsW                   = 0
      AttributeIdentifierW     = 3
      --
      SizeOfContentD          = 74
      OffsetToContentW        = 24
      --
        MFTA_FILE_NAME
            ParentID6             = 5
            ParentUseIndexW       = 5
            CreationTimeQ         = 128880037529117193
            ModificationTimeQ     = 128880037529117193
            MFTModificationTimeQ  = 128880037529117193
            AccessTimeQ           = 128880037529117193
            CreationTime (epoch)    = 1243530152
            ModificationTime (epoch)  = 1243530152
            MFTModificationTime (epoch)  = 1243530152
            AccessTime (epoch)           = 1243530152
            AllocatedSizeQ        = 1051983872
            RealSizeQ             = 1051983872
            FlagsD                = 6
            ReparseValueD         = 0
            LengthOfNameB         = 4
            NameSpaceB            = 3
     FileName = $MFT
   --

    NON_RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 128
      LengthOfAttributeD       = 80
      NonResidentFlagB         = 1
      LengthOfNameB            = 0
      OffsetToNameW            = 64
      FlagsW                   = 0
      AttributeIdentifierW     = 1
      --
      StartingVCNQ          = 0
      EndingVCNQ            = 293647
      OfsToRunListW         = 64
      CompressionUnitSizeW  = 0
      UnusedD               = 0
      AllocateSizeQ         = 1202782208
      ActualSizeQ           = 1202782208
      InitializedSizeQ      = 1202782208
      --
        MFTA_DATA
              len = 2
              ofs = 3
              LCN_Ofs = 786432
              LCN_Len = 17312
              len = 3
              ofs = 4
              LCN_Ofs = 16909768
              LCN_Len = 276336
              len = 0
              ofs = 0
   --

    NON_RESIDENT ATTRIBUTE
      AttributeTypeIdentifierD = 176
      LengthOfAttributeD       = 272
      NonResidentFlagB         = 1
      LengthOfNameB            = 0
      OffsetToNameW            = 64
      FlagsW                   = 0
      AttributeIdentifierW     = 6
      --
      StartingVCNQ          = 0
      EndingVCNQ            = 36
      OfsToRunListW         = 64
      CompressionUnitSizeW  = 0
      UnusedD               = 0
      AllocateSizeQ         = 151552
      ActualSizeQ           = 148896
      InitializedSizeQ      = 148896
      --
        MFTA_BITMAP
  NumOfClustersBlocks = 2
  ----------------------------------------------

Download a new version here.

Hexacorn

HexDive 0.5 – Adding a bit of a context…

HMFT update: listing $MFT attributes