{"id":1014,"date":"2012-06-07T14:34:19","date_gmt":"2012-06-07T14:34:19","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1014"},"modified":"2012-06-08T15:07:53","modified_gmt":"2012-06-08T15:07:53","slug":"hexdive-intelligent-string-extractor","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/06\/07\/hexdive-intelligent-string-extractor\/","title":{"rendered":"HexDive \u2013 Intelligent String Extractor"},"content":{"rendered":"

In my last two <\/a>posts<\/a>, I mentioned I am working on a new tool. The tool’s idea is to extract a subset of all strings from a given file\/sample in order to reduce time needed for finding ‘juicy’ stuff – meaning: any string that can be associated with a) malware b) any other category;<\/p>\n

This should help in a quick assessment of a file w\/o going through lots of noise coming from typical strings tools (they ‘see’ a few bytes looking like ASCII\/Unicode and assume it is a string).<\/p>\n

Hopefully the tool will help in batch analysis (on unpacked files, or memory dumps).<\/p>\n

This is a first release so expect bugs; for various reasons I stripped part of the database as I am still working on full classification of all keywords (this is a one hell of work).<\/p>\n

By default, the tool works like an enhanced HAPI<\/a>. It extracts interesting strings to the output, but includes not only APIs, but also other stuff .<\/p>\n

To see a full categorization and also include _all_ recognized strings use options as described and shown on a few screenshots below.<\/p>\n

I hope it works for you and will be useful. If you find any bugs, I will really appreciate if you let me know. Also, if you see some strings being missed, please be patient and wait for next release (and ideally drop me an email listing all the stuff hdive missed; I will add it in a next release).<\/p>\n

Thanks for trying!<\/p>\n

Update:<\/strong><\/p>\n

elhoim\u00a0 is asking about speed and programing language; it’s x86 assembly, for small files it’s a blitz; for larger e.g. 30MB, there is a short moment of ‘thinking’, but it’s reasonable. Didn’t test on a large collection, but for this I would need to add a processing for directories to speed it up (I have it on todo list). IT searches for over 100K unique keywords at the moment (including both ANSI, Unicode, some case sensitive).<\/p>\n

Update #2<\/strong><\/p>\n

Check this nice post about MBR Analysis on http:\/\/www.sysforensics.org\/2012\/06\/mbr-malware-analysis.html<\/a> to see what difference HexDive makes in string analysis.<\/p>\n

 <\/p>\n

To Run:<\/p>\n

--------------------------------------------------------------\r\n\u00a0 hexdive v0.1 (c) Hexacorn 2012. All rights reserved.\r\n\u00a0 Visit us at https:\/\/www.hexacorn.com\r\n--------------------------------------------------------------\r\nUsage:\r\n\u00a0\u00a0 hdive [-\/]<options> <filename>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 where options are:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 - a - show all strings (only malware-related are shown by default)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 - f - show |-separated classification (default output are raw strings)\r\nExample:\r\n\u00a0\u00a0 hdive -a malware.exe\r\n\u00a0\u00a0 hdive -f malware.exe\r\n\u00a0\u00a0 hdive -a -f malware.exe\r\n--------------------------------------------------------------\r\n\r\nGimme a file name!<\/pre>\n
 <\/p>\n
Examples of use:<\/p>\n
hdive c:\\Windows\\System32\\notepad.exe<\/strong><\/p>\n
and<\/p>\n
hdive -f c:\\Windows\\System32\\notepad.exe<\/strong><\/p>\n
 <\/p>\n
\"\"<\/a><\/p>\n
hdive -a c:\\Windows\\System32\\notepad.exe<\/strong><\/p>\n
\"\"<\/a><\/p>\n
hdive -f c:\\Windows\\System32\\notepad.exe<\/strong><\/p>\n
\"\"<\/a><\/p>\n
You can download it here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
In my last two posts, I mentioned I am working on a new tool. The tool’s idea is to extract a subset of all strings from a given file\/sample in order to reduce time needed for finding ‘juicy’ stuff – … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1014"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1014"}],"version-history":[{"count":14,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1014\/revisions"}],"predecessor-version":[{"id":1027,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1014\/revisions\/1027"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}