Wednesday, August 7, 2019

Static Analysis with Hiew

In my previous post, I talked about using Far Manager to speed up malware analysis work. I also talked about integrating Hiew (Hacker's View) into Far Manager.
With the arrival of newer tools like IDA Pro, Hiew is being forgotten, but it is still worth a look. It is a lightweight tool with a hex editor, a PE (Portable Executable) parser, an x86 disassembler, a string viewer and other notable features that help antivirus researchers do quick static analysis on a suspect file. I have been using it for years for writing AV signatures.

If you open a file in Hiew, it shows the content of the file in text mode. This is the same as opening the file in Notepad.


To see what you can do with Hiew, look at the pane at the bottom.


F1 is for help.
F5 goes to a particular offset in the file.
F7 searches for a string.
F4 changes the mode.
Hiew has two modes other than Text, namely Hex and Decode. You can switch modes by pressing F4, then selecting the mode with the arrow keys and pressing Enter.


Hiew has a hex editor embedded in it. If you want to see the equivalent hex bytes, change the mode to Hex: press F4, use the arrow keys to select Hex and press Enter. The third mode is Decode, which shows the bytes disassembled as instructions. You can also press Enter to cycle between the modes.


The first column is the file offset (for PE files it shows the virtual address by default; press Alt+F1 to see file offsets). The middle column is the hex bytes and the third is the text.
To see the strings in a file from any mode, press Alt+F6. This eliminates the need for a separate string viewer such as Strings from Sysinternals.


Blue strings are ASCII while red ones are Unicode. To see the offset of a string in the file, move the cursor to the string and press Enter.

You can see that the string "October " is at offset 0x00334DF0.
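To make the two views described above concrete (the three-column hex layout with either file offsets or virtual addresses in the first column, and the Alt+F6 string list with ASCII and Unicode strings at their file offsets), here is a small added Python example. It is not Hiew's code and does not reproduce Hiew's output byte for byte; the `hexdump`, `find_strings` names and the `SAMPLE` buffer are constructed for this illustration.

```python
import re
from typing import List, Tuple


def hexdump(data: bytes, base: int = 0, width: int = 16) -> List[str]:
    """Render rows in the three-column layout of a hex viewer:
    address, hex bytes, printable text. `base` lets the address column
    show virtual addresses instead of file offsets (the Alt+F1 toggle)."""
    rows = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join("%02X" % b for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append("%08X: %s  %s" % (base + i, hexpart, text))
    return rows


def find_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (file_offset, kind, text) for printable ASCII runs and
    UTF-16LE runs, the two kinds Hiew colours blue and red in Alt+F6."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in unicode_re.finditer(data):
        found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    return sorted(found)  # ordered by file offset


# Constructed sample buffer (not a real file): padding, an ASCII string,
# more padding, then a UTF-16LE string followed by non-string bytes.
SAMPLE = (b"\x00" * 16 + b"Hello, Hiew!" + b"\x00" * 8
          + "October".encode("utf-16-le") + b"\x00\x00\x01\x02ab")

if __name__ == "__main__":
    for row in hexdump(SAMPLE, base=0x400000):
        print(row)
    for off, kind, s in find_strings(SAMPLE):
        print("%08X %-7s %s" % (off, kind, s))
```

Run it and the string list reports the ASCII string at file offset 0x10 and the Unicode "October" at 0x24, the same information Hiew gives when you press Enter on a string in the Alt+F6 view.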


Let's look into the PE parser of Hiew. Open a 32-bit Windows executable in Hex mode. By default the virtual address is shown instead of file offsets.


If you want to see file offsets, press Alt+F1.
Also notice what appears in the bar at the bottom of Hiew.

F4 changes the mode.
F5 goes to an address. To go to a file offset, press F5 and type the offset. For a virtual address, start with a "." and then type the virtual address.
F6 stands for Reference. This is like the XRefs feature of IDA Pro or the "Find references" feature of OllyDbg: it tells you where a particular piece of data or code is referenced.
F8 shows the PE header.

Let me press F8 and see what happens.

The PE header pops up and the options at the bottom of the screen also change. If you press F4 it shows the PE header in Decode mode.
F5 goes to the entry point.
F6 displays the section headers.
F7 shows the import table.
F9 shows the exports if the file is a DLL.
F10 shows the data directories.

To go to a section in the PE file, press Enter on it. To go to the entry point, open the header and press F6, then press Enter to see the disassembly at the entry point.
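What Hiew's PE parser does when it jumps to a section or the entry point, and why it can show either virtual addresses or file offsets, comes down to the section table. The added Python example below walks the DOS header, COFF header, optional header and section table, maps RVAs to file offsets and back, and resolves an F5-style target (a "." prefix for a virtual address, a bare hex number for a file offset). It is not Hiew's code; the function names are hypothetical, and `build_sample_pe` constructs a minimal PE32 image purely for demonstration (it is not a real program).

```python
import struct
from typing import Dict, List, Optional

# Field offsets below follow the PE/COFF specification: DOS header,
# COFF file header, optional header, then the section table.


def parse_pe(data: bytes) -> Dict:
    """Walk the headers and return image base, entry RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]      # NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    opt = pe + 24                                               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    if magic == 0x10B:                                          # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                        # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections: List[Dict] = []
    pos = opt + size_opt                                        # section table follows the optional header
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
        pos += 40                                               # IMAGE_SECTION_HEADER is 40 bytes
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(pe: Dict, rva: int) -> Optional[int]:
    """Map an RVA to a file offset through the section table (headers map 1:1)."""
    secs = pe["sections"]
    if secs and rva < secs[0]["va"]:
        return rva
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            # None: the RVA lies in the zero-filled tail that has no bytes in the file
            return s["raw"] + delta if delta < s["rawsize"] else None
    return None


def offset_to_va(pe: Dict, offset: int) -> Optional[int]:
    """Inverse mapping: file offset to virtual address (what Hiew shows without Alt+F1)."""
    for s in pe["sections"]:
        if s["raw"] <= offset < s["raw"] + s["rawsize"]:
            return pe["image_base"] + s["va"] + (offset - s["raw"])
    if pe["sections"] and offset < pe["sections"][0]["raw"]:
        return pe["image_base"] + offset
    return None


def goto_target(pe: Dict, spec: str) -> Optional[int]:
    """Resolve an F5-style target: '.401010' is a virtual address, '210' a file offset (both hex)."""
    if spec.startswith("."):
        return rva_to_offset(pe, int(spec[1:], 16) - pe["image_base"])
    return int(spec, 16)


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 image (not a real binary): two sections, entry point in .text."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                       # SectionAlignment, FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + coff + opt + sec).ljust(0x200, b"\x00")
    text = (b"\x90" * 0x10 + b"\xCC").ljust(0x200, b"\x00")               # int3 sits at the entry point
    data = b"October".ljust(0x200, b"\x00")
    return headers + text + data


if __name__ == "__main__":
    img = build_sample_pe()
    pe = parse_pe(img)
    for s in pe["sections"]:
        print("%-8s VA=%08X raw=%08X" % (s["name"], pe["image_base"] + s["va"], s["raw"]))
    ep = rva_to_offset(pe, pe["entry_rva"])
    print("entry VA=%08X -> file offset %08X, byte %02X"
          % (pe["image_base"] + pe["entry_rva"], ep, img[ep]))
```

The `max(vsize, rawsize)` span and the `None` result matter in practice: a section's virtual size is often larger than what is stored on disk, and an RVA in that uninitialised tail has no file offset at all, which is why a tool has to consult the section table rather than subtract a constant.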


Hiew has a lot more features. One can go through the help or play around by pressing different keys. Although the tool does not have too many features, it can still save researchers time.