EXETOOLS FORUM

EXETOOLS FORUM (https://forum.exetools.com/index.php)
-   Community Tools (https://forum.exetools.com/forumdisplay.php?f=47)
-   -   HIEW32 Plugins Collection (https://forum.exetools.com/showthread.php?t=18736)

dosprog 04-01-2018 22:24

HIEW32 Plugins Collection
 
1 Attachment(s)
Simple useful plugins for HIEW32, created 2017:
----------------------------------------------

CRACK.HEM HEM-PlugIn - compares binary files. Reports differences as a CRK file for use with CRACKER.EXE.
Adds all available defined HIEW32 labels/names to the CRK as comments.
(Original idea by Jupiter).

GOTO.HEM HEM-PlugIn for locating some positions in MZ & PE-EXE files.

PE_RWE.HEM HEM-PlugIn - sets the attributes of all sections in a PE to r/w/e. (See comment at post#3)
(Original idea by me).

PE_TAILS.HEM HEM-PlugIn - corrects "tails of sections" in a PE. (Sets VirtSize>=PhysSize for all) (See comment at post#3)
(Original idea by me).

PE_HINTS.HEM HEM-PlugIn - for correcting import hints in a 32-bit PE file.
(Original idea by FalseMaster:
Discussed here: https://exelab.ru/f/index.php?action=vthread&forum=3&topic=24033
).

PE_OVL.HEM HEM-PlugIn - manipulates the PE-file overlay.

PE_ASLR.HEM HEM-PlugIn - sets/clears the RelocationsStripped bit in the PE header.

BLOCK.HEM HEM-PlugIn - operations on a block (Xor, Add, Sub with a string or file) (16Mb max.).
(It's a minor modification of the standard HEM-plugin example).

BL_MD5.HEM HEM-PlugIn - calculates the MD5 sum of the marked block (16Mb max.)

MBYTES2.HEM HEM-PlugIn - converts the selected block of bytes into C/Asm "DB/DW/DD" code. Paste it from the clipboard.

KBD_CYR.HEM HEM-PlugIn - for Russifying keyboard input in HIEW32.EXE.
6 keyboard mappings available (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics).
Starts when loaded, after pressing the <F11> key in HIEW32.
(Original idea by me).
KBD_CYR.PNG - optional - simple picture-help for the KBD_CYR.HEM keyboard switcher.




---------------------------------------
1st released here:
https://exelab.ru/f/index.php?action...5147&page=6#22


See attached archive (Updated 23 June 2018)




dosprog 04-01-2018 22:40

Fix to HIEW32.EXE v.8.43 for caching of GOTO address
 
1 Attachment(s)
Fix to HIEW32.EXE v.8.43 for caching of the GOTO address (when <F5> is pressed).

The file HIEW32.EXE v.8.43 must be unpacked.
Use CRACKER.EXE with the given patch file "GOTO_843.CRK".

Discussed here:
https://exelab.ru/f/index.php?action...5147&page=6#11


--Add--
This feature is already implemented in the new HIEW32 v.8.60.



dosprog 04-02-2018 17:13

===================================
Comment for HEM-plugin PE_TAILS.HEM
===================================

Original PE-sections table of target example file:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028874  00001000  00028A00  00000400  60500060
2  .data     00000084  0002A000  00000200  00028E00  C0300040
3  .rdata    00008970  0002B000  00008A00  00029000  40700040
4  .eh_fram  000065A8  00034000  00006600  00031A00  40300040
5  .bss      00010F20  0003B000  00000000  00000000  C0700080
6  .idata    00000A68  0004C000  00000C00  00038000  C0300040
7  .CRT      00000018  0004D000  00000200  00038C00  C0300040
8  .tls      00000020  0004E000  00000200  00038E00  C0300040

PE-sections table of target example file after PE_TAILS.HEM has run:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028A00  00001000  00028A00  00000400  60500060
2  .data     00000200  0002A000  00000200  00028E00  C0300040
3  .rdata    00008A00  0002B000  00008A00  00029000  40700040
4  .eh_fram  00006600  00034000  00006600  00031A00  40300040
5  .bss      00010F20  0003B000  00000000  00000000  C0700080
6  .idata    00000C00  0004C000  00000C00  00038000  C0300040
7  .CRT      00000200  0004D000  00000200  00038C00  C0300040
8  .tls      00000200  0004E000  00000200  00038E00  C0300040

Compare the <VirtSize> column before and after.




===================================
Comment for HEM-plugin PE_RWE.HEM
===================================


Original PE-sections table of target example file:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028874  00001000  00028A00  00000400  60500060
2  .data     00000084  0002A000  00000200  00028E00  C0300040
3  .rdata    00008970  0002B000  00008A00  00029000  40700040
4  .eh_fram  000065A8  00034000  00006600  00031A00  40300040
5  .bss      00010F20  0003B000  00000000  00000000  C0700080
6  .idata    00000A68  0004C000  00000C00  00038000  C0300040
7  .CRT      00000018  0004D000  00000200  00038C00  C0300040
8  .tls      00000020  0004E000  00000200  00038E00  C0300040

PE-sections table of target example file after PE_RWE.HEM has run:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028874  00001000  00028A00  00000400  FF500060
2  .data     00000084  0002A000  00000200  00028E00  FF300040
3  .rdata    00008970  0002B000  00008A00  00029000  FF700040
4  .eh_fram  000065A8  00034000  00006600  00031A00  FF300040
5  .bss      00010F20  0003B000  00000000  00000000  FF700080
6  .idata    00000A68  0004C000  00000C00  00038000  FF300040
7  .CRT      00000018  0004D000  00000200  00038C00  FF300040
8  .tls      00000020  0004E000  00000200  00038E00  FF300040

Compare the <Flag> column before and after.
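The two section-table transformations shown in this post, as an added example that is not part of the thread or the plugins' own code. It packs the "before" rows above into raw IMAGE_SECTION_HEADER bytes, parses them back, applies the PE_TAILS rule (VirtSize raised to PhysSize where it is smaller) and the PE_RWE rule as it appears in the table (the top byte of the Flag field set to FF, which includes the read/write/execute bits), and adds a defender-side check that lists sections that are both writable and executable after the change.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Constructed input: the "before" rows from the tables in this post.
ORIGINAL_SECTIONS = [
    (b".text",    0x00028874, 0x00001000, 0x00028A00, 0x00000400, 0x60500060),
    (b".data",    0x00000084, 0x0002A000, 0x00000200, 0x00028E00, 0xC0300040),
    (b".rdata",   0x00008970, 0x0002B000, 0x00008A00, 0x00029000, 0x40700040),
    (b".eh_fram", 0x000065A8, 0x00034000, 0x00006600, 0x00031A00, 0x40300040),
    (b".bss",     0x00010F20, 0x0003B000, 0x00000000, 0x00000000, 0xC0700080),
    (b".idata",   0x00000A68, 0x0004C000, 0x00000C00, 0x00038000, 0xC0300040),
    (b".CRT",     0x00000018, 0x0004D000, 0x00000200, 0x00038C00, 0xC0300040),
    (b".tls",     0x00000020, 0x0004E000, 0x00000200, 0x00038E00, 0xC0300040),
]

def build_section_table(rows):
    """Pack rows into raw section-header bytes (relocation/linenumber fields zeroed)."""
    return b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, rva, psize, off,
                                0, 0, 0, 0, flags) for name, vsize, rva, psize, off, flags in rows)

def parse_section_table(blob):
    """Unpack raw section headers into dicts, the way a PE parser would read them."""
    out = []
    for i in range(len(blob) // 40):
        f = struct.unpack_from(SECTION_FMT, blob, i * 40)
        out.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "rva": f[2],
                    "psize": f[3], "offset": f[4], "flags": f[9]})
    return out

def pe_tails(sections):
    """PE_TAILS rule: VirtSize = max(VirtSize, PhysSize); .bss (PhysSize 0) is left alone."""
    return [dict(s, vsize=max(s["vsize"], s["psize"])) for s in sections]

def pe_rwe(sections):
    """PE_RWE rule as shown in the table: top byte of Characteristics becomes FF."""
    return [dict(s, flags=(s["flags"] & 0x00FFFFFF) | 0xFF000000) for s in sections]

def writable_executable(sections):
    """Defender check: names of sections that are both writable and executable."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in sections if s["flags"] & wx == wx]
```

Writable-and-executable sections are a common hunting signal for patched or packed binaries, so the last function shows what an analyst would see after PE_RWE has been applied.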





dosprog 04-08-2018 02:00

PE_ASLR.HEM PlugIn for HIEW32
for setting/clearing the "Relocations Stripped" flag in a PE-EXE file.

See Start Post



dosprog 04-09-2018 09:02

Updated:
KBD_CYR.HEM HEM-PlugIn v.0.000b - for Russifying keyboard input in HIEW32.EXE versions 7.51, 8.10, 8.15, 8.40, 8.41, 8.43, 8.63.
6 keyboard mappings available (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics).
Starts when loaded, after pressing the <F11> key in HIEW32.

Version 0.000b - added support for HIEW32.EXE v.8.63.

See ->Start Post <-



dosprog 04-09-2018 17:28

Mbytes2.HEM - HEM-PlugIn for converting a HIEW multibyte selection into "DB/DW/DD" C/Asm code.
Based on the standard HIEW32 plugin example Mbyte2c.HEM by Dmitry.Andriyankov, (c)2010.

See ->Start Post <-




an0rma1 04-19-2018 18:33

I use this plugin a lot:

DIE's plugin for HIEW
http://ntinfo.biz/index.html , check the link there.

Very useful.

kienmanowar 04-20-2018 10:59

Quote:

Originally Posted by dosprog (Post 112995)
Mbytes2.HEM - HEM-PlugIn for converting a HIEW multibyte selection into "DB/DW/DD" C/Asm code.
Based on the standard HIEW32 plugin example Mbyte2c.HEM by Dmitry.Andriyankov, (c)2010.

I pasted it into the Hiew folder, then used Hiew to load an executable file, but I don't know how to use this plugin?

Tks!

zeuscane 04-20-2018 16:52

From the Hiew External Module documentation:
"Hem modules are not loaded until the key F11 is pressed in any of the modes (Text/Hex/Code). If you were brave enough to press the key F11 and engage Hem modules, Hiew will scan a special folder and its subfolders for Hem files. For each found file Hiew loads it, looks for the exported entry point, and uses it for invoking the module initializer. Subsequent Hem menu invocations are processed without a directory scan."

zeuscane

dosprog 04-21-2018 08:16

Quote:

Originally Posted by kienmanowar (Post 113076)
I pasted it into the Hiew folder, then used Hiew to load an executable file, but I don't know how to use this plugin?

Press the <F11> key within the opened file with a range of bytes marked in it.
Then select the item in the plugins catalogue: "Marked bytes to C / Asm Source",
select the mode "Byte / Word / Dword", choose the language "C / Asm"
- the selected set of bytes will be converted into "DB" source code
and the result of the conversion will be copied into the clipboard.


kienmanowar 04-21-2018 19:33

Here is my screenshot when I loaded the file, marked a range of bytes and pressed F11, but I cannot see the "Marked bytes to C / Asm Source" option in the plugins catalogue:

https://imgur.com/a/JsWJZON

Regards,

dosprog 04-21-2018 23:21

Hmm..
I tested this -> OK.

Note: the Hiew selection of bytes must be ended by pressing <*> again.
Then the plugins that work with blocks will be present in the plugins catalogue.


dosprog 04-23-2018 08:20

Updated:
KBD_CYR.HEM HEM-PlugIn v.0.001a - for Russifying keyboard input in HIEW32.EXE (all versions).
6 keyboard mappings available (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics).
Starts when loaded, after pressing the <F11> key in HIEW32.

Version 0.001b - added support for any version of HIEW32.EXE .


See ->Start Post <-



an0rma1 04-24-2018 21:03

I found this: https://github.com/lallousx86/pyhiew

And an example that is able to retrieve results from VirusTotal: https://github.com/matrosov/pyHiew/blob/master/vt_check.py

dosprog 04-25-2018 06:41

Quote:

Originally Posted by an0rma1 (Post 113130)
I found this: https://github.com/lallousx86/pyhiew

) Mixing Python and Hiew is a delicate perversion, IMHO.

