EXETOOLS FORUM  

#1  dosprog, 04-01-2018, 22:24
HIEW32 Plugins Collection

Simple useful plugins for HIEW32, created 2017:
----------------------------------------------

CRACK.HEM HEM-PlugIn - compares binary files. Reports differences as CRK-file for using with CRACKER.EXE.
Adds to CRK as comment all available defined HIEW32 labels/names.
(Original idea by Jupiter).

GOTO.HEM HEM-PlugIn for locating some positions in MZ & PE-EXE.

PE_RWE.HEM HEM-PlugIn - sets attributes of all sections in PE into r/w/e. (See comment at post#3)
(Original idea by me).

PE_TAILS.HEM HEM-PlugIn - corrects "tails of sections" in PE. (Sets VirtSize>=PhysSize for all) (See comment at post#3)
(Original idea by me).

PE_HINTS.HEM HEM-PlugIn - for correcting import hints in 32-bit PE-file.
(Original idea by FalseMaster:
Discussed here: https://exelab.ru/f/index.php?action=vthread&forum=3&topic=24033
).

PE_OVL.HEM HEM-PlugIn - Manipulates the PE-file Overlay.

PE_ASLR.HEM HEM-PlugIn - Sets/Clears RelocationsStripped Bit in PE-header.

BLOCK.HEM HEM-PlugIn - operations with Block (Xor,Add,Sub string or file) (16Mb max.).
(It's minor modification of standard HEM-plugin example).

BL_MD5.HEM HEM-PlugIn - calculates MD5 sum of marked block (16Mb max.)

MBYTES2.HEM HEM-PlugIn - Converts selected block of bytes into C/Asm "DB/DW/DD" code. Paste it from Clipboard.

KBD_CYR.HEM HEM-PlugIn - for Russifying keyboard input in HIEW32.EXE.
6 keyboard mappings available (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics)
Starts when loaded, after pressing the <F11> key in HIEW32.
(Original idea by me).
KBD_CYR.PNG - optional - Simple picture-help for KBD_CYR.HEM keyboard switcher.




---------------------------------------
1st released here:
https://exelab.ru/f/index.php?action...5147&page=6#22


See attached archive (Updated 23 June 2018)



Attached Files
File Type: rar HEMS.RAR (54.6 KB, 1 views)

Last edited by dosprog; 06-24-2018 at 02:54.
#2  dosprog, 04-01-2018, 22:40
Fix to HIEW32.EXE v.8.43 for caching of GOTO address

Fix to HIEW32.EXE v.8.43 for caching of GOTO address (when <F5> pressed).

File HIEW32.EXE v.8.43 must be unpacked.
Use CRACKER.EXE with given patch file "GOTO_843.CRK".

Discussed here:
https://exelab.ru/f/index.php?action...5147&page=6#11


--Add--
This feature is already implemented in the new HIEW32 v.8.60.


Attached Files
File Type: rar GOTO_843.RAR (2.5 KB, 17 views)

Last edited by dosprog; 04-09-2018 at 18:04.
#3  dosprog, 04-02-2018, 17:13
===================================
Comment for HEM-plugin PE_TAILS.HEM
===================================

Original PE-sections table of target example file:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028874  00001000  00028A00  00000400  60500060
2  .data     00000084  0002A000  00000200  00028E00  C0300040
3  .rdata    00008970  0002B000  00008A00  00029000  40700040
4  .eh_fram  000065A8  00034000  00006600  00031A00  40300040
5  .bss      00010F20  0003B000  00000000  00000000  C0700080
6  .idata    00000A68  0004C000  00000C00  00038000  C0300040
7  .CRT      00000018  0004D000  00000200  00038C00  C0300040
8  .tls      00000020  0004E000  00000200  00038E00  C0300040

PE-sections table of target example file after PE_TAILS.HEM working:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028A00  00001000  00028A00  00000400  60500060
2  .data     00000200  0002A000  00000200  00028E00  C0300040
3  .rdata    00008A00  0002B000  00008A00  00029000  40700040
4  .eh_fram  00006600  00034000  00006600  00031A00  40300040
5  .bss      00010F20  0003B000  00000000  00000000  C0700080
6  .idata    00000C00  0004C000  00000C00  00038000  C0300040
7  .CRT      00000200  0004D000  00000200  00038C00  C0300040
8  .tls      00000200  0004E000  00000200  00038E00  C0300040

See column <VirtSize> ~before & ~after.




===================================
Comment for HEM-plugin PE_RWE.HEM
===================================


Original PE-sections table of target example file:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028874  00001000  00028A00  00000400  60500060
2  .data     00000084  0002A000  00000200  00028E00  C0300040
3  .rdata    00008970  0002B000  00008A00  00029000  40700040
4  .eh_fram  000065A8  00034000  00006600  00031A00  40300040
5  .bss      00010F20  0003B000  00000000  00000000  C0700080
6  .idata    00000A68  0004C000  00000C00  00038000  C0300040
7  .CRT      00000018  0004D000  00000200  00038C00  C0300040
8  .tls      00000020  0004E000  00000200  00038E00  C0300040

PE-sections table of target example file after PE_RWE.HEM working:

N  Name      VirtSize  RVA       PhysSize  Offset    Flag
1  .text     00028874  00001000  00028A00  00000400  FF500060
2  .data     00000084  0002A000  00000200  00028E00  FF300040
3  .rdata    00008970  0002B000  00008A00  00029000  FF700040
4  .eh_fram  000065A8  00034000  00006600  00031A00  FF300040
5  .bss      00010F20  0003B000  00000000  00000000  FF700080
6  .idata    00000A68  0004C000  00000C00  00038000  FF300040
7  .CRT      00000018  0004D000  00000200  00038C00  FF300040
8  .tls      00000020  0004E000  00000200  00038E00  FF300040

See column <Flag> ~before & ~after.





Last edited by dosprog; 04-02-2018 at 19:34.
#4  dosprog, 04-08-2018, 02:00
PE_ASLR.HEM PlugIn for HIEW32
for setting/clearing the flag "Relocations Stripped" in a PE-EXE file.

See Start Post



Last edited by dosprog; 06-09-2018 at 15:15.
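Added example, not code from the thread or from dosprog's HEM plugins: a small pure-Python PE section-table reader that reproduces what the before/after tables in post #3 show (PE_TAILS.HEM raising VirtSize to PhysSize, PE_RWE.HEM setting the top byte of the section flags to FF) and reads the "Relocations Stripped" header bit that PE_ASLR.HEM from post #4 toggles. The constants are the standard winnt.h values; the sample PE is a constructed header-only image built from the section values in post #3, and the function names are my own. Besides mirroring the plugins it adds the check a defender actually wants from such a table: which sections end up both writable and executable.

```python
"""Added example, not part of dosprog's HEM plugins: a minimal PE section-table
reader that reproduces the before/after tables from post #3 and reads the header
bit that post #4's PE_ASLR.HEM toggles.  Constants are the standard winnt.h
values; the sample PE below is a constructed header-only image."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # the "Relocations Stripped" bit PE_ASLR.HEM sets/clears
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

# Constructed sample: (Name, VirtSize, RVA, PhysSize, Offset, Flag) copied from
# the "original" table in post #3.
SAMPLE_SECTIONS = [
    (b".text",    0x00028874, 0x00001000, 0x00028A00, 0x00000400, 0x60500060),
    (b".data",    0x00000084, 0x0002A000, 0x00000200, 0x00028E00, 0xC0300040),
    (b".rdata",   0x00008970, 0x0002B000, 0x00008A00, 0x00029000, 0x40700040),
    (b".eh_fram", 0x000065A8, 0x00034000, 0x00006600, 0x00031A00, 0x40300040),
    (b".bss",     0x00010F20, 0x0003B000, 0x00000000, 0x00000000, 0xC0700080),
    (b".idata",   0x00000A68, 0x0004C000, 0x00000C00, 0x00038000, 0xC0300040),
    (b".CRT",     0x00000018, 0x0004D000, 0x00000200, 0x00038C00, 0xC0300040),
    (b".tls",     0x00000020, 0x0004E000, 0x00000200, 0x00038E00, 0xC0300040),
]


def build_sample_pe(characteristics=0x0102, sections=SAMPLE_SECTIONS):
    """Build a header-only PE32 image (constructed test input, not a real binary):
    DOS header with e_lfanew, PE signature, file header with an empty optional
    header (SizeOfOptionalHeader = 0), then the section table."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack(FILE_HDR, 0x014C, len(sections), 0, 0, 0, 0, characteristics)
    table = b"".join(struct.pack(SECTION_HDR, n, vs, rva, ps, off, 0, 0, 0, 0, fl)
                     for n, vs, rva, ps, off, fl in sections)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + table


def read_sections(data):
    """Walk MZ -> e_lfanew -> PE -> section table; return (FileHeader.Characteristics, sections)."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    _, nsec, _, _, _, opt_size, characteristics = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(FILE_HDR) + opt_size
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, data, table + i * struct.calcsize(SECTION_HDR))
        secs.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                     "vsize": f[1], "rva": f[2], "psize": f[3], "offset": f[4], "flags": f[9]})
    return characteristics, secs


def tails_fix(secs):
    """PE_TAILS.HEM behaviour: VirtSize becomes >= PhysSize for every section."""
    return [dict(s, vsize=max(s["vsize"], s["psize"])) for s in secs]


def rwe_fix(secs):
    """PE_RWE.HEM behaviour as post #3's table shows it: the top byte of the
    section Characteristics becomes 0xFF, which includes read/write/execute."""
    return [dict(s, flags=s["flags"] | 0xFF000000) for s in secs]


def rwx_sections(secs):
    """Defender check: names of sections that are both writable and executable
    (normal compiler output has none; packed or patched files often do)."""
    return [s["name"] for s in secs
            if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE]


def relocs_stripped(characteristics):
    """True when IMAGE_FILE_RELOCS_STRIPPED is set (the loader cannot relocate the image)."""
    return bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)


def format_table(secs):
    """Render the sections in the layout of the post's tables."""
    rows = ["N  Name      VirtSize  RVA       PhysSize  Offset    Flag"]
    for i, s in enumerate(secs, 1):
        rows.append("%d  %-8s  %08X  %08X  %08X  %08X  %08X"
                    % (i, s["name"], s["vsize"], s["rva"], s["psize"], s["offset"], s["flags"]))
    return "\n".join(rows)


if __name__ == "__main__":
    chars, secs = read_sections(build_sample_pe())
    print("RelocationsStripped set:", relocs_stripped(chars))
    print("Original:\n" + format_table(secs))
    print("After PE_TAILS:\n" + format_table(tails_fix(secs)))
    print("After PE_RWE:\n" + format_table(rwe_fix(secs)))
    print("W+X sections after PE_RWE:", rwx_sections(rwe_fix(secs)))
```

Run against the constructed sample, the "original" table has no writable-and-executable section, while after the PE_RWE transform every section is one; that is exactly why a file that has been through such a plugin stands out to a scanner, and why the same check is worth running on anything that arrives for analysis. The reader takes any file bytes, so pointing read_sections at a real PE read from disk works the same way.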
#5  dosprog, 04-09-2018, 09:02
Updated:
KBD_CYR.HEM HEM-PlugIn v.0.000b - for Russifying keyboard input in HIEW32.EXE vv.7.51, 8.10, 8.15, 8.40, 8.41, 8.43, 8.63.
6 keyboard mappings available (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics)
Starts when loaded, after pressing the <F11> key in HIEW32.

Version 0.000b - added support for HIEW32.EXE v.8.63.

See ->Start Post <-



Last edited by dosprog; 06-09-2018 at 15:21.
#6  dosprog, 04-09-2018, 17:28
Mbytes2.HEM - HEM-PlugIn for converting HIEW multibyte selection into "DB/DW/DD" C/Asm code.
Based on the standard HIEW32 plugin example Mbyte2c.HEM by Dmitry Andriyankov, (c) 2010.

See ->Start Post <-




Last edited by dosprog; 06-09-2018 at 15:21.
#7  an0rma1, 04-19-2018, 18:33
I use this plugin a lot:

DIE's plugin for HIEW
http://ntinfo.biz/index.html, check the link there.

Very useful.
#8  kienmanowar, 04-20-2018, 10:59
Quote:
Originally Posted by dosprog
Mbytes2.HEM - HEM-PlugIn for converting HIEW multibyte selection into "DB/DW/DD" C/Asm code.
Based on the standard HIEW32 plugin example Mbyte2c.HEM by Dmitry Andriyankov, (c) 2010.
I pasted it into the Hiew folder, then used Hiew to load an executable file, but I don't know how to use this plugin?

Tks!
#9  zeuscane, 04-20-2018, 16:52
By Hiew External Module
"Hem modules are not loaded until the key F11 is pressed in any of the modes (Text/Hex/Code). If you were brave enough to press the key F11 and engage Hem modules, Hiew will scan special folder and its subfolders for Hem files. For each found file Hiew loads it, looks for exported entry point, and uses it for invoking module initializer. Subsequent Hem menu invocations processed without directory scan. "

zeuscane
__________________
"Educate yourselves because we'll need all your intelligence.
Stir yourselves because we'll need all your enthusiasm.
Organize yourselves because we'll need all your strength."
#10  dosprog, 04-21-2018, 08:16
Quote:
Originally Posted by kienmanowar
I pasted it into the Hiew folder, then used Hiew to load an executable file, but I don't know how to use this plugin?
Press the <F11> key within the opened file with a marked range of bytes in it.
Then select the item in the plugins catalogue: "Marked bytes to C / Asm Source",
select mode "Byte / Word / Dword", choose language "C / Asm"
- the selected set of bytes will be converted into "DB" source code
and the result of the conversion will be copied to the clipboard.


Last edited by dosprog; 04-21-2018 at 16:02.
#11  kienmanowar, 04-21-2018, 19:33
Here is my screenshot when I loaded the file, marked a range of bytes and pressed F11, but I cannot see the "Marked bytes to C / Asm Source" option in the plugins catalogue:

https://imgur.com/a/JsWJZON

Regards,
#12  dosprog, 04-21-2018, 23:21
Hmm..
I tested this ->Ok<-.

Note: the Hiew selection of bytes must be ended by pressing <*> again.
Then the plugins that work with blocks will be present in the plugins catalogue.


Last edited by dosprog; 04-22-2018 at 01:21.
#13  dosprog, 04-23-2018, 08:20
Updated:
KBD_CYR.HEM HEM-PlugIn v.0.001a - for Russifying keyboard input in HIEW32.EXE (all versions).
6 keyboard mappings available (LAT, RUS/UKR DOS/WIN, and DOS-ps.graphics)
Starts when loaded, after pressing the <F11> key in HIEW32.

Version 0.001b - added support for any version of HIEW32.EXE.


See ->Start Post <-



Last edited by dosprog; 06-09-2018 at 15:22.
#14  an0rma1, 04-24-2018, 21:03
I found this: https://github.com/lallousx86/pyhiew

And an example able to retrieve results from virustotal: https://github.com/matrosov/pyHiew/blob/master/vt_check.py
#15  dosprog, 04-25-2018, 06:41
Quote:
Originally Posted by an0rma1
I found this: https://github.com/lallousx86/pyhiew
) Mixing python and hiew is a delicate perversion, IMHO.

All times are GMT +8.