Hiew+ – Editing process memory with Hiew hex editor

What’s is Hiew+

Hiew+ is based on the FsPlus project. FsPlus is an implementation of an idea that allows you to access non disk files as if they were disk files. Hiew+ is a real life example of FsPlus where we take Hiew (an excellent hex editor) and turn it into an excellent process editor. Each process will be view as a file with a size as much as SYSTEM_INFO.lpMaximumApplicationAddress returns. In theory FsPlus should work with any hex editor to provide process memory editing, but this release is just Hiew ready.

Hiew+ editing the process memory of a process being debugged by IDA Pro

Usage

To use FsPlus, you need to inject FsPlus.dll into Hiew’s process memory so that the APIs are hooked. After APIs are hooked, FsPlus will recognize and treat in a different manner any file name that has the following form: “pid|1234” where 1234 is a given PID. To make the usage even simpler, we provided a small GUI (FsPlusGui) to allow you launch Hiew conveniently.

In fact, Hiew+ can be considered as a nice addition to IDA Pro‘s debugger or any other debugger. Here’s a small screenshot when you run FsPlusGui:

You will need to double click on a process to have Hiew or the desired process launched.
Make sure you specify the settings correctly in FsPlus.ini:

[settings]
title=Hiew+ (c) lallous <lallousz-x86@yahoo.com>
hookdll=.\fsPlus.dll
launch=c:\hiew\hiew32.exe

Features

After you run it successfully, you will be able to start editing processes as if you were editing files. The catch is every process virtual address is now a physical offset in Hiew.

Modules as IMAGE_SECTION_HEADERs

For your convenience we have created additional IMAGE_SECTION_HEADER structures in the PE header of the main process, so that each loaded module is view as a PE section:

Textual information about process’ modules

In addition to view modules as PE sections, you will have an actual representation of all loaded modules just after the end of the PE header:

flower separator
batchography-good-resDo you want to master Batch Files programming? Look no further, the Batchography is the right book for you.

Available in print or e-book editions from Amazon.
flower separator

No Read Errors

To avoid reading errors and such, any unreadable memory page is filled with “BAD!” pattern.

Physical and Logical disk editing

This is not something added by FsPlus, rather it is a “less” documented feature of Hiew32 where you can run it with a disks device name and have it edit the disk. Using the provided GUI you can easily do just that.

Conclusion

Download – Release date: late 2008

This tool has been tested with Windows Vista (32) and Windows XP SP2 and with Hiew 7.29.
Hope you find this tool useful as Hiew itself.
Note: Please don’t contact me if you run into trouble. This tool is no longer supported.

You might also like:

Batchography: Embedding an executable file in a Batch script

batchography-good-resIn this blog post, I am going to share with you a recipe from the Batchography book that illustrates and explains in details how to embed executable files in the Batch file script and execute them after they are dropped.

This technique does not rely on using a polyglot Batch file where its first part is actually a Batch script and the other part is a VBS or JScript script. If you want to learn more about how to write polyglot Batch scripts, please refer to Chapter 4 in the Batchography book.

flower separator

Get the book from Amazon: the print editionbtn-buy-on-amazonor the e-book editionbtn-buy-on-amazon

flower separator

Continue reading

How to check who logged in and when via Windows Remote Desktop

Hello,

Remote Deskop is a nice facility built-in Microsoft Windows from XP and up.

You can use it to remotely administer your computer or simply do programming work.

Many times you may want to keep track and see who is logging into your PC for security reasons. This article will show you how. Let’s proceed!

rdp-cover Continue reading

How to capture and analyze HTTP/HTTPS from your smartphone or tablet using Fiddler

Hello,

In the previous article, I showed you how to capture traffic from WiFi devices. In this article, I will illustrate how to capture HTTP/HTTPS traffic using Fiddler.

This skill is very useful for web programmers or security engineers who want to debug their application or audit third party applications that use web services over an encrypted channel. Let’s get started! Continue reading

How to capture all network traffic going through your smartphone/tablet/laptop or other wireless devices

Hello,

In this blog post, I am going to show you how to record all inbound and outbound network traffic from a wireless device (smartphone, tablet, laptop, etc…).

People desire to capture traffic for many reasons, namely for/by:

  • Security Auditing and penetration testing
  • Programmers and testers
  • Application protocol analysis and recovery
  • etc…

Let’s get started! Continue reading