Xvi32




Another tool for viewing files on Windows in hexadecimal format is xvi32, which is freely available. Like frhed, it uses a graphical user interface (GUI). Xvi32 seems to be a little more limited in its functionality because it does not have the option of partially opening files as frhed does, but other than that it seems to compete well.

You can download xvi32 from http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm.

Implementation

Double-click the xvi32 icon after you unzip the distribution. Choose File | Open and then select the file suspiciousfile.bin to open the xvi32 hex editing interface.

Because an analyst typically only views the contents of files, only the search function is presented in this section. It is much simpler to use than frhed's in that no encoding is involved to search for hexadecimal bytes. To search for ASCII and hexadecimal within the contents, choose Search | Find to open the Find dialog box.

Notice the option labeled Joker Char Hex. This is the hexadecimal representation of a character that will match any character. In this example, 0x2E represents a “.”. By placing a “.” in the search criteria, we tell xvi32 that any character can match at that position. Not only will xvi32 find text strings, but it can also find hexadecimal strings.

To have xvi32 find a hexadecimal string, select the Hex String option in the Find dialog box and fill in the search criteria. Again, if a match is found, the matching bytes are highlighted in the viewing window.
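The joker-character search described above can be reproduced in a script when a file has to be triaged without the GUI. The following is an added example, not xvi32's code: the function names are hypothetical, the sample bytes are constructed, and it assumes the joker applies to hex-string searches the same way it does to text searches.

```python
"""Wildcard ("joker") byte search, modelled on the Find dialog described above."""

JOKER = 0x2E  # "." -- the joker value used in the page's example


def parse_hex_string(text):
    """Turn a hex string such as 'DE 2E BE EF' into bytes."""
    return bytes.fromhex(text)


def find_all(data, pattern, joker=JOKER):
    """Return every offset where pattern matches data.

    A pattern byte equal to `joker` matches any byte; pass joker=None
    to search for the pattern literally.
    """
    if not pattern:
        return []
    hits = []
    for off in range(len(data) - len(pattern) + 1):
        window = data[off:off + len(pattern)]
        if all(p == joker or p == b for p, b in zip(pattern, window)):
            hits.append(off)
    return hits


def hexdump_line(data, offset, width=16):
    """Format one hex-editor style row starting at offset."""
    row = data[offset:offset + width]
    hexpart = " ".join(f"{b:02X}" for b in row)
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
    return f"{offset:08X}  {hexpart:<{width * 3}} {text}"


# Constructed sample standing in for suspiciousfile.bin (not real data).
SAMPLE = b"MZ\x90\x00cmd.exe /c\x00cmdXexe\x00\xde\xad\xbe\xef\x00\xde\x01\xbe\xef"

if __name__ == "__main__":
    for label, pat, jk in [
        ("text, joker on", b"cmd.exe", JOKER),
        ("text, joker off", b"cmd.exe", None),
        ("hex, joker on", parse_hex_string("DE 2E BE EF"), JOKER),
    ]:
        offsets = find_all(SAMPLE, pat, jk)
        print(label, [f"0x{o:X}" for o in offsets])
        for o in offsets:
            print("  " + hexdump_line(SAMPLE, o))
```

With the joker enabled, the text search for `cmd.exe` also hits `cmdXexe`, which is why a literal “.” cannot be searched for while 0x2E is the joker value.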






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189
