First Responder Hex Workshop Overview Lab

FacebookTwitterGoogle+LinkedInEmail
Description
In this lab, we introduce you to Hex Workshop, a software tool used to edit the hex decimal information of a file. It takes you thru the install and config process, selects a number of the components and screen views and how to specific a wide variety of criteria to get started in your file analysis. You’ll observe and learn now to decipher the hex information of a given file, learn all the data displayed such as registry settings, and much more. [toggle_content title="Transcript"] Hi, Leo Dreiger here. I want to talk about, uh, Hex Workshop. Um, it's a relatively easy program to use to edit, uh, files and look at all the hexadecimal information inside of a file. So I want to run through the install, uh, real quick. You can choose to remove older versions if you like or install it side by side with other versions. Uh, I prefer that you, uh, remove the older versions. Accept the terms of conditions, do a complete install, and then go ahead and let it run. It generally only takes, oh, about a minute or so to run through the install. Most of it's just going to be just copying files. As you can see it's going to fly by through the install, add on icon to the desktop, and it will prompt you for reboot once you are finished installing this, this program. Um, you can either reboot or not reboot. I've had it work successfully, um, both ways. Um – we don't need to review the read-me file here. You want to restart? You can select no and at this point, we should have a Hex Workshop icon right on our desktop. So we'll go ahead and open that up, and here we go. So in this program, I'll give you, uh, um, a little overview of it and then we'll go grab a file, uh, which we can use, right? So this is our – basically our, our data visualization, um, window here. We have the different structures that will come down in here, and then we can compare results to the right here. Through the file menu, uh, you can import information if you already have it. You can set up a new page. You can open a particular drive, if you like. You can, um, do some basic customization in terms of options; for example, um, byte order, uh, versus offsets. Uh, it just really depends on the different types of files that you're using when you would choose these or not. You've got the, the different windows which you can view. These all correlate to the different windows right down here. So uh, for example, if you go to Data Inspector, you can see that, that adds, um, the Data Inspector window over here. You can go to the Expression Calculator. You can see where that turns off. So this is just a good idea to kind of learn what's what within this program, okay? And then of course, you can resize windows accordingly and things like that. You can do the Data Visualization window to your left here. You can, uh, show the Structure Viewer, which is down in the bottom. You can see that turn on and off, alright? So that's your Structure window. You can go down to the Results; that would have been the window to the right. You can go down here to the status bar, which is at the very, very bottom, okay? So it's right here, just says ready. I generally leave that on because, you know, for things like, you know, file size and things like that, that's helpful. Uh, you can also have a preference menu here. Uh, and I typically like programs that are laid out with the menus like this because you can go through and select everything from fonts, and colors, uh, different themes, uh, which I, I never really messed with any of that; um, different paths, different advanced option. So when you go through this the first time, you may want to just kind of go through this and get an idea of this stuff that in itself. You can choose what you want to import, whether it be C source code, or HTML, or Java, or rich text, or text document, etc, etc, etc, okay? And then different plugins and the – we're not going to cover any of those here and now, uh, but if you did have plugins, that's where you would put them. So we're going to go to Open, okay? And there's a variety of things that you can analyze with, with this tool. Like for example, if I want to start with the dll, we can open up that dll, and you will have the different, um, fields here, the different columns, if you will. If you notice when I click on five and six here, notice that changes five and six here, okay? So that will go along accordingly. So if you actually want to map it to exactly where it is and determine exactly what gets, um, changed where, you absolutely can do that. Also, notice as I'm clicking through here, notice that the offsets, um, change as well, okay? So you can, you can see that. You can see the different, uh, offsets, and go down, and look at everything from DOS dates, to time stamps, to what does the binary look like and things like that, alright? Um, so that would be, a, a basic dll, you know, and then the first thing I would say, just to get an idea of what a dll does is, you know, just kind of scroll through and look for some text, uh, in this section here. So you can see it pulled out, you know, a little bit of code, um, look for example, clear last error, you know, get last error, uh, get raw mode, right? So it does pull some, some regular text out. You may see things like in a registry settings, or reference to other dlls, and files, and things like that, okay? So that's there. You can see a little bit of code, you know, assembly, um, XMLNS. You are in the universal, uh, resource naming scheme, alright? So we can pull XML information out. You can see some padding, padding, padding, padding, padding, padding, padding, padding all the way through here. So something like that, uh, is pretty indicative and uh, this is something would, like, repeat over, and over, and over again so you can see 50, 41, 40, uh, etc. And you can see those patterns. Uh another way to kind of make it easier to look at it if you just do padding XX and then padding XX, right? You can kind of see how it wraps around, alright? Um, so that would be a dll file. Now let's go open up, uh, you know another type of file, alright? So let's go grab the calculator, alright? So this is more of an executable. Um, this program cannot be run in DOS mode, alright? Because it's one, GUI-oriented. You can see that it'll pull out the different text and some different code here. In, in later labs, we're going to get a little creative with this tool. Right now, I just want to give you an overview of how this tool works, uh, because it's a, it's a little – um, it's, it's definitely a new way of looking at a file, uh, in terms of like the grand scheme of things. So the first time I showed this tool to people, people were like you know, wow, that's cool. I've no idea what I'm supposed to do with this. So we'll kind of cover what you can do with it in, in other labs. Right now I just want to kind of give you the, the brief overview of how actual – the tool's laid out and can work, and in lies a few different files, okay? So you can see the calculator references, an OCX file, uh, for processor information. You can pull some text out of this. There's a whole bunch of text down here, alright? Um, but any, any sort of pattern or any, anything that's reference able, you know, that's what I would certainly note at, at this point. Um, here you can see basically a repeating, you know, pattern 32, 32, 32, 32, 32, uh, over, and over, and over again, right? So that's more of what executable would look like in this – in a file. Also, note, like, the Data Viewer. This is kind of convenient to pop out here. Uh, if you look at the Data Visualizer; the different types of information here kind of gives you a, an idea of what it would look like, uh, to show you the different trends and patterns. So you can kind of go down here and you know, look at this blue and say okay well, you know what? That actually correlates, um, uh, to text and then interestingly enough, it pulls out a URL, uh, right here, which is a thought over at Thought.com. Or for – I maybe go down here to the other blue section. You can see OCSP, Online Certificate Status Protocol, um, Verisign, right? So that's another certificate piece here. Or maybe come down here to this blue section, or maybe look at a green section, okay? So any, any, uh, blue or green is probably going to be some good places to look as opposed to like, um, other parts which are not as interesting to look at. So that's a, a program. Now let's go open up, um, maybe a, a picture, alright? So we're going to come down here. I'm going to go into, um, Windows and, uh, let's see if we can't make this a little bigger here. Uh, you can sort by type here. That's helpful to do. So we – we're clearly not going to do any of the folders, but there's other applications. So um, uh, well, let's start with the easy stuff here. Here's Notepad, right? If you want to open up Notepad and see what that looks like, um, and look at your Data Viewer first, you can say wow, that's a different pattern here, and you can poke around, uh, inside there to see, you know, what this stuff looks like. So you can start seeing some text pop out and things like that as opposed to if you go down here, uh, you, you get some letters and numbers but nothing really interesting, okay? So something as simple as Notepad, and then we can go ahead and open up – uh, let's go down here, uh, regular text to documents, uh, as opposed to the Notepad program, okay? So you can go Data Viewer here and you can see a whole bunch of green here, which is, you know, green is going to be the, uh, text. And you can zoom in, you can zoom into that, if you like, or you can zoom out. That's uh, definitely something helpful that I, I frequently do, alright? So – or zoom in 100%, zoom 100% out, uh, and also you can do it segmented in terms of a palette. You can do it gray scale if you like. Uh, I typically don't like gray scale realistically at all. I'd rather see the colors personally, okay? So let's go get another file, and then you can see that, uh – well, let's actually go get, uh, a picture, alright? So if you wanted a picture, the easiest thing to go do that, I would say, is go down to your C drive and then search for, you know, star.PNG or something like that, or JPEG, PNG. Let it search your hard drive, uh, and then basically just find any one of these pictures, uh, here and then just find out what the location is, alright? So um, this one you could do. Let's see, uh, I want to see the option Open, uh, File Location here, okay? So here you go, here's some, here's some pictures. And then up here, you can get the, the full path to where that is. So we're going to kind of mirror these, uh, just for a second here and then you can get the idea. So let me close out of that. Let me get this open here. Um, and then see if I can't get this displayable in a nicer way. So let's do an Open, okay? And so this is going to be – we're going to go to Windows when – alright, so let's just start here, Windows, WINSSX. Alright so we're going down in here, uh and then we can grab – bear with me here, uh, because, you know, this is very much what you end up doing, uh, when you're looking for something. So we're going to grab, uh, X86, uh, directory, uh, and there's going to be several of them. So we actually have to find the right one here. Probably have picked a picture with an easier – so this is going to be X86_Microsoft Windows. Um, or you know what? Maybe we can cheat here. If I go back to this, copy that path location, and then here go, directly to it, yay. So what I did, uh, if you want to file alone there I just went to Explore, found the file that I want, and then went into the open dialog box, pasted it right in here, and it goes and finds it right away. And so any one of these pictures is going to be fine to see what a picture looks like. So go ahead and, um, you know, click Open, okay? And so it looks like I actually grabbed the, uh, BMP file, and I know – well, that's – I have a PNG highlighted, but you'll notice right here, uh, in the beginning of the file, it should tell us the, uh, file type right above here. Uh, yeah, in the beginning because every file has a beginning header portion of the file and in some cases, you can simply duplicate, um, that particular file. And so yeah, I'd recognize it was a BMP because I saw a BM8, but another way to kind of find that out is if you just highlight over the tab down here and then look at the full extension. At the very, very end, um you'll actually see that it's a, uh WMPNSS_32, uh, .BMP, uh, but again like I said, I will just happen to recognize that that way. So this particular, uh, BMP file, uh, if we had a problem with that – let's say it was corrupt or something like that, we can actually just replace the header of the BMP file, uh, just as easier just like that, alright? Then if you wanted to see what the, you know, these different types of files do, uh, I can just open them up and kind of play through them in any editor, um, and just kind of play through them so they look like, uh, it just happened to be in a Windows icon, uh, directory of sorts, okay? So uh, I'm just scrolling through just to show you kind of, but I am in a picture directory, alright? What we can – we can close out of that because we don't need to see the picture viewer ,per se. Um, so that's basically it. You know, that, that's where you're going to spend a lot of your time just getting familiar with the program. So all I did is, is go in, go to file, um, and then open up, uh, you know, dlls, calculators, Notepad, um, a log file, uh, setup, backed up log, uh, a picture, and get the basic feel for what this looks like from a hexadecimal point of view, alright? And then later, we'll start actually using this program to do, I don't know, some cooler stuff. I, I'll just leave it at some cooler stuff. Um, but for right now, I, I – you know, the objective would be I, like, just want you guys to get useful – to analyzing the, the program, um, because there's definitely some, some other features that, that you can do, okay? So that's it for now. Um, get used to Hexadecimal Workshop. It's something that you'll probably use quite frequently once we get into some of the advanced labs with it, uh, but for right now, just want to get you guys setup, understand how to install it, how to look at it, and get you some basic navigation of how to actually use it, and then we can make some, some sense out of this as we go. So thanks for watching. My name is Leo Dreiger, and I'll see ya in the next video. Hey, and don't forget to check us out on Facebook, LinkedIn, YouTube, and Twitter. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel