How to edit process memory with Hiew

- Press F9 to toggle Hiew HEM modules
- Select PyHiew and then the fsPlus script

- After successful activation you should get this:

This step is required only once.

- Now press F9 to show the files list (you may want to press Alt-F4 to refresh the files list):

Processes and files will be listed along side each other. Processes will have the following format: {ProcessName.extension}.pid|{PID}. The process name and PID will be replaced with the actual process name and ID. Now you’re ready to edit the process in question. Just press ENTER to select the file!

The first few pages (virtual address 0 and on) are not mapped in processes, for this reason fsPlus will provide “virtual” information to Hiew and construct a “special” PE file header describing all the loaded modules and some textual information after that:

Pressing ENTER (to switch to Hex view) then F8 then F6 (to view the PE sections) will reveal all the loaded modules:

You may press ENTER to jump to any section in memory. In the following screenshot, we have a view crossing from one page to another. The first page is not mapped thus fsPlus will return “BAD!” whenever it cannot read memory and the following page contains the actual process memory bytes:

It is possible to copy blocks (for example to copy sections from an unpacked program), edit the process (by pressing F3) and save the changes or even achieve most of the File I/O operations you do on a normal files.

It is possible to configure fsPlus so that a folder if your choice will contain the process list (instead of having the listing showing in the current directory). For this, you need to edit the “fsPlus.ini” file:

; Specify the process hook path. The folder must *EXIST* (but not necessarily empty) and have a trailing backslash
; For example, if it can be: "C:\_processes\" or simply the current directory: ".\"

[ProcessAsFile]
ProcessDir=.\

If another folder is specified, then when you press F9 to toggle the file list in Hiew, make sure you navigate to the folder you just specified in order to get the processes list.

That’s it! If you have questions let me know.

Download the PyHiew 0.3.0 package and get started!

For this reason, I created a small PyHiew script that allows you to detect the packer directly from Hiew using a text files having the same format as PEiD’s signature database .

A PEiD signature file is essentially an INI file with the packer name as the section name and two keys: the signature key containing the byte pattern and the ep_only key (which is ignored by the PEiD.py script), example:

[Packer Name]
signature = B4 4D CD 21 E8 ?? ?? FD E8 ?? ?? B4 51 CD  21
ep_only = true

In order to run the script you need to get the latest PyHiew (PyHiew 0.2.1a) and a copy of UserDb.TXT (it used to be here http://research.pandasecurity.com/blogs/images/userdb.txt):

• Unpack the Pyhiew archive into Hiew’s folder
• Copy “UserDb.txt” to %hiew%\PyHiew
• Now open a PE file with Hiew
  • Switch to Hex view (press ENTER)
  • Press F8 to show the header info
  • Press F5 to jump to OEP
• Now press F11 to load the HEM plugins
  • Select PyHiew
  • Select PEiD script

Please note that you can configure PEiD.py to use any signature database or databases of your choice. Simply edit the script and adjust the following lines:

# Add more PEiD signatures to this list
PEID_DATABASES      = ['UserDB.TXT']

When PEiD.py parses the signature files, it will generate a cache file (peid-db.cache) so that the next time scanning will be faster. Please delete the cache file if you edit your signature files (it will be regenerated again).

And here is PyHiew’s PEiD in action:

The depth value indicates after how many bytes scanned the pattern was matched. If there is more than one match, the output window will display the rest of the matches.

In this blog post I demonstrate how to use these facilities to transfer names between IDA Pro and Hiew.

Here’s a summary of the script logic:

• A PyHiew script will act as a server
• It will display an information dialog and setups up a server socket then wait for connections
• An IDA Pro python script will act as a client to send the names from IDA to Hiew
• Hiew receives and populates the names

Using the script

Load the IDA client script (pyhiew\3rd\IDA-Names-Client.py) from the PyHiew package

A message box will show, do not close it until you proceed with Hiew

Now run Hiew and open the desired file and press F11 to toggle the HEM modules.
Select PyHiew and then the IDA-Names-Server script
The script will display a message window like this:

Depending on what you want to transfer you may press one of the function keys.

After selecting an option, Hiew will display a wait box. Now switch back to IDA and press OK to connect to Hiew and start the name transfer.

If the operation succeeds then the name count will be displayed:

In Hiew (Hex/Asm view) you may press F12 to display the name window:

That’s it! This script ships with PyHiew 0.2.1

It wraps most of the functionality present in the HEM SDK, thus allowing the users to programmatically access Hiew and do things like:

• Create windows
• Create menus
• Show messages
• Get input from user
• File I/O: Read, Write, Find
• etc…

For example, here is a “Hello world” script:

import hiew

hiew.Message(“Hi”, “Hello world!”)

To demonstrate how it works, let us download the pre-compiled package and install it:

• Unzip the package to %HIEW%
• Verify that %HIEW%\pyhiew folder exists
• Make sure that Python 2.7 is installed
• Run hiew32 against an input file
• Press F11 to launch Hiew’s the external modules browser

If other HEMs are installed they will be listed too.

Pressing ENTER to select “Python Hiew” will take you to PyHiew’s script browser:

What you see is a list of PyHiew scripts (in %HIEW%\pyhiew) that come with the package:

• ClipText: a script that allows you to copy Hiew selection to clipboard into various formats (C source, Pascal, text, …)
• Decompress: a script that will allow you to decompress a gzip compatible stream from inside Hiew
• hello: the hello world script
• test_pyshell: a simple script that allows you to execute Python statements

Let us now play with ClipText by making a block selection with Hiew and pressing F11 –> PyHiew –> ClipText

We select “Copy as C array” and press ENTER:

To verify that it works, let us open a text editor and paste from the clipboard:

It works!

Let us now run the Decompress script by first loading a PDF file that got some streams with FlateDecode filter:

We manually select the stream (we don’t have to if we write a small script that detected the boundaries for us) and press F11 –> PyHiew –> Decompress:

The script will ask for an output file name, and after that we can open that file and verify if decompression went okay:

Neat huh?!

If you’re curious, here’s the Decompress.py source code:

That’s it for now. Make sure you refer to the “doc” folder if you want to write your own scripts.

A discussion group has been created to share useful scripts and address technical problems.

Last but not least, for those who do not know, you can have process editing facilities in Hiew simply by using my old utility Hiew+  (which still works with the latest versions of Hiew). Get it from http://lgwm.org/projects/hiewplus/.

Stay tuned!
Elias