There are different levels to things. From cakes to threat levels, we tend to categorize things. Sometimes there are objective tests to apply, and sometimes we decide on our own, based purely on gut instinct, which level something fits into.
Today’s cool tool is HxD, a hex editor that works on files and directly on the disk. Even though my favorite sister-in-law really enjoys these Cool Tool Tuesday posts, I’m going to classify this tool as seriously geeky. Angie, you have been warned.
HxD is a power tool. It’s available in 18 different languages, in case you want to show off your knowledge of Slovakian (or Slovenian). It can edit files, disk addresses, or even memory. It can be installed as an application, or run portably. It allows you to update files or locations on disk, and it lets you play it safe by opening a file in read-only mode, protecting you from yourself.
Once you open up a file, you see all the inside parts that are normally hidden. Notepad++ shows that readme file and interprets the lines the way a human would.
But when you open it in HxD, it shows the carriage return and line feed (0D 0A) that are part of the data:
In looking at the twiddly knobs, you also get to choose how wide you want to see the data, what format it’s in, and what representation you’re comfortable with.
In the show-off category, HxD can do analysis of character frequency in your file. I have the “E” bar highlighted.
The tall bar on the left is the space character. The twin towers are CR and LF. The program can also do simple file comparisons. Here’s the readme and the license file compared, with the first mismatch highlighted.
This would work best when the files are close but not identical.
But enough frou-frou. Does this thing do what it’s supposed to do? Yes, it does. And well.
For a test, I want to see if I can change the binary program. I do a search on the “HxD -” of the title, and locate it.
Looks to me like Steve would fit in there. But when I try, I get busted:
That’s right. I did tell it “read-only”, didn’t I? Good job, HxD! And due to operating system limitations, I can’t edit the program using the program, since it’s in use by another process. Okay, let’s find another way to skin this cat, digging a little more dangerously. Let’s see what we can find on the disk.
Under Extras you will find Open disk.
Notice that Readonly is checked. This is intentional, and is meant for my own protection. If I were doing some serious work, instead of demonstrating capabilities, I’d uncheck the box. And triple-check my work.
Opening up the C: drive provides a look at the boot manager.
I know my way around this logically, but not physically. That’s lower level than I want to get. But since I’m here, I may as well look around a bit.
Except that a search of a terabyte disk for the characters HxD.exe will take a while.
I shall stipulate that it works. So on to the last frontier: editing memory. Again under Extras. Here the program makes assumptions: you don’t want to go rampaging randomly through memory, but rather work on a specific program in memory.
The other thing I notice is that HxD does not let you edit itself.
Another great idea, down in flames. I’ll try IrfanView. Something simple – not replacing any code, but replacing the Thanks in the help.
Locating it is a bit difficult, since each letter of the words is followed by a null byte, probably for Unicode.
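As an added illustration (not from the original post, and not HxD's own code), this Python sketch shows why a plain text search can miss such a string: it looks for the same word both as single-byte ASCII and as UTF-16LE, where every letter is followed by a 00 byte. The sample buffer and the function names are constructed for the example.

```python
def find_text(data: bytes, text: str):
    """Return sorted (offset, encoding) hits for text stored as ASCII or UTF-16LE."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = text.encode(encoding)      # UTF-16LE puts 00 after each ASCII letter
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, encoding))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def hex_row(data: bytes, offset: int, width: int = 16) -> str:
    """Format one hex-editor style row: offset, hex bytes, printable characters."""
    chunk = data[offset:offset + width]
    hex_part = " ".join(f"{b:02X}" for b in chunk)
    text_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08X}  {hex_part:<{width * 3 - 1}}  {text_part}"


# Constructed sample: the same word stored once as UTF-16LE and once as ASCII,
# followed by the CR LF pair (0D 0A) a hex view would also show.
SAMPLE = (
    b"\x00\x01MENU\x00"
    + "Thanks".encode("utf-16-le")
    + b"\x00\x00"
    + b"Thanks to all\r\n"
)

if __name__ == "__main__":
    for offset, encoding in find_text(SAMPLE, "Thanks"):
        print(f"{encoding:>9} hit at offset {offset}")
        print(hex_row(SAMPLE, offset))
```

A search for the ASCII bytes alone finds only the second copy; the first one only turns up when the search pattern includes the 00 bytes between the letters.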
Replacing the individual letters will be easy. And it shows changes in red.
Save the changes, answer Yes to the warning message, and the results:
That’s right – it’s in the title of the screen, instead of the menu entry. So it works – you can alter memory of a running program. And it calls for caution: make sure you know exactly what you are doing before you make serious changes. Hitting a text string in memory for a program that will be reloaded fresh is not a big thing. Changing that program on disk is another thing. And that other thing is what makes HxD a power tool instead of a play-thing.