ABOUT HEX DEREF

HEX DEREF is a professional 64-bit reverse engineering tool written in C#/C++ and designed for dynamic analysis.

For whatever reason, you may need to hide the user-mode process. DKOM functionality is provided in the tool as a solution for reverse engineering and research tasks.

For instance, advanced malware (or a VMP-protected kernel-level rootkit, which is pretty much what today's kernel-level anti-cheats are) may not like the presence of monitoring tools such as HEX DEREF and may close itself when it detects one.

Long story short: thanks to a multi-threaded, IDA PRO-like disassembler, the time spent on the task is significantly reduced when analysing a large binary, and even a hobbyist can get involved without having to know how to script. HEX DEREF is something like:

(A SIMPLIFIED DYNAMIC VERSION OF IDA PRO | AVX2 OPTIMIZED MEMORY SCANS | ADVANCED MEMORY FORENSICS TOOL FOR MALWARE/ROOTKIT ANALYSIS)

Despite all the effort, the tool is a work in progress (WIP). The download is offline until I get some bugs fixed and the UI improved a bit. No ETA for the public release.

Requirements are as follows:

.NET Framework 4.7.2 or newer
https://aka.ms/vs/16/release/vc_redist.x64.exe

If you get the exception System.DllNotFoundException: Unable to load DLL 'BeaEngine_5.3.0.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E), install the "vc_redist.x64.exe" package linked above.

KEY FEATURES

  • In active development. Simpler to use, more sophisticated and user-friendly than most of the competition
  • An advanced memory viewer with a full memory editor, capable of displaying any user process's memory and arbitrary kernel memory in real time
  • Multi-threaded 64-bit disassembler that is designed for analysing large binaries
  • AVX2 optimized memory scanner for user mode processes
  • Interoperability between tools

KERNEL DRIVER FEATURES

Kernel features in the software are intended primarily for security researchers. The "Driver.c" features are as follows:
  • Test and "bypass" any user or kernel mode anti-cheat
  • Direct kernel object manipulation (DKOM) functionality that enables you to read or write arbitrary Windows kernel memory
  • Disassemble any kernel module with the IDA PRO-like 64-bit multi-threaded disassembler
  • Dump any module from any user process or from the kernel
  • Able to obtain the following information: the process base address and size, the PEB with loaded modules, and memory protection information for any user-mode address
  • Able to read and write the registry via the driver
  • Registry filter: shows which process is querying which registry key
  • Find a sequence of bytes in kernel mode for any user or kernel module
  • Able to create a unique assembly signature pattern over the whole process for any kernel or user process module

MEMORY VIEWER KERNEL MODE

HEX DEREF - Memory Viewer Kernel Mode
The kernel mode in the HEX DEREF software is an advanced Windows direct kernel object manipulation (DKOM) mode. In this mode the memory viewer can read and write any user process's memory and kernel memory through the driver, without a handle.

In the picture above you can see what the kernel file handle object looks like in memory. As in user mode, kernel memory is shown in real time as it changes.

MEMORY VIEWER

The "DATA/STRUCTURES" mode is a sophisticated alternative to the competition.

It helps you understand memory alignment, what a memory pointer is and what it looks like in process memory, and how structures and primitive data types look in memory, which is crucial when learning a programming language such as C#, C or C++.

The debug viewer tool takes the aforementioned functionality to the next level: it can grab the data behind the pointers, so you see the values as they change in process memory.
HEX DEREF - Memory Viewer
  • The memory viewer includes both "DATA/STRUCTURES" and DISASSEMBLY modes. Switch between the two on the fly in the same instance!
  • Change the alignment on the fly (8 bytes, 4 bytes, 2 bytes and 1 byte)
  • Tab support
  • Fully dynamic (e.g. static pointer references are shown in "DATA/STRUCTURES" mode on the fly while the code analysis is running)

WHAT IS THE MEMORY VIEWER'S DATA/STRUCTURES MODE?

It is a memory structure analysis mode that attempts to work out the layout of classes in memory without source code; the offsets are automatically applied to a given address. This functionality allows you to reconstruct undocumented Windows kernel structures.
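As an added illustration (example code, not part of HEX DEREF), the following C program shows what the DATA/STRUCTURES mode and the alignment switch described above are looking at: a struct's fields, the padding the compiler inserts, the little-endian bytes of a pointer, and the address-range heuristic that picks a pointer field out of raw memory without the source. The Player struct, its values and the mapped range are constructed for this example.

```c
// Added example, not HEX DEREF code: how a struct looks in raw memory and how a
// viewer recovers field offsets and pointer fields from it without source code.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct Player {              /* constructed for the example */
    uint8_t  team;    /* offset 0, then 3 bytes of padding so health is 4-aligned */
    uint32_t health;  /* offset 4 */
    uint64_t score;   /* offset 8 */
    char    *name;    /* offset 16: a pointer, stored little-endian like any integer */
} Player;             /* sizeof == 24 on x86-64 */

/* Read a little-endian unsigned value of width 1, 2, 4 or 8 bytes at p. */
static uint64_t read_le(const uint8_t *p, int width) {
    uint64_t v = 0;
    for (int i = width - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Print size bytes at base as zero-padded columns of width bytes: the view a
   memory viewer gives when the alignment is switched between 8/4/2/1 bytes. */
static void dump(const uint8_t *base, size_t size, int width) {
    for (size_t off = 0; off + (size_t)width <= size; off += (size_t)width)
        printf("+0x%02zx  %0*llx\n", off, width * 2,
               (unsigned long long)read_le(base + off, width));
}

/* Pointer heuristic: the value lands inside a mapped range [lo, hi) the viewer
   knows about (a module, a heap or a stack). */
static int looks_like_pointer(uint64_t value, uint64_t lo, uint64_t hi) {
    return value >= lo && value < hi;
}

/* Scan the 8-byte slots of a Player and return the offset of the first slot
   that points into [lo, hi), or -1 if none does. */
static int first_pointer_offset(const Player *p, uint64_t lo, uint64_t hi) {
    const uint8_t *raw = (const uint8_t *)p;
    for (size_t off = 0; off + 8 <= sizeof *p; off += 8)
        if (looks_like_pointer(read_le(raw + off, 8), lo, hi)) return (int)off;
    return -1;
}

/* Build a Player whose name lives in a known buffer and locate the pointer field. */
static int demo_pointer_offset(void) {
    static char name[16] = "alice";            /* the "mapped range" for the demo */
    Player p = { 1, 100, 0x1122334455667788ULL, name };
    dump((const uint8_t *)&p, sizeof p, 8);    /* three 8-byte columns */
    uint64_t lo = (uint64_t)(uintptr_t)name;
    return first_pointer_offset(&p, lo, lo + sizeof name);   /* 16 */
}
```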

DISASSEMBLER FUNCTIONALITY

  • Shows all intermodular function calls to external API functions
  • Code execution cross-references (XREFs)
  • Static pointer references, as in IDA PRO
  • String references
  • Fully dynamic multi-threaded 64-bit disassembler
  • An import address table (IAT) auto-detect feature that also attempts to detect redirected IATs without using WINAPI functions
  • The disassembler includes a built-in assembly signature maker plugin that attempts to generate unique signatures over the whole process
  • Although a list of functions and their arguments is not among the features, the code dissection feature in the memory viewer does dynamically pretty much what IDA PRO does statically in terms of the initial analysis
HEX DEREF - 64-bit disassembler
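As an added example (not the plugin's own code), here is the core of a unique-signature maker in C, the kind of thing the signature maker plugin and the kernel-mode "find a sequence of bytes" feature above do: starting at a chosen offset, the pattern is extended one byte at a time until its masked bytes occur exactly once in the whole module image. The image bytes and the wildcard mask are constructed by hand; in the real tool a disassembler would decide which bytes (immediates, displacements) to wildcard.

```c
// Added example, not HEX DEREF code: the core of a "unique signature" maker.
// Bytes with mask 1 must match; mask 0 marks a wildcard (e.g. a displacement).
#include <stddef.h>
#include <stdint.h>
/* Constructed image: three RIP-relative movs that differ only in register
   and displacement, then a ret. Instruction offsets: 0, 7, 14, 21. */
static const uint8_t SAMPLE_IMAGE[] = {
    0x48, 0x8B, 0x05, 0x10, 0x00, 0x00, 0x00,   /* mov rax, [rip+0x10] */
    0x48, 0x8B, 0x05, 0x20, 0x00, 0x00, 0x00,   /* mov rax, [rip+0x20] */
    0x48, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,   /* mov rcx, [rip+0x30] */
    0xC3 };                                     /* ret */
/* Mask: opcode bytes fixed, the 4 displacement bytes of each mov wildcarded. */
static const uint8_t SAMPLE_MASK[] = {
    1, 1, 1, 0, 0, 0, 0,  1, 1, 1, 0, 0, 0, 0,  1, 1, 1, 0, 0, 0, 0,  1 };
#define SAMPLE_LEN (sizeof SAMPLE_IMAGE)

/* Does the masked pattern pat[0..len) match the image at position pos? */
static int matches_at(const uint8_t *image, size_t pos,
                      const uint8_t *pat, const uint8_t *mask, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (mask[i] && image[pos + i] != pat[i]) return 0;
    return 1;
}
/* Count the positions at which the masked pattern matches (this is also what
   a "find a sequence of bytes" search with wildcards does). */
static size_t count_matches(const uint8_t *image, size_t image_len,
                            const uint8_t *pat, const uint8_t *mask, size_t len) {
    size_t n = 0;
    for (size_t pos = 0; pos + len <= image_len; pos++)
        n += (size_t)matches_at(image, pos, pat, mask, len);
    return n;
}
/* Shortest length L such that the masked bytes image[start..start+L) occur
   exactly once in the whole image; 0 if no length is unique (the code at
   start is duplicated byte for byte up to the end of the image). */
static size_t unique_signature_len(const uint8_t *image, size_t image_len,
                                   const uint8_t *mask, size_t start) {
    for (size_t len = 1; start + len <= image_len; len++)
        if (count_matches(image, image_len, image + start, mask + start, len) == 1)
            return len;
    return 0;
}
/* Run the maker over the constructed sample, with or without the wildcards. */
static size_t sample_signature_len(size_t start, int use_mask) {
    uint8_t all_fixed[SAMPLE_LEN];
    for (size_t i = 0; i < SAMPLE_LEN; i++) all_fixed[i] = 1;
    return unique_signature_len(SAMPLE_IMAGE, SAMPLE_LEN,
                                use_mask ? SAMPLE_MASK : all_fixed, start);
}
```

With the displacements wildcarded, the first mov needs 10 bytes before it stops colliding with the second one, whereas the mov rcx at offset 14 is unique after 3 bytes; without wildcards the first mov is unique after 4 bytes but would break as soon as the linker moves the referenced data.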

DEBUGGER FUNCTIONALITY

  • A Windows debugger that uses the Windows debug APIs DebugActiveProcess, DebugActiveProcessStop, WaitForDebugEvent and ContinueDebugEvent.
  • A 64-bit VEH debugger written in C++ (x86_64)
  • All major breakpoint methods are supported (hardware breakpoints (HWBP), INT3 and page faults) in both debugger modes.
64-bit debugger

MEMORY POINTER SCANNER

The memory pointer scanner tries to pick up where other similar tools leave off. Note the interoperability with the code dissection feature of the memory viewer: you can see the pointers together with the code XREFs. Custom path scanning enables a previously unattainable level of analysis without the need to generate a pointer map.
Memory pointer scanner

HEX DEREF INJECTOR

The software also includes a basic DLL injector. The injection is done using native injection, which means that no attempt is made to hide the injection in the process.
HEX DEREF Injector

HEX DEREF SOURCE CODE

The source code of the software has not been released anywhere (except for the code I posted on GitHub). The software is not a port of any existing tool. It has been pretty much written from scratch because I literally wanted to learn coding in C#/C++ and understand reverse engineering basics.

ABOUT AUTHOR

I am a self-taught coder currently without a day job. My motto is: if I need to get something done, I will just do it, and I am usually very good at what I do. How long have you been coding? As of 10/2021:
  • PHP/MySQL 10+ years
  • C# 7+ years
  • C++ 1.5+ years
How long have you been hacking and reverse engineering?
  • It's not a matter of time, because one person learns things faster than another. However, I do know reverse engineering basics.

SPONSORS ARE NEEDED

I've spent a considerable amount of time researching and coding the software, and the project literally takes all of my free time. Therefore I must ask for a small contribution towards the project. If you cannot use PayPal to support the development of the software, the following cryptocurrencies are accepted: Bitcoin (BTC) and Ethereum (ETH):

Bitcoin: 38nGwPCXrwPSK4MtNdEy4tcQieFvaCnAFL (Only send BTC to this address)
Ethereum: 0xAdD7C13f9B2514c3317b16c4CDf3FFe3C7FE8939 (Only send ETH to this address)
A sponsor can have their company logo on this site with a backlink. Shoot me an email or PM me (White Byte) in the tool's Live Support. Current sponsor opportunities:
  • Themida Developer License 199.00 €
  • Comodo standard code signing certificate (85.00 USD/year)

DISASSEMBLY BENCHMARK

The larger the process, the more you will benefit from a multi-threaded disassembler (the "Analyze the code" feature in the memory viewer).

The HEX DEREF disassembly benchmark is included in the main software. It translates machine instructions into more convenient, human-readable assembly language statements using BeaEngine.
HEX DEREF - Disassembly benchmark

LIVE SUPPORT

Sometimes simple is better. Therefore I've added probably the simplest chat possible to the tool. NOTE: Use the live support in the tool for bug reports and questions. If no one is online, ask a question and check back later. You can use the live support private chat feature if you don't want to share your main IM with people you do not actually know.

EULA

HEX DEREF software, later referred to as "the software", is provided "AS IS", without warranty of any kind, for educational and informational purposes ONLY. The authors, its affiliates, partners, suppliers, or licensors will NOT be liable for any misuse by the end user. By using the software the user accepts all responsibility for any and all actions performed. Free for non-commercial use only.

CHANGELOG

13/01/2022 1.06

Main view

  • Added the following process features with the right-click in both user and kernel mode: Suspend, Resume, Terminate
  • The "Find an array of bytes" functionality has been moved into the memory viewer

Memory viewer

  • Added support for reading and writing arbitrary kernel memory (including any user mode process) through the driver.
  • Dereference memory pointers as 64-bit unsigned integers. This enables arbitrary Windows kernel memory to be read and written through "Driver.c"
  • Use a monospaced font for equal columns and pad primitive data types with leading zeros for better readability
  • Added Tools->Dump or disassemble the module->List the modules of an open process
  • Added Tools->Dump or disassemble the module->List kernel modules
  • Added Search−>Find a sequence of bytes
  • Added checkbox option Search−>Find a sequence of bytes->Find the byte pattern only in the active module
  • Added an option to modify the value of the selected address as Unicode UTF-16 string

Live support

  • Fixed an issue where the last message the user posted did not appear in the chat