HEX DEREF

HEX DEREF is professional 64-bit reverse engineering software written in C#/C++ and designed for dynamic analysis.

Attempts are being made to develop the software to be more user-friendly, simpler to use, and to combine the most needed features into one tool. As of 06/2021 the tool has been developed for over 5 years, usually on a daily basis. Despite all the efforts, the tool is a work in progress (WIP).

Long story short: the time spent on a task is significantly reduced, and even a hobbyist can get involved without having to know how to script. HEX DEREF combines various tools that are not easy to code into one package and represents something like: (IDA LIKE DISASSEMBLER | X64DBG SIMPLIFIED | CE EQUIVALENT MEMORY SCANS | RECLASS.NET++)

HEX DEREF OVERLAY

Requirements are as follows:

  • .NET Framework 4.7.2 or newer
  • Visual C++ redistributable: https://aka.ms/vs/16/release/vc_redist.x64.exe

If you get the exception "System.DllNotFoundException: Unable to load DLL 'BeaEngine_5.3.0.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)", install the "vc_redist.x64.exe" package above.

KEY FEATURES

  • In active development. Simpler to use, more sophisticated and user-friendly than most of the competition
  • An advanced memory viewer with a full memory editor, capable of rendering any user process's memory and kernel memory in real time
  • Multi-threaded 64-bit disassembler that is designed for analysing large binaries
  • Cheat Engine's equivalent core functionality with AVX2 optimized memory scanner
  • Interoperability between tools

KERNEL FEATURES

Kernel features are intended primarily for security researchers. The C++ "Driver.c" features are as follows:
  • Test and bypass any user and kernel mode anti-cheat
  • Direct kernel object manipulation (DKOM) functionality enables you to read or write Windows kernel memory objects
  • Disassemble any kernel module with an IDA PRO-like 64-bit multi-threaded disassembler
  • Dump any module from any user process
  • Dump any module from the kernel
  • Able to obtain the following information: the process base address and size, the PEB with loaded modules, and memory protection information for any user mode address
  • Able to write to the registry
  • Write arbitrary Windows kernel memory

MEMORY VIEWER KERNEL MODE

HEX DEREF - Memory Viewer Kernel Mode
The kernel mode in the HEX DEREF software is an advanced Windows direct kernel object manipulation (DKOM) mode. In this mode the memory viewer can read and write any user process's memory and kernel memory through the driver, without opening a handle.

The picture above shows what a kernel file handle object looks like in memory. As in user mode, you can watch the kernel memory change in real time.

MEMORY VIEWER

The memory viewer's basic functionality is a sophisticated alternative to ReClass.NET and a considerably better version of CE's "Dissect data/structures" feature, making it easier to find the data you need.

The debug viewer tool takes the aforementioned functionality to the next level: it can grab the data behind pointers, so you see the values changing in the process memory.
HEX DEREF - Memory Viewer
  • The memory viewer includes both "Data/structures" and disassembly mode
  • Includes multi-threaded 64-bit disassembler powered by the BeaEngine
  • Switch on the fly between "Data/structures" and disassembly mode in the same instance
  • Change the alignment on the fly (8 Bytes, 4 Bytes, 2 Bytes and 1 Byte)
  • Tab support
  • Fully dynamic (e.g. static pointer references are shown in "Data/structures" mode on the fly while the code dissection is running)

WHAT IS THE MEMORY VIEWER'S DATA/STRUCTURES MODE?

It is a memory structure analysis mode that attempts to work out the layout of classes in memory without source code; the offsets are automatically applied to a given address. This functionality also lets you reconstruct undocumented Windows kernel structures.
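As an added example (not HEX DEREF's own code) of the kind of heuristic a Data/structures view relies on, this Python snippet walks a constructed 40-byte object image at a chosen alignment and guesses each field: a pointer into a known module or heap range, ASCII text, a float/double of plausible magnitude, or a plain integer. The region addresses and object layout are constructed for the demo, and the type filters are assumptions, not the tool's actual rules.

```python
import math
import struct

# Constructed stand-ins for a loaded module and a heap range (assumed, not real addresses).
REGIONS = {"game.exe": (0x7FF6_1000_0000, 0x10000), "heap": (0x1A2B_0000, 0x10000)}
# Constructed object image laid out like a C++ class: vtable ptr, int32, float, char[16], ptr.
SAMPLE_OBJECT = (
    struct.pack("<Q", 0x7FF6_1000_2A40)        # +0x00 vtable: static pointer into game.exe
    + struct.pack("<if", 100, 3.5)             # +0x08 int32 health, +0x0C float speed
    + b"Player_01".ljust(16, b"\x00")          # +0x10 char[16] name
    + struct.pack("<Q", 0x1A2B_04F0)           # +0x20 pointer into the heap
)

def find_region(value):
    """Return 'name+0xoff' if value lands inside a known region, else None."""
    for name, (base, size) in REGIONS.items():
        if base <= value < base + size:
            return f"{name}+0x{value - base:X}"
    return None

def looks_like_text(chunk):
    """True if the chunk is at least 2 printable ASCII bytes followed only by NUL padding."""
    text = chunk.split(b"\x00", 1)[0]
    return (len(text) >= 2 and all(0x20 <= b < 0x7F for b in text)
            and not chunk[len(text):].strip(b"\x00"))

def plausible_real(value):
    """Crude filter: finite and zero or of 'human' magnitude; rejects denormals from small ints."""
    return math.isfinite(value) and (value == 0.0 or 1e-4 <= abs(value) <= 1e6)

def classify(chunk, align):
    """Guess the primitive type of one aligned field; returns (kind, value)."""
    if align == 8:
        q = struct.unpack("<Q", chunk)[0]
        target = find_region(q)
        if target:
            return "ptr", target
        if looks_like_text(chunk):
            return "str", chunk.split(b"\x00", 1)[0].decode("ascii")
        d = struct.unpack("<d", chunk)[0]
        return ("double", d) if plausible_real(d) else ("int64", q)
    if align == 4:
        f = struct.unpack("<f", chunk)[0]
        return ("float", f) if plausible_real(f) else ("int32", struct.unpack("<i", chunk)[0])
    return f"int{align * 8}", int.from_bytes(chunk, "little")

def dissect(buf, align=8):
    """Walk the image at alignment 8/4/2/1 and guess each field (the int32+float pair at
    +0x08 reads as a plausible double at align 8, which is why switching alignment matters)."""
    return [(off, *classify(buf[off:off + align], align))
            for off in range(0, len(buf) - align + 1, align)]
```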

DISASSEMBLER FUNCTIONALITY

  • Shows all intermodular function calls to the external API functions
  • Code execution cross-references (XREF's)
  • Static pointer references
  • String references
  • Fully dynamic multi-threaded 64-bit disassembler
  • An import address table (IAT) auto-detect feature that also attempts to detect redirected IATs, without using WINAPI functions
  • The disassembler includes a built-in assembly signature maker plugin that attempts to generate signatures that are unique across the whole process
  • Although a function list and function arguments are not among the features, the code dissection feature in the memory viewer does dynamically pretty much what IDA PRO does statically in terms of the initial analysis
HEX DEREF - 64-bit disassembler

DEBUGGER FUNCTIONALITY

  • A Windows debugger that uses the Windows debug APIs to debug: DebugActiveProcess, DebugActiveProcessStop, WaitForDebugEvent and ContinueDebugEvent.
  • A 64-bit VEH debugger written in C++ (x86_64)
  • All major breakpoint methods are supported (Hardware (HWBP), INT3 and page faults) in both debugger modes.
64-bit debugger

MEMORY POINTER SCANNER

The memory pointer scanner picks up where other similar software leaves off. Note the interoperability with the code dissection feature of the memory viewer: you can see the pointers together with their code XREFs. Custom path scanning enables a previously unattainable level of analysis without the need to generate a pointer map.
Memory pointer scanner

HEX DEREF INJECTOR

The software also includes a basic DLL injector. It uses native injection, meaning that no attempt is made to hide the injection in the process.
HEX DEREF Injector

HEX DEREF SOURCE CODE

The source code of the software has not been released anywhere (except for the code I have posted on GitHub). The software is not a port of any existing tool. It has been written pretty much from scratch, because I literally wanted to learn coding in C#/C++ and understand the basics of reverse engineering.

ABOUT AUTHOR

I am a self-taught coder, currently without a day job. My motto is: if I need to get something done, I will just do it, and I am usually very good at what I do. How long have you been coding? As of 10/2021:
  • PHP/MySql 10+ years
  • C# 7+ years
  • C++ 1.5+ years
How long have you been hacking and reverse engineering?
  • It’s not about time, because one person learns things faster than another. However, I do know the reverse engineering basics.

SPONSORS ARE NEEDED

This project literally takes all of my free time. Therefore I must ask for a small contribution towards the project. Every sponsor will get a great deal of visibility for nearly "free".
  • Themida Developer License 199.00 €
  • Comodo standard code signing certificate (85.00 USD/year) for the C++ Windows kernel "Driver.c" that I am currently developing. The driver project is related to testing any anti-cheat and to analysing malware, spyware, and Windows kernel-level rootkits.

DISASSEMBLY BENCHMARK

The larger the process is, the more you will benefit from a multi-threaded disassembler (the code dissection feature in the memory viewer).

The HEX DEREF disassembly benchmark is included in the main software; it translates machine instructions into more convenient, human-readable assembly language statements using the BeaEngine.
HEX DEREF - Disassembly benchmark

LIVE CHAT

Sometimes simple is better. Therefore I have added probably the simplest possible chat to the tool. NOTE: Use the live support in the tool for bug reports and questions. If nobody is online, ask a question and check back later. You can use the live support's private chat feature if you don't want to share your main IM with people you do not actually know. All private messages older than one month are automatically deleted for additional privacy. This may not be the case for other IM services.

EULA

The HEX DEREF software, later referred to as "the software", is provided "AS IS", without warranty of any kind, for educational and informational purposes ONLY. The authors, its affiliates, partners, suppliers, or licensors will NOT be liable for any misuse by the end user. By using the software the user accepts all responsibility for any and all actions performed. Free for non-commercial use only.

CHANGELOG

1.06

Main view

  • Added the following process features via right-click in both user and kernel mode: Suspend, Resume, Terminate
  • The "find an array of bytes" functionality has been moved into the memory viewer

Memory viewer

  • Added support for reading and writing the virtual memory addresses of Windows kernel objects through the driver
  • Dereference memory pointers as 64-bit unsigned integers. This enables Windows kernel memory to be read and written through the "Driver.c"
  • Use a monospaced font for "equal columns" and pad primitive data types with leading zeros for better readability
  • Added Tools->Dump or dissect the module->List the modules of an open process
  • Added Tools->Dump or dissect the module->List kernel modules
  • Added Search->Find a sequence of bytes
  • Added checkbox option Search->Find a sequence of bytes->Find the byte pattern only in the active module