HEX DEREF PRO
HEX DEREF is a professional reverse engineering software written in C#
and it is designed for generic reverse engineering, memory scanning, dynamic kernel and malware analysis.
Purchasing a professional version of the software is recommended if you work for or do at least one of the following tasks, either for fun or profit:
- A reverse engineering
- A malware analyst
- A cybersecurity analyst
- Security researcher
- If you're into learning windows internals, malware or rootkit analysis. Memory forensics is one part of the task and the software offers advanced memory scans for windows kernel and user mode processes
- Cheat developer
- An anti-cheat developer
- Security consultant
For whatever reasons you may have need to hide the usermode process: UNDETECTED CE
A DKOM functionality is provided in the tool like a solution for reverse engineering and researching tasks. For example an advanced malware may not like the presence of monitoring tools and closes itself when it detects one.
HEX DEREF PRO
- A non signed kernel driver is included in the professional version, allowing the memory viewer to read and write arbitrary user-mode process or kernel memory through the driver
- The handle elevation feature lets you attach your favorite game hacking tools, such as CE, to a game process with all
possible handle access rights (0x1FFFFF) that's protected by kernel-level anti-cheat
- Commercial use of the software is allowed
- No thread limitation in multi-threaded disassembler
The kernel page table walk feature allows you to dump pretty much every user and kernel memory page. This functionality enables an unattainable level of analysis and disclosure of information from the kernel memory
and makes many things possible such as offline memory forensics analysis for cases you suspect that your computer is infected with a malware or rootkit.
HEX DEREF represents something like:
(A SIMPLIFIED DYNAMIC VERSION OF IDA PRO | AVX2 OPTIMIZED MEMORY SCANNER) WITH AN ADVANCED MEMORY VIEWER
lkd> dt nt!_SE_AUDIT_PROCESS_CREATION_INFO
Looks as follows in the memory viewer when the kernel mode (KM) is enabled and the driver loaded:
Despite all the efforts, the tool is a work in progress (WIP).
Requirements as follows:
.NET Framework 4.7.2 or newer
If you get an exception: System.DllNotFoundException: Unable to load DLL 'BeaEngine_5.3.0.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E).
Install above "vc_redist.x64.exe" package.
- In active development. Simpler to use, more sophisticated and user-friendly than most of the competition
- An advanced memory viewer with full memory editor, capable of drawing real-time any user's process and arbitrary kernel memory
- Multi-threaded 64-bit disassembler that is designed for analysing large binaries
- AVX2 optimized memory scanner for user mode processes
- Interoperability between tools
- Kernel physical memory scanner
- Kernel memory viewer (R)
- Kernel memory editor (W)
The software includes both a signature scanner and a generator for user space processes and the kernel.
KERNEL DRIVER FEATURES
The driver is coded in C
and features as follows:
- Test and "bypass" any user or kernel mode anti-cheat. Tested with EAC and BattlEye
- Direct kernel object manipulation (DKOM) functionality enables you to read or write arbitrary windows kernel memory
- Kernel memory scanner
- Disassemble any kernel module including the kernel itself with IDA PRO like 64-bit multi-threaded disassembler
- Dump any protected user mode process
- Dump any kernel module
- Able to obtain the following information: The process base address and size, the PEB with loaded modules, memory protection information for any user mode address
- Able to read and write the registry via the driver
- Registry filter: Show which process is querying which registry key (WIP)
- Find a sequence of bytes in kernel mode for any user or kernel module
- Able to create an unique assembly signature pattern off the whole process for any kernel or user process module
- Find an array of bytes for physical memory
- Kernel page table walk which allows you either to scan or dump the entire physical kernel memory
- Arbitrarily modify kernel memory
- Enumerate PoolBigPageTable memory ranges
MEMORY VIEWER KERNEL MODE
The kernel mode (KM) in the HEX DEREF software is an advanced memory viewer mode that enables windows direct kernel object manipulation (DKOM).
In this mode the memory viewer can read and write arbitrary kernel memory through the driver (without the need to enable kernel debugging) making the tool a sophisticated alternative to WinDbg.
From the picture above you can see what the kernel file handle object looks like in kernel memory. As in user mode, you can see the kernel memory in real time as it changes.
The "DATA/STRUCTURES" mode is a sophisticated alternative to any competition.
Helps you to understand memory alignment better, what a memory pointer is and how it looks like in process or kernel memory, how structures and primitive data types looks like in computer memory which is crucial in terms of learning a programming language such C#, C, C++.
The debug viewer tool extends fore mentioned functionality to the next level as it can grab the data behind the pointers and you will see the values that changes in the process memory.
- The memory viewer includes both "DATA/STRUCTURES" and DISASSEMBLY mode. Change the mode on the fly between the two in the same instance!
- Change the alignment on the fly (8 Bytes, 4 Bytes, 2 Bytes and 1 Byte)
- Tab support
- Fully dynamic (e.g static pointer references are shown in "DATA/STRUCTURES" mode on the fly while the code analysis is running)
WHAT IS THE MEMORY VIEWER'S DATA/STRUCTURES MODE?
It is a memory structure analysis mode that attempts to find out the structure of classes in memory without source code, the offsets are automatically applied to a given address. This functionality allows you to restructure undocumented windows kernel structures.
- Shows all intermodular function calls to the external API functions
- Code execution cross-references (XREF's)
- Static pointer references like in IDA PRO
- String references
- Fully dynamic multi-threaded 64-bit disassembler
- The import address table (IAT) auto-detect feature that attempts to detect also redirected IAT's without the need to use WINAPI functions.
- The disassembler includes a built-in assembly signature maker plugin that attempts to generate unique signatures off the whole process
- If the list of functions and functions arguments are not included in features, the code dissection feature in the memory viewer does pretty much the same dynamically that IDA PRO does statically in terms of the initial analysis
- Windows debugger that uses windows debug API's to debug: DebugActiveProcess, DebugActiveProcessStop, WaitForDebugEvent and ContinueDebugEvent.
- A 64-bit VEH debugger written in C++ (x86_64)
- All major breakpoint methods are supported (Hardware (HWBP), INT3 and page faults) in both debugger modes.
MEMORY POINTER SCANNER
The memory pointer scanner tries to resume from where it left off in other similar softwares. Note the interoperability with the code dissection feature of the memory viewer as you can see the pointers with the code XREF.
Custom path scanning enables for a previously an unattainable level of analysis without the need to generate a pointer map.
HEX DEREF INJECTOR
The software includes also a basic DLL injector. The injection is done by using native injection. The native injection means that no attempt is made to hide the injection in the process.
HEX DEREF SOURCE CODE
The source code of the software has not been released anywhere (exception to the codes I posted on GitHub
The software is not a port of any existing tool. It has been pretty much written from scratch because I literally wanted to learn coding in C#/C++ and understand reverse engineering basics.
I am self taught coder currently without a daily job. My motto is. If I need to get something done. I will just do it and I am usually very good at what I do. How long you been coding? As of 10/2021:
- PHP/MySql 10+ years: One of the many examples what I've coded in PHP (I can for example, port Ipv4DB to C#): IPv4DB
- C# 7+ years
- C++ 1.5+ years
What you've been doing the past 6 months as of 02/2022?
- Windows kernel researching/reverse engineering. I am currently testing DKOM functionality in my driver as well (hide a process, elevate a handle and so forth). This information is available for sale if the price is reasonable enough. I am emulating (reproducing) pretty much what kernel level anti-cheats does in my "C" kernel driver to understand how they work and how to bypass anti-cheats. While I did aforementioned things. I also learned network based windows kernel debugging with WinDbg Preview. I also have a better understanding of kernel crash dumps.
How long you been hacking and reverse engineering?
- For years. It's not up to time because one learns things faster than the other. However though, I do know reverse engineering basics.
SPONSORS ARE NEEDED
I've spent a considerable amount of time researching and coding the software, and the project literally takes all of my free time. Therefore I must ask for a little contribution towards the project.
If you cannot use PayPal to support the development of the software. The following cryptocurrencies are accepted: Bitcoin (BTC) and Ethereum (ETH)
The kernel driver is not included in the free version of software. If you host a quality security research related forum or blog, and write related articles. It is possible to get the driver for advertising my site and the software.
A sponsor can have their company logo on this site with a backlink. Shoot me an email or PM me (White Byte) in the tool Live Support.
- Comodo standard code signing certificate (85.00 USD/year)
The larger the process is, the more you will benefit off a multi-threaded disassembler ("Analyze the code" feature in a memory viewer).
HEX DEREF disassembly benchmark is included in the main software which translates machine instructions into human-readable more convenient assembly language statements using the BeaEngine
Sometimes simple is better. Therefore I've implemented probably the most simplest chat in the tool.
NOTE: Use the live support in the tool for bug reports and questions. If none is online. Ask a question and check back later.
HEX DEREF software later referred to as "the software", is provided "AS IS", without warranty of any kind, for educational and informational purposes ONLY.
The authors, it's affiliates, partners, suppliers, or licensors will NOT be liable for any misuse done by the end user.
By using the software the user accepts all responsibility for any and all actions performed.
Free for non-commercial use only.
CURRENT DEVELOPMENT VERSION: v1.10
- Added support for kernel physical memory scans as follows: Physical memory scan options
- Fixed an issue with the process name when dumping a process
Added the following options for Tools−>Search−>Find a sequence of bytes:
- Find the byte pattern only in the modules loaded by the kernel, including the kernel itself
- Scan every user mode process for the byte pattern
- Added progress indicator when scanning user mode memory
- Fixed an issue when drawing the primitive value from the address pointed by the instruction in disassembly mode
- Added Tools−>Scan for memory patches in the current view. The results are currently echoed on the console, and the value of each unique base address can change up to (4) times
- Fixed an issue with the section list when analysing the code
- Show the section name for the currently entered address in disassembly mode
- Use the same monospaced font for the tabs and the base address
- Update the tab name to the hexadecimal value of the address you entered
- When analyzing code, added an option to list code execution references (XREF) that refer to a specific hexadecimal value while analysing the code
- Generate automatically a C#-style byte array after generating a signature for the instruction
- Show DATA execution references (XREF's) for the address pointed by an instruction in disassembly mode
- Stability fixes
"C" kernel driver
- Fixed BSDO in physical memory scanner when scanning every user mode process for the byte pattern
- Added an option to enumerate big page pool memory regions (PoolBigPageTable)
May 15th, 2022 v1.09
- Fixed an issue in kernel mode (KM) when retrieving the base address and size of an image
- Fixed an issue in result files with reading and writing UInt64 values
- Added support for kernel memory scans (Byte, 2 Bytes, 4 Bytes, 8 Bytes and Hex)
- Default memory scans as follows: 2 Bytes (UInt16), 4 Bytes (UInt32), 8 Bytes (Int64), Hex (UInt64)
- Fixed an issue with pointer validation in a non-kernel mode
- Draw a primitive value from the address pointed by the instruction in disassembly mode. e.g "FFFFF80646DA1783 - 44 84 3D 48 89 88 00 - test byte ptr [FFFFF8064762A0D2h], r15L". Draws a value from a bold address.
- Tools−>Dump or disassemble the module−>Sections−>Added "Use the file on the disk for comparison instead of memory"
- Tools−>Dump or disassemble the module−>Sections−>Added an option to scan selected section for memory patches or the entire image
- Fixed a "flicker" problem when pointer values were changing constantly
- Tools−>Search−>Find a sequence of bytes−>Search the entire kernel memory for the byte pattern
- Fixed a logic issue in the disassembly mode. Draw the data in the following order at the address pointed by the instruction: 1) Draw API information 2) Draw a string reference. A string reference is a string at the address pointed by the instruction. 3) If the first and the latter one does not exists, draw a primitive value such a byte
- Tools−>Views−>Sections−>Added an option to scan the entire image for memory patches
March 31th, 2022 v1.08
- Fixed logic issue with automatic process attach
- Fixed unhandled exceptions with protected processes where an anti-cheat downgraded handle access
- Added an option in settings to refresh the process list automatically
"C" kernel driver
- Added process handle elevation DKOM feature (elevate a handle to PROCESS_ALL_ACCESS 0x1FFFFF). All possible access rights for a process object
- Added DKOM based process hiding functionality
- Minor UI optimizations (a slightly less lag when drawing user process memory)
- By default show the values as unsigned
- When you modify a value in memory, the value entered can also be a hexadecimal number
- Fixed various unhandled exceptions with protected processes
January 31th, 2022 v1.07
- Added an option to sort processes by PID
- Show protected processes in gray in the process list
- Added an option to dump with the right-click the protected user mode process (a stripped handle access) with the driver
- Edit−>Settings−>General−>The size of the buffer when reading memory is customizable
- Filter non-printable characters also when reading the Unicode UTF-16 string
- Tools−>Process modules−>When listing kernel modules, translate the path of the NT namespace to the actual module path
- Tools−>Views−>Sections−>Map the PE file as SEC_IMAGE so the sections gets correctly aligned and displayed in section view
- Tools−>Views−>Sections−>Added an option to find an array of bytes in the selected section
- Tools−>Views−>Sections−>Added an option to scan the selected section for memory patches
- Fixed an issue in the logic that determines whether or not the section is executable
- Take a peek behind the pointer feature shows the values as unsigned
"C" kernel driver
- Implemented a page table walk which is pretty much effectively able to find every allocated user or kernel memory page in a matter of few seconds
- Added the following process features with the right-click in both user and kernel mode: Suspend, Resume, Terminate
- Find an array of bytes functionality has been moved in the memory viewer
- Added support for reading and writing arbitrary kernel memory (including any user mode process) through the driver.
- Dereference memory pointers as a 64-bit unsigned integers. This enables the windows arbitrary kernel memory to be read and written through the "Driver.c"
- Use a mono-spaced font for "equal columns" and pad a primitive data types with leading zeros for a better readability
- Added Tools−>Dump or disassemble the module−>List the modules of an open process
- Added Tools−>Dump or disassemble the module−>List kernel modules
- Added Search−>Find a sequence of bytes
- Added checkbox option Search−>Find a sequence of bytes->Find the byte pattern only in the active module
- Added an option to modify the value of the selected address as Unicode UTF-16 string
- Fixed an issue where the last message the user posted did not appeared in the chat
White Byte © 2022 HEXDEREF.COM - DO NOT REPRODUCE CONTENT WITHOUT PERMISSION