Definition

First, a definition:  what is a hex editor?  It is a program that allows you to edit raw data, which means data without any translations applied to it.  “Hex editor” is a bad name because it puts the emphasis on just one of many possible view formats:  viewing numbers in hexadecimal.  However, the point isn’t that you’re looking at numbers in hexadecimal; after all, these programs allow the user to select other number formats like octal or decimal.  Rather, the point is that you’re looking at raw data without a filter, or translation of the data.

For example, ASCII is a translation of data.  Take the number 0x4E—does that mean “N”?  Well, that’s what 0x4E means in ASCII, but in EBCDIC 0x4E means “+”.  So the point of a hex editor is to allow the user to just see and manipulate the 0x4E, ignoring numeric translations like ASCII or EBCDIC.

The list of hex editors is large.  There is a Wikipedia article that fancies itself as the authority on hex editors, but it only scratches the surface of what is available out there.

Landscape of Hex Editor Industry

I would describe the landscape of hex editors by classifying them into three different categories:

  1. Text editor as hex editor
    • Any programmer’s text editor (pretty much anything more sophisticated than NOTEPAD.EXE) will allow you to open files in hex editing mode.  The result is typically bare-bones, but it will work if you have no other option.
  2. Shareware/freeware hex editors
    • This is the mid-range set of hex editors, and here I would classify HxD, WinHex, and Hex Workshop.  For zero to moderate cost you get abilities like:
      • open disk directly
      • open RAM directly
      • create templates to easily find and manipulate structures in your data
  3. Sophisticated commercial hex editors
    • In this category I would put X-Ways.  X-Ways is crazy powerful, as well as crazy expensive.  Expect to pay thousands of dollars, and expect the vendor to require you to use a dongle to enforce copy protection.  X-Ways is meant for computer forensics professionals who spend hours per day using the tool.

HxD

Having said all that, I’m a big fan of HxD, and I recommend it for all firmware developers.  After all, what have you got to lose?  It’s freeware, fast, supports file sizes up to 8EB (!), does fast searching, file compare, opens disks and RAM, easy and intuitive to use…

Recently I wanted to do a secure erase on a hard drive I was discarding.  I used Disk Wipe to do the job, selected an erase methodology, and waited for the job to finish.  I wanted to audit it to see if my disk were really wiped, so I fired up HxD, and opened the disk with it.

I can see the NTFS header, beginning at sector 0:

image

And I can see the end of the NTFS header and the beginning of a random value (0x7F) blasted over the rest of the drive:

image

(give me a break—I didn’t have the time for Guttman!)  Smile  Do yourself a favor and grab HxD today.

Conclusion

I hope you found this post helpful.  I realize that a lot of this is subjective, so I would appreciate hearing your thoughts.  What hex editor do you recommend, and why?  Leave a comment!

Post a Comment

Be sure to select an account profile (e.g. Google, OpenID, etc.) before typing your comment!