FileInsight-plugins: decoding toolbox of McAfee FileInsight hex editor

FileInsight-plugins: decoding toolbox of McAfee FileInsight hex editor for malware analysis

FileInsight-plugins is a large set of plugins for the McAfee FileInsight hex editor. It adds many capabilities such as decryption, decompression, searching XOR-ed text strings, scanning with a YARA rule, code emulation, disassembly, and more! It is useful for various kinds of decoding tasks in malware analysis (e.g. extracting malware executables and decoy documents from malicious document files).

List of plugins (113 plugins)

Basic operations

• Copy to new file
  Copy selected region (the whole file if not selected) to a new file
• Bookmark
  Bookmark selected region with specified comment and color
• Cut binary to clipboard
  Cut binary data of selected region to clipboard as hex-encoded text
• Copy binary to clipboard
  Copy binary data of selected region to clipboard as hex-encoded text
• Paste binary from clipboard
  Paste binary data (converted from hex-encoded text) from clipboard
• Delete before
  Delete all region before the current cursor position
• Delete after
  Delete all region after the current cursor position
• Fill
  Fill selected region with specified hex pattern
• Invert
  Invert bits of selected region
• Reverse order
  Reverse order of selected region
• Swap nibbles
  Swap each pair of nibbles of selected region
• Swap two bytes
  Swap each pair of bytes of selected region
• To upper case
  Convert text to upper case of selected region
• To lower case
  Convert text to lower case of selected region
• Swap case
  Swap case of selected region

Compression operations

Compress

• aPLib
  Compress selected region with aPLib compression library
• Bzip2
  Compress selected region with bzip2 algorithm
• Gzip
  Compress selected region with gzip format
• LZ4
  Compress selected region with LZ4 algorithm
• LZMA
  Compress selected region with LZMA algorithm
• LZNT1
  Compress selected region with LZNT1 algorithm
• LZO
  Compress selected region with LZO algorithm
• PPMd
  Compress selected region with PPMd algorithm
• QuickLZ
  Compress selected region with QuickLZ compression library
• Raw deflate
  Compress selected region with Deflate algorithm without header and checksum (equivalent to gzdeflate() in PHP language)
• XZ
  Compress selected region with XZ format
• zlib (deflate)
  Compress selected region with zlib (Deflate algorithm)
• Zstandard
  Compress selected region with Zstandard algorithm

Decompress

• aPLib
  Decompress selected region with aPLib compression library
• Bzip2
  Decompress selected region with bzip2 algorithm
• Gzip
  Decompress selected gzip-compressed region
• LZ4
  Decompress selected region with LZ4 algorithm
• LZMA
  Decompress selected region with LZMA algorithm
• LZNT1
  Decompress selected region with LZNT1 algorithm
• LZO
  Decompress selected region with LZO algorithm
• PPMd
  Decompress selected region with PPMd algorithm
• QuickLZ
  Decompress selected region with QuickLZ compression library
• Raw inflate
  Decompress selected Deflate compressed region that does not have header and checksum (equivalent to gzinflate() in PHP language)
• XZ
  Decompress selected XZ compressed region
• zlib (inflate)
  Decompress selected region with zlib (Deflate algorithm)
• Zstandard
  Decompress selected region with Zstandard algorithm

Crypto operations

Decrypt

• AES
  Decrypt selected region with AES
• ARC2
  Decrypt selected region with ARC2 (Alleged RC2)
• ARC4
  Decrypt selected region with ARC4 (Alleged RC4)
• Blowfish
  Decrypt selected region with Blowfish
• ChaCha20
  Decrypt selected region with ChaCha20
• DES
  Decrypt selected region with DES
• Salsa20
  Decrypt selected region with Salsa20
• TEA
  Decrypt selected region with TEA (Tiny Encryption Algorithm)
• Triple DES
  Decrypt selected region with Triple DES
• XTEA
  Decrypt selected region with XTEA (eXtended Tiny Encryption Algorithm)

Encrypt

• AES
  Encrypt selected region with AES
• ARC2
  Encrypt selected region with ARC2 (Alleged RC2)
• ARC4
  Encrypt selected region with ARC4 (Alleged RC4)
• Blowfish
  Encrypt selected region with Blowfish
• ChaCha20
  Encrypt selected region with ChaCha20
• DES
  Encrypt selected region with DES
• Salsa20
  Encrypt selected region with Salsa20
• TEA
  Encrypt selected region with TEA (Tiny Encryption Algorithm)
• Triple DES
  Encrypt selected region with Triple DES
• XTEA
  Encrypt selected region with XTEA (eXtended Tiny Encryption Algorithm)

Encoding operations

Decode

• Hex text to binary data
  Convert hex text of selected region into binary
• Decimal text to binary data
  Convert decimal text of selected region into binary data
• Octal text to binary data
  Convert octal text of selected region into binary data
• Binary text to binary data
  Convert binary text of selected region into binary data
• Custom base16 decode
  Decode selected region with custom base16 table
• Custom base32 decode
  Decode selected region with custom base32 table
• Custom base58 decode
  Decode selected region with custom base58 table
• Custom base64 decode
  Decode selected region with custom base64 table
• Custom base85 decode
  Decode selected region with custom base85 table
• Protobuf decode
  Decode selected region as Protocol Buffers serialized data without .proto files
• From quoted printable
  Decode selected region as quoted printable text
• Unicode unescape
  Unescape Unicode escape sequence of selected region
• URL decode
  Decode selected region as percent-encoded text that is used by URL

Encode

• Binary data to hex text
  Convert binary of selected region into hex text
• Binary data to decimal text
  Convert binary of selected region into decimal text
• Binary data to octal text
  Convert binary of selected region into octal text
• Binary data to binary text
  Convert binary of selected region into binary text
• Custom base16 encode
  Encode selected region with custom base16 table
• Custom base32 encode
  Encode selected region with custom base32 table
• Custom base58 encode
  Encode selected region with custom base58 table
• Custom base64 encode
  Encode selected region with custom base64 table
• Custom base85 encode
  Encode selected region with custom base85 table
• ROT13
  Rotate alphabet characters in selected region by the specified amount (default: 13)
• To quoted printable
  Encode selected region into quoted printable text
• Unicode escape
  Escape Unicode characters of selected region
• URL encode
  Encode selected region into percent-encoded text that is used by URL

Misc operations

• Emulate code
  Emulate selected region as an executable or shellcode with Qiling Framework (the whole file if not selected)
• File comparison
  Compare contents of two files
• Hash values
  Calculate MD5, SHA1, SHA256, ssdeep, imphash, impfuzzy hash values of selected region (the whole file if not selected)
• Send to
  Send selected region (the whole file if not selected) to other programs

Parsing operations

• Binwalk scan
  Scan selected region (the whole file if not selected) to find embedded files
• Disassemble
  Disassemble selected region (the whole file if not selected)
• File type
  Identify file type of selected region (the whole file if not selected)
• Find PE file
  Find PE file from selected region (the whole file if not selected)
• Parse file structure
  Parse file structure of selected region (the whole file if not selected) with Kaitai Struct
  Supported file formats: Gzip, RAR, ZIP, ELF, Mach-O, PE, MBR partition table, BMP, GIF, JPEG, PNG, Windows shortcut
• Show metadata
  Show metadata of selected region (the whole file if not selected) with ExifTool
• Strings
  Extract text strings from selected region (the whole file if not selected)

Search operations

• Regex search
  Search with regular expression in selected region (the whole file if not selected)
• Replace
  Replace matched data in selected region (the whole file if not selected) with specified data
• XOR hex search
  Search XORed / bit-rotated data in selected region (the whole file if not selected)
• XOR text search
  Search XORed / bit-rotated string in selected region (the whole file if not selected)
• YARA scan
  Scan selected region (the whole file if not selected) with YARA.

Visualization operations

• Bitmap view
  Visualize the whole file as a bitmap representation
• Byte histogram
  Show byte histogram of selected region (the whole file if not selected)
• Entropy graph
  Show entropy graph of selected region\n(the whole file if not selected)

XOR operations

• Decremental XOR
  XOR selected region while decrementing XOR key
• Incremental XOR
  XOR selected region while incrementing XOR key
• Null-preserving XOR
  XOR selected region while skipping null bytes and XOR key itself
• XOR with next byte
  XOR selected region while using next byte as XOR key
• Guess multibyte XOR keys
  Guess multibyte XOR keys from the selected region (the whole file if not selected) based on revealed keys that are XORed with 0x00
• Visual encrypt
  Encode selected region with visual encrypt algorithm that is used by Zeus trojan
• Visual decrypt
  Decode selected region with visual decrypt algorithm that is used by Zeus trojan

Install & Use

Copyright (c) 2012 Nobutaka Mantani
All rights reserved.