HexWalk

HexWalk is a sophisticated hex editor and binary analyzer designed for forensic investigations, reverse engineering, and low-level binary file examination. It provides visual hex inspection, pattern searching, and detailed memory analysis capabilities essential for digital forensics and security research.

Installation

# Kali Linux (pre-installed)
hexwalk --version

# Manual installation
sudo apt-get update
sudo apt-get install hexwalk

# From source
git clone https://github.com/kalilinux/hexwalk.git
cd hexwalk
make
sudo make install

# Verify installation
which hexwalk
hexwalk --help

Basic Usage

| Command | Description |
|---|---|
| hexwalk <file> | Open file in hex editor |
| hexwalk -i <file> | Interactive mode with navigation |
| hexwalk -o <offset> <file> | Start at specific offset |
| hexwalk --help | Display help information |
| hexwalk -v | Verbose output mode |
| hexwalk -s <string> <file> | Search for string pattern |
| hexwalk -H <hex> <file> | Search for hex pattern |

Hex Inspection and Analysis

Basic Hex Dump

# Display file in hex format
hexwalk myfile.bin

# Display first 256 bytes
hexwalk -n 256 suspicious.exe

# Start from offset 0x1000
hexwalk -o 0x1000 memory.dump

# Show ASCII representation alongside hex
hexwalk -a myfile.bin

Pattern Searching

# Search for ASCII string
hexwalk -s "MZ" executable.exe

# Search for hex pattern
hexwalk -H "4D5A9000" file.bin

# Case-insensitive search
hexwalk -s -i "admin" config.dat

# Find all occurrences
hexwalk -s -a "password" database.db

Binary File Comparison

# Compare two files
hexwalk -c file1.bin file2.bin

# Identify differences
hexwalk -d original.exe suspicious.exe

# Generate diff report
hexwalk -c file1.bin file2.bin > comparison.txt

Advanced Forensic Analysis

Memory Dump Analysis

# Analyze memory dump
hexwalk memory.dump

# Examine specific memory region
hexwalk -o 0x400000 -n 4096 memory.dump

# Look for executable signatures
hexwalk -H "4D5A" memory.dump  # PE header

# Find string references
hexwalk -s "http://" memory.dump

Executable File Analysis

# Analyze PE executable
hexwalk malware.exe

# Look for function prologues (0x55 = PUSH RBP); note this matches every 0x55 byte,
# so the real entry point must be read from the PE optional header (AddressOfEntryPoint)
hexwalk -H "55" executable.exe

# Examine import address table
hexwalk -o 0x3000 -n 512 library.dll

# Identify packed sections
hexwalk -s "UPX" packed.exe
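Since a byte search for 0x55 only locates candidate prologues, the added example below (Python, not part of HexWalk) reads the entry point the way the PE format defines it: DOS header e_lfanew, "PE\0\0" signature, then AddressOfEntryPoint and ImageBase from the optional header. The sample header it parses is constructed inline and is not a runnable executable.

```python
# Added example (not HexWalk code): locate a PE entry point from the headers
# instead of searching for the 0x55 (PUSH RBP) opcode, which matches every 0x55 byte.
import struct

def pe_entry_point(data: bytes) -> dict:
    """Parse the DOS and PE headers; return machine, section count, entry RVA/VA.
    Raises ValueError when the buffer is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew at offset 0x3C holds the file offset of the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER (20 bytes)
    machine, nsections = struct.unpack_from("<HH", data, coff)
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    if magic == 0x20B:                         # PE32+ (64-bit): 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == 0x10B:                       # PE32 (32-bit): 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    return {"machine": machine, "sections": nsections, "entry_rva": entry_rva,
            "image_base": image_base, "entry_va": image_base + entry_rva}

def build_sample_pe64(entry_rva=0x1000, image_base=0x140000000) -> bytes:
    """Constructed minimal PE32+ header for the demo (headers only, no code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # PE signature right after the DOS header
    # Machine=x64, 1 section, no symbols, optional header size 0xF0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<Q", opt, 24, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    info = pe_entry_point(build_sample_pe64())
    print(f"entry RVA 0x{info['entry_rva']:X} -> VA 0x{info['entry_va']:X}")
```

Once the entry VA is known, `hexwalk -o <file offset>` can be pointed at the matching section instead of at every 0x55 byte.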

Data Carving and Recovery

# Find JPEG headers
hexwalk -H "FFD8FF" disk_image.img

# Locate ZIP archives
hexwalk -H "504B0304" unallocated.bin

# Search for PDF files
hexwalk -H "25504446" filesystem.img

# Extract carved data
hexwalk -s -e 0x1000 suspicious.bin output.bin

Interactive Mode Operations

# Enter interactive mode
hexwalk -i file.bin

# Commands within hexwalk:
# g <offset>   - Go to offset
# s <string>   - Search string
# h <hex>      - Search hex
# n            - Next match
# p            - Previous match
# q            - Quit
# h            - Help

Hex Editing Operations

# Open in edit mode
hexwalk -e file.bin

# Modify bytes at offset
# Enter hex values at prompted offset
# Save changes (w command)
# Exit without saving (q command)

# Create backup before editing
cp sensitive.bin sensitive.bin.bak
hexwalk -e sensitive.bin

File Type Identification

Common File Signatures

# Identify file type by magic bytes
hexwalk -n 4 unknown.file

# PE Executable (Windows .exe, .dll)
hexwalk -H "4D5A" *.exe

# ELF Executable (Linux)
hexwalk -H "7F454C46" *.bin

# ZIP/Office files
hexwalk -H "504B0304" *.docx

# PNG image
hexwalk -H "89504E47" *.png

# JPEG image (the FFD8FF prefix covers JFIF, Exif and other marker variants)
hexwalk -H "FFD8FF" *.jpg

# PDF document
hexwalk -H "25504446" *.pdf

Signature Scanning Scripts

#!/bin/bash
# Scan directory for specific signatures (regular files only; exit status signals a match)
for file in *; do
    [ -f "$file" ] || continue
    if hexwalk -H "4D5A" "$file" >/dev/null 2>&1; then
        echo "PE executable found: $file"
    fi
done

# Search multiple signatures
signatures=("4D5A" "7F454C46" "504B0304")
for sig in "${signatures[@]}"; do
    echo "Searching for $sig..."
    hexwalk -H "$sig" target.bin
done

Forensic Investigation Workflows

Malware Analysis Workflow

# 1. Initial examination
hexwalk suspicious.exe | head -100

# 2. Search for known patterns
hexwalk -s "cmd.exe" suspicious.exe
hexwalk -s "powershell" suspicious.exe

# 3. Identify sections
hexwalk -n 256 suspicious.exe

# 4. Extract suspicious data
hexwalk -s "http://" suspicious.exe
hexwalk -s "\\windows" suspicious.exe

# 5. Compare with known malware
hexwalk -c malware.exe suspicious.exe

Memory Forensics Workflow

# 1. Analyze memory dump
hexwalk memdump.img

# 2. Search for process structures ("PEB" is a structure name, not a literal string;
#    use it as an example of searching for known strings near process artifacts)
hexwalk -s "PEB" memdump.img

# 3. Find loaded modules
hexwalk -H "4D5A" memdump.img

# 4. Extract suspicious regions
hexwalk -o 0x00400000 -n 0x1000 memdump.img

# 5. Analyze network structures
hexwalk -s "127.0.0.1" memdump.img

Disk Forensics Workflow

# 1. Scan disk image
hexwalk disk.img | head -200

# 2. Find deleted files
hexwalk -H "FFD8FF" disk.img  # JPEG headers

# 3. Locate file system structures: the boot-sector signature 55 AA sits at offset 0x1FE
hexwalk -o 0x1FE -n 2 disk.img  # Boot sector signature

# 4. Carve data
hexwalk -s -e 0x1000 disk.img recovered.dat

# 5. Analyze partitions
hexwalk -o 0x10000 disk.img

Output Formatting and Export

Customized Output

# Show only hex, no ASCII
hexwalk --hex-only file.bin

# Show only ASCII, no hex
hexwalk --ascii-only file.bin

# Verbose mode with metadata
hexwalk -v file.bin

# Quiet mode (minimal output)
hexwalk -q file.bin

Saving Analysis Results

# Save hex dump to file
hexwalk file.bin > hexdump.txt

# Save with grep filtering
hexwalk file.bin | grep -i "admin" > admin_refs.txt

# Export specific range
hexwalk -o 0x1000 -n 512 file.bin > range.txt

# Create analysis report
hexwalk -v file.bin > analysis_report.txt 2>&1

Command Reference

Search Operations

| Operation | Syntax | Example |
|---|---|---|
| String search | hexwalk -s <string> <file> | hexwalk -s "admin" config.bin |
| Hex search | hexwalk -H <hex> <file> | hexwalk -H "48C7C0" binary.bin |
| Case-insensitive | hexwalk -s -i <string> | hexwalk -s -i "password" data.bin |
| Offset start | hexwalk -o <offset> | hexwalk -o 0x2000 file.bin |
| Byte limit | hexwalk -n <count> | hexwalk -n 1024 file.bin |
| Comparison | hexwalk -c <file1> <file2> | hexwalk -c orig.exe new.exe |

Advanced Techniques

Signature Analysis

# Create signature database
cat > signatures.txt << EOF
4D5A:PE Executable
7F454C46:ELF Binary
504B0304:ZIP Archive
EOF

# Multi-signature scan (read -r keeps backslashes in the database literal)
while IFS=: read -r sig type; do
    echo "Scanning for $type"
    hexwalk -H "$sig" target.bin
done < signatures.txt
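The signature loops in Data Carving and Recovery, Signature Scanning Scripts and the database scan above all do the same job: find magic bytes and report where they sit. The added example below (Python, not part of HexWalk) implements that scan stand-alone so the results can be checked without the tool, reporting every occurrence with its offset, verifying the 55 AA boot-sector signature at 0x1FE, and carving a range; the "disk image" it scans is constructed inline.

```python
# Added example (not HexWalk code): offline magic-byte scanner and carver that
# mirrors the hexwalk -H loops and the 0x1FE boot-sector check on this page.

# Signatures from the page's database; FFD8FF covers all JPEG marker variants.
SIGNATURES = {
    "PE Executable": bytes.fromhex("4D5A"),
    "ELF Binary":    bytes.fromhex("7F454C46"),
    "ZIP Archive":   bytes.fromhex("504B0304"),
    "PNG Image":     bytes.fromhex("89504E47"),
    "JPEG Image":    bytes.fromhex("FFD8FF"),
    "PDF Document":  bytes.fromhex("25504446"),
}

def scan_signatures(data: bytes) -> list:
    """Return (offset, type) for every occurrence of every signature, sorted by
    offset. Overlapping hits are kept, as a hex search in the editor would show them."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)    # advance one byte, not len(magic)
    return sorted(hits)

def has_mbr_signature(data: bytes) -> bool:
    """Boot-sector check from the disk workflow: bytes 0x1FE-0x1FF must be 55 AA."""
    return len(data) >= 0x200 and data[0x1FE:0x200] == b"\x55\xAA"

def carve(data: bytes, offset: int, length: int) -> bytes:
    """Copy `length` bytes from `offset` (what hexwalk -o/-n redirected to a file does)."""
    return data[offset:offset + length]

# Constructed sample image: a 512-byte boot sector followed by three embedded files.
SAMPLE = bytearray(0x600)
SAMPLE[0x1FE:0x200] = b"\x55\xAA"
SAMPLE[0x200:0x202] = b"MZ"                         # PE stub at 0x200
SAMPLE[0x300:0x304] = bytes.fromhex("FFD8FFE0")     # JFIF JPEG at 0x300
SAMPLE[0x400:0x404] = bytes.fromhex("504B0304")     # ZIP/Office file at 0x400
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for off, kind in scan_signatures(SAMPLE):
        print(f"0x{off:08X}  {kind}")
    print("MBR boot signature present:", has_mbr_signature(SAMPLE))
```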

Batch Processing

#!/bin/bash
# Analyze multiple files
for file in *.bin; do
    echo "=== Analyzing $file ==="
    hexwalk -v "$file" | head -50
    echo ""
done

# Generate summary report
for file in *; do
    size=$(hexwalk "$file" | wc -l)
    echo "$file: $size lines"
done > summary.txt

Data Extraction

# Extract specific range to new file
hexwalk -o 0x1000 -n 4096 large.bin > extracted.bin

# Extract between offsets
hexwalk -o 0x2000 -n 0x3000 file.bin > middle_section.bin

# Extract around pattern
hexwalk -s "MZ" file.bin -e 512 > around_match.bin

Common Use Cases

  • Malware analysis - Identify PE headers, imports, and suspicious strings
  • Memory forensics - Analyze memory dumps for artifacts and injected code
  • Data recovery - Locate and extract deleted files by signatures
  • Reverse engineering - Examine binary structure and assembly patterns
  • Breach investigation - Search for evidence of compromise in system files
  • Compliance validation - Verify proper data sanitization and deletion

Tips and Best Practices

  1. Always work with copies of forensic data
  2. Document all findings and offsets
  3. Use signature databases for known file types
  4. Compare suspicious files with known-good versions
  5. Save detailed analysis reports with timestamps
  6. Use grep to filter hexwalk output for specific patterns
  7. Maintain chain of custody documentation
  8. Verify findings with multiple methods

Troubleshooting

# File not found or permission denied
sudo hexwalk /restricted/file.bin

# Large file analysis
hexwalk -o 0x10000000 huge_file.bin

# Memory or resource issues (ulimit -n raises the open-file limit; ulimit -v shows the
# virtual-memory limit that actually governs large dumps)
ulimit -n 4096
hexwalk large.bin

# Search not finding matches
hexwalk -v -s "pattern" file.bin  # Verbose mode

# Encoding issues with strings
hexwalk --encoding utf-8 file.bin

HexWalk is essential for forensic examiners, security researchers, and incident responders who need to understand binary file structures and memory contents at the lowest level.