GitHub - MalwareMechanic/FileInsight-plugins: FileInsight-plugins: tiny plugins for McAfee FileInsight hex editor useful for various kind of decoding tasks in malware analysis.

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 59 Commits
ARC4 decrypt		ARC4 decrypt
Binary to hex text		Binary to hex text
Byte frequency		Byte frequency
Bzip2 compress		Bzip2 compress
Bzip2 decompress		Bzip2 decompress
Copy to new file		Copy to new file
Custom base64 decode		Custom base64 decode
Custom base64 encode		Custom base64 encode
Decremental XOR		Decremental XOR
Delete after		Delete after
Delete before		Delete before
Fill		Fill
Find PE file		Find PE file
Guess 256 byte XOR keys		Guess 256 byte XOR keys
Gzip compress		Gzip compress
Gzip decompress		Gzip decompress
Hash values		Hash values
Hex text to binary		Hex text to binary
Incremental XOR		Incremental XOR
Invert		Invert
LZNT1 compress		LZNT1 compress
LZNT1 decompress		LZNT1 decompress
Null-preserving XOR		Null-preserving XOR
ROT13		ROT13
Raw deflate		Raw deflate
Raw inflate		Raw inflate
Reverse order		Reverse order
Send to		Send to
Swap nibbles		Swap nibbles
Swap two bytes		Swap two bytes
TrID		TrID
Visual decrypt		Visual decrypt
Visual encrypt		Visual encrypt
XOR hex search		XOR hex search
XOR text search		XOR text search
XOR with next byte		XOR with next byte
aPLib compress		aPLib compress
aPLib decompress		aPLib decompress
LICENSE.txt		LICENSE.txt
README.ja.txt		README.ja.txt
README.txt		README.txt

Repository files navigation

FileInsight-plugins: tiny plugins for McAfee FileInsight hex editor

These plugins would be useful for various kind of decoding tasks in malware analysis
(e.g. extracing malware executables and decoy documents from malicious document files).

How to use:
Please copy plugin folders to %USERPROFILE%\Documents\FileInsight\plugins .
You need Python 2.7 (x86) installed in addition to FileInsight.

*** IMPORTANT NOTE ***
Python 2.7.11 causes FileInsight to crash. Please use 2.7.10 or try the workaround
described in http://www.hexblog.com/?p=949 .


For the "aPLib compress" and "aPLib decompress" plugins, they require aplib.dll.
Please download aPLib from http://ibsensoftware.com/download.html and copy
aplib.dll (32 bits version) into these plugin folders.

For the "ARC4 decrypt" plugin, it requires PyCrypto Python module.
Please get it from http://www.voidspace.org.uk/python/modules.shtml#pycrypto .

For the Find PE file plugin, it requires pefile Python module.
Please get it from https://code.google.com/p/pefile/ .

For the "Send to" plugin, please edit launcher.py to run your favorite programs.

For the TrID plugin, please edit TRID_PATH variable in main.py according to
your TrID installation path.


List of plugins:
* aPLib compress
  Compress selected region with aPLib compression library

* aPLib decompress
  Decompress selected region with aPLib compression library

* ARC4 decrypt
  Decrypt selected region with ARC4 (Alleged RC4)

* Binary to hex text
  Convert binary of selected region into hex text

* Byte frequency
  Show byte frequency of selected region (the whole file if not selected)

* Bzip2 compress
  Compress selected region with bzip2 algorithm

* Bzip2 decompress
  Decompress selected region with bzip2 algorithm

* Custom base64 decode
  Decode selected region with custom base64 table

* Custom base64 encode
  Encode selected region with custom base64 table

* Copy to new file
  Copy selected region (the whole file if not selected) to new file

* Decremental XOR
  XOR selected region while decrementing XOR key

* Delete after
  Delete all region after current cursor position

* Delete before
  Delete all region before current cursor position

* Fill
  Fill selected region with specified hex pattern

* Find PE file
  Find PE file from selected region (the whole file if not selected)

* Guess 256 byte XOR keys
  Guess 256 byte XOR keys from selected region (the whole file if not selected)
  based on the byte frequency

* Gzip compress
  Compress selected region with gzip format

* Gzip2 decompress
  Decompress selected gzip compressed region

* Hash values
  Calculate MD5, SHA1, SHA256 hash values of selected region (the whole
  file if not selected)

* Hex text to binary
  Convert hex text of selected region into binary

* Incremental XOR
  XOR selected region while incrementing XOR key

* Invert
  Invert bits of selected region

* LZNT1 compress
  Compress selected region with LZNT1 algorithm

* LZNT1 decompress
  Decompress selected region with LZNT1 algorithm

* Null-preserving XOR
  XOR selected region while skipping null bytes and XOR key itself

* Raw deflate
  Compress selected region with Deflate algorithm without header and checksum
  (Equivalent to gzdeflate() in PHP language)

* Raw inflate
  Decompress selected Deflate compressed region that does not have header and
  checksum (Equivalent to gzinflate() in PHP language)

* Reverse order
  Reverse order of selected region

* ROT13
  Decode selected region with ROT13 algorithm

* Send to
  Send selected region (the whole file if not selected) to other programs

* Swap nibbles
  Swap each pair of nibbles of selected region

* Swap two bytes
  Swap each pair of bytes of selected region

* TrID
  Send selected region (the whole file if not selected) to TrID

* Visual encrypt
  Encode selected region with visual encrypt algorithm that is used by Zeus trojan

* Visual decrypt
  Decode selected region with visual decrypt algorithm that is used by Zeus trojan

* XOR hex search
  Search XORed / bit-rotated data in selected region (the whole file
  if not selected)

* XOR text search
  Search XORed / bit-rotated string in selected region (the whole file
  if not selected)

* XOR with next byte
  XOR selected region while using next byte as XOR key

Author: Nobutaka Mantani (Email: nobutaka@nobutaka.org, Twitter: nmantani)
License: The BSD 2-Clause License (http://opensource.org/licenses/bsd-license.php)