VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

The Hiew Plugin framework

roy g biv
September 2009

[Back to index] [Comments]

What is it?

Many people know about Hiew. It is great tool for viewing and editing files. It supports arithmetic operations and has an assembler, so it can be used for all kinds of reverse-engineering, unpacking, decrypting, etc. In case that was not enough functionality, it also supports plugins.


It is amazing, but I never used Hiew before until recently. Immediately, I wondered if a Hiew virus could be possible. There is an API to open the file for writing, so it is possible to infect the file that is being examined.

Hiew Plugins are DLL files with a special extension. The extension to use is "hem". The plugin must contain one export. This export must be called "Hem_Load". The export points to a function. The function receives a pointer to a hiewinfo_tag structure. We use only two fields in the structure. They are the gate and handle fields. The gate field contains the pointer to Hiew functions. The handle field contains the value that identifies the file uniquely. All functions that we call must pass the handle, else the function will fail.

The structure also contains a field that receives a pointer to a heminfo_tag structure. We must set in there the pointer to our heminfo_tag structure. The heminfo_tag structure contains everything about our plugin. It tells the name to display in the plugin list, the mode when the plugin can be called, and the entrypoint for the plugin.


The Hiew API is easy to use. We create a structure which contains the ID of the function to call, then pass the structure to the gate function. Hiew will change the structure if the function will do that (such as GETDATA), or read or write bytes in the file, etc.

When the plugin entrypoint is called, the file being examined can be accessed. Before then, no API can be called. We can find out about the file being examined by calling the GETDATA function. The GETDATA function fills in a structure that contains the filename and filesize, with some other things. I was interested only in the file size, since I use it for an infection marker, and the filename since I want to check for files protected by SFC.

Since Hiew supports read and write of the file, we have almost everything that we need to infect the file, in very oldskool way. :) There is no file mapping here, no SEH. The only thing that was missing for me was the check for SFC. For that, I needed three functions from kernel32.dll. They are GetProcAddress, LoadLibraryA, and MultiByteToWideChar. Yes, Hiew is complete ASCII internally. It cannot support Unicode, so we must convert the filename ourselves. I used the GETDATA function to get the filename, then convert to Unicode with MultiByteToWideChar, LoadLibraryA(sfc.dll), and GetProcAddress of SfcIsFileProtected. Everything else can be done with Hiew API. The read and write functions accept a structure that contains the file offset, so there is no seek function necessary. Hiew takes care to remove the read-only attribute when the file is opened for write.

What about stealth?

An obvious extension to the infection via plugin is to stealth the result. As it is right now, the changes don't show until the file is opened again, but by the time the plugin is loaded, Hiew has loaded the whole file, and I couldn't find a way to load automatically to hide the code. That's for someone else to discover. ;)

W32.Hiewg virus source code

Greets to friendly people (A-Z):

Active - Benny - izee - jqwerty - Malum - Obleak - Prototype - Ratter - Ronin - RT Fishel - sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna - Whitehead

rgb/defjam sep 2009
[email protected]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka