A port of Kaitai to the Hiew hex editor

Introduction

Kiewtai is a HEM (aka plugin) for the Hiew hex editor that makes all the binary parsers from the Kaitai project available. This means you can get all the fields marked and decoded for dozens of popular file formats. You can also use the Kaitai format to write a new template for a file format you're analyzing.

Click here to see a list of all the formats supported by Kaitai.

Want to see it in action? See some Screenshots!

Installation

If you don't want to build it yourself, check out the releases tab.

Copy kiewtai.hem to your hem folder, which should be where you installed Hiew.

Usage

Press F11 and select Kiewtai: Kaitai Struct format parsers.

You will be shown a list of all supported parsers; select the one you want.

Kiewtai will highlight the different fields and add a comment describing each field.

Kiewtai JPEG Demo

Advanced Usage

If you want Kiewtai to analyze a section of a larger file, for example a firmware blob or a filesystem image, simply mark the section you want analyzed. If you work in DFIR, you probably call this "carving".

  • Press F2 to toggle between Simple and Detailed parsing.

The default parsing mode is verbose; try Simple if you prefer less detail.

  • Press F3 to enable or disable comments.

Kiewtai will add comments to Hiew describing each field; these are displayed as you navigate around. You can also browse and search them with F12.

  • Press F4 to enable or disable markers.

Kiewtai will add color markers by default so you can easily see where the different fields are. Press F4 if you don't like this.

  • Press F5 to search for a parser.

The list of parsers is quite long; press F5 and enter some search terms to narrow it down.
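The introduction says you can write a new Kaitai template for a format you're analyzing, and the carving note above mentions firmware blobs. Here is an added example of such a template (not part of the Kiewtai project or the Kaitai format gallery) for a hypothetical firmware container; the format, its magic bytes and field names are constructed for this illustration, and the `valid` bounds check assumes Kaitai Struct compiler 0.9 or later.

```yaml
# Added example: Kaitai Struct template for a constructed (not real)
# firmware container format, written the way a user template for Kiewtai
# would be. Every field declared here becomes a marked, commented region.
meta:
  id: demo_fw_container
  title: Hypothetical firmware container (constructed example)
  endian: le
seq:
  - id: magic
    contents: [0x46, 0x57, 0x43, 0x31]   # "FWC1": parse fails on mismatch
  - id: version
    type: u2
  - id: num_entries
    type: u2
    valid:
      max: 64                            # reject absurd counts from a corrupt header
  - id: entries
    type: entry
    repeat: expr
    repeat-expr: num_entries
types:
  entry:
    seq:
      - id: kind
        type: u1
        enum: entry_kind
      - id: reserved
        size: 3
      - id: ofs_body
        type: u4                         # offset of the payload from file start
      - id: len_body
        type: u4
      - id: crc32
        type: u4                         # recorded checksum of the payload
    instances:
      body:
        io: _root._io                    # resolve against the whole file, not the entry
        pos: ofs_body
        size: len_body
enums:
  entry_kind:
    1: bootloader
    2: kernel
    3: rootfs
```

Because `body` is a lazily evaluated instance, an entry whose offset or length points outside the file produces a parse error for that entry instead of silently marking unrelated bytes.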

Kiewtai EXE Demo

Notes

If you're a Hiew user and want to help make better documentation, click here!

This project uses the following third party libraries:

Please feel free to file an issue for any bugs, missing features or documentation!

Oh, and I pronounce Kiewtai "cue-tie". 🙂

Screenshots

Here are some screenshots of different Kiewtai screens.

Browsing a GIF header

You can see that the magic, version, descriptors and dimensions are all identified.

The comment shows Kiewtai knows the cursor is on the applicationId field.

The individual R/G/B bytes are highlighted, which makes the data look stripey. If that's too much verbosity, press F2 on the parser list and Kiewtai will reduce the level of detail it generates.

Showing the recognized fields in an EXE file.

You can load multiple Kaitai parsers at once; this screenshot shows the DosMz and MicrosoftPE parsers loaded simultaneously.

If you have an embedded file, simply mark it and Kiewtai will only analyze that block.

Kiewtai MZ/PE fields

Browsing the chunks of a PNG image.

The field names display as comments as you navigate around a file.

Kiewtai PNG chunks

Browsing Formats available.

Kaitai already has parsers for dozens of popular formats; you can see the full list online here. The list is long, so press F5 to search it.

Kiewtai Parser List

Automatically handle common subformats.

Here Kiewtai parsed a pcap file, and all the Tcp, Udp and Icmp packets and Ethernet frames inside the pcap are automatically recognized. This all happened automatically when loading the Pcap parser!

Viewing the MAC address

List all the PCAP fields

Building

If you don't want to build it yourself, check out the releases tab.

I used Visual Studio 2019 to develop Kiewtai.

This project uses submodules for some of the dependencies, so be sure to use a command like this to fetch all the required code:

git submodule update --init --recursive

  1. Download and install the Kaitai Struct compiler.
  2. If you don't have them already, install OpenJDK, GNU make, and GNU binutils.

If you use chocolatey, this command should be enough:

> choco install make openjdk mingw

  3. Open a Visual Studio Developer Command Prompt.
  4. Type make.exe

If everything worked, you should have a file called kiewtai.hem.

If you get "The system cannot find the file specified" errors, verify that objcopy.exe, make.exe and kaitai-struct-compiler.bat are all in your %PATH%.

Testing

There are some simple tests in the test directory that verify some common formats are working as expected.

Simply type make in the test directory to run them.

Author

Tavis Ormandy
