Comments on: Analyzing a Suspect WMF File

By: spinwobble.com » Dissecting a Suspect WMF File

spinwobble.com » Dissecting a Suspect WMF File — Thu, 30 Aug 2007 11:59:56 +0000

[...] is an amazing blog post. This guy, Randy Armknecht spotted a suspect WMF file and decided to analyze it further. The [...]

By: www.andrewhay.ca » Suggested Blog Reading - Wednesday August 29th, 2007

www.andrewhay.ca » Suggested Blog Reading - Wednesday August 29th, 2007 — Wed, 29 Aug 2007 21:56:52 +0000

[...] Analyzing a Suspect WMF File – Great article Didier! My analysis will show that this WMF file doesn’t contain shellcode. I use a tool I discovered recently, the 010 Editor, a professional hex editor with binary templates. Binary templates allow you to define the structure of a binary file with a C-like scripting language. A binary file parsed with a template is much easier to understand, as you will see. Unfortunately, I found no free alternative for this tool. [...]

By: Didier Stevens

Didier Stevens — Wed, 29 Aug 2007 16:40:12 +0000

Thanks for looking for free alternatives. I tried to find some free alternatives before posting this (see http://en.wikipedia.org/wiki/Comparison_of_hex_editors). I didn’t install them, I just looked at screenshots.

But I’ll find some time to play with Tiny Hex.

Please feel free to add your suggestions.

By: Daniel Bruce

Daniel Bruce — Wed, 29 Aug 2007 16:00:21 +0000

I’d just like to mention a free hex editor called “tiny hexer” as a free alternative to that editor. It touts a “structure viewer” feature which seems to aim to serve the same purpose as those templates. The scripting language used to run these scans seems less straight-forward, though. (You have to explicitly write out any info you want shown, f.ex.)
Even so, it might still be worth a look for the monetarily disabled.
It’s available from http://www.mirkes.de/en/freeware/tinyhex.php