Binaire bestanden bekijken en wijzigen met de Linux-commando's hexedit en xxd

Linux systems support many file editors – such as vi, vim, neovim, ne, GNU Emacs, etc. But you can also install an editor that allows you to view the contents of binary files and make changes to them – hexedit.

With hexedit, you can edit images, executables, and other binary files, although you must know a lot about the file format you are editing in order to make effective changes that do not break the file format. After all, you will be editing one byte at a time. This does not mean that you cannot use this command to view or edit text files. There is little or no reason to do so.

Use hex editing

Despite the comment above about text files, the following example uses hexedit to view/modify a text file, but only to illustrate how the command displays the contents of the file and to suggest an easy way to get used to the way hexedit works.Edge computing gateway

$ hexedit myfile.txt

00000000 54 68 69 73 20 69 73 20 61 20 74 65 78 74 20 66 This is a text f

00000010 69 6C 65 20 74 68 61 74 20 49 20 63 72 65 61 74 ile that I create

00000020 65 64 20 75 73 69 6E 67 20 76 69 20 6F 6E 20 6D ed using vi on m

00000030 79 20 4C 69 6E 75 78 20 73 79 73 74 65 6D 2E 0A y Linux system..

00000040 49 74 20 63 6F 6E 74 61 69 6E 73 20 6F 6E 6C 79 It contains only

00000050 20 61 20 66 65 77 20 6C 69 6E 65 73 20 6F 66 20 a few lines of

00000060 74 65 78 74 2E 0A 54 68 65 20 45 6E 64 21 0A text..The End!.

The display above shows that a newline (“0A” in the hex output) appears as a period in the text on the right. Each additional 2-byte segment shown between the line number (hexadecimal) on the left and the text on the right represents a character. For example, the four double-byte strings (54 68 69 73) on the left side of the first line of text correspond to the word “This” shown on the right. If you want to change this word to “That”, you can tap the right arrow key to reach 9 and type “1”, then tap right again to reach 3 and type “4”. The text displayed on the right will be adjusted accordingly.

You can use ^s to search for specific bytes. You will be prompted to enter what you want to search for. If you want to save changes, exit with ^x and respond with “y”. Press and hold the down arrow key to scroll down the row of data.

Moving within a binary file will work the same way, but you have to understand what parts of the file you can change without breaking the file format.

Executable files usually start with something like this:

00000000 7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF…………

00000010 03 00 3E 00 01 00 00 00 10 6B 00 00 00 00 00 00 ..>……k……

00000020 40 00 00 00 00 00 00 00 40 22 02 00 00 00 00 00 @…..@”……

00000030 00 00 00 00 40 00 38 00 0D 00 40 00 1F 00 1E 00 ….@.8…@…..

00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 ……..@…….

00000050 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @…..@…..

00000060 D8 02 00 00 00 00 00 00 D8 02 00 00 00 00 00 00 …………

00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 …………

The ELF on the top line to the right of . identifies this file as an ELF file. ELF is the universal standard for executable files, but the content will not be readable text; it will be compiled code. If you were to change anything in this file, there’s a good chance it won’t run properly anymore and could cause a segmentation fault.

The hexedit command is sometimes used in cybercrime investigations because nothing is hidden from the viewer, so it can help find embedded malware, etc. However, it helps to know what you’re looking for and where you might find this data. It’s always a good idea to back up any file you plan to edit so you can easily restore it if the need arises.

The man page for the hexedit command describes how to move within files, exit without/without saving changes, perform searches, and perform other operations. Once you know which changes are valid, it’s very easy to move around the file and make changes.

Use xxd

The xxd command allows you to create a hex dump from a file. In other words, you get basically the same output as hexedit, but xxd only displays the output. It does not provide any way to edit the file contents. In the example below, we use xxd to display the hex content at the top of a jpg file along with the available hex-to-character translations. You may notice that the image in question appears to have been created using Photoshop.

$xxd micro.jpg | head

00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0048……JFIF…..H

00000010: 0048 0000 ffe1 004c 4578 6966 0000 4d4d .H….LExif..MM

00000020: 002a 0000 0008 0001 8769 0004 0000 0001 .*…….i……

00000030: 0000 001a 0000 0000 0003 a001 0003 0000 …………

00000040: 0001 0001 0000 a002 0004 0000 0001 0000 …………

00000050: 002a a003 0004 0000 0001 0000 0036 0000 .*…….6..

00000060: 0000 ffed 0038 5068 6f74 6f73 686f 7020 …..8Photoshop

00000070: 332e 3000 3842 494d 0404 0000 0000 0000 3.0.8BIM…..

00000080: 3842 494d 0425 0000 0000 0010 d41d 8cd9 8BIM.%…..

00000090: 8f00 b204 e980 0998 ecf8 427e ffc0 0011 …..B~….

You can also redirect the output of the xxd command to a file for later analysis.

$xxd micro.jpg > micro.txt

$ headmicro.txt

00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0048……JFIF…..H

00000010: 0048 0000 ffe1 004c 4578 6966 0000 4d4d .H….LExif..MM

00000020: 002a 0000 0008 0001 8769 0004 0000 0001 .*…….i……

00000030: 0000 001a 0000 0000 0003 a001 0003 0000 …………

00000040: 0001 0001 0000 a002 0004 0000 0001 0000 …………

00000050: 002a a003 0004 0000 0001 0000 0036 0000 .*…….6..

00000060: 0000 ffed 0038 5068 6f74 6f73 686f 7020 …..8Photoshop

00000070: 332e 3000 3842 494d 0404 0000 0000 0000 3.0.8BIM…..

00000080: 3842 494d 0425 0000 0000 0010 d41d 8cd9 8BIM.%…..

00000090: 8f00 b204 e980 0998 ecf8 427e ffc0 0011 …..B~….

Note that hexedit uses uppercase letters in its hexadecimal characters, while xxd uses lowercase letters and displays the value in four-byte chunks instead of two-byte chunks.

Samenvatten

The hexedit command can be used to display the contents of binary files (images, executables, etc.) and the xxd command can be used to display and save the contents of these files for later analysis in the format shown above.

X

Neem contact met ons op

Neem contact met ons op