mtivadar edited this page Jul 18, 2015 · 21 revisions

Qiew hex editor, PE file viewer

Functions

  • Main window

    • TAB will change view mode
    • F2 switch between view/edit mode
    • SHIFT + arrows will begin selection, also works with PageUp/PageDown
    • CTRL + arrows will scroll vertically/horizontally by one line
    • s will jump over bytes of same value
    • e will go to next qword of value 0
    • / opens search window
    • n search next
    • b search previous
    • F10 opens dropper window. Dropped bytes are saved in same file name + '.drop' suffix
      • From current selected text or whole file
      • Type specifies what to drop
        • Binary will drop byte values
        • Hex will drop text, every byte value represented as two hex digits, values separated by space. eg '90 90 90 4d 5a'
        • PE will drop all PE files contained in selection or file
  • PE

    • F3 will change address mode between Relative Virtual Address/Virtual Address/File Address
    • [ and ] will iterate through sections
    • 0 will jump to overlay if present
    • F7 jumps to Entry Point
    • ALT+g opens/closes go to window
      • VirtualAddress/FileAddress/RVA values are possible
      • hex values must be written with 0x prefix
      • available symbols: EP entry point, END end of file
      • eg. EP - 0x100
    • ALT+h opens/closes header view
    • ALT+d opens/closes directory window
      • Enter goes to directory start
      • F9 selects directory entry
    • ALT+s opens/closes sections view
      • Enter goes to section starting offset
      • F9 selects entire section
    • ALT+i opens/closes import view
      • Enter goes to import entry in IAT
    • ALT+e opens/closes export view
    • ALT+v opens/closes version info view
    • ALT+f closes the window
  • BootSector

    • F3 will change address mode between File Address and Memory Address. The latter assumes that the code is loaded at 0x7c00
    • ALT+p opens/closes partition table view
    • [ and ] iterates through partitions
    • ALT+g opens/closes go to window
      • MemAddress/FileAddress values are possible
  • Binary

This plugin loads the file if no other plugin recognizes the file format. Go to, text selection and the dropper are available, as is jumping over bytes of the same value with 's'.
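
The dropper's PE and Hex types described above can be reproduced outside the editor, for example to carve embedded executables from a sample in a script. The following is an added example, not Qiew's own code: it uses only the standard library, the function names are hypothetical, and the sample buffer is constructed. Bytes after the last section (overlay) are not included in the carved image.

```python
import struct

def pe_size(buf, off):
    """On-disk size of a PE image starting at off, or 0 if the headers do not check out."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return 0
    nt = off + struct.unpack_from("<I", buf, off + 0x3C)[0]    # e_lfanew
    if nt + 24 > len(buf) or buf[nt:nt + 4] != b"PE\x00\x00":
        return 0
    nsec, = struct.unpack_from("<H", buf, nt + 6)              # NumberOfSections
    opt, = struct.unpack_from("<H", buf, nt + 20)              # SizeOfOptionalHeader
    table = nt + 24 + opt                                      # first section header
    if table + 40 * nsec > len(buf):
        return 0
    size = table + 40 * nsec - off                             # headers only, so far
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, table + 40 * i + 16)
        size = max(size, raw_ptr + raw_size)                   # end of section raw data
    return min(size, len(buf) - off)                           # truncated input: clamp

def carve_pe(buf):
    """Return (offset, image_bytes) for every validated MZ/PE header in buf."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        size = pe_size(buf, pos)
        if size:
            found.append((pos, buf[pos:pos + size]))
        pos = buf.find(b"MZ", pos + 1)       # PEs nested inside another are reported too
    return found

def hex_drop(data):
    """Two hex digits per byte, separated by spaces, as in the Hex drop type."""
    return " ".join("%02x" % b for b in data)

def _sample_pe(payload):
    """Constructed minimal image: DOS header, PE signature, COFF header, one section."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), 0x80, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + sect + payload

# Constructed sample: padding, two images back to back, then a bare "MZ" decoy.
PE_A, PE_B = _sample_pe(b"\xCC" * 16), _sample_pe(b"\x90" * 32)
SAMPLE = b"\x90\x90\x90" + PE_A + PE_B + b"MZ-decoy"

if __name__ == "__main__":
    for offset, image in carve_pe(SAMPLE):
        print("PE at 0x%x, %d bytes: %s ..." % (offset, len(image), hex_drop(image[:8])))
```

The decoy shows why a bare MZ match is not enough: only offsets whose e_lfanew leads to a PE\x00\x00 signature are carved.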

Highlights

  • PE plugin

    • MZ, PE\x00\x00 are highlighted
    • ASCII text is highlighted
    • WIDECHAR(ascii) text is highlighted
    • call [IAT] instructions are also highlighted
  • Bootsector plugin

    • partition table is highlighted

Text Selection

In every plugin, when text is selected, all occurrences of the current selection are also highlighted.

Binary view mode

binview

Hex view mode

hexview

Disassembly view mode

disasmview

Powered by: Python, Qt4, Terminus font, pefile, distorm
