Dumping File Contents in Hex (in PowerShell)

Published: 2019-07-10. Last Updated: 2019-07-10 13:49:46 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

I got to thinking about file dumps in hexadecimal this week.  This is something I do at least a few times a week - usually to look at file headers or non-printable characters for one reason or another.

File headers will usually let you know what type of file you're looking at (no matter what the file extension is).  More here on that: https://linux.die.net/man/1/file

When looking at or for non-printable characters, this can be for any number of reasons, but almost always it's to figure out what some crazy application is doing with CRLF (Carriage Return / Line Feed) so that I can fix the output to properly feed the next script or tool, or so that Word will read it correctly (which I guess is the same thing).

Anyway, the go-to tool for this is XXD:

# xxd /usr/bin/vi | more
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
00000010: 0300 3e00 0100 0000 b0b4 0600 0000 0000  ..>.............
00000020: 4000 0000 0000 0000 a066 3000 0000 0000  @........f0.....
00000030: 0000 0000 4000 3800 0900 4000 1d00 1c00  ....@.8...@.....
00000040: 0600 0000 0500 0000 4000 0000 0000 0000  ........@.......
00000050: 4000 0000 0000 0000 4000 0000 0000 0000  @.......@.......
00000060: f801 0000 0000 0000 f801 0000 0000 0000  ................

More on XXD here (or type"man xxd"): https://linux.die.net/man/1/xxd

If you're on a stripped-down Linux version, something like busybox, XXD won't be there (it comes with VIM, not VI), but often those distro's will still have the "hexdump" command:

# hexdump -C /bin/vi | more
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  03 00 03 00 01 00 00 00  88 63 00 00 34 00 00 00  |.........c..4...|
00000020  6c bf 05 00 00 00 00 00  34 00 20 00 08 00 28 00  |l.......4. ...(.|
00000030  1f 00 1c 00 06 00 00 00  34 00 00 00 34 00 00 00  |........4...4...|
00000040  34 00 00 00 00 01 00 00  00 01 00 00 05 00 00 00  |4...............|
00000050  04 00 00 00 03 00 00 00  34 01 00 00 34 01 00 00  |........4...4...|
00000060  34 01 00 00 13 00 00 00  13 00 00 00 04 00 00 00  |4...............|

But what if you're on a customer Windows host?  And what if they haven't installed any of the Linux tools?  Well, as you might guess, "PowerShell to the rescue!"  Powershell's "format-hex" command gives you much the same output:

PS C:\> Get-Content \windows\system\cmd.exe |format-hex |more


           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   4D 5A 3F 00 03 00 00 00 04 00 00 00 3F 3F 00 00  MZ?.........??..
00000010   3F 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ?.......@.......
00000020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030   00 00 00 00 00 00 00 00 00 00 00 00 3F 00 00 00  ............?...
00000040   0E 1F 3F 0E 00 3F 09 3F 21 3F 01 4C 3F 21 54 68  ..?..?.?!?.L?!Th
00000050   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
00000060   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
00000070   6D 6F 64 65 2E                                   mode.


Better yet, format-hex handles multiple encodings, so if you have a specific character encoding to work with, "-encoding" is your friend!  The default is UTF8BOM (for "byte order marker"), "unicode" encoding will give you UTF-16

The full "format-hex" docs are here (along with dozens of other places that google will find for you): https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/format-hex?view=powershell-6
(or "get-help format-hex")

More on the various encoding options here: https://docs.microsoft.com/en-us/dotnet/api/system.text.encoding.codepage?view=netcore-2.2

If you've seen a situation where you needed a different method to accomplish this task, please use our comment form to share!!

===============
Rob VandenBrink
Coherent Security

Keywords: formathex powershell
0 comment(s)

Comments

Login here to join the discussion.


Top of page
Diary Archives