Hiew Documentation Project

This page is an easy-to-use list of Hiew documentation.

Help find that shortcut you've forgotten, or remind yourself how a feature works.

If you'ld like to help contribute corrections, demos or documents, click here.

If you have javascript enabled, clicking most shortcuts will load a demo image, showing how the feature works.

Key Description
*

Mark/unmark a block, this is like visual mode in Vim, it selects a contiguous region of bytes. Press * to start a block under cursor, then use the cursor keys to move to extend the block. Press * again to mark the end. Only one block can be active at a time.

You can use most navigation shortcuts while marking a block, here are some common examples:

  • Mark to the end of the file, use * then Ctrl End
  • Mark to the beginning of the file, use * then CtrlHome
  • Mark until search result, use * then F7, or CtrlEnter for next match
  • Mark from here until offset, use * then F5.
Press * again when the cursor is over the position you want the block to end.

See Alt* if you need to resize an existing block, you don't have to start again if you made a mistake!
ctrl*
Add the whole file to the current block, this is useful if you want to remove everything except the section you're working on. To do that, type Ctrl*, move to the new end, and type Alt *.
You can also use this to exclude a section from a search, by changing the search scope to block.
alt*
Resize block to current offset. Move the start of the current block to the current cursor position.
altm

Assign a color to the active block. You can change the colors asssigned to different fields to help differentiate them quickly, this is useful to mark header fields. Note that the color persists even if you start a new block.

To move around in the color selection dialog, use , , , and .

When you use colors, hiew will ask if you want to save them when you exit. Colors are saved to a .cmarkers file that is automatically reloaded when you start hiew.

I like to group similar fields together with the same color, but sometimes you just want to differentiate a field and don't care which color is used, use Shift AltM, which assigns a random color.
AltN jumps to the next marked block, which is very handy to skim through a file that was already colored by kiewtai for example (use Shift to jump to the previous marked block).
[
Move to the start of the current block.
]
Move to the end of the current block.
ins
Toggle insert/overwrite block mode, the current mode is displayed in the status indicator.
f2
Write block, save the current block to a file.
ctrlf2
Read block, insert or overwrite data with contents from a file. Use Ins to toggle insert or overwrite mode.
The block is inserted at the current cursor location, so position it at the start of the block with [ if necessary.
Include, Source, Incbin, Load, Insert
altf2
Fill block, fill the selected block with a repeating pattern. This is usually used with a single byte, e.g. nop, but you can insert a pattern of any length.
If you use this shortcut in code view without an active block, the current instruction will be nopped, this is handy if you want to eliminate an unwanted call.
Replace, Fill, Initialize, Pattern, Nop
shiftf2
Delete marked block, the block is removed and the file truncated.
shiftf5
Copy marked block, this duplicates the active block at the current cursor position. This operation can use insert or overwrite mode, use Ins to toggle it.
shiftf6
Move marked block, this is a copy and delete operation in one. This operation can use insert or overwrite mode, use Ins to toggle it.
+
Save the current location to the bookmarks stack. Bookmarks are quick and easy ways to jump around and explore, but only a limited number are available.
Hiew can only save 8 bookmarks. If you need more than that you should use comments instead with ;. You can add an unlimited number of comments, which are added to the Names window. You can also name a location with Shift F12.
Each view (hex, text, code) has it's own bookmark stack. Changing view will not discard bookmarks.
-
Restore the last bookmarks state. The last state is indicated by a diamond symbol in the bookmark indicator. See also BkSp and 0.
alt-
Delete current bookmark, the current bookmark is indicated by a diamond symbol in the bookmark indicator.
alt0
Clear all bookmarks.
bksp
Return to the previous location. For example, if you use F5 to jump to an offset and change your mind, use this to return quickly.
This is also useful if you want to follow a call or jmp in code view, then want to return. Following branches uses the number keys in code view, see e.g. 1, 2, etc.
For following offsets or references, see e.g. F6, ShiftF9, ShiftF10, ShiftF11, and others.
Alt1


Alt2


Alt3


Alt4


Alt5


Alt6


Alt7


Alt8
Restore a saved bookmark by number. Bookmarks are saved with +.
ctrl.
Start or stop recording a macro. An 'R' is displayed in the title bar, and all actions are recorded. Macros can be saved, loaded, organized, played and configured from the macro manager, Ctrl-.
ctrl0


ctrl1


ctrl2


ctrl3


ctrl4


ctrl5


ctrl6


ctrl7


ctrl8
Play a saved macro by number. Macros can be saved, loaded, organized, played and configured from the macro manager, Ctrl-.
Enter
Switch to Hex, Code, or Text mode. You can safely switch modes without losing any context. I'm used to quickly switching through modes if I'm not sure what the data I'm looking at is.
See also, F4.
CtrlEnd
Move the cursor to the end of the file.
See also, CtrlHome.
Here is an example workflow, I wanted to replace the last few bytes of a file with another file...

  1. First move to the end of the file, CtrlEnd.
  2. Start a new selection with *.
  3. Move backwards, or enter a relative number of bytes with F5.
    For example, to move backwards 123 bytes use F5 -123t Enter.
    The 't' suffix means decimal, the default input base is hex.
  4. End the slection with *.
  5. Make sure you're in overwrite mode, hit Insert to toggle.
  6. Press CtrlF2 to open the ReadBlk dialog, you will be prompted to enter the filename and other parameters.

What should you do if the section you're replacing and the new file are different sizes?

  • If you wanted to initialize the selection first because the new file is smaller, just use AltF2.
  • If you wanted to shrink or grow the selection, delete it with ShiftF2 and then switch to insert mode with Insert.
  • The default settings will simply truncate the new file and warn you. That means unused parts of the new file will be unread, and old bytes will be left as they were.

CtrlHome
Move the cursor to the start of the file.
See also, CtrlEnd.
Esc
In hex, code or text mode, Esc will exit hiew without updating the timestamp of the file. If you do want to update the timestamp, use F10.
The Esc key usually cancels or exits the current mode, it only exits Hiew if there is no other operation to cancel.
Tab
Open the next file from file history. From within Hiew, you can open a new file with F9, then quickly switch between open files with Tab. This is the equivalent of :tabnew then :tabnext in vim, or buffers in emacs.
Use the file history manager to manage open files, CtrlBkSp.
CtrlF11


CtrlF12
Open the previous/next file in command line arguments.
Also works when used with a wildcard parameter like *.exe.
Even more useful when opened with a specific opening parameter such as /oc=oep for example, which directly show disassembly at the entry point of every file in the command line.
altb
Enable or disable beeps.
altp
Save a (text) screenshot of the current screen for future reference. The screen can be saved to a file, or to the clipboard.
The Shift F4 Print Block command does the same with the currently selected block, which can be as small or as big as needed.
alt=
Start calculator. The calculator is a 64bit programming calculator, supports the standard C logical, bitwise, and comparison operators.
You can enter numbers using C notation, or masm-like suffixes (0fffh), octal, binary, decimal and hex are supported.
The most useful feature is reading data from the cursor to use in calculations, to do this use @ followed by a type code.
For example, to multiply the QWORD under the cursor by two, use @Q*2.
The calculator remembers it's state, so it's safe to close it and look around, then return to it when you need to.
The calculator is the best way to see what a value is in other bases, simply open the calculator and type @DEnter to see the DWORD under the cursor in binary, hex and decimal.
OperatorMeaning
+Sum
-Difference
*Product
/Quotient
%Remainder
~Bitwise Not
&Bitwise And
^Bitwise Xor
|Bitwise Or
!Logical Not
&&Logical And
||Logical Or
<Less than
>Greater than
>=Greater than or Equal
<=Less than or Equal
<<Shift Left
>>Shift Right
==Equal
!=Not Equal

Prefix / SuffixBase
0..octal
0x..hexadecimal
..ibinary
..ooctal
..tdecimal
..hhex

@codeMeaning
@bsigned char
@Bunsigned char
@wsigned short
@Wunsigned short
@dsigned long
@Dunsigned long
@qsigned long long
@Qunsigned long long
@olocal offset
@Oglobal offset
As far as I'm aware there is no way to use the @ syntax in anything other than little endian byte order. If you need big endian i.e. network byte order, then you will have to shift the bytes around with << and |. If you need that a lot, make a macro with Ctrl..
The default input base is hex, this won't be surprising if you've used windbg, but might be surprising if you're used to gdb. Append a t to decimal numbers.
Use the Up/Down keys to move the calculator around.
ctrlalt
Show some information about the current file, hiew, and the system. Includes full path, file size, free memory, the last error message displayed, and so on.
ctrlBkSp
Shows a list of all opened files, and allows you to switch between them, or close them.
ctrlenter
If a previous search exists, find the next match. If you don't have a previous search, hiew will prompt you for one. See also F7.
If you want to change the string encoding (e.g. unicode), see AltF8.
ShiftF7 does the same thing.
AltF7 changes the next search direction. It displays the direction in the status.
;

Enter a comment for the current instruction or location. Comments are displayed when the cursor is over the commented location. If you to search, browse or go to a previous comment, use the Names window, F12.

Comments can be saved and loaded between sessions, or imported from plain text files. The format for importing or exporting from text is simply offset *comment. Offset can be any hiew offset format, see F5. The * is required.

A location can have a name and a comment.
F3

Enter edit mode. The cursor changes to a caret and the bookmark indicator displays "EDITMODE".

To exit from editmode, press Esc to exit and discard your changes, or F9 to exit and save them.

In hex mode, use Tab to switch between hex and character input. In code mode, Tab switches between opcodes (hex) and assembler mode.

The default cursor is a block █, and the edit cursor is a caret |.
In hex mode, you can choose what character set to use, you don't have to manually enter NULs for UTF-16 strings! Use the translation table, which is AltF8.
F4
Switch directly to Hex, Code, or Text mode by selecting the mode you want from a menu. See also, Enter.
F5

Goto offset. You can enter a relative offset, absolute offset, or virtual address.

The default input base is hexadecimal. If you want decimal, use the t suffix, e.g. 189t. See the notes on the calculator for more number format information, Alt=.

  • To enter an offset relative to the current position, use +offset or -offset.
  • To enter an absolute offset, use offset.
  • To enter a virtual address, use .address.

If you're navigating around a file, you probably want something like ShiftF9 to follow the offset under the cursor, there are many variants of this operation.
Use PgDn to show the entry history.
F6

Find code references to this location, use CtrlF6 to find the next match and BkSp to go back.

This is similar to xrefs in IDA, it will find the next location that calls or jmps to the current address. Therefore, this is mostly useful when the cursor is on a function entry point.

This works well for quickly navigating, but use IDA if you need this to be reliable.
If you want to find all references to an import, select the import from the import view, F8F7, then choose one with Enter, then keep pressing CtrlEnter to cycle through them. You can also filter by DLL, ordinal, and so on.
f7

Search for a string, instruction, or sequence of bytes. To switch between string and hex entry, use Tab. Esc will cancel the search.
To repeat the last search, use CtrlEnter.

While in the search dialog, you can select:

  • F2Search direction (backwards/forwards).
  • F4Search scope (file, or active block).
  • F6Toggle UTF-16 Even/Odd offset.
  • F7Call assembler to search for an instruction.
You can't toggle between unicode/ascii searches from within the search dialog, do that first with AltF8.
If you type more than 3 non-Hex characters in the Hex entry (which is the default one), it will automagically switch to ASCII and remember what you typed so far.
You can type single-char wildcards in your search with Alt?.
f8

View and edit PE, ELF, Mach-o etc headers. Hiew supports most common EXE formats. When applicable, many tables can be browsed and edited with F3. Some of the common tables are, imports F7, exports F9, sections F6, and so on.

If you want to go to the entry point, the quickest way is F8F5.

If you are not editing an executable file, then this view will show some minimal com header.
shiftf3

Insert bytes at the current position. The file is extended and the number of bytes requested are inserted. The new bytes will all be nuls.

Once the bytes are created them, you can edit them by pressing F3.

If you want the new bytes to contain a value pattern, create the bytes and then use AltF2.
If you want to insert the contents of a file instead, see CtrlF2. You don't need to create the bytes first, simply switch to insert mode.
AltF6

Displays a strings search dialog.

While in the strings dialog, you can use:

  • -/+ change the minimum size of listed strings.
  • F6 cycles through strings type (ASCII, Odd and Even Unicode).
  • F2 displays the offsets in front of the strings.
  • F9 gives the option to filter strings.
1 2 3 4 5 6 7 8 9 A

Hiew automatically assigns a shortcut key to every branch in code view, so you can easily follow jmp, call, or other control flow instruction.

The assigned shortcut is displayed next to the instruction with an arrow indicating the direction of the branch, either ↑ or ↓.

If you change your mind, press BkSp to return to the previous location.
ctrlf1

Change the opcode size, cycle between 16bit, 32bit and 64bit instruction set. This is useful if you're trying to extract the shellcode from an exploit and hiew used the wrong instruction set to decode it.

The current mode is displayed next to the bookmark indicator.

If you want to change the architecture, not the size (e.g. ARM instead of x86_64), use ShiftF1.
altf3

Opens the Crypt dialog. It's an editor for a tiny subset of x86 to manipulate data. Choose the data size it's operating with F2.

The rules:

  • At the start of each loop iteration, AL/AX/EAX/RAX gets the data under the current pointer.
  • The code loops automatically at position 1 if it's not specified.
  • At the end of the loop, the current value in AL/AX/EAX/RAX gets written at the pointerbefore it's incremented.

For example, this code in Byte mode will fill the current block with 00 01 02 03 04...:

1 mov al, cl
2 add cl, 1

Explanation:

  1. CL's current value is copied to AL (CL is initially set to 0).
  2. CL value is incremented.
  3. The code is finished, so AL's value will be copied to the start of the block, the pointer will be incremented by one, and the crypt interpreter loops to 1, which will load the next data value to AL.

You can also use the output of the Crypt interpreter while editing with F7. When editing, you can open the Crypt dialog again with CtrlF7.
f11

Open the HEM menu, which allows you to load Hiew plugins. HEMs can extend Hiew to add additional functionality and features.

Press F6 to see information about each module.

A HEM exports what filetypes it supports. If you don't see a HEM you need, it might not be registered for this file type. If you are certain you still want to use it, you can unhide it with F5.
The • symbol indicates the module is loaded and available, you can unload it with F9.
f12

Open the Names window, which allows you to browse symbols and comments. You can name any location in a file by moving the cursor there and pressing ShiftF12.

Each location can have a name and a comment, to add comments see ;.

Comments are prefixed with a ; symbol.

Hiew uses a binary format for saving names by default. If you want to import names from another tool, use F12 instead. This can parse a simple text format, here is an example: 

.00000001`40000050  Symbol
Hiew can also produce this format for other tools, use ShiftF12.

You can use something like this to export names from an ELF file.
$ nm a.out | awk '{print "."$1,$3}' | sed 's/$/\r/'
Here is an example hiew workflow using names.

I was using an ELF binary that printed a deprecation warning everytime I used it, and I wanted to hide that warning.

  1. First, I exported the symbol names using nm.
  2. I imported those symbols using F12.
  3. I found the message I wanted to hide with F7
  4. I pressed F6 to find references to that string.
  5. Browsing the code around the reference, I found the call to printf.
  6. I entered edit mode with F3, then NOPped the call instruction with AltF2.
  7. Saved the file with F9.

/

Resynchronize disassembly from the current offset. If the disassembly was desynchronized because of mixed code and data, force it to resynchronize by moving the offset under the cursor to the top.

This is useful if you are analyzing some code embedded in a file, but hiew didn't know where the code starts. Move the cursor to the start of the first instruction, then press /.