Introduction
FsPlus is an implementation of an idea that allows you to access non-disk files
as if they were disk files.
Hiew+ is a real life example of FsPlus where we take Hiew
(an excellent hex editor) and turn it into an excellent process editor.
Each process is viewed as a file whose size is the value of
SYSTEM_INFO.lpMaximumApplicationAddress.
In theory FsPlus should work with any hex editor to provide process memory editing,
but this release only supports Hiew.
Usage
To use FsPlus, you need to inject FsPlus.dll into Hiew's process memory
so that the APIs are hooked. Once the APIs are hooked, FsPlus recognizes and
treats specially any file name of the form "pid|1234",
where 1234 is a given PID.
To make usage even simpler, we provide a small GUI (FsPlusGui) that lets you
launch Hiew conveniently.
In fact, Hiew+ can be considered as a nice addition to IDA Pro's debugger or any other debugger.
Here's a small screenshot when you run FsPlusGui:
You will need to double click on a process to have Hiew or the desired process
launched.
Make sure you specify the settings correctly in FsPlus.ini:
[settings]
title=Hiew+ (c) lallous <lallousz-x86@yahoo.com>
hookdll=.\fsPlus.dll
launch=c:\hiew\hiew32.exe
Features
After you run it successfully, you will be able to start editing processes as if you were editing files.
The catch is that every virtual address in the process is now a physical offset in Hiew.
Modules as IMAGE_SECTION_HEADERs
For your convenience we have created additional IMAGE_SECTION_HEADER structures
in the PE header of the main process, so that each loaded module is viewed as a
PE section:
Textual information about process' modules
In addition to viewing modules as PE sections, you will have an actual representation of all loaded modules just after the end of the PE header:
No Read Errors
To avoid read errors and the like, any unreadable memory page is filled with the "BAD!" pattern.
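The file-style view described above (the "pid|1234" name, virtual address used as file offset, size bounded by lpMaximumApplicationAddress, and the "BAD!" fill), as an added example that is not FsPlus's own code. The page_reader callback is a hypothetical stand-in for a per-page ReadProcessMemory call; the 4 KB page size and the page-aligned pattern are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PAGE 4096u /* assumed page size */

/* Hypothetical stand-in for a per-page ReadProcessMemory call:
   returns 1 and fills out[PAGE] if the page is readable, else 0. */
typedef int (*page_reader)(uint32_t pid, uint64_t page_va, uint8_t *out);

/* Parse the special name "pid|1234"; returns 1 and sets *pid on success. */
int parse_pid_name(const char *name, uint32_t *pid)
{
    char *end;
    unsigned long v;
    if (strncmp(name, "pid|", 4) != 0 || name[4] < '0' || name[4] > '9')
        return 0;                       /* ordinary disk file name */
    v = strtoul(name + 4, &end, 10);
    if (*end != '\0' || v > 0xFFFFFFFFul)
        return 0;                       /* trailing junk or out of range */
    *pid = (uint32_t)v;
    return 1;
}

/* Serve a "file" read where file offset == virtual address. The read never
   fails inside [0, max_addr]; unreadable pages come back as "BAD!BAD!...".
   Returns the byte count, short only at the end of the address space. */
size_t read_as_file(page_reader rd, uint32_t pid, uint64_t max_addr,
                    uint64_t off, uint8_t *buf, size_t len)
{
    uint8_t page[PAGE];
    size_t done = 0;
    while (done < len && off <= max_addr) {
        uint64_t base = off & ~(uint64_t)(PAGE - 1);
        size_t in_page = (size_t)(off - base);
        size_t n = PAGE - in_page;                 /* bytes left in this page */
        if (n > len - done) n = len - done;
        if (max_addr - off < n - 1) n = (size_t)(max_addr - off) + 1;
        if (!rd(pid, base, page))                  /* unreadable: fill pattern */
            for (size_t i = 0; i < PAGE; i++) page[i] = (uint8_t)"BAD!"[i & 3];
        memcpy(buf + done, page + in_page, n);
        done += n;
        off += n;
    }
    return done;
}

/* Constructed sample: only the page at 0x10000 is readable (all 0xAA). */
int demo_reader(uint32_t pid, uint64_t page_va, uint8_t *out)
{
    (void)pid;
    if (page_va != 0x10000) return 0;
    memset(out, 0xAA, PAGE);
    return 1;
}
```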
Physical and Logical disk editing
This is not something added by FsPlus; rather, it is a "less" documented feature of Hiew32: you can run it with a disk's device name and have it edit the disk.
Using the provided GUI you can easily do just that.
Conclusion
This tool has been tested with Windows Vista (32) and Windows XP SP2 and with Hiew 7.29.
Hope you find this tool as useful as Hiew itself.
Feel free to contact me if you have any ideas or questions.
Oh btw, here's the download link.