Helium Hex Editor Documentation

Helium Hex Editor

Helium Hex Editor

   - Toolbar
   - Statusbar
   - Keyboard shortcuts
   - Open capabilities
   - Multiple views of same document
   - Command line support

Toolbar

First Row
	Create file or allocate memory (Ctrl+N)
	Open files, process memory, kernel memory, partition, drive, S-Record or Intel Hex (Ctrl+O) See Open menu
	Apply changes to the active document (Ctrl+S)
	Discard all changes for the active document
	Save all changes in all opened documents
	Save As / Export current document. Full or partial document saving or export.Export can be done in text, rtf, html, C array, Java array, Asm array, S-Record or Intel Hex
	Display current document properties. Properties dialog depends of current document type
	Delete current file
	Release allocated memory (process memory, kernel memory)
	Display bytes distribution for the active document
	Compute and display entropy for the active document (used to identify the different parts of a file)
	Display the compare dialog
	Compute and display entropy across multiple documents or multiple network packets (used to analyze files header or network protocols)
	Display the cryptography dialog
	Display the data identifier dialog
	Display the Portable Executable (PE) dialog
	Display the disassembly dialog
	Display the join dialog
	Display the split dialog
	Display the resize file dialog
	Display the change file date and time dialog
	Plugin menu. Depends of available plugins. Plugins folder location is "HeliumPlugins64" for 64 bits version, and "HeliumPlugins" for 32 bits version Plugin software development kit is available under directory "HexControlPluginsSDK"
	Show window list. Allow a quick navigation to an opened window or document
	Close multiple dialogs or search results

Second Row
	Address and size display mode (hexadecimal or integer)
	Select little endian (Intel) representation
	Select big endian (Motorola) representation
	Display / Hide ascii column
	Display / Hide unicode column
	Display the opened documents dialog. Allow a quick navigation to an opened document, or document closing
	Display the bookmarks dialog
	Display all basics type (int8, int16, int32, int64) in different format for the current document location
	Display the struct viewer dialog
	Display the Microsoft specific struct viewer dialog
	Display the options dialog
	Display Help / Help menu (about , register, check for update, bug report)

Third Row
	Refresh the content of the current document
	Undo the last operation on the current document
	Redo the last operation on the current document
	Display the set current selection dialog
	Cut
	Copy / Copy As
	Paste
	Display the insert dialog
	Display the fill selection with dialog
	Display the data operation dialog
	Navigate backward
	Navigate forward
	Display the goto dialog
	For memory containing valid and invalid blocks, this menu allows to quickly jump to begin and end of current block, or to go to previous or next valid memory block
	Display the search dialog
	Display the replace dialog
	Display the search strings dialog
	Display ASCII table
	Display the strings / hexa quick converter dialog

Statusbar

Status bar display the following information:
   - Mouse position for active document
   - Caret position for active document
   - Size of active document
   - OVR / INS : Overwrite or Insert mode for the active document
   - RW / RO : Read Write or Read Only mode for the active document

Keyboard shortcuts

Shortcut	Description
Ctrl + N	New
Ctrl + O	Open
Ctrl + S	Save
Ctrl + G	Goto
Ctrl + F	Find
Ctrl + H	Replace
Ctrl + A	Select All
Ctrl + C	Copy
Ctrl + X	Cut
Ctrl + V	Paste
Ctrl + Ins	Copy
Shift + Del	Cut
Shift + Ins	Paste
Ctrl + Z	Undo
Ctrl + Y	Redo
Ctrl + +	Zoom In
Ctrl + -	Zoom Out
Ctrl + Mouse Wheel	Zoom In / Out

Open capabilities

Open process memory

Notice: Helium Hex Editor must have been started with administrator rights to access some processes
On Win 10, to access OS protected processes, the driver ProtectedProcessesAccess64.sys must have been signed

To open process memory, first select the process in the process list (You can refresh the list if new processes were launched after the display of the current dialog)
Next you can choose to open the full process memory, or specific module or raw addresses range

Open Kernel memory

Notice: to allow access to kernel memory, your operating system must all unsigned driver, or you need to test sign the driver and allow test driver signing.
A reboot may be required the first time to enable OS changes to be taken into account.
Next Helium Hex Editor must be run with administrator rights, and driver (KernelMemoryAccess64_v3s.sys for 64 bit or KernelMemoryAccess_v3s.sys for 32 bit) must have been signed

To open kernel memory, first you need to specify which kind of memory you want to access:
- Virtual Memory : like kernel modules or virtual allocated kernel memory
- Physical Memory : direct access to devices IO or device memory

Kernel Module Selection

Computer Resource Selection

Open disk or partition

Notice: Helium Hex Editor must have been started with administrator account to allow access to drives and partitions

To open a disk or a partition, just select the disk or the partition and next click Open

Open S-Record / Intel Hex

S-Record and Intel Hex will be display as memory with potentially invalid area if any.

Saving document will directly generate the S-Record / Intel Hex

Header, start address, records types, memory block remapping, memory block addition or removal
can be done from the

properties dialog for the active document

Open Registry

To display the content of a Windows registry key value, fill the key name and value name, and next click the Ok button

Open OLE file

The open OLE file dialog allow multiple operations described in OLE file operations
Notice : New OLE files can be created through the New menu

Multiple views of same document

By right clicking the tab of a document, you can clone it (right or bottom)
This allows to get multiple views of the same document.
Document is opened only once and will be closed when all views will have been closed

Command line support

HeliumHexEditor64.exe FilePath [OptArgs] : opens specified file in Helium Hex Editor
  Optional arguments:
    ReadOnly open document in read only mode

    Goto= set caret at the specified offset
    SelSize= selection size from Goto

    Type=file/memory/disk/drive/srec/intelhex/ole/registry (file by default)

    ProcessId= specify the process id (only for memory Type)

    DiskId= specify the disk id (only for disk and drive if no drive letter)

    PartitionId= specify the partition id (only for drive if no drive letter)

    DriveLetter= specify the drive letter (only for drive if no DiskId and PartitionId)

    Stream= specify the ole stream name (only for ole). If Stream name is inside a substorage, name will be SubStore0\SubStore1\...\SubStoreN\StreamName

    Notice : In case of 'Type=registry' option, the syntax of 'FilePath' is 'KeyPath:ValueName' like HKEY_CURRENT_USER\Software\Microsoft\Calc:Window_Placement