Using Linux hexedit and xxd commands to view and modify binary files

Linux systems support a number of file editors – like vi, vim, neovim, ne, GNU Emacs etc. But you can also install an editor that allows you to view the contents of and make changes to binary files–hexedit.

With hexedit, you can edit images, executables and other binaries, though you have to know a lot about the format of the file you’re editing to make valid changes that don’t disrupt the file’s format. After all, you’ll be editing one byte at a time. This is not meant to imply that you can’t use this command for viewing or editing text files. There’s just little or no reason to do that.

Using hexedit

In spite of the comment above about text files, the example below is using hexedit to view/modify a text file, but only to illustrate how the content of a file is displayed by the command and suggest an easy way to get used to how hexedit works.

$ hexedit myfile.txt
00000000   54 68 69 73  20 69 73 20  61 20 74 65  78 74 20 66  This is a text f
00000010   69 6C 65 20  74 68 61 74  20 49 20 63  72 65 61 74  ile that I creat
00000020   65 64 20 75  73 69 6E 67  20 76 69 20  6F 6E 20 6D  ed using vi on m
00000030   79 20 4C 69  6E 75 78 20  73 79 73 74  65 6D 2E 0A  y Linux system..
00000040   49 74 20 63  6F 6E 74 61  69 6E 73 20  6F 6E 6C 79  It contains only
00000050   20 61 20 66  65 77 20 6C  69 6E 65 73  20 6F 66 20   a few lines of
00000060   74 65 78 74  2E 0A 54 68  65 20 45 6E  64 21 0A     text..The End!.

The display above shows that linefeeds (“0A” in the hex output) appear as periods in the text on the right. Each of the other 2-byte segments displayed between the line numbers on the left (in hex) and the text on the right represents a single character. For example, the four two-byte strings (54 68 69 73) on the left of the first line of text correspond to the word “This” as shown on the right. If you wanted to change this word to “That”, you could tap your right arrow key to reach the 9 and then type “1” and then tap to the right again to reach the 3 and type “4”. The text shown on the right will adjust accordingly.

You can use ^s to search for specific bytes. You’ll be prompted to enter what you are searching for. Use ^x to exit and respond with a “y” if you want to save the changes. Press and hold the down arrow key to slide down through the lines of data.

Moving around in binary files will work the same way, but you have to understand what portions of the file you can change without disrupting the file format.

Executable files will generally start with something like this:

00000000   7F 45 4C 46  02 01 01 00  00 00 00 00  00 00 00 00  .ELF............
00000010   03 00 3E 00  01 00 00 00  10 6B 00 00  00 00 00 00  ..>......k......
00000020   40 00 00 00  00 00 00 00  40 22 02 00  00 00 00 00  @.......@"......
00000030   00 00 00 00  40 00 38 00  0D 00 40 00  1F 00 1E 00  ....@.8...@.....
00000040   06 00 00 00  04 00 00 00  40 00 00 00  00 00 00 00  ........@.......
00000050   40 00 00 00  00 00 00 00  40 00 00 00  00 00 00 00  @.......@.......
00000060   D8 02 00 00  00 00 00 00  D8 02 00 00  00 00 00 00  ................
00000070   08 00 00 00  00 00 00 00  03 00 00 00  04 00 00 00  ................

The .ELF on the top line on the right identifies this file as an ELF file. ELF is a common standard for executable files, but the content is not going to be readable text; it will be compiled code. If you were to change anything in this file, there’s a good chance that it would no longer run properly and some likelihood it would cause a segmentation fault.

The hexedit command is sometimes used for cybercrime investigations because no content is hidden from the viewer, so it can help find embedded malware and such. It helps, however, to have some idea what you’re looking for and where that data is likely to be found. It’s always a good idea to back up whatever file you plan to edit so that you can easily revert to it if needed.

The man page for the hexedit command describes how to move around in the file, exit with/without saving your changes, conduct searches and do other things. Moving around within the files and making changes is surprisingly easy once you know what changes will be valid.

Using xxd

The xxd command allows you to create a hex dump from a file. In other words, you get basically the same output as with hexedit, but xxd only displays the output. It doesn’t provide any way to edit the file content. In the example below, we use xxd to display the hexadecimal content of the top of a jpg file along with the hex-to-character translations that are available. As you might notice, the image in question appears to have been created with Photoshop.

$ xxd micro.jpg | head
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0048  ......JFIF.....H
00000010: 0048 0000 ffe1 004c 4578 6966 0000 4d4d  .H.....LExif..MM
00000020: 002a 0000 0008 0001 8769 0004 0000 0001  .*.......i......
00000030: 0000 001a 0000 0000 0003 a001 0003 0000  ................
00000040: 0001 0001 0000 a002 0004 0000 0001 0000  ................
00000050: 002a a003 0004 0000 0001 0000 0036 0000  .*...........6..
00000060: 0000 ffed 0038 5068 6f74 6f73 686f 7020  .....8Photoshop
00000070: 332e 3000 3842 494d 0404 0000 0000 0000  3.0.8BIM........
00000080: 3842 494d 0425 0000 0000 0010 d41d 8cd9  8BIM.%..........
00000090: 8f00 b204 e980 0998 ecf8 427e ffc0 0011  ..........B~....

You can also redirect the output of the xxd command into a file for later analysis.

$ xxd micro.jpg > micro.txt
$ head micro.txt
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0048  ......JFIF.....H
00000010: 0048 0000 ffe1 004c 4578 6966 0000 4d4d  .H.....LExif..MM
00000020: 002a 0000 0008 0001 8769 0004 0000 0001  .*.......i......
00000030: 0000 001a 0000 0000 0003 a001 0003 0000  ................
00000040: 0001 0001 0000 a002 0004 0000 0001 0000  ................
00000050: 002a a003 0004 0000 0001 0000 0036 0000  .*...........6..
00000060: 0000 ffed 0038 5068 6f74 6f73 686f 7020  .....8Photoshop
00000070: 332e 3000 3842 494d 0404 0000 0000 0000  3.0.8BIM........
00000080: 3842 494d 0425 0000 0000 0010 d41d 8cd9  8BIM.%..........
00000090: 8f00 b204 e980 0998 ecf8 427e ffc0 0011  ..........B~....

Notice that hexedit uses capital letters in its hex characters while xxd uses lowercase letters and presents that values in four-byte chunks instead of two-byte chunks.

Wrap-Up

The hexedit command can be used to display the content of binary files (images, executables and such) and the xxd command can be used to display and save the content of these files for later analysis in the format displayed above.