{"id":17988747,"url":"https://github.com/taviso/kiewtai","last_synced_at":"2025-03-25T23:30:30.416Z","repository":{"id":48694916,"uuid":"265011806","full_name":"taviso/kiewtai","owner":"taviso","description":"A port of Kaitai to the Hiew hex editor","archived":false,"fork":false,"pushed_at":"2020-05-20T20:57:02.000Z","size":4051,"stargazers_count":148,"open_issues_count":7,"forks_count":13,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-20T22:03:56.338Z","etag":null,"topics":["binary-analysis","carving","dfir","hexeditor","reverse-engineering"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/taviso.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-05-18T17:27:52.000Z","updated_at":"2025-03-12T07:02:43.000Z","dependencies_parsed_at":"2022-09-16T19:23:13.699Z","dependency_job_id":null,"html_url":"https://github.com/taviso/kiewtai","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fkiewtai","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fkiewtai/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fkiewtai/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/taviso%2Fkiewtai/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/taviso","download_url":"https://codeload.github.com/taviso/kiewtai/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositori
es_count":245560896,"owners_count":20635652,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-analysis","carving","dfir","hexeditor","reverse-engineering"],"created_at":"2024-10-29T19:12:41.040Z","updated_at":"2025-03-25T23:30:26.972Z","avatar_url":"https://github.com/taviso.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Introduction\n\nKiewtai is a HEM (aka plugin) for the [Hiew](http://www.hiew.ru/) hex editor\nthat makes all the binary parsers from the [Kaitai](https://kaitai.io/) project\navailable. This means you can get all the fields marked and decoded for dozens\nof popular file formats. You can also use the Kaitai format to write a new\ntemplate for a file format you're analyzing.\n\n\u003e Click [here](https://formats.kaitai.io/) to see a list of all the formats\n\u003e supported by Kaitai.\n\nWant to see it in action? 
See some [Screenshots](#screenshots)!\n\n\n# Installation\n\n\u003e If you don't want to build it yourself, check out the\n\u003e [releases](https://github.com/taviso/kiewtai/releases) tab\n\n\nCopy `kiewtai.hem` to your `hem` folder, which should be where you installed\n`hiew`.\n\n# Usage\n\nPress `F11` and select `Kiewtai: Kaitai Struct format parsers`.\n\nYou will be shown a list of all supported parsers, select the one you want.\n\nKiewtai will highlight the different fields, and add a comment describing the\nfield.\n\n![Kiewtai JPEG Demo](doc/kiewtai-jpg.gif)\n\n# Advanced Usage\n\n\u003e If you want Kiewtai to analyze a section of a larger file, for example you\n\u003e have a firmware blob or filesystem image, simply\n\u003e [mark](https://taviso.github.io/hiewdocs/?query=mark%20a%20block) the section\n\u003e you want analyzed. If you work in DFIR, you probably call this \"carving\".\n\n - Press `F2` to toggle between Simple and Detailed parsing.\n\nThe default parsing mode is verbose, try this if you prefer.\n\n - Press `F3` to enable or disable comments.\n\nKiewtai will add comments to Hiew describing each field, these are displayed as\nyou navigate around. You can also browse and search them with `F12`.\n\n- Press `F4` to enable or disable markers.\n\nKiewtai will add color\n[markers](https://taviso.github.io/hiewdocs/?query=assign%20a%20color) by\ndefault so you can easily see where the different fields are. 
Press `F4` if you\ndon't like this.\n\n- Press `F5` to search for a parser.\n\nThe list of parsers is quite long, press `F5` and enter some search terms if\nyou like.\n\n![Kiewtai EXE Demo](doc/kiewtai-exe.gif)\n\n# Notes\n\n\u003e If you're a Hiew user and want to help make better documentation, click \n\u003e [here](https://github.com/taviso/hiewdocs)!\n\nThis project uses the following third party libraries:\n\n- HEM SDK v0.53 [http://www.hiew.ru/](http://www.hiew.ru/)\n- Kaitai Struct v0.9 [https://kaitai.io/](https://kaitai.io/)\n- Duktape v2.5.0 [https://duktape.org/](https://duktape.org/)\n- JSMin [http://crockford.com/javascript/](http://crockford.com/javascript/)\n\nPlease feel free to file an issue for any bugs, missing features or documentation!\n\nOh, and I pronounce Kiewtai \"cue-tie\". 🙂\n\n# Screenshots\n\nHere are some screenshots of different Kiewtai screens.\n\n## Browsing a GIF header\n\nYou can see the magic, version, descriptors, dimensions are all identified.\n\nThe comment shows Kiewtai knows the cursor is on the `applicationId` field.\n\n\u003e The individual R/G/B bytes are highlighted, which makes the data look\n\u003e stripey. 
If that's *too* much verbosity, press `F2` on the parser\n\u003e list and Kiewtai will reduce the level of detail it generates.\n\n![Screenshot](doc/kiewtai.png)\n\n\n## Show the recognized fields in an EXE file.\n\nYou can load multiple Kaitai parsers at once, this screenshot shows the\n[DosMz](https://formats.kaitai.io/dos_mz/index.html) and\n[MicrosoftPE](https://formats.kaitai.io/microsoft_pe/index.html) parsers\nloaded simultaneously.\n\nIf you have an embedded file, simply\n[mark](https://taviso.github.io/hiewdocs/#mark) it and Kiewtai will only\nanalyze that block.\n\n![Kiewtai MZ/PE fields](doc/kiewtai-fields.png)\n\n## Browsing the chunks of a PNG image.\n\nThe field names display as comments as you navigate around a file.\n\n![Kiewtai PNG chunks](doc/kiewtai-png.png)\n\n## Browsing Formats available.\n\nKaitai has parsers for dozens of popular formats already made, you can see the\nfull list online [here](https://formats.kaitai.io/). The list is long; type\n`F5` to search it.\n\n![Kiewtai Parser List](doc/kiewtai-formats.png)\n\n## Automatically handle common subformats.\n\nHere Kiewtai parsed a pcap file, and all the Tcp, Udp, Icmp, packets and\nEthernet frames inside the pcap are automatically recognized. This all happened\nautomatically when loading the Pcap parser!\n\n![Viewing the MAC address](doc/pcap-srcmac.png)\n\n\n![List all the PCAP fields](doc/pcap-listfield.png)\n\n# Building\n\n\u003e If you don't want to build it yourself, check out the\n\u003e [releases](https://github.com/taviso/kiewtai/releases) tab\n\nI used Visual Studio 2019 to develop Kiewtai.\n\nThis project uses submodules for some of the dependencies, be sure that you're\nusing a command like this to fetch all the required code.\n\n```\ngit submodule update --init --recursive\n\n```\n\n1. Download and Install the [Kaitai Struct compiler](https://kaitai.io).\n2. 
If you don't have them already, install Open JDK, GNU make, and GNU binutils.\n\nIf you use chocolatey, this command should be enough:\n\n```\n\u003e choco install make openjdk mingw\n```\n\n3. Open a Visual Studio Developer Command Prompt.\n4. Type `make.exe`\n\nIf everything worked, you should have a file called `kiewtai.hem`\n\n\u003e If you get `The system cannot find the file specified` errors, verify\n\u003e `objcopy.exe`, `make.exe` and `kaitai-struct-compiler.bat` are all in your\n\u003e `%PATH%`.\n\n## Testing\n\nThere are some simple tests in the `test` directory that verify some common\nformats are working as expected.\n\nSimply type `make` in the `test` directory to run them.\n\n# Author\n\nTavis Ormandy \u003ctaviso@gmail.com\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Fkiewtai","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftaviso%2Fkiewtai","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftaviso%2Fkiewtai/lists"}