ImHex: An Open Hex Editor For The Modern Hacker

It’s little surprise that most hackers have a favorite text editor, since we tend to spend quite a bit of time staring at the thing. From writing code to reading config files, the hacker’s world is filled with seemingly infinite lines of ASCII. Comparatively, while a hex editor is a critical tool to have in your arsenal, many of us don’t use one often enough to have a clear favorite.

But we think that might change once you’ve taken ImHex for a spin. Developer [WerWolv] bills it specifically as the hex editor of choice for reverse engineering, it’s released under the GPL v2, and runs on Windows, Linux, and macOS. Oh, and did we mention it defaults to a slick dark theme designed to be easy on the eyes during those late night hacking sessions — just like your favorite website?

ImHex is packed with all sorts of useful tools and functions, such as an entropy visualizer and an integrated front-end for the Capstone disassembler. But arguably its most powerful feature is the custom C++ and Rust inspired pattern language used to define structures and data types, which allows for automatic file parsing and annotation. The language is expansive enough to have its own documentation, and there’s a whole second GitHub repository that contains community-developed patterns for file types ranging from Microsoft’s USB Flashing Format (UF2) to DOOM WAD files.

The pattern language allows known elements of the file to be automatically identified and marked.

Admittedly, all this capability comes with a certain degree of heft — especially if you’re used to poking around in hexedit. The documentation says you’ll need at least 500 MB of RAM and hardware accelerated graphics just to get into the party, and it only goes up from there depending on the complexity of the analysis you’re doing. But while ImHex is a thoroughly modern piece of software in terms of scope and size (the source code alone weighs in at 30 MB), in our testing it always felt responsive — no sign of that “heavy” feel you sometimes get when running something like an Electron app.

Is it a far more complex program than you need to just flip a few bytes around? Absolutely. In fact, we’d wager the average user will never even use half of the capabilities offered up by ImHex, and could probably make do with something much simpler for day to day use. But for that one time you need to get your hands dirty and really dig into a file, you’ll be glad those capabilities are there — and that’s a good enough reason to keep it installed and at the ready in our book.

35 thoughts on “ImHex: An Open Hex Editor For The Modern Hacker

  1. Wow, that looks fantastically full-featured! I will definitely be trying it out soon. For some years I’ve been using xvi32 as a SendTo for it’s simplicity, and hexed.it due to it universal availability.
    I really appreciate the screenshots right up front of what it looks like.

    1. I been using xvi32 since I used to edit my .d2d save files to reset my skills, I really didn’t thought that I’ll see that name pop again in my life, but whenever I need a hex editor , it has been my choice through all of this years

  2. FWIW I have had good results using the online hex editor http://hexed.it
    Especially handy on locked-down work PCs where installing a new hex editor would be difficult.
    I imagine that the one discussed here also does this, but I found the fact that it parses the data from the selected byte in a number of ways, including the major date formats, particularly useful for reverse-engineering binary file formats.

  3. A bit of an off-topic rant.

    The system requirements state:
    “OS: Windows 7 or higher, macOS 10.15 (Catalina) or higher, “Modern” Linux (Ubuntu 22.04, Fedora Stable/Rawhide, and Arch Linux have official packages, other distributions can use the AppImage)”

    So, it can use either a ~10 year old Windows, ~3 year old MacOS, or Linux installed yesterday. When attempting to build on a (admiteddly, not-so-recent-but-still-supported) Linux Mint 19, it told me that the build requires GCC 12, which – according to the release page – is barely a few months old. Come on!

    Do other Linux user make a habit of reinstalling or upgrading their distribution every year-or-so?

    /rant off
    Thankfully the AppImage works on my ancient distro. The editor itself looks quite nice (after setting up a reasonable font) and surprisingly performant.

    1. I’ve noticed that a lot of OSS have a tendency to use almost bleeding edge dependencies (and some do). I can see the case of using up to date dependencies due to security reasons for known CVE’s, but it’s not very hard to use a stable version that is supported by most LTS distros instead of that version that dropped last week.

      What really grind my gears is when they have a bleeding edge dependency for a few functions at most making it impossible to build unless you run a nightly build distro. It’s just plain stupid and shows a lack of competence as a developer.

    2. Mint 19 was released in 2018 and this is its final year of long-term support, so I don’t think it’s too unreasonable to start seeing some cracks form after that kind of time. That being said, ImHex requiring a cutting-edge GCC did burn me when I tried to use it previously. Had to wait until binary releases started getting pushed out.

    3. Supporting older distributions is a considerable amount of work. Currently the project I work on supports back to Ubuntu 12.04 (end of life 2017) but the next release will be abandoning anything older than Debian Buster. The main reason for this is Python2 and Gtk2 but there are other issues too including features of asciidoc required to enable web-translation of the documents. We even self-backport a number of packages to earlier distributions through our own repository just so the older distributions can work.
      A measure of the complexity can be seen in the support matrix:
      http://wiki.linuxcnc.org/cgi-bin/wiki.pl?MinimumSoftwareVersions

    4. Ow, the minimum requirements are a bit too high for a special-purpose text editor. 😔

      None of my retro x86 systems meet those requirements. It’s Windows 98, XP, Windows 3.1+Win32s, DOS+HX Extender, OS/2 Warp+Odin etc.

      When reading the article, I was almost starting dreaming of a Win32s port here, but this thing won’t be Windows 98SE compatible, even.

      I guess WinHex and XVI32 will stay a but longer then.

    5. > Do other Linux user make a habit of reinstalling or upgrading their distribution every year-or-so?

      Nope, other Linux users use modern rolling distros so they’re always up-to-date – there’s no need to upgrade/reinstall every year (I use Arch btw).

    1. I approve of your taste in gaming, fellow keyboard netbattler.

      And I do wish more programs would lean into the “movie hacker” aesthetic while keeping functionality… I shouldn’t have to have ascii-mode Dwarf Fortress open on another monitor taking up half my cpu just to make it look like my system is doing some Real Hacking™, and you can only leave nmap poking random IPs for so long before you get a knock at your door. Where’s our software equivalent of blinkenlights?

      1. and while you are at it; modify a few “choice” bytes.

        … every moveable item in DOOM has a weight,
        including (but not limited-to barrels, demons, and even you.
        there is also a respawn timer,
        and if an item does not respawn (a multiplayer-mode feature),
        just switch it on.

        so with more then one re-spawning barrel in a narrow hallway,
        you’ll be laughing so much you’ll have to remember to breathe XD
        (levels have been created to take advantage of this)

  4. Back in the days I always carried a floppy with HIEW with me. Nowadays I use Pascal Rigaux’ hexedit because it uses mmap to access the files and therefore isn’t limited to the amount of RAM.

  5. Brings a flashback of *cough* backward engineering dos games using a pencil and large sheets of paper using pc tools deluxe on dos. And either changing a few bytes to NOP’s or changing a “Jump if equal” instruction to “Jump if not equal”.

  6. Wow, the MacOS version is completely b0rked. For one it’s not signed/notarised so normal people won’t be able to open it but more importantly the scaling is way off: everything in the window is too tiny to read. This is on M1. That’s another thing: it’s an Intel app.

  7. Nice, kind of editor I need for my everyday work as the description language is nice way to avoid counting bytes.
    The only drawback is the non standard UI (your vintage kink is ok, but keep it for you), not available for linux VM unless you have a bleeding edge distro (which is never the case in corporate world). So it’s slow and crash a lot.

  8. > To compile ImHex on any platform, GCC (or Clang) is
    > required with a version that supports C++23 or higher.

    That sounds like a script kiddy toy. Almost the newest and shiny?? Get a live.

    Olaf

  9. hahah i don’t like it

    for hex editing…i know there’s an open source tool that does the same thing but i’ve been using this hack forever…i have a tool called ‘adump’ (a for ASCII, because i have another one for another charset) that takes a binary file and produces a text file, and ‘apick’ that is the inverse operation. so i edit the hex in nvi. for interpretting a single number, i use ‘dc’ (base conversion) or ‘fpnumdump’ (another private hack) that decodes FP numbers in the 3 different formats that i have to use. for interpretting a structured file, just like imhex, i use a language to describe it…that language is usually C. sometimes i use ‘strings’ or ‘objdump’.

    i mean, i don’t like color, and i don’t like bloat, and man, this is a lot of bloat compared to my use cases! i also don’t like one-offs that i don’t use for anything else. for example, i use ‘dc’ and ‘fpnumdump’ to decode hex numbers that i come across from a wide variety of sources, but this thing only does files? i live in a world where interactive debugger sessions get copy and pasted into emails. and i use C for everything.

    i don’t like massive hardware dependencies (hardware accelerated graphics?? what???) and i don’t like massive software dependencies. i’ll have my braindead tools long after the imhex community gives up breaking backwards compatibility every day (yes, in 10 years if it’s not abandoned, it will still rely on the zero-day linux dependencies).

    i use unix specifically because i don’t want to do things in brittle bloated novel monoliths.

    1. 100% agree.
      Its overly done for what it does. I think and I could be wrong, and its my opinion, the developer was more interested in bling and look what I can do using these tools than actually writing good software. Everything I saw testing it could be done with just plain old C and standard libs. Why on earth does this need accelerated graphics? As someone who digs into binaries all the time I pretty much hated it.

  10. Quick question, does lmhex support interleaving/de-interleaving binary images, as used by hardware using 27xxx series EPROMs?

    So far, WinHex was one of the few hex editors I foumd that had that feature. XVI32 didn’t have it, for example.

  11. I’ve installed it on a Win10 laptop and the frame was wider than my screen. I went into setting/display and tried different scalings. When I used the value 4.0, the screen went black. When I restarted the app, of course it was using the same param and the screen was still black. But when I disinstalled and reinstalled the app, it still was using scale 4.0 !!
    I looked for imhex in the registry and didn’t find anything about display-scalling. I finally uninstalled everything. ( At least I tried, cause I know now it doesn’t erase its traces entirely. )

    This program doesn’t follow the good practice in systems development so I would not recommend installing it on your machine.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.