Upon opening a binary file, specifically C:\Windows\System32\notepad.exe, I observed that various hex editors displayed different results for the same file. I tested this by examining the starting point of section headers and noted the starting address of the “.text...” section which is represented by the hexadecimal values 2E 74 65 78 74 00 00 00.
Hex editors are programs that allow users to view and edit binary files. A binary file is a file format that stores data in a binary format, consisting of only two possible values, typically represented as 0 and 1. Hex editors display the binary data in hexadecimal format, making it easier for users to read and edit the file. However, upon opening a binary file, different hex editors may display different binary data for the same file. This blog post aims to explore the reasons why this may occur, with reference to the specific example of the notepad.exe file located in the C:\Windows\System32 directory.
One possible reason why different hex editors may display different binary data for the same file is due to differences in the file format. Binary files can be stored in a variety of formats, including executable files, image files, and archive files. Each file format has a specific structure and organization of data that is stored within it. Different hex editors may interpret the file format differently, leading to differences in the displayed data.
In the case of the notepad.exe file, it is an executable file, which means that it contains instructions that can be executed by a computer. The file format for executable files is known as the Portable Executable (PE) format. The PE format consists of a header section, followed by a series of sections that contain the executable code, data, and resources. The header section contains information about the file, such as the size of the file, the entry point for the executable code, and the location of the sections within the file.
Another reason why different hex editors may display different binary data for the same file is due to differences in section alignment. Section alignment refers to the process of aligning the sections within the file to a specific memory boundary. This is done to improve the performance of the executable by ensuring that the sections are loaded into memory in an efficient manner.
Different hex editors may use different section alignment values, which can lead to differences in the displayed data. In the case of the notepad.exe file, the starting address of the “.text…” section is represented by the hexadecimal values 2E 74 65 78 74 00 00 00. Different hex editors may display this section at different memory addresses, depending on their section alignment values.
Endianness refers to the order in which bytes are stored in memory. There are two possible byte orders: big-endian and little-endian. In a big-endian system, the most significant byte is stored first, while in a little-endian system, the least significant byte is stored first.
Different hex editors may use different endianness values, which can lead to differences in the displayed data. In the case of the notepad.exe file, the endianness of the file is determined by the processor architecture for which it was compiled. This means that hex editors running on different processor architectures may display the binary data for the file differently.
Another reason why different hex editors may display different binary data for the same file is due to the presence of hidden data within the file. Hidden data refers to data that is not visible to the user, but is still present within the file. This can include metadata, encryption keys, or other information that is not relevant to the user.
Different hex editors may display hidden data differently, depending on their interpretation of the file format. In some cases, hidden data may be ignored by the hex editor, while in other cases, it may be displayed as part of the binary data.
Finally, file corruption can also cause different hex editors to display different binary data for the same file. File corruption can occur due to a variety of reasons, such as hardware failure, software bugs, or malware infections. When a file becomes corrupted, the data within the file may be altered or lost, leading to differences in the displayed binary data.
In the case of the notepad.exe file, file corruption is unlikely to be the cause of the differences in the displayed binary data, as it is a system file that is unlikely to become corrupted. However, in other cases, file corruption can cause significant differences in the displayed binary data.
In conclusion, different hex editors may display different binary data for the same file due to a variety of reasons, including differences in file format, section alignment, endianness, hidden data, and file corruption. While these differences may be minor and not affect the overall functionality of the file, it is important to be aware of them when working with binary files. By understanding the reasons behind these differences, users can make informed decisions when choosing a hex editor to use for their specific needs.
There are several reasons why different hex editors might display different binary data for the same file.
- Different hex editors might use different algorithms for parsing and displaying the binary data. Some hex editors might display the data in a more visually appealing or easier-to-read format, while others might display the data more accurately.
- Different hex editors might have different options for how to display the data. For example, some hex editors might allow you to choose between displaying the data in ASCII, hexadecimal, or another representation, while others might not have this option.
- Different hex editors might handle certain types of data differently. For example, some hex editors might not correctly display data that has been compressed or encrypted, or data that is stored in a non-standard format.
- Different hex editors might have different levels of support for different file formats. Some hex editors might have better support for certain types of files, such as executables or multimedia files, while others might not support those types of files at all.
Overall, it is important to keep in mind that hex editors are tools for examining and editing binary data, and different hex editors might display the same data in different ways depending on their design and capabilities.
These are different files.
From When is System32 not System32? [emphasis mine]:
In 32-bit Windows there is just one System32 folder which contains many native binaries (or hard links), and there is no way to execute 64-bit code on 32-bit Windows.
With 64-bit Windows, however, we have “Windows On Windows 64” (WOW64) which allows 32-bit processes to run through a wrapper, and there are some things to take into account in this scenario:
- Only 32-bit DLLs can be loaded into 32-bit processes, and only 64-bit DLLs can be loaded into 64-bit processes.
- 32-bit processes expect to work seamlessly on 64-bit Windows, so because of (1) we need to have both 32-bit and 64-bit versions of some binaries.
- In order to facilitate (2) but not break native (x64) processes’ behaviour, 32-bit processes get certain I/O redirected without their knowledge.
For 32-bit processes running on x64 Windows:
%systemroot%\System32 is redirected to
I believe that certain hex editors may be 32-bit and thus be redirected to SysWOW64, while others may be 64-bit and access the “real” System32 directory. This explains why different editors perceive different System32 directories and therefore display different versions of
However, if you make a copy of notepad.exe to a directory that is not affected by this issue and analyze the copy, all hex editors should display the same content. The content that you will see depends on whether the tool used to copy the file is
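A way to check which file each editor actually opened, as an added example that is not part of any answer above: the parser below walks the PE header layout described earlier (DOS header, e_lfanew, COFF header, optional header, section table) and reports the machine type and the file offset of every section header, including the “.text” one, so the System32 and SysWOW64 copies can be compared directly. The image it builds for its own check is constructed, not a real notepad.exe, and the two paths in the main block are assumed to be where the copies live on 64-bit Windows.

```python
import struct
from pathlib import Path

# Added example (not from the original answers). Walks the PE/COFF header layout:
# DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> optional header -> section table.
MACHINE_NAMES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0xAA64: "ARM64"}

def pe_summary(data: bytes) -> dict:
    """Return machine type and the file offset of every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER: 20 bytes, little-endian fields
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(nsections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections[name] = {"header_offset": off, "virtual_address": vaddr,
                          "raw_offset": raw_ptr, "raw_size": raw_size}
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "sections": sections}

def build_sample_pe(machine: int) -> bytes:
    """Constructed minimal image (not a real notepad.exe) with a single '.text' header."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after DOS header
    opt_size = 0xF0 if machine == 0x8664 else 0xE0  # PE32+ vs PE32 optional header size
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    text = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x400)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + text + b"\0" * 16

if __name__ == "__main__":
    # On 64-bit Windows run this with a 64-bit interpreter: a 32-bit Python would itself
    # be redirected from System32 to SysWOW64 and report the same file twice.
    for p in (r"C:\Windows\System32\notepad.exe", r"C:\Windows\SysWOW64\notepad.exe"):
        if Path(p).exists():
            s = pe_summary(Path(p).read_bytes())
            print(p, s["machine"], ".text header at", hex(s["sections"][".text"]["header_offset"]))
```

If the two paths print different machine types or different section header offsets, the editors were simply showing two different files, which is the redirection described in the quoted post.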