PowerShell-based offset inspection utility for malware analysis, detection engineering, reverse engineering, and red team research.
OffsetInspect maps raw byte offsets back to meaningful source code and binary context, helping analysts quickly determine what exists at a reported detection location.
OffsetInspect is a lightweight PowerShell-based hex-context inspection utility designed for red team operators, malware analysts, detection engineers, and security researchers who require precise insight into file offsets.
It functions as a terminal-native, HxD-inspired viewer that:
- Highlights the byte located at a specified offset
- Displays surrounding context bytes
- Maps raw offsets back to file line numbers
- Shows aligned ASCII representations
- Positions a caret indicating the approximate character location within a source line
- Provides configurable context window sizes
- Supports inspection across multiple files
OffsetInspect is intended for fast, accurate validation of static indicators during offensive security operations, malware analysis, and detection research.
During red team operations and detection engineering, analysts frequently encounter detections that reference raw byte offsets rather than readable source context.
GUI hex editors provide visibility, but they often lack:
- Scriptability
- Repeatability
- Terminal-first workflows
- Fast offset-to-line correlation
OffsetInspect bridges this gap by enabling operators to quickly answer a critical question:
What is actually at this offset?
The tool is deliberately scoped to inspection and validation, allowing analysts to correlate byte-level indicators back to meaningful source constructs without abstraction or side effects.
OffsetInspect is commonly used when:
- Microsoft Defender reports a byte offset
- A YARA rule triggers on a binary
- A static AV detection references a specific location
- An obfuscation change shifts offsets
- A payload requires validation after modification
- Detection engineers need to understand exactly what triggered an alert
Instead of manually opening a hex editor and searching for a location, OffsetInspect provides terminal-native inspection and source correlation.
- Exact byte highlighting at user-specified offsets
- Mapping of raw offsets to file line numbers
- Multi-file inspection support
- Configurable byte window size
- Structured hex + ASCII output
- Color-coded terminal rendering
- Read-only operation
- No external dependencies
- Windows PowerShell 5.1 support
- PowerShell 7.x support
```powershell
git clone https://github.com/warpedatom/OffsetInspect.git
cd OffsetInspect
```
Download the latest version here:
All releases include an automatically generated checksum file.
Verify a downloaded release using:
```powershell
Get-FileHash -Algorithm SHA256 .\OffsetInspect.ps1
```
Basic example:
```powershell
.\OffsetInspect.ps1 C:\AD\PowerView.ps1 0xE1AB1
```
Decimal offset example:
```powershell
.\OffsetInspect.ps1 payload.bin 1024
```
Adjust byte window size:
```powershell
.\OffsetInspect.ps1 file.bin 0x200 -ByteWindow 64
```
Inspect multiple files:
```powershell
.\OffsetInspect.ps1 `
    -FilePaths file1.bin,file2.bin `
    -OffsetInputs 0x100
```
Import the module:
```powershell
Import-Module ./module/OffsetInspect.psm1
```
Run inspection through the module:
```powershell
Invoke-OffsetInspect `
    -FilePaths C:\AD\PowerView.ps1 `
    -OffsetInputs 0xE1AB1
```
```
File: C:\AD\PowerView.ps1
Offset (input): 0xE1AB1
Offset (decimal): 924337
File Size: 924339 bytes
Line Number: 24810
```
Displays:
- File metadata
- Normalized offset values
- Decimal conversion
- File size
- Source line correlation
```
Line 24810: Set-Alias Get-DomainPolicy Get-DomainPolicyData
^
```
Displays:
- The source line containing the target byte
- Approximate byte-to-character position
- Immediate source context
Note: Offsets are byte-based while source lines are character-based. The caret represents a best-effort positional mapping.
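The byte-versus-character caveat in the note above, as an added PowerShell example (not OffsetInspect's own code): the hypothetical function `Resolve-OffsetToLine` maps a byte offset to its line number, byte column and character column, assuming UTF-8 text with LF or CRLF line endings. The sample buffer is constructed for illustration and contains one two-byte character ahead of the target, so the two columns diverge.

```powershell
# Added example: hypothetical helper, not part of OffsetInspect.
function Resolve-OffsetToLine {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][int]$Offset
    )
    if ($Offset -lt 0 -or $Offset -ge $Bytes.Length) {
        throw "Offset $Offset is outside the buffer (size $($Bytes.Length) bytes)."
    }

    # Count LF bytes before the target to get the 1-based line number,
    # and remember the byte index where the current line begins.
    $line = 1
    $lineStart = 0
    for ($i = 0; $i -lt $Offset; $i++) {
        if ($Bytes[$i] -eq 0x0A) { $line++; $lineStart = $i + 1 }
    }

    # Zero-based character index of the character that contains the target byte.
    # UTF-8 continuation bytes (bit pattern 10xxxxxx) never start a character,
    # so only the other bytes are counted.
    $starts = 0
    for ($i = $lineStart; $i -le $Offset; $i++) {
        if (($Bytes[$i] -band 0xC0) -ne 0x80) { $starts++ }
    }

    [pscustomobject]@{
        Line       = $line
        ByteColumn = $Offset - $lineStart   # distance in bytes from line start
        CharColumn = $starts - 1            # distance in characters (code points)
        Byte       = '0x{0:X2}' -f $Bytes[$Offset]
    }
}

# Constructed sample: two CRLF-terminated lines; the second holds U+00E9,
# which UTF-8 encodes as two bytes (C3 A9), before the inspected byte.
$text  = "# header`r`n# caf" + [char]0x00E9 + " Set-Alias x y`r`n"
$bytes = [System.Text.Encoding]::UTF8.GetBytes($text)

# Offset 18 is the 'S' of Set-Alias in the constructed buffer.
Resolve-OffsetToLine -Bytes $bytes -Offset 18 | Format-List
```

A caret placed from `ByteColumn` would land one position to the right of the intended character on this line, which is why the mapping is best-effort on files with non-ASCII content.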
```
000E1A91  6F 6D 61 69 6E 50 6F 6C 69 63 79 20 47 65 74 2D  omainPolicy Get-
000E1AA1  44 6F 6D 61 69 6E 50 6F 6C 69 63 79 44 61 74 61  DomainPolicyData
000E1AB1  0D 0A                                            ..
```
Displays:
- Contextual hex dump centered on the target offset
- Eight-digit hexadecimal addresses
- Highlighted target byte
- ASCII representation
- Aligned terminal output
OffsetInspect supports workflows where precision matters more than automation.
Common scenarios include:
- Investigating static detections referencing byte offsets
- Validating offset drift after obfuscation or packing
- Identifying which semantic construct triggers detection
- Performing targeted modifications instead of blind mutation
- Comparing detection behavior across payload revisions
This enables operators to preserve functionality while testing detection resilience.
For a complete static detection and obfuscation workflow:
PowerView Static Detection & Obfuscation Workflow
OffsetInspect is intentionally:
- Terminal-native
- Read-only
- Dependency-free
- Lightweight
- Scriptable
- Focused on accuracy over abstraction
It is designed to complement existing tooling such as:
- YARA
- Static AV/EDR detections
- Obfuscators
- Packers
- Reverse engineering workflows
Planned enhancements under consideration:
- JSON output mode
- CSV export support
- Improved Unicode handling
- Binary diff support
- Offset range analysis
- Pipeline-friendly structured output
- PowerShell Gallery publication
Run the Pester test suite from the repository root:
```powershell
Invoke-Pester ./tests/OffsetInspect.Tests.ps1
```
OffsetInspect is actively maintained and intended for authorized security research, malware analysis, detection engineering, and red team operations.
Community feedback, bug reports, and pull requests are welcome.
This tool is intended for authorized security testing, research, and educational purposes only.
The author assumes no responsibility for misuse, unauthorized activity, or policy violations.
OffsetInspect is released under the MIT License.
Attribution is appreciated but not required.
© 2026 Velkris — Educational Red Team Research | MIT Licensed
All testing conducted in isolated lab environments for research and training purposes only.

