bash 使用 grep 在文件中搜索十六进制字符串
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6319878/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Using grep to search for hex strings in a file
提问by user650649
I have been trying all day to get this to work. Does anyone know how to get grep, or something of the like, to retrieve offsets of hex strings in a file?
我一整天都在努力让它发挥作用。有谁知道如何获取 grep 或类似的东西来检索文件中十六进制字符串的偏移量?
I have a bunch of hexdumps that I need to check for strings and then run again and check if the value has changed.
我有一堆十六进制转储,我需要检查字符串,然后再次运行并检查值是否已更改。
I have tried hexdump and dd, but the problem is because it's a stream, I lose my offset for the files.
我尝试过 hexdump 和 dd,但问题是因为它是一个流,我丢失了文件的偏移量。
Someone must have had this problem and a workaround. What can I do?
一定有人遇到过这个问题和解决方法。我能做什么?
To clarify, I have a series of dumped memory regions from GDB.
为了澄清,我有一系列来自 GDB 的转储内存区域。
I am trying to narrow down a number by searching out all the places the number is stored, then doing it again and checking if the new value is stored at the same memory location.
我试图通过搜索存储数字的所有位置来缩小数字的范围,然后再次执行并检查新值是否存储在相同的内存位置。
I cannot get grep to do anything because I am looking for hex values so all the times I have tried (like a bazillion, roughly) it will not give me the correct output.
我无法让 grep 做任何事情,因为我正在寻找十六进制值,所以我一直尝试(如 bazillion,粗略地)它不会给我正确的输出。
The hex dumps are just complete binary files, the paterns are within float values at larges so 8? bytes?
十六进制转储只是完整的二进制文件,模式在最大的浮点值内,所以 8?字节?
The patterns are not wrapping the lines that I am aware of. I am aware of the what it changes to, and I can do the same process and compare the lists to see which match. The hex dumps normally end up (in total) 100 megs-ish.
这些图案没有包裹我所知道的线条。我知道它发生了什么变化,我可以执行相同的过程并比较列表以查看哪个匹配。十六进制转储通常最终(总共)100 兆字节。
Perl COULD be a option, but at this point, I would assume my lack of knowledge with bash and its tools is the main culprit.
Perl 可能是一种选择,但在这一点上,我认为我对 bash 及其工具缺乏了解是罪魁祸首。
Its a little hard to explain the output I am getting since I really am not getting any output..
解释我得到的输出有点困难,因为我真的没有得到任何输出..
I am anticipating (and expecting) something along the lines of:
我期待(并期待)以下方面的事情:
<offset>:<searched value>
Which is the pretty well standard output I would normally get with grep -URbFo <searchterm> . > <output>
这是我通常会得到的非常好的标准输出 grep -URbFo <searchterm> . > <output>
Problem is, when I try to search for hex values, I get the problem of if just not searching for the hex values, so if I search for 00 I should get like a million hits, because thats always the blankspace, but instead its searching for 00 as text, so in hex, 3030. Any idea's?
问题是,当我尝试搜索十六进制值时,如果只是不搜索十六进制值,我会遇到问题,所以如果我搜索 00 我应该得到一百万次点击,因为那总是空格,而是它的搜索00 作为文本,所以在十六进制中,3030。有什么想法吗?
I CAN force it through hexdump or something of the link but because its a stream it will not give me the offsets and filename that it found a match in.
我可以通过 hexdump 或某些链接强制它,但因为它是一个流,它不会给我它找到匹配项的偏移量和文件名。
Using grep -boption doesnt seem to work either, I did try all the flags that seemed useful to my situation, and nothing worked.
使用grep -b选项似乎也不起作用,我确实尝试了所有对我的情况似乎有用的标志,但没有任何效果。
Using xxd -u /usr/bin/xxdas an example I get a output that would be useful, but I cannot use that for searching..
使用xxd -u /usr/bin/xxd作为一个例子,我得到一个输出将是有益的,但我不能利用它来进行搜索..
0004760: 73CC 6446 161E 266A 3140 5E79 4D37 FDC6 s.dF..&j1@^yM7..
0004770: BF04 0E34 A44E 5BE7 229F 9EEF 5F4F DFFA ...4.N[."..._O..
0004780: FADE 0C01 0000 000C 0000 0000 0000 0000 ................
Nice output, just what I wana see, but it just doesnt work for me in this situation..
不错的输出,正是我想要看到的,但在这种情况下它对我不起作用..
This is some of the things i've tried since posting this:
这是我发布后尝试过的一些事情:
xxd -u /usr/bin/xxd | grep 'DF'
00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003 @.........S.....
root# grep -ibH "df" /usr/bin/xxd
Binary file /usr/bin/xxd matches
xxd -u /usr/bin/xxd | grep -H 'DF'
(standard input):00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003 @.........S.....
采纳答案by shellter
We tried several things before arriving at an acceptable solution:
在得出可接受的解决方案之前,我们尝试了几件事:
xxd -u /usr/bin/xxd | grep 'DF'
00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003 @.........S.....
root# grep -ibH "df" /usr/bin/xxd
Binary file /usr/bin/xxd matches
xxd -u /usr/bin/xxd | grep -H 'DF'
(standard input):00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003 @.........S.....
Then found we could get usable results with
然后发现我们可以得到可用的结果
xxd -u /usr/bin/xxd > /tmp/xxd.hex ; grep -H 'DF' /tmp/xxd
Note that using a simple search target like 'DF' will incorrectly match characters that span across byte boundaries, i.e.
请注意,使用像“DF”这样的简单搜索目标将错误地匹配跨越字节边界的字符,即
xxd -u /usr/bin/xxd | grep 'DF'
00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003 @.........S.....
--------------------^^
So we use an ORed regexp to search for ' DF' OR 'DF ' (the searchTarget preceded or followed by a space char).
因此,我们使用 ORed regexp 来搜索“DF”或“DF”(searchTarget 前面或后面是一个空格字符)。
The final result seems to be
最后的结果似乎是
xxd -u -ps -c 10000000000 DumpFile > DumpFile.hex
egrep ' DF|DF ' Dumpfile.hex
0001020: 0089 0424 8D95 D8F5 FFFF 89F0 E8DF F6FF ...$............
-----------------------------------------^^
0001220: 0C24 E871 0B00 0083 F8FF 89C3 0F84 DF03 .$.q............
--------------------------------------------^^
回答by Fr0sT
This seems to work for me:
这似乎对我有用:
grep --only-matching --byte-offset --binary --text --perl-regexp "<\x-hex pattern>" <file>
short form:
简写:
grep -obUaP "<\x-hex pattern>" <file>
Example:
例子:
grep -obUaP "\x01\x02" /bin/grep
Output (cygwin binary):
输出(cygwin 二进制):
153: <\x01\x02>
33210: <\x01\x02>
53453: <\x01\x02>
So you can grep this again to extract offsets. But don't forget to use binary mode again.
因此,您可以再次使用 grep 来提取偏移量。但是不要忘记再次使用二进制模式。
回答by Pierz
There's also a pretty handy tool called binwalk, written in python, which provides for binary pattern matching (and quite a lot more besides). Here's how you would search for a binary string, which outputs the offset in decimal and hex (from the docs):
还有一个非常方便的工具叫做binwalk,它是用 python 编写的,它提供二进制模式匹配(以及更多其他功能)。以下是搜索二进制字符串的方法,该字符串以十进制和十六进制输出偏移量(来自docs):
$ binwalk -R "\x00\x01\x02\x03\x04" firmware.bin
DECIMAL HEX DESCRIPTION
--------------------------------------------------------------------------
377654 0x5C336 Raw string signature
回答by Pablo Saratxaga
grep has a -P switch allowing to use perl regexp syntax the perl regex allows to look at bytes, using \x.. syntax.
grep 有一个 -P 开关,允许使用 perl regexp 语法 perl regex 允许使用 \x.. 语法查看字节。
so you can look for a given hex string in a file with: grep -aP "\xdf"
所以你可以在文件中查找给定的十六进制字符串: grep -aP "\xdf"
but the outpt won't be very useful; indeed better do a regexp on the hexdump output;
但输出不会很有用;确实最好在 hexdump 输出上做一个正则表达式;
The grep -P can be useful however to just find files matrching a given binary pattern. Or to do a binary query of a pattern that actually happens in text (see for example How to regexp CJK ideographs (in utf-8))
但是,grep -P 可以用于查找与给定二进制模式匹配的文件。或者对文本中实际发生的模式进行二进制查询(例如参见How to regexp CJK ideographs (in utf-8))
回答by jm666
If you want search for printable strings, you can use:
如果要搜索可打印字符串,可以使用:
strings -ao filename | grep string
strings will output all printablestrings from a binary with offsets, and grep will search within.
字符串将从带有偏移量的二进制文件中输出所有可打印的字符串,并且 grep 将在其中进行搜索。
If you want search for any binary string, here is your friend:
如果你想搜索任何二进制字符串,这里是你的朋友:
回答by user3510073
I just used this:
我只是用这个:
grep -c $'\x0c' filename
To search for and count a page control character in the file..
搜索并计算文件中的页面控制字符。
So to include an offset in the output:
因此,要在输出中包含偏移量:
grep -b -o $'\x0c' filename | less
I am just piping the result to less because the character I am greping for does not print well and the less displays the results cleanly. Output example:
我只是将结果传递给 less,因为我要搜索的字符打印得不好,并且 less 干净地显示了结果。输出示例:
21:^L
23:^L
2005:^L
