使用 grep 在文件中搜索十六进制字符串 [英] Using grep to search for hex strings in a file

问题描述

我一整天都在努力让它发挥作用.有谁知道如何获取 grep 或类似的东西来检索文件中十六进制字符串的偏移量?

I have been trying all day to get this to work. Does anyone know how to get grep, or something of the like, to retrieve offsets of hex strings in a file?

我有一堆十六进制转储，我需要检查字符串，然后再次运行并检查值是否已更改.

I have a bunch of hexdumps that I need to check for strings and then run again and check if the value has changed.

我尝试过 hexdump 和 dd，但问题是因为它是一个流，我丢失了文件的偏移量.

I have tried hexdump and dd, but the problem is because it's a stream, I lose my offset for the files.

一定有人遇到过这个问题和解决方法.我能做什么?

Someone must have had this problem and a workaround. What can I do?

澄清一下，我有一系列来自 GDB 的转储内存区域.

To clarify, I have a series of dumped memory regions from GDB.

我试图通过搜索数字存储的所有位置来缩小数字的范围，然后再次执行并检查新值是否存储在相同的内存位置.

I am trying to narrow down a number by searching out all the places the number is stored, then doing it again and checking if the new value is stored at the same memory location.

我无法让 grep 做任何事情，因为我正在寻找十六进制值，所以我一直在尝试(就像一个 bazillion，粗略地)它不会给我正确的输出.

I cannot get grep to do anything because I am looking for hex values so all the times I have tried (like a bazillion, roughly) it will not give me the correct output.

十六进制转储只是完整的二进制文件，模式在最大的浮点值内，所以 8?字节?

The hex dumps are just complete binary files, the paterns are within float values at larges so 8? bytes?

这些图案没有包裹我所知道的线条.我知道它发生了什么变化，我可以执行相同的过程并比较列表以查看哪个匹配.十六进制转储通常以(总共)100 兆字节结束.

The patterns are not wrapping the lines that I am aware of. I am aware of the what it changes to, and I can do the same process and compare the lists to see which match. The hex dumps normally end up (in total) 100 megs-ish.

Perl 可能是一种选择，但在这一点上，我认为我对 bash 及其工具缺乏了解是罪魁祸首.

Perl COULD be a option, but at this point, I would assume my lack of knowledge with bash and its tools is the main culprit.

解释我得到的输出有点困难，因为我真的没有得到任何输出..

Its a little hard to explain the output I am getting since I really am not getting any output..

我期待(并期待)以下内容:

I am anticipating (and expecting) something along the lines of:

<offset>:<searched value>

这是我通常使用 grep -URbFo <searchterm> 得到的非常好的标准输出..><输出>

问题是，当我尝试搜索十六进制值时，我遇到的问题是如果不搜索十六进制值，所以如果我搜索 00 我应该得到一百万次点击，因为那总是空格，但是相反，它搜索 00 作为文本，所以在十六进制中，3030.有什么想法吗?

Problem is, when I try to search for hex values, I get the problem of if just not searching for the hex values, so if I search for 00 I should get like a million hits, because thats always the blankspace, but instead its searching for 00 as text, so in hex, 3030. Any idea's?

我可以通过 hexdump 或某些链接强制它，但因为它是一个流，它不会给我它找到匹配项的偏移量和文件名.

I CAN force it through hexdump or something of the link but because its a stream it will not give me the offsets and filename that it found a match in.

使用 grep -b 选项似乎也不起作用，我确实尝试了所有对我的情况似乎有用的标志，但没有任何效果.

Using grep -b option doesnt seem to work either, I did try all the flags that seemed useful to my situation, and nothing worked.

以 xxd -u/usr/bin/xxd 为例，我得到一个有用的输出，但我不能用它来搜索..

Using xxd -u /usr/bin/xxd as an example I get a output that would be useful, but I cannot use that for searching..

0004760: 73CC 6446 161E 266A 3140 5E79 4D37 FDC6  s.dF..&j1@^yM7..
0004770: BF04 0E34 A44E 5BE7 229F 9EEF 5F4F DFFA  ...4.N[."..._O..
0004780: FADE 0C01 0000 000C 0000 0000 0000 0000  ................

不错的输出，正是我想看到的，但在这种情况下它对我不起作用..

Nice output, just what I wana see, but it just doesnt work for me in this situation..

这是我发帖后尝试的一些方法:

This is some of the things i've tried since posting this:

xxd -u /usr/bin/xxd | grep 'DF'
00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003  @.........S.....

root# grep -ibH "df" /usr/bin/xxd
Binary file /usr/bin/xxd matches
xxd -u /usr/bin/xxd | grep -H 'DF'
(standard input):00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003  @.........S.....

推荐答案

在得出可接受的解决方案之前，我们尝试了几件事:

We tried several things before arriving at an acceptable solution:

xxd -u /usr/bin/xxd | grep 'DF'
00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003  @.........S.....


root# grep -ibH "df" /usr/bin/xxd
Binary file /usr/bin/xxd matches
xxd -u /usr/bin/xxd | grep -H 'DF'
(standard input):00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003  @.........S.....

然后发现我们可以用

xxd -u /usr/bin/xxd > /tmp/xxd.hex ; grep -H 'DF' /tmp/xxd

请注意，使用像DF"这样的简单搜索目标将错误地匹配跨越字节边界的字符，即

Note that using a simple search target like 'DF' will incorrectly match characters that span across byte boundaries, i.e.

xxd -u /usr/bin/xxd | grep 'DF'
00017b0: 4010 8D05 0DFF FF0A 0300 53E3 0610 A003  @.........S.....
--------------------^^

所以我们使用 ORed regexp 来搜索DF"或DF"(searchTarget 前面或后面跟一个空格字符).

So we use an ORed regexp to search for ' DF' OR 'DF ' (the searchTarget preceded or followed by a space char).

最后的结果好像是

xxd -u -ps -c 10000000000 DumpFile > DumpFile.hex
egrep ' DF|DF ' Dumpfile.hex

0001020: 0089 0424 8D95 D8F5 FFFF 89F0 E8DF F6FF  ...$............
-----------------------------------------^^
0001220: 0C24 E871 0B00 0083 F8FF 89C3 0F84 DF03  .$.q............
--------------------------------------------^^

这篇关于使用 grep 在文件中搜索十六进制字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！