Команды SFK


    1        2        3        4        5        6        7        8        9        10    

Раздел 5. Search and Compare - Поиск и сравнение
deplist | dupfind | extract | find | hexfind | md5 | md5check | md5gento | ofind | pathfind | reflist | xfind | xfindbin | xhexfind |

Help:   Рус   |   Eng        Refer:   Рус   |   Eng  

Команда: xhexfind
sfk xhexfind dirName "/searchtext/totext/"

   search in text and binary files using wildcards * and ?
   as well as SFK Simple Expressions in brackets [],
   creating a hexadecimal dump output.

   subdirectories are included by default
      the sfk default for most commands is to process the given directories,
      as well as all subdirs within them. specify -nosub to disable this.

   options
      -nosub        do not include files in subdirectories.
      -nobin[ary]   skip binary files.
      -case         case-sensitive text comparison. default is insensitive.
                    for details type: sfk help nocase
      -text         starts a list of search patterns of the form /src/ or
                    /src/totext/ where / is the separator char, src the text
                    to search for, and totext a mask to reformat output.
                    any separator char can be used which is not part of the
                    search text, i.e. /foo/ or _foo_ both search "foo".
                    -text is not required if a single filename is given.
      -pat          the same as -text, starting a pattern list.
      -bylist x.txt read search patterns from a file x.txt, supporting
                    multiple lines per pattern. (add -full for more.)
      -bylinelist x read /from/to/ or just /from/ patterns from a file x
                    with one pattern per line. (add -full for more.)
                    -by(line)list does not support sfk variables.
                    to use variables in patterns create an sfk script
                    with patterns as parameters. "sfk script" for more.
      -arc          XE: include content of .zip .jar .tar etc. archives
                        as deep as possible, including nested archives.
                    XD: demo will read first 1000 bytes of each entry.
      -qarc         quick read top level archives but not nested ones.
      -firsthit     show only first found pattern match per file.
      -tracesel     tell in detail which files are searched or ignored.
      -quiet        do not show progress infos.
      -names        list only names of files containing at least one hit.
      -notnames     list only names of files not containing any hit.
      -justrc       print no search results, just set return code on hits.
      -full         print full help text telling about -bylist pattern files,
                    special character case sensitivity and nested or repeated
                    replace behaviour.

   output options
      -wide         show 16 bytes per line in output.
      -lean         show  8 bytes per line in output.
      -context=n    show  n bytes of  context around results.
      -fullhead[er] print offset/length of hits both in decimal and hex.
      -maxdump=n    show up to n bytes only. n must be larger then context.
      -nodump       do not create a hexdump, list only matching files.
      -showle       highlight CR/LF line endings in hex dump output
      -nofile       do not insert :file header lines in output.
      -crlf, -lf    for file headers and default totext: force crlf or lf
                    line endings instead of system default
      -rawterm      on output to terminal do not strip codes below 32.
                    null bytes are always stripped.
      +tofile x     as last parameter (command chaining): write text as
                    displayed on terminal to a file x.
      -more[n]      pause output every 30 or n lines.

   return codes for batch files
      0 = no matches, 1 = matches found, >1 = major error occurred.
      see also "sfk help opt" on how to influence error processing.

   quoted multi line parameters are supported in scripts
      using full trim. type "sfk script" for details.

   wildcards and SFK expressions
      SFK Expressions are simple patterns containing literal text,
      wildcards * and ? and character classes in square brackets [].
      basically, the syntax provides extended wilcards but no
      further logic and is not related to regular expressions.

      search patterns are surrounded by a separator character which
      can be anything not contained in the search text, like / or _

      within a pattern /fromtext/totext/ the fromtext may contain:

        *                       - 0 to 4000 characters in the same
                                  text line or paragraph, i.e. all
                                  bytes not being CR, LF or NULL.
                                  4000 is just a default maximum
                                  that can be changed by:
        [0.100000 chars]        - 0 to 100000 characters in the same
                                  text line or paragraph, i.e. the
                                  same as * but with a larger range.
        ?                       - one character.
        ?????                   - same as [5.5 chars] or [5 chars]
        [bytes]                 - 0 to 4000 bytes (with CR,LF,NULL)
                                  i.e. it collects stream text
                                  across lines, even in binary data
        **                      - the same as [bytes].
        [0.100 bytes]           - 0 to 100 bytes
        [.100000 bytes]         - up to 100000 bytes
        [1.* bytes]             - 1 to default maximum bytes
        [2 chars]               - exactly 2 chars
        [30 bytes]              - exactly 30 bytes
        [byte of aeiou]         - one vocal (a OR A OR e OR ...),
                                  case insensitive by default.
                                  "aeiou" is a character list.
        [byte of \\\x2f]        - a backslash \ or forw. slash /
        [bytes of \r\n \t]      - whitespace incl. line ends
        [bytes of (\r\n \t)]    - the same, () are optional
        [bytes not \r\n\0]      - up to 4000 bytes as long as no
                                  CR, LF or NULL byte appears
        [chars]                 - the same as [bytes not \r\n\0],
                                  i.e. collect text in a line
        [char not ( \t)]        - same as [byte not ( \r\n\0\t)],
                                  everything not blanks and tabs
        [char not )( \t]        - not brackets, blanks and tabs,
                                  same as not (\(\) \t)
        [chars of a-z0-9]       - means a-zA-Z0-9 as search is
                                  case insensitive by default
        [chars of \x61-\x7A]    - search a-z but not A-Z, or use
                                  option -case for case search
        [eol]                   - end of line by characters:
                                  CRLF or LF or CR

        [white]     = chars of (\t )     - 0 or more whitespaces
        [xwhite]    = bytes of (\t \r\n) - same but across lines
        [1 white]   = byte  of (\t )     - 1 whitespace
        [digit]     = byte  of (0-9)     - 1 digit
        [digits]    = bytes of (0-9)     - 0 or more digits
        [hexdigit]  = byte  of (0-9a-f)  - 1 hexadecimal digit
        [hexdigits]  = bytes of (0-9a-f) - 0 or more hex digits

        special keywords that do not count as tokens:
        [skip]   - at the start of a pattern: skip such text
                   completely, do not count it as a search hit.
        [keep]   - search also the following text but keep it
                   in the input data, without consuming it.
        [ortext] - foo[ortext]bar searches word foo or bar.
                   [ortext] is allowed only between literals.

        anchors that have no length of their own:
        [start]  - start of file
        [end]    - end of file
        [lstart] - line start, i.e. start or CRLF or CR or LF
        [lend]   - logical line end, i.e. eol or end of file.
                   to replace line ends use [eol] instead.

        how to search or replace special characters:
        -  to search or replace text containing the literal characters
           * ? \ [ ] then these must be escaped like \* \? \\ \[ \]
        -  ( ) are escaped only within character lists, like \( \)
        -  to search or replace the forward slash '/' type \x2f or use
           another char around from/to text, e.g. _fromtext_totext_
        -  parameters with blanks and non trivial characters need double
           quotes "", see also "about Shell Command Characters" below.

        expansion priorities: (highest first)
        if two search parts are side by side, and the same input
        character matches both, then these priorities apply:

          5:  start, end, lstart, lend
          4:  literal text, eol
          3:  whitelist classes: byte of, bytes of
          2:  blacklist classes: chars not, bytes not
          1:  plain wildcards: ?, *, **, byte, bytes, chars

        this means in "/[bytes]foo/" the [bytes] will stop to collect
        characters as soon as "foo" is found, as "foo" is a literal.
        on same or higher priority the right side stops the left side.

      the totext may contain:

        [part 1]            use first text part of the fromtext.
                            e.g. the fromtext /*foo[.100 chars]bar*/
                            contains parts :   1 2         3    4 5
        [part1]             the same (blank is optional).
        [parts 1,2,3]       use parts 1, 2 and 3.
        [parts 1-10]        use parts 1 to 10.
        [strip(part1,\0)]   use part 1 but remove zero bytes.
                            only zero bytes "\0" can be removed.
        [file.name]         full input filename with path
        [file.relname]      input filename without path
        [file.path]         input file's path
        [file.base]         relname without last .extension
        [file.ext]          input filename extension
        [all]               use all parts from fromtext.

        [setvar name]...[endvar]   set variable "name" with data
                                   between setvar and endvar.
        [getvar name]              fill in data from variable "name"

        although anchors like lstart, lend count as a separate part
        they need NOT be specified in the totext. this means that
        /[lstart]foo[lend]/bar/ just changes the word "foo".

   supported slash patterns
      \t    = TAB
      \r    = CR
      \n    = LF
      \x00  = one byte with code 00 hexadecimal
      \0    = short form for \x00
      \q    = a double quote "
      \\    = the backslash character \ itself
      \[    = the bracket open character [
      \]    = the bracket close character ]
      \*    = the literal star character *
      \?    = the literal question mark  ?
      \-    = to use literal "-" in a command
      Within multi line -bylist files:
      \     = slash+blank is changed to a single blank
      Only within "char of" or "byte not" lists:
      \(    = to use literal character "("
      \)    = to use literal character ")"

   SFK expression options
      -showpart(s)  print /from/ part numbers, range statistics
                    and expansion priority points per part.
                    done automatically if a required /to/ text
                    is not given with a command.
      -showbest     if a /from/ pattern finds nothing, use this to
                    see how many parts would match so far, and with
                    up to how many bytes per part. anchors like [lstart]
                    may show a non zero length when matching (CR)LF.
      -showlist     with -bylist, show the internal joined list if
                    commands are spread across multiple lines.
      -showall      show all of the above.
      -xmaxlen=n    set default maximum length for chars or bytes commands,
                    e.g. -xmaxlen=10000 means /foo*bar/ matches with up to
                    10000 characters between foo and bar. the default max
                    length without this option is 4000 characters.

   performance notes
    - always use a string literal, or single byte or char, at the start
      of your search expressions, like in /foo*bar/ starting with 'f'.
      Do not use a wildcard like * at the start like in /*foobar/
      when searching huge input data, as your search will slow down by
      factor 256. Use /[lstart]*foobar/ instead.
    - the system may cache output file(s), writing to disk in background
      after sfk has finished. subsequent batch commands may execute slower.

   chaining support
      sfk extract output can be sent only to +xed or +xex.
      other commands require an xed conversion step like
      sfk extract ... +xed +view

   aliases
      sfk xhexfind is the same as xfind -hex
      to extract unmodified binary data you may use either
      sfk xfind -pure ... -tofile or sfk extract ... -tofile

   office file support
      sfk ofind        search in .xml text file contents of
                       office files like .docx .xlsx .ods .odt.
      sfk help office  for more infos and options

   see also
      --- open source commands ---
      sfk xfind     search  wildcard text in   plain text files
      sfk ofind     search  in office files    .docx .xlsx .ods
      sfk xfindbin  search  wildcard text in   text/binary files
      sfk xhexfind  search  in text/binary with hex dump output
      sfk extract   extract wildcard data from text/binary files
      sfk filter    filter  and edit text with simple wildcards
      sfk find      search  fixed    text in   text        files
      sfk findbin   search  fixed    text in   text/binary files
      sfk hexfind   search  fixed    text in        binary files
      sfk replace   replace fixed    text in   text/binary files
      --- freeware commands ---
      sfk view      GUI tool to search text as you type
      --- xe commercial commands ---
      sfk replace   replace fixed    text with high performance
      sfk xreplace  replace wildcard text in   text/binary files
      sfk help xe   about SFK XE and xreplace with SFK Expressions.

   beware of Shell Command Characters.
      to find or replace text patterns containing spaces or special
      characters like <>|!&?* you must add quotes "" around parameters
      or the shell environment will destroy your command. for example,
      pattern /foo bar/other/ must be written like "/foo bar/other/"
      within a .bat or .cmd file the percent % must be escaped like %%
      even within quotes: sfk echo -spat "percent %% is a percent \x25"

   web reference
      http://stahlworks.com/sfk-xhexfind

   about example numbers with [brackets]
      if you see [1] type "sfk cmd 1" for whole command in one line.

   bad examples with corrections
      if input text contains:
         bool bClFoo;
         bool bClBar   ;
      sfk xfind in.txt "/bool[xwhite]bCl*[xwhite];/"
         does NOT match "bool bClFoo;" because * eats the
         whole input line including ";" so no input is left
         for "[xwhite];" and the whole expression fails.
      sfk xfind in.txt "/bool[xwhite]bCl[* not ;][xwhite];/"
         does both match "bool bClFoo;" and "bool bClBar   ;".
         this means whenever your search fails to work write
         in detail which characters (not) to collect where.
      sfk xex in.txt "/[lstart]foo/[lstart]goo/"
         there is no need to write an anchor like [lstart]
         within totext as it contains no data. use instead:
            sfk xex in.txt "/[lstart]foo/goo/"
      sfk xex in.txt "/foo[lend]bar/goo[part2]bar/"
         anchors like [lend] must be at start or end of fromtext
         and cannot be referenced within totext. use instead:
            sfk xex in.txt "/foo[eol]bar/goo[part2]bar/"

   working examples
      sfk xfind -text "/class [bytes]{[bytes]}/[all]\n\n/"
       -dir mydir -file .hpp +tofile out.txt
         collect class definitions from mydir and write output
         indirectly (via command chaining) to out.txt [13]
      sfk xhexfind in.txt -text "/foo*bar/"
         search in.txt for patterns starting with foo and ending
         with bar, in the same line, with up to 4000 characters inbetween.
      sfk xhexfind in.txt -text "/foo*bar/" +view
         same as above, but show the result in the depeche view
         text browser tool for easy reading.
      sfk xhex -text "/foo[0.100000 bytes]bar/" -dir mydir
         search all text and binary files of mydir for patterns of
         foo and bar with 0 to 100000 bytes (including NULL, CR
         and LF) inbetween and print output as hex dump.
      sfk xhexfind -text "/printf(**);/" -dir mydir -file .cpp
         find all printf statements in source code, including statements
         across multiple lines.
      sfk xfindbin in.dat "/foo[0.100 bytes of (a-z0-9_@ )]bar/"
         searches a single input file in.dat for all phrases
         starting foo and ending bar, with 0 to 100 characters
         inbetween being alphanumeric, @ or _ or space.
      sfk xfindbin -text "/foo*bar/[part2]\n" -dir mydir -file .txt
         find foo*bar in all .txt files of folder mydir
         but print only the text between foo and bar.
      sfk xfindbin -text "/\x66\x6f\x6f[0.100 bytes]\x62\x61\x72/"
       -dir mydir -file .exe +view
         find binary data starting with bytes 0x66, 0x6f, 0x6f,
         ending with 0x62, 0x61, 0x72 and up to 100 bytes inbetween
         in all .exe files of mydir and show result in dview. [14]
      sfk xfindbin -arc in.zip "/class*/"
         XE: find phrases starting with "class" in .zip contents
         XD: demo will search first 1000 bytes per .zip sub file
      sfk xfindbin -justrc result.txt "/error/"
      IF %ERRORLEVEL%==1 GOTO foundError
         in a batchfile: jump to label foundError if "error"
         is found in result.txt. with -justrc no output is printed.
      sfk xhexfind -text "/\x66\x6f\x6f[0.100 bytes]\x62\x61\x72/"
       -dir mydir -file .exe +view
         find binary data starting with bytes 0x66, 0x6f, 0x6f,
         ending with 0x62, 0x61, 0x72 and up to 100 bytes inbetween
         in all .exe files of mydir and show result in dview. [16]
      sfk xhexfind in.txt "/[char of \x01-\x09\x0b-\x0c\x0e-\x1f]/"
         find control characters in file except for CR/LF
      sfk xhexfind mydir "/[bytes of \x00-\x08]/"
         search binary code range 0x00 to 0x08 in mydir
      sfk hexfind mydir -bin /01020304/
      sfk xhexfind mydir "/\x01\x02\x03\x04/"
         search binary data 0x01020304 in mydir