Команды SFK


    1        2        3        4        5        6        7        8        9        10    

Раздел 5. Search and Compare - Поиск и сравнение
deplist | dupfind | extract | find | hexfind | md5 | md5check | md5gento | ofind | pathfind | reflist | xfind | xfindbin | xhexfind |


Help:   Рус   |   Eng        Refer:   Рус   |   Eng  

Команда: xhexfind

Search in binary files using wildcards on the command line


with the free Swiss File Knife for Windows, Mac OS X and Linux.
sfk xhexfind dirName "/searchtext/totext/"

search in text and binary files using wildcards * and ?
as well as SFK Simple Expressions in brackets [],
creating a hexadecimal dump output.

subdirectories are included by default
   the sfk default for most commands is to process the given folders,
   as well as all subdirs within them. specify -nosub to disable this.

options
   -nosub        do not include files in subdirectories.
   -nobin[ary]   skip binary files.
   -case         case-sensitive text comparison. default is insensitive.
                 for details type: sfk help nocase
   -text         starts a list of search patterns of the form /src/ or
                 /src/totext/ where / is the separator char, src the text
                 to search for, and totext a mask to reformat output.
                 any separator char can be used which is not part of the
                 search text, i.e. /foo/ or _foo_ both search "foo".
                 -text is not required if a single filename is given.
   -pat          the same as -text, starting a pattern list.
   -bylist x.txt read search patterns from a file x.txt, supporting
                 multiple lines per pattern. (add -full for more.)
   -bylinelist x read /from/to/ or just /from/ patterns from a file x
                 with one pattern per line. (add -full for more.)
                 -by(line)list does not support sfk variables.
                 to use variables in patterns create an sfk script
                 with patterns as parameters. "sfk script" for more.
   -arc          XE: include content of .zip .jar .tar etc. archives
                     as deep as possible, including nested archives.
                 XD: demo will read first 1000 bytes of each entry.
   -qarc         quick read top level archives but not nested ones.
   -firsthit     show only first found pattern match per file.
   -tracesel     tell in detail which files are searched or ignored.
   -quiet        do not show progress infos.
   -names        list only names of files containing at least one hit.
   -notnames     list only names of files not containing any hit.
   -justrc       print no search results, just set return code on hits.
   -full         print full help text telling about -bylist pat. files,
                 special character case sensitivity and nested or repeated
                 replace behaviour.

output options
   -wide         show 16 bytes per line in output.
   -lean         show  8 bytes per line in output.
   -context=n    show  n bytes of  context around results.
   -fullhead[er] print offset/length of hits both in decimal and hex.
   -maxdump=n    show up to n bytes only. n must be larger then context.
   -nodump       do not create a hexdump, list only matching files.
   -showle       highlight CR/LF line endings in hex dump output
   -nofile       do not insert :file header lines in output.
   -crlf, -lf    for file headers and default totext: force crlf or lf
                 line endings instead of system default
   -rawterm      on output to terminal do not strip codes below 32.
                 null bytes are always stripped.
   +tofile x     as last parameter (command chaining): write text as
                 displayed on terminal to a file x.
   -more[n]      pause output every 30 or n lines.

return codes for batch files
   0 = no matches, 1 = matches found, >1 = major error occurred.
   see also "sfk help opt" on how to influence error processing.

quoted multi line parameters are supported in scripts
   using full trim. type "sfk script" for details.

wildcards and SFK expressions
   SFK Expressions are simple patterns containing literal text,
   wildcards * and ? and character classes in square brackets [].
   basically, the syntax provides extended wilcards but no
   further logic and is not related to regular expressions.

   search patterns are surrounded by a separator character which
   can be anything not contained in the search text, like / or _

   within a pattern /fromtext/totext/ the fromtext may contain:

     *                       - 0 to 4000 characters in the same
                               text line or paragraph, i.e. all
                               bytes not being CR, LF or NULL.
                               4000 is just a default maximum
                               that can be changed by:
     [0.100000 chars]        - 0 to 100000 characters in the same
                               text line or paragraph, i.e. the
                               same as * but with a larger range.
     ?                       - one character.
     ?????                   - same as [5.5 chars] or [5 chars]
     [bytes]                 - 0 to 4000 bytes (with CR,LF,NULL)
                               i.e. it collects stream text
                               across lines, even in binary data
     **                      - the same as [bytes].
     [0.100 bytes]           - 0 to 100 bytes
     [.100000 bytes]         - up to 100000 bytes
     [1.* bytes]             - 1 to default maximum bytes
     [2 chars]               - exactly 2 chars
     [30 bytes]              - exactly 30 bytes
     [byte of aeiou]         - one vocal (a OR A OR e OR ...),
                               case insensitive by default.
                               "aeiou" is a character list.
     [byte of \\\x2f]        - a backslash \ or forw. slash /
     [bytes of \r\n \t]      - whitespace incl. line ends
     [bytes of (\r\n \t)]    - the same, () are optional
     [bytes not \r\n\0]      - up to 4000 bytes as long as no
                               CR, LF or NULL byte appears
     [chars]                 - the same as [bytes not \r\n\0],
                               i.e. collect text in a line
     [char not ( \t)]        - same as [byte not ( \r\n\0\t)],
                               everything not blanks and tabs
     [char not )( \t]        - not brackets, blanks and tabs,
                               same as not (\(\) \t)
     [chars of a-z0-9]       - means a-zA-Z0-9 as search is
                               case insensitive by default
     [chars of \x61-\x7A]    - search a-z but not A-Z, or use
                               option -case for case search
     [eol]                   - end of line by characters:
                               CRLF or LF or CR

     [white]     = chars of (\t )     - 0 or more whitespaces
     [xwhite]    = bytes of (\t \r\n) - same but across lines
     [1 white]   = byte  of (\t )     - 1 whitespace
     [digit]     = byte  of (0-9)     - 1 digit
     [digits]    = bytes of (0-9)     - 0 or more digits
     [hexdigit]  = byte  of (0-9a-f)  - 1 hexadecimal digit
     [hexdigits]  = bytes of (0-9a-f) - 0 or more hex digits

     special keywords that do not count as tokens:
     [skip]   - at the start of a pattern: skip such text
                completely, do not count it as a search hit.
     [keep]   - search also the following text but keep it
                in the input data, without consuming it.
     [ortext] - foo[ortext]bar searches word foo or bar.
                [ortext] is allowed only between literals.

     anchors that have no length of their own:
     [start]  - start of file
     [end]    - end of file
     [lstart] - line start, i.e. start or CRLF or CR or LF
     [lend]   - logical line end, i.e. eol or end of file.
                to replace line ends use [eol] instead.

     how to search or replace special characters:
     -  to search or replace text containing the literal characters
        * ? \ [ ] then these must be escaped like \* \? \\ \[ \]
     -  ( ) are escaped only within character lists, like \( \)
     -  to search or replace the forward slash '/' type \x2f or use
        another char around from/to text, e.g. _fromtext_totext_
     -  parameters with blanks and non trivial characters need double
        quotes "", see also "about Shell Command Characters" below.

     expansion priorities: (highest first)
     if two search parts are side by side, and the same input
     character matches both, then these priorities apply:

       5:  start, end, lstart, lend
       4:  literal text, eol
       3:  whitelist classes: byte of, bytes of
       2:  blacklist classes: chars not, bytes not
       1:  plain wildcards: ?, *, **, byte, bytes, chars

     this means in "/[bytes]foo/" the [bytes] will stop to collect
     characters as soon as "foo" is found, as "foo" is a literal.
     on same or higher priority the right side stops the left side.

   the totext may contain:

     [part 1]            use first text part of the fromtext.
                         e.g. the fromtext /*foo[.100 chars]bar*/
                         contains parts :   1 2         3    4 5
     [part1]             the same (blank is optional).
     [parts 1,2,3]       use parts 1, 2 and 3.
     [parts 1-10]        use parts 1 to 10.
     [strip(part1,\0)]   use part 1 but remove zero bytes.
                         only zero bytes "\0" can be removed.
     [file.name]         full input filename with path
     [file.relname]      input filename without path
     [file.path]         input file's path
     [file.base]         relname without last .extension
     [file.ext]          input filename extension
     [all]               use all parts from fromtext.

     [setvar name]...[endvar]   set variable "name" with data
                                between setvar and endvar.
     [getvar name]              fill in data from variable "name"

     although anchors like lstart, lend count as a separate part
     they need NOT be specified in the totext. this means that
     /[lstart]foo[lend]/bar/ just changes the word "foo".

supported slash patterns
   \t    = TAB
   \r    = CR
   \n    = LF
   \x00  = one byte with code 00 hexadecimal
   \0    = short form for \x00
   \q    = a double quote "
   \\    = the backslash character \ itself
   \[    = the bracket open character [
   \]    = the bracket close character ]
   \*    = the literal star character *
   \?    = the literal question mark  ?
   \-    = to use literal "-" in a command
   Within multi line -bylist files:
   \     = slash+blank is changed to a single blank
   Only within "char of" or "byte not" lists:
   \(    = to use literal character "("
   \)    = to use literal character ")"

SFK expression options
   -showpart(s)  print /from/ part numbers, range statistics
                 and expansion priority points per part.
                 done automatically if a required /to/ text
                 is not given with a command.
   -showbest     if a /from/ pattern finds nothing, use this to
                 see how many parts would match so far, and with
                 up to how many bytes per part. anchors like [lstart]
                 may show a non zero length when matching (CR)LF.
   -showlist     with -bylist, show the internal joined list if
                 commands are spread across multiple lines.
   -showall      show all of the above.
   -xmaxlen=n    set default maximum length for chars or bytes commands,
                 e.g. -xmaxlen=10000 means /foo*bar/ matches with up to
                 10000 characters between foo and bar. the default max
                 length without this option is 4000 characters.

performance notes
 - always use a string literal, or single byte or char, at the start
   of your search expressions, like in /foo*bar/ starting with 'f'.
   Do not use a wildcard like * at the start like in /*foobar/
   when searching huge input data, as your search will slow down by
   factor 256. Use /[lstart]*foobar/ instead.
 - the system may cache output file(s), writing to disk in background
   after sfk has finished. subsequent batch commands may execute slower.

chaining support
   sfk extract output can be sent only to +xed or +xex.
   other commands require an xed conversion step like
   sfk extract ... +xed +view

aliases
   sfk xhexfind is the same as xfind -hex
   to extract unmodified binary data you may use either
   sfk xfind -pure ... -tofile or sfk extract ... -tofile

office file support
   sfk ofind        search in .xml text file contents of
                    office files like .docx .xlsx .ods .odt.
   sfk help office  for more infos and options

see also
   --- open source commands ---
   sfk xfind     search  wildcard text in   plain text files
   sfk ofind     search  in office files    .docx .xlsx .ods
   sfk xfindbin  search  wildcard text in   text/binary files
   sfk xhexfind  search  in text/binary with hex dump output
   sfk extract   extract wildcard data from text/binary files
   sfk filter    filter  and edit text with simple wildcards
   sfk find      search  fixed    text in   text        files
   sfk findbin   search  fixed    text in   text/binary files
   sfk hexfind   search  fixed    text in        binary files
   sfk replace   replace fixed    text in   text/binary files
   --- freeware commands ---
   sfk view      GUI tool to search text as you type
   --- xe commercial commands ---
   sfk replace   replace fixed    text with high performance
   sfk xreplace  replace wildcard text in   text/binary files
   sfk help xe   about SFK XE and xreplace with SFK Expressions.

beware of Shell Command Characters.
   to find or replace text patterns containing spaces or special
   characters like <>|!&?* you must add quotes "" around parameters
   or the shell environment will destroy your command. for example,
   pattern /foo bar/other/ must be written like "/foo bar/other/"
   within a .bat or .cmd file the percent % must be escaped like %%
   even within quotes: sfk echo -spat "percent %% is a percent \x25"

web reference
   http://stahlworks.com/sfk-xhexfind

about example numbers with [brackets]
   if you see [1] type "sfk cmd 1" for whole command in one line.

bad examples with corrections
   if input text contains:
      bool bClFoo;
      bool bClBar   ;
   sfk xfind in.txt "/bool[xwhite]bCl*[xwhite];/"
      does NOT match "bool bClFoo;" because * eats the
      whole input line including ";" so no input is left
      for "[xwhite];" and the whole expression fails.
   sfk xfind in.txt "/bool[xwhite]bCl[* not ;][xwhite];/"
      does both match "bool bClFoo;" and "bool bClBar   ;".
      this means whenever your search fails to work write
      in detail which characters (not) to collect where.
   sfk xex in.txt "/[lstart]foo/[lstart]goo/"
      there is no need to write an anchor like [lstart]
      within totext as it contains no data. use instead:
         sfk xex in.txt "/[lstart]foo/goo/"
   sfk xex in.txt "/foo[lend]bar/goo[part2]bar/"
      anchors like [lend] must be at start or end of fromtext
      and cannot be referenced within totext. use instead:
         sfk xex in.txt "/foo[eol]bar/goo[part2]bar/"

working examples
   sfk xfind -text "/class [bytes]{[bytes]}/[all]\n\n/"
    -dir mydir -file .hpp +tofile out.txt
      collect class definitions from mydir and write output
      indirectly (via command chaining) to out.txt [13]
   sfk xhexfind in.txt -text "/foo*bar/"
      search in.txt for patterns starting with foo and ending
      with bar, in the same line, with up to 4000 characters inbetween.
   sfk xhexfind in.txt -text "/foo*bar/" +view
      same as above, but show the result in the depeche view
      text browser tool for easy reading.
   sfk xhex -text "/foo[0.100000 bytes]bar/" -dir mydir
      search all text and binary files of mydir for patterns of
      foo and bar with 0 to 100000 bytes (including NULL, CR
      and LF) inbetween and print output as hex dump.
   sfk xhexfind -text "/printf(**);/" -dir mydir -file .cpp
      find all printf statements in source code, including statements
      across multiple lines.
   sfk xfindbin in.dat "/foo[0.100 bytes of (a-z0-9_@ )]bar/"
      searches a single input file in.dat for all phrases
      starting foo and ending bar, with 0 to 100 characters
      inbetween being alphanumeric, @ or _ or space.
   sfk xfindbin -text "/foo*bar/[part2]\n" -dir mydir -file .txt
      find foo*bar in all .txt files of folder mydir
      but print only the text between foo and bar.
   sfk xfindbin -text "/\x66\x6f\x6f[0.100 bytes]\x62\x61\x72/"
    -dir mydir -file .exe +view
      find binary data starting with bytes 0x66, 0x6f, 0x6f,
      ending with 0x62, 0x61, 0x72 and up to 100 bytes inbetween
      in all .exe files of mydir and show result in dview. [14]
   sfk xfindbin -arc in.zip "/class*/"
      XE: find phrases starting with "class" in .zip contents
      XD: demo will search first 1000 bytes per .zip sub file
   sfk xfindbin -justrc result.txt "/error/"
   IF %ERRORLEVEL%==1 GOTO foundError
      in a batchfile: jump to label foundError if "error"
      is found in result.txt. with -justrc no output is printed.
   sfk xhexfind -text "/\x66\x6f\x6f[0.100 bytes]\x62\x61\x72/"
    -dir mydir -file .exe +view
      find binary data starting with bytes 0x66, 0x6f, 0x6f,
      ending with 0x62, 0x61, 0x72 and up to 100 bytes inbetween
      in all .exe files of mydir and show result in dview. [16]
   sfk xhexfind in.txt "/[char of \x01-\x09\x0b-\x0c\x0e-\x1f]/"
      find control characters in file except for CR/LF
   sfk xhexfind mydir "/[bytes of \x00-\x08]/"
      search binary code range 0x00 to 0x08 in mydir
   sfk hexfind mydir -bin /01020304/
   sfk xhexfind mydir "/\x01\x02\x03\x04/"
      search binary data 0x01020304 in mydir



Реклама от Adnitro