Submitted: 2004-09-05
Submitted by: fatb
Tool category: other tools
Platform: Linux
Size: 6593 Bytes
File MD5: 55dc5d38364a12f26e865ea2e5dadb26
Source:
http://www.thc.org
DATA MANIPULATION v1.2
(c) 1998-2004 by van Hauser / THC <vh@thc.org>
http://www.thc.org
This little package is very simple but comes in handy sometimes ...
It consists of 4 tools: search_data, read_data, write_data and replace_data.
Syntax of search_data: ./search_data [-i] [-d] blockdevice searchstring
  -i           - optional. Makes the search case insensitive.
  -d           - optional. Dumps each found occurrence in hex.
  blockdevice  - the block device you want to search for data. It need
                 not be a block device; it can be any file, but normally
                 you use it on block devices.
  searchstring - the string you want to search for.
The blockdevice is searched for occurrences of searchstring; each one
found is printed together with its byte offset.
Example: ./search_data -i /dev/hda3 "connect from 10.0.0.1"
Output looks like:
found at 234600: connect from 10.0.0.1/unresolved (UNKNOWN)
Syntax of read_data: ./read_data blockdevice start_address no_of_bytes
  blockdevice   - the block device you want to get your data from. It need
                  not be a block device; it can be any file, but normally
                  you use it on block devices.
  start_address - the byte offset in the blockdevice from which you want
                  to extract data.
  no_of_bytes   - how many bytes of data, starting at start_address, you
                  want to extract into a file.
The output filename is always START_ADDRESS.NO_OF_BYTES
Example: ./read_data /dev/hda3 234653 1024
writes 1024 bytes of data from /dev/hda3, starting at offset 234653, to
the file "234653.1024"
Syntax of write_data: ./write_data blockdevice filename
  blockdevice - the block device you want to write your data to. It need
                not be a block device; it can be any file, but normally
                you use it on block devices.
  filename    - the file holding the data you want to write to the
                blockdevice. As a safety measure the target offset and
                size are taken from the filename, i.e. the
                START_ADDRESS.NO_OF_BYTES name produced by read_data above.
                If you modified the data extracted with read_data, the file
                must not have a size different from the one given in its
                name: a raw write can only overwrite bytes in place, it
                cannot insert or remove any.
The data in filename is written to the blockdevice.
Example: ./write_data /dev/hda3 234653.1024
writes the 1024 bytes of data read from the file "234653.1024" to /dev/hda3,
starting at offset 234653.
Syntax of replace_data: ./replace_data [-i] blockdevice searchstring replacestring
  -i            - the only optional parameter. Makes the search case
                  insensitive.
  blockdevice   - the block device you want to search for data. It need
                  not be a block device; it can be any file, but normally
                  you use it on block devices.
  searchstring  - the string you want to search for.
  replacestring - the string you want to replace the found entries with.
The blockdevice is searched for occurrences of searchstring, and each one
is overwritten in place with replacestring. Note the trailing space in the
example below: because the replacement is written over the found bytes,
it has to be exactly as long as the search string, so pad it if necessary.
Example: ./replace_data -i /dev/hda3 "connect from 1.0.0.1" "Remap table failure "
Output looks like:
found at 234600 - replaced
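The four operations above, reimplemented as an added example in Python (this is not THC's code, which is not shown on this page). It runs against a constructed disk image held in a regular file, which the tools accept in place of a block device, and it shows the two points the README only states: the search must carry a tail of len(searchstring)-1 bytes across read buffers so that an occurrence straddling a buffer boundary is still found, and write_data/replace_data must refuse anything that would change the size. The image contents, the function names and the chunk size are assumptions made for the example.

```python
import os
import tempfile

# Constructed sample "disk image": a regular file stands in for the block
# device, which the README says the tools accept too.
SAMPLE_IMAGE = (
    b"junk junk\n"
    b"Sep  5 12:00:01 host sshd[1]: connect from 10.0.0.1/unresolved (UNKNOWN)\n"
    b"more junk\n"
)


def search_data(device, needle, case_insensitive=False, chunk=1 << 20):
    """Offsets of every occurrence of needle in device (search_data).

    Reads in chunks and carries len(needle)-1 bytes over to the next chunk,
    so an occurrence that straddles a chunk boundary is still found and
    nothing is reported twice (no full match can start inside the tail).
    """
    if case_insensitive:
        needle = needle.lower()
    overlap = len(needle) - 1
    hits, buf, base = [], b"", 0  # base: device offset of buf[0]
    with open(device, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf += data.lower() if case_insensitive else data
            pos = buf.find(needle)
            while pos != -1:
                hits.append(base + pos)
                pos = buf.find(needle, pos + 1)
            if len(buf) > overlap:  # drop everything a full match cannot start in
                base += len(buf) - overlap
                buf = buf[-overlap:] if overlap else b""
    return hits


def read_data(device, start, nbytes, outdir="."):
    """Copy nbytes at offset start into a file named START.NO_OF_BYTES (read_data)."""
    with open(device, "rb") as f:
        f.seek(start)
        data = f.read(nbytes)
    if len(data) != nbytes:
        raise ValueError("short read: device ends before start+nbytes")
    out = os.path.join(outdir, f"{start}.{nbytes}")
    with open(out, "wb") as f:
        f.write(data)
    return out


def write_data(device, filename):
    """Write filename back at the offset encoded in its name (write_data).

    Refuses a file whose size differs from the length in its name: a raw
    in-place write cannot grow or shrink anything, it can only overwrite.
    """
    start, nbytes = (int(x) for x in os.path.basename(filename).split("."))
    with open(filename, "rb") as f:
        data = f.read()
    if len(data) != nbytes:
        raise ValueError(f"{filename}: {len(data)} bytes, name says {nbytes}")
    with open(device, "r+b") as f:
        f.seek(start)
        f.write(data)
    return start, nbytes


def replace_data(device, needle, replacement, case_insensitive=False):
    """Overwrite every occurrence of needle with replacement (replace_data).

    Same-length rule as write_data; pad a shorter replacement yourself,
    as the README's example does with a trailing space.
    """
    if len(needle) != len(replacement):
        raise ValueError("replacement must be exactly as long as the search string")
    offsets = search_data(device, needle, case_insensitive)
    with open(device, "r+b") as f:
        for off in offsets:
            f.seek(off)
            f.write(replacement)
    return offsets


def demo():
    """Run the README's workflow against the constructed image; returns results."""
    tmp = tempfile.mkdtemp()
    img = os.path.join(tmp, "disk.img")
    with open(img, "wb") as f:
        f.write(SAMPLE_IMAGE)
    needle = b"connect from 10.0.0.1"
    # a tiny chunk size forces the match to straddle several read buffers
    hits = search_data(img, needle.upper(), case_insensitive=True, chunk=7)
    hits_one_read = search_data(img, needle)
    extracted = read_data(img, hits[0], len(needle), tmp)
    # edit the extracted piece without changing its size, then write it back
    with open(extracted, "r+b") as f:
        data = f.read()
        f.seek(0)
        f.write(data.upper())
    write_data(img, extracted)
    # a file whose size disagrees with its name must be rejected
    bad = os.path.join(tmp, f"{hits[0]}.{len(needle) + 1}")
    with open(bad, "wb") as f:
        f.write(data)
    try:
        write_data(img, bad)
        rejected = False
    except ValueError:
        rejected = True
    # global replace with a replacement padded to the search string's length
    replaced = replace_data(img, needle.upper(), b"Remap table failure".ljust(len(needle)))
    with open(img, "rb") as f:
        after = f.read()
    return {
        "hits": hits,
        "hits_consistent": hits == hits_one_read,
        "rejected_bad_size": rejected,
        "replaced": replaced,
        "size_unchanged": len(after) == len(SAMPLE_IMAGE),
        "after": after,
    }
```

Running demo() finds the log line at offset 40 whether the image is read in 7-byte chunks or in one go, rejects the mis-sized "40.22" file, and leaves the image exactly the same size with "Remap table failure" where the connect entry was. Against a real device you would open /dev/hda3 instead of the temporary file; the logic is unchanged.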
Q: What is it for?
A: Search for data on a hard disk/partition/file, extract the part you are
   interested in, and write it back after you have (maybe) modified it.
   Or do a global search and replace.
Q: What can I do with it?
A: Several things.
   Example 1: You want to remove some log entries from
   /var/log/syslog without interrupting syslogd, which keeps writing to it.
   You search for the data strings you want to remove, extract the data
   into a file, and replace the log entries with some uninteresting-looking
   ones (which should be entries that are normal on that system!).
   Remember that your changes must leave the size of the file unchanged.
   Example 2: You want to be sure that you find all (unencrypted)
   logfiles which could show your intrusion on the system.
   You simply use search_data on all mounted hard disk devices and
   search e.g. for your hostname and IP address. This way you can be
   sure to find all normal logging (except encrypted logs, syslog
   forwarding to another host, log data written to serial devices, etc.).
   Important to note: by modifying the file contents through the raw
   device of the hard disk partition you do not change the
   access|modify|change times of the file(s). This works in your favour.
   Caveat: on a mounted filesystem the kernel's page cache sits between the
   file and the device, so a raw write can be undone by a later flush of
   cached pages, or stay invisible to readers until the cache is dropped.
   Verify the result through the filesystem afterwards.
Q: Hey, this tool is cool, right?
A: No. Anyone can code this, it's easy stuff, and most guys have already
   coded it for themselves, so there's no fame in releasing this.
Q: Where can't I use this stuff?
A: On systems where the securelevel is set. That means you can't open
   the block devices in raw mode. It might also not work on filesystems
   with their own on-disk layout (e.g. reiserfs).
You can email me at vh@thc.org - my public pgp key:
Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
>> Download <<
http://www.xfocus.net/tools/200409/810.html