Grep binary files on Linux

hacker_compWe explored techniques to search a binary file using grep in an earlier article. However, we could only search ASCII strings using grep. In this article we will explore some powerful utilities which can perform ascii as well as hexadecimal string search on binary files.

bgrep

bgrep is as simple as it gets. It is written in C. It searches for a hex string and can show user-specified leading or trailing bytes (or both) from the occurrence of the match. bgrep accepts hex strings only.

Installation

$ git clone https://github.com/tmbinc/bgrep
$ cd bgrep
$ make
$ sudo make install

Usage

bgrep has 3 useful options to show matches:

-B n: show n bytes before match
-A n: show n bytes after match
-C n: show n bytes before and after match

Let’s run bgrep on the bgrep binary:

$ bgrep -C 20 “6c642d” bgrep
bgrep: 0000023f
\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00/lib64/ld-linux-x86-64.so.2
bgrep: 0000318d
BI-tag\x00.note.gnu.build-id\x00.gnu.hash\x00.dyn

bgrep2

bgrep2 follows brep but finds ascii strings as well. It’s also written in C (independently). The binary name remains bgrep.

You’ll find the output of bgrep2 similar to hexdump -C.

Installation

$ git clone https://github.com/udoprog/bgrep2
$ cd bgrep2
$ make
$ make install

Usage

$ bgrep
-s : Silent mode, only print locations
-r : Specify row size in bytes when printing
-g : Specify grouping in bytes when printing
-x : Specify pattern as hexadecimal notation i.e. 00ffde
-C : Include context around a match
-n : Do not print offset
-a : Do not print ascii
-h : Print usage and exit

To match a string:

$ bgrep ld- bgrep
==== 0x0000023f (0x00000230-0x00000250) ====
0x00000230: 01000000 00000000 2f6c6962 36342f6c    .... .... /lib 64/l
                                             
0x00000240: 642d6c69 6e75782d 7838362d 36342e73    d-li nux- x86- 64.s
====
==== 0x000032ad (0x000032a0-0x000032b0) ====
0x000032a0: 2e6e6f74 652e676e 752e6275 696c642d    .not e.gn u.bu ild-
                                         ^-  
====

To match a hex value:

$ bgrep -x 6c642d bgrep
==== 0x0000023f (0x00000230-0x00000250) ====
0x00000230: 01000000 00000000 2f6c6962 36342f6c    .... .... /lib 64/l
                                             
0x00000240: 642d6c69 6e75782d 7838362d 36342e73    d-li nux- x86- 64.s
====
==== 0x000032ad (0x000032a0-0x000032b0) ====
0x000032a0: 2e6e6f74 652e676e 752e6275 696c642d    .not e.gn u.bu ild-
                                         ^-  
====

SearchBin

SearchBin is written in python. In addition to searching ascii and hex strings, it can also find one binary in another. However, the most powerful feature of SearchBin is the ability to use a wildcard (?) for any byte. It can search in files of any size.

Installation

$ git clone https://github.com/Sepero/SearchBin

Usage

$ ./searchbin.py --help

Optional Arguments:
  -h, --help            show help message and exit
  -f FILE, --file FILE  file to read search pattern from
  -t PATTERN, --text PATTERN
                        a (non-unicode case-sensitive) text string to search
                        for
  -p PATTERN, --pattern PATTERN
                        a hexidecimal pattern to search for
  -b NUM, --buffer-size NUM
                        read buffer size (in bytes). default is 8388608 (8MB)
  -s NUM, --start NUM   starting position in file to begin searching
  -e NUM, --end NUM     end search at this position, measuring from beginning
                        of file
  -m NUM, --max-count NUM
                        maximum number of matches to find
  -l FILE, --log FILE   write matched offsets to FILE, instead of standard
                        output
  -v, --verbose         verbose, output the number of bytes searched after
                        each buffer read
  -V, --version         print version information

All size arguments (-b -s -e) are read in decimal format.

Examples

Search for the text string “Tom” in binfile:.

$ ./searchbin.py -t "Tom" binfile

Search for the text string “T?m” in binfile, where ? is a wildcard. This will match “Tom”, “Tim”, “Twm” and all other variations, including non-printing bytes.

$ ./searchbin.py -t "T?m" binfile

Search for the hexidecimal pattern “AABBCCDDEE” in binfil:

$ ./searchbin.py -p "AABBCCDDEE" binfile

Search for the hexadecimal pattern “AA??CC??EE” in binfile, where ?? can be any byte value.

$ ./searchbin.py -p “AA??CC??EE” binfile

Take the binary file pattern.bin, and searches for an exact match within binfile:

$ ./searchbin.py -f pattern.bin binfile

hexgrep

hexgrep is a powerful utility from the Arch community written in C. It can be compiled and used easily on any Linux platform. It can

  • search wildcard matches within specified ranges
  • search mix of ascii, decimal and hex values
  • search for matches without a prefix (negative match)
  • search big-ending multibyte values
  • show colour output

hexgrep is very useful in cheat code hacking through analysis of live game memory dumps.

Installation

To install on Ubuntu, download the source code. Run:

$ tar -xvf hexgrep-version.tar.xz
$ cd hexgrep-version
$ make
$ sudo make install

Usage

$ hexgrep -h
 Usage
 hexgrep [options] [search tokens]

Options
 -b: Convert values greater than >0xff to a big-endian sequence of bytes. The
 default is little-endian.
-c: Color output.
-d: Print debugging information. Pass multiple times to display more information.
-f: Search a file. The file will be mmap’d and match sequences may span the full
 file. Without this option, an input stream from STDIN will be searched.
-h: Display this help message and exit.
-l: The maximum length of a match sequence when reading a stream. The allocated
 buffer will be three times. The size is given in bytes as an integer
 optionally followed by k, M, G, T, P, E, Z, or Y. Yes, it really will try to
 allocate terabytes or more if you tell it to. Default: STREAM_MATCH_LENGTH bytes.
-p: Pad offsets with zeros up to this width. Default: 6.
-r: Limit the search range. See “Range Specifier” in the manual.

Examples

Find all occurrences of the string “pacman” in the pacman executable:

$ hexgrep /pacman -f /usr/bin/pacman

Using bytes:

$ hexgrep 0x70 0x61 0x63 0x6D 0x61 0x6E -f /usr/bin/pacman

Using mixed values:

$ hexgrep /pac 0x6D 97 0x6E -f /usr/bin/pacman

Find a single, multibyte hexadecimal integer (note the endianness flag):

$ /hexgrep 0x7061636d616e -b -f /usr/bin/pacman

Find all instances of “man” not prefixed with “pac”:

$ hexgrep ‘<>/pac’ /man -f /usr/bin/pacman

Find all occurences of “p” followed by at most 20 bytes before “man” in pacman binary:

$ hexgrep /p ‘#<=20’ /man -f /usr/bin/pacman

hexgrep comes with an extensive man page too.

Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s