
manipulate_data-1.3.tar.gz


Submitted: 2004-09-05
Submitted by: fatb
Category: Other tools
Platform: Linux
Size: 6593 Bytes
File MD5: 55dc5d38364a12f26e865ea2e5dadb26
Source: http://www.thc.org

DATA MANIPULATION v1.2

        (c) 1998-2004 by van Hauser / THC <vh@thc.org>
                 http://www.thc.org



This piece of shit is very simple but comes in handy sometimes ...
It comes with 4 tools:

Syntax of search_data: ./search_data [-i] [-d] blockdevice searchstring

-i              - optional. This does the search case insensitive.
-d              - optional. Dump the found occurrences in hex.
blockdevice     - the blockdevice you want to search for data. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
searchstring    - the string you want to search for

The blockdevice is searched for occurrences of searchstring, which are
printed with their location when found.
Example: ./search_data -i /dev/hda3 "connect from 10.0.0.1"

Output looks like:
found at 234600: connect from 10.0.0.1/unresolved (UNKNOWN)
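As an added example (not code from the THC tarball), here is the search_data scan written in Python for reviewing a disk image or device: a chunked sequential read with the -i and -d equivalents, and correct handling of the edge case a naive chunked scan gets wrong, a match that straddles a chunk boundary. The sample "partition" is constructed inline; the chunk size is made small only to exercise the boundary case.

```python
import io
import re
from typing import BinaryIO, List, Tuple

CHUNK = 1 << 20  # read the device or image 1 MiB at a time

def search_data(fh: BinaryIO, needle: bytes, ignore_case: bool = False,
                chunk_size: int = CHUNK) -> List[Tuple[int, bytes]]:
    """Return (absolute offset, matched bytes) for every occurrence of needle in an
    open device, image or file. The last len(needle)-1 bytes of each chunk are
    carried into the next, so a match straddling a chunk boundary is found once."""
    if not needle:
        raise ValueError("empty search string")
    pattern = re.compile(re.escape(needle), re.IGNORECASE if ignore_case else 0)
    overlap = len(needle) - 1
    hits: List[Tuple[int, bytes]] = []
    tail = b""      # carried-over suffix of the previous chunk
    buf_start = 0   # absolute offset of buf[0] within the device
    while True:
        block = fh.read(chunk_size)
        if not block:
            break
        buf = tail + block
        for m in pattern.finditer(buf):
            hits.append((buf_start + m.start(), m.group(0)))
        tail = buf[-overlap:] if overlap else b""   # too short to hold a whole match
        buf_start += len(buf) - len(tail)
    return hits

def hexdump(offset: int, data: bytes, width: int = 16) -> str:
    """Equivalent of the -d switch: hex and ASCII columns with absolute offsets."""
    rows = []
    for i in range(0, len(data), width):
        row = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append(f"{offset + i:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(rows)

def build_sample_image() -> io.BytesIO:
    """Constructed stand-in for a partition: filler around two syslog-style lines."""
    line1 = b"Jan  1 00:00:01 host sshd[42]: connect from 10.0.0.1/unresolved (UNKNOWN)\n"
    line2 = b"Jan  1 00:00:02 host sshd[43]: Connect From 10.0.0.1\n"
    return io.BytesIO(b"\x00" * 990 + line1 + b"\x00" * 60 + line2 + b"\xff" * 500)

if __name__ == "__main__":
    for off, data in search_data(build_sample_image(), b"connect from 10.0.0.1",
                                 ignore_case=True, chunk_size=1024):
        print(f"found at {off}: {data.decode('ascii', 'replace')}")
        print(hexdump(off, data))
```

With chunk_size=1024 the first hit (offset 1021) crosses the 1024-byte boundary and is still reported exactly once; on a real device open the path in binary mode and pass the file object.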


Syntax of read_data: ./read_data blockdevice start_address no_of_bytes

blockdevice     - the blockdevice you want to get your data from. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
start_address   - the offset of the blockdevice from which you want to
                  extract data
no_of_bytes     - how many bytes of data, starting at start_address, you
                  want to extract into a file.

The output filename is always START_ADDRESS.NO_OF_BYTES
Example: ./read_data /dev/hda3 234653 1024
writes 1024 bytes of data from /dev/hda3 starting from offset 234653 to
the file "234653.1024"


Syntax of write_data: ./write_data blockdevice filename

blockdevice     - the blockdevice you want to write your data to. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
filename        - the data you want to write to the blockdevice. For error
                  protection, the location where it is put is gathered from
                  the filename - as you can see above from read_data.
                  If you modified the data extracted with read_data in the
                  file, it may not have a different size than defined in the
                  filename!

The data in filename is written to the blockdevice.

Example: ./write_data /dev/hda3 234653.1024
writes 1024 bytes of data to /dev/hda3 starting at offset 234653 with the
data read from the file "234653.1024"


Syntax of replace_data: ./replace_data [-i] blockdevice searchstring replacestring

-i              - the only parameter which is optional. This does the
                  search case insensitive.
blockdevice     - the blockdevice you want to search for data. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
searchstring    - the string you want to search for
replacestring   - the string you want to replace the found entries with

The blockdevice is searched for occurrences of searchstring, which are then
replaced.
Example: ./replace_data -i /dev/hda3 "connect from 1.0.0.1" "Remap table failure "

Output looks like:
found at 234600 - replaced


Q: What is it for?
A: Search data on a harddisk/partition/file, extract the part you are
   interested in, and write it back after you (maybe) modified it.
   Or do a global search and replace.

Q: What can I do with it?
A: Several things.
    Example 1:    You want to remove some log entries from
    /var/log/syslog without interrupting the syslogd writing.
    You search for the data strings you want to remove from the file,
    extract the data into a file, and replace the log entries with some
    uninteresting looking ones (which should be normal on the system!).
    Remember that your changes must result in the same size of the file.

    Example 2:    You want to be sure that you find all (unencrypted)
    logfiles which could show your intrusion on the system.
    You simply use search_data on all mounted harddisk devices and
    search e.g. for your hostname and IP address. By this you can be
    sure to find all normal logging (except encrypted logs, syslog
    forwarding, writing log data to serial devices, etc.)

    Important to note: by modifying the file contents via the raw mode
    of the harddisk partition you don't change the access|modify|change
    time of the file(s). This is to your advantage.

Q: Hey this tool is cool, right?
A: No. Anyone can code this, it's easy stuff, and most guys have already
   coded this for themselves, so there's no fame in releasing this.

Q: Where can't I use this stuff?
A: On systems where the securelevel is set. This means that you can't open
   the blockdevices in raw mode. Also on filesystems with their own
   architecture this might not work (e.g. reiserfs).


You can email me at vh@thc.org - my public pgp key:

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
