Save next 32 bytes in hex (after search)
Question
I am searching all files on my drive for a given hexadecimal value, after it is found I need to copy and save the next 32 bytes after the found occurrence (there may be many occurrences in one file).
Right now I'm searching for files like this:
ggrep -obaRUP "\x01\x02\x03\x04" . > outputfile.txt
But this script retuns only file path. Preferably I'd like to use only standard Linux / Mac tools.
2 answers
solution1
1 2021-07-28 16:26:06
With -P ( --perl-regexes ) you can use the \\K escape sequence to clear the matching buffer. Then match .{32} more chars(!):
LANG=C grep -obaRUP "\x01\x02\x03\x04\K.{32,32}" . > output.file
Note:
- I'm using
LANG=Cto enforce a locale which is using single byte encoding, not utf-8. This is to make sure.{32}would not accidentally match unicode chars(!), but bytes instead. - The
-Poption is only supported by GNU grep (along with a few others used in your example) - You may want to open the output.file in a hex editor to actually see characters. For example
hexdump,hdorxxdcould be used.
Note, the above command will additionally print the filename and the line number / byte offset of the match. This is implicitly caused by using grep -R (recursive) .
To get only the 32 bytes in the output, and nothing else, I suggest to use find :
find . -type f -exec grep -oaUP '\x01\x02\x03\x04\K.{32}' {} \;
solution2
1 2021-07-28 17:06:31
My test was a little simple, but this worked for me.
$: IFS=: read -r file offset data <<< "$(grep -obaRUP "\x01\x02\x03\x04.{32}" .)"
$: echo "$file @ $((offset+4)):[${data#????}]"
./x @ 10:[HERE ARE THE THIRTY-TWO BYTES !!]
Rather than do a complicated look-behind, I just gabbed the ^A^B^C^D and the next 32 bytes, and stripped off the leading 4 bytes from the field.
@hek2mgl's \\K makes all that unnecessary, though. Use -h to eliminate filenames.
$: grep -obahRUP "\x01\x02\x03\x04\K.{32}" .
10:HERE ARE THE THIRTY-TWO BYTES !!
Take out the -b if you don't want the offset.
$: grep -oahRUP "\x01\x02\x03\x04\K.{32}" .
HERE ARE THE THIRTY-TWO BYTES !!
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.