Name            Date         Size     #Lines  LOC
..              03-May-2022
CHANGES         07-Jul-2004  521      20      16
Makefile        03-May-2022  627      27      15
README          07-Jul-2004  5.7 KiB  145     108
read_data.c     03-May-2022  2.3 KiB  86      75
replace_data.c  07-Jul-2004  3.7 KiB  140     125
search_data.c   07-Jul-2004  5.5 KiB  209     190
write_data.c    03-May-2022  3.1 KiB  112     98

README


			  DATA MANIPULATION v1.2

		(c) 1998-2004 by van Hauser / THC <vh@thc.org>
			     http://www.thc.org



This piece of shit is very simple but comes handy sometimes ...
It comes with 4 tools:

Syntax of search_data: ./search_data [-i] [-d] blockdevice searchstring

-i              - the only parameter which is optional. This does the
                  search case insensitive.
-d              - dump the found occurrences in hex
blockdevice     - a blockdevice you want to search for data. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
searchstring    - a string you want to search for

The blockdevice is searched for occurrences of searchstring, which are
printed with their location when found.
Example: ./search_data -i /dev/hda3 "connect from 10.0.0.1"

Output looks like:
found at 234600: connect from 10.0.0.1/unresolved (UNKNOWN)
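As an added example (not the project's own code), here is the search pass that the search_data syntax above describes, written in Python: a chunked, optionally case-insensitive scan of a raw device or image that reports each hit as "found at OFFSET: line" and can show the line as hex like the -d switch. The function names, the chunk-carry logic and the sample log bytes are this example's own assumptions; an incident responder runs the same pass over a disk image to locate log fragments that the filesystem no longer lists.

```python
import io


def _line_at(fobj, offset, limit):
    """Up to `limit` bytes at `offset`, cut at the first newline; restores position."""
    saved = fobj.tell()
    fobj.seek(offset)
    data = fobj.read(limit)
    fobj.seek(saved)
    return data.split(b"\n", 1)[0]


def search_data(src, needle, ignore_case=False, chunk_size=1 << 20, context=128):
    """Yield (offset, line) for every occurrence of `needle` in `src`, which may be
    bytes or a seekable binary stream such as open("/dev/sdXN", "rb"). Reads in
    fixed-size chunks (images larger than RAM are fine) and carries the last
    len(needle)-1 bytes into the next chunk so boundary-straddling hits are found."""
    if not needle:
        raise ValueError("search string must not be empty")
    fobj = io.BytesIO(src) if isinstance(src, (bytes, bytearray)) else src
    key = needle.lower() if ignore_case else needle
    carry, base = b"", 0            # base: absolute offset of carry[0]
    fobj.seek(0)
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        hay = buf.lower() if ignore_case else buf
        pos = hay.find(key)
        while pos != -1:
            yield base + pos, _line_at(fobj, base + pos, context)
            pos = hay.find(key, pos + 1)
        keep = max(0, len(buf) - (len(needle) - 1))   # bytes that cannot start a new hit
        carry, base = buf[keep:], base + keep


def report(src, needle, ignore_case=False, hexdump=False):
    """Render hits in the README's 'found at OFFSET: text' form; `hexdump`
    mirrors the tool's -d switch and shows the matched line as hex bytes."""
    return [f"found at {off}: " + (line.hex(" ") if hexdump else line.decode("latin-1"))
            for off, line in search_data(src, needle, ignore_case)]


# Constructed sample "device" contents (not real logs); real use passes a file object.
SAMPLE = (b"Jan 1 00:00:01 host sshd[12]: Connect from 10.0.0.1/unresolved (UNKNOWN)\n"
          b"Jan 1 00:00:02 host sshd[13]: connect from 10.0.0.2\n"
          b"Jan 1 00:00:03 host cron[14]: job ran\n")
```

`report(SAMPLE, b"connect from", ignore_case=True)` returns both lines with their offsets; a tiny `chunk_size` exercises the boundary carry on the same data.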


Syntax of read_data: ./read_data blockdevice start_address no_of_bytes

blockdevice	- a blockdevice you want to get your data from. It need
		  not be a blockdevice, it can be anything, but normally
		  you use it on these.

start_address	- the offset of the blockdevice from which you want to
		  extract data

no_of_bytes	- how many bytes of data starting at the start_address you
		  want to extract into a file.

The output filename is always START_ADDRESS.NO_OF_BYTES
Example: ./read_data /dev/hda3 234653 1024
writes 1024 bytes of data from /dev/hda3 starting from offset 234653 to
the file "234653.1024"


Syntax of write_data: ./write_data blockdevice filename

blockdevice     - a blockdevice you want to write your data to. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
filename	- the data you want to write to the blockdevice. For error
		  protection, the location where it is put is gathered from
		  the filename - as you can see above from read_data.
		  If you modified the data extracted with read_data into the
		  file, it must not have a different size than defined in the
		  filename!
The data in filename is written to the blockdevice

Example: ./write_data /dev/hda3 234653.1024
writes 1024 bytes of data to /dev/hda3 starting at offset 234653 with the
data read from the file "234653.1024"


Syntax of replace_data: ./replace_data [-i] blockdevice searchstring replacestring

-i              - the only parameter which is optional. This does the
                  search case insensitive.
blockdevice     - a blockdevice you want to search for data. It need
                  not be a blockdevice, it can be anything, but normally
                  you use it on these.
searchstring    - a string you want to search for
replacestring   - the string you want to replace the found entries with

The blockdevice is searched for occurrences of searchstring, which are
then replaced.
Example: ./replace_data -i /dev/hda3 "connect from 1.0.0.1" "Remap table failure "

Output looks like:
found at 234600 - replaced


Q: What is it for?
A: Search data on a harddisk/partition/file, extract the part you are
   interested in, and write it back after you (maybe) modified it.
   Or do a global search and replace.

Q: What can I do with it?
A: several things.
	Example 1:	You want to remove some log entries from
	/var/log/syslog without interrupting the syslogd writing.
	You search for the data strings you want to remove from the file,
	extract the data into a file, and replace the log entries with some
	uninteresting looking ones (which should be normal on the system!).
	Remember that your changes must result in the same size of the file.

	Example 2:	You want to be sure that you find all (unencrypted)
	logfiles which could show your intrusion on the system.
	You simply use search_data on all mounted harddisk devices and
	search e.g. for your hostname and IP address. By this you can be
	sure to find all normal logging (except encrypted logs, syslog
	forwardings, writing log data to serial devices, etc.)

	Important to note: by modifying the file contents via the raw mode
	of the harddisk partition you don't change the access|modify|change
	time of the file(s). This is to your advantage.

Q: Hey this tool is cool, right?
A: no. anyone can code this, it's easy stuff, and most guys have already
   coded this for themselves, so there's no fame releasing this.

Q: Where can't I use this stuff?
A: on systems where the securelevel is set. This means that you can't open
   the blockdevices in raw mode. Also on filesystems with their own
   architecture this might not work (e.g. reiserfs).


You can email me at vh@thc.org - my public pgp key:

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
