Rafind2 (Search)

Rafind2 is the command-line frontend of the r_search library, which allows you to search for strings, sequences of bytes with binary masks, etc.

$ rafind2 -h
Usage: rafind2 [-mXnzZhqv] [-a align] [-b sz] [-f/t from/to] [-[e|s|S] str] [-x hex] file|dir ..
 -a [align] only accept aligned hits
 -b [size]  set block size
 -e [regex] search for regex matches (can be used multiple times)
 -f [from]  start searching from address 'from'
 -h         show this help
 -i         identify filetype (r2 -nqcpm file)
 -m         magic search, file-type carver
 -M [str]   set a binary mask to be applied on keywords
 -n         do not stop on read errors
 -r         print using radare commands
 -s [str]   search for a specific string (can be used multiple times)
 -S [str]   search for a specific wide string (can be used multiple times)
 -t [to]    stop search at address 'to'
 -q         quiet - do not show headings (filenames) above matching contents (default for searching a single file)
 -v         print version and exit
 -x [hex]   search for hexpair string (909090) (can be used multiple times)
 -X         show hexdump of search results
 -z         search for zero-terminated strings
 -Z         show string found on each search hit

To see how it is used, first we'll search for "lib" inside the /bin/ls binary.

Note that the output is pretty minimal, and shows the offsets where the string lib is found. We can then use this output to feed other tools.

Counting results:

Displaying results with context:

rafind2 can also be used as a replacement for file, identifying the MIME type of a file using the internal magic database of radare2.

It also works as a strings replacement, similar to what you do with rabin2 -z, but without parsing headers or obeying binary sections.
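The kind of search that the -s, -x, -M, -a, -f and -t options describe can be modelled in a few lines of Python. This is an added example, not code from radare2 or r_search: the function name `masked_find`, the sample buffer, and the mask semantics (a set bit means "this bit must match", mask and keyword of equal length, hits lying wholly inside the from/to range) are assumptions made for illustration.

```python
def masked_find(data, keyword, mask=None, align=1, start=0, end=None):
    """Return every offset in data[start:end] where keyword matches under mask.

    Assumed semantics (illustrative, not taken from r_search):
      mask  - same length as keyword; only bits set in the mask are compared
      align - a hit is accepted only if its offset is a multiple of align
      start/end - the whole match must lie inside [start, end)
    """
    if not keyword:
        raise ValueError("empty keyword")
    if mask is None:
        mask = b"\xff" * len(keyword)          # no mask: exact byte match
    if len(mask) != len(keyword):
        raise ValueError("mask and keyword must have the same length")
    if align < 1:
        raise ValueError("align must be >= 1")
    end = len(data) if end is None else min(end, len(data))
    wanted = bytes(k & m for k, m in zip(keyword, mask))
    hits = []
    for off in range(max(start, 0), end - len(keyword) + 1):
        if off % align:
            continue                            # unaligned candidates are skipped
        window = data[off:off + len(keyword)]
        if bytes(b & m for b, m in zip(window, mask)) == wanted:
            hits.append(off)
    return hits


# Constructed sample buffer: two "lib..." strings, a run of three 0x90 bytes,
# and two 5-byte sequences that start with 0xe8 but have different operands.
SAMPLE = (b"\x00libc.so\x00" + b"\x90\x90\x90" + b"\xe8\x10\x00\x00\x00"
          + b"\x00\xe8\xff\xff\xff\xff" + b"liblzma\x00")

# Keyword and mask for "0xe8 followed by any four bytes".
E8_ANY = bytes.fromhex("e800000000")
E8_MASK = bytes.fromhex("ff00000000")

if __name__ == "__main__":
    for label, hits in [
        ("string 'lib'", masked_find(SAMPLE, b"lib")),
        ("hexpairs 909090", masked_find(SAMPLE, bytes.fromhex("909090"))),
        ("e8 + 4 wildcard bytes", masked_find(SAMPLE, E8_ANY, E8_MASK)),
        ("same, 4-byte aligned", masked_find(SAMPLE, E8_ANY, E8_MASK, align=4)),
    ]:
        print(label, [hex(h) for h in hits])
```

The masked keyword matches both 0xe8 sequences even though their operand bytes differ, while the alignment filter keeps only the hit that falls on a 4-byte boundary.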
