
			  DATA MANIPULATION v1.2

		(c) 1998-2004 by van Hauser / THC <vh@thc.org>
			     http://www.thc.org



This piece of shit is very simple but comes in handy sometimes ...
It comes with 4 tools:

Syntax of search_data: ./search_data [-i] [-d] blockdevice searchstring

-i              - optional. Makes the search case insensitive.
-d              - optional. Dumps the found occurrences in hex.
blockdevice     - the blockdevice you want to search for data. It need
                  not be a blockdevice, it can be any file, but normally
                  you use it on these.
searchstring    - the string you want to search for

The blockdevice is searched for occurrences of searchstring; each one
found is printed together with its byte offset.
Example: ./search_data -i /dev/hda3 "connect from 10.0.0.1"

Output looks like:
found at 234600: connect from 10.0.0.1/unresolved (UNKNOWN)
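The search above has to be done as a sequential scan of the device, and the detail a practitioner cares about is what happens when a hit straddles two reads. The following is an added example (not THC's code) that reads the device in chunks, carries the last len(needle)-1 bytes into the next read so a boundary hit is found exactly once, supports the case-insensitive mode, and produces the same "found at OFFSET: line" report plus a -d style hex dump. The sample image, the chunk size of 64 and all function names are constructed for the example.

```python
import io
from typing import BinaryIO, Iterator, List, Tuple

DEFAULT_CHUNK = 1 << 20  # 1 MiB per read; any size not smaller than the needle works


def search_stream(dev: BinaryIO, needle: bytes, case_insensitive: bool = False,
                  chunk_size: int = DEFAULT_CHUNK) -> Iterator[int]:
    """Yield the byte offset of every occurrence of `needle` in `dev`.

    `dev` is anything opened in binary mode: a block device, a disk image
    or a BytesIO. It is read sequentially; the last len(needle)-1 bytes of
    each chunk are carried into the next one, so a hit that straddles two
    reads is still reported, and reported only once.
    """
    if not needle:
        raise ValueError("empty search string")
    if chunk_size < len(needle):
        raise ValueError("chunk_size must be at least len(needle)")
    if case_insensitive:
        needle = needle.lower()
    keep = len(needle) - 1
    tail = b""   # bytes carried over from the previous read
    base = 0     # device offset of tail[0] (or of the next read if tail is empty)
    while True:
        data = dev.read(chunk_size)
        if not data:
            break
        buf = tail + data
        hay = buf.lower() if case_insensitive else buf
        pos = hay.find(needle)
        while pos != -1:
            yield base + pos
            pos = hay.find(needle, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)


def context(dev: BinaryIO, offset: int, width: int = 80) -> bytes:
    """Return the bytes at `offset` up to the next newline (at most `width`)."""
    dev.seek(offset)
    line = dev.read(width)
    nl = line.find(b"\n")
    return line if nl == -1 else line[:nl]


def hexdump(data: bytes, start: int) -> List[str]:
    """Format `data` as 16-byte rows prefixed with the device offset."""
    rows = []
    for i in range(0, len(data), 16):
        row = data[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in row)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        rows.append(f"{start + i:08x}  {hexpart:<47}  {asc}")
    return rows


def find_all(dev: BinaryIO, needle: bytes, case_insensitive: bool = False,
             chunk_size: int = DEFAULT_CHUNK) -> List[Tuple[int, bytes]]:
    """Two passes: collect offsets sequentially, then seek back for context."""
    dev.seek(0)
    offsets = list(search_stream(dev, needle, case_insensitive, chunk_size))
    return [(off, context(dev, off)) for off in offsets]


# Constructed sample image (not real disk data): two syslog-style lines
# inside filler bytes. The first line starts at offset 60 so that, with a
# 64-byte chunk size, the match straddles a read boundary.
SAMPLE_IMAGE = (
    b"A" * 60
    + b"connect from 10.0.0.1/unresolved (UNKNOWN)\n"
    + b"B" * 30
    + b"CONNECT from 10.0.0.1\n"
)

if __name__ == "__main__":
    dev = io.BytesIO(SAMPLE_IMAGE)
    hits = find_all(dev, b"connect from 10.0.0.1", case_insensitive=True, chunk_size=64)
    for off, line in hits:
        print(f"found at {off}: {line.decode('latin-1')}")
        dev.seek(off)
        for row in hexdump(dev.read(32), off):
            print("  " + row)
```

Run on a real device by replacing the BytesIO with `open("/dev/sdXN", "rb")`; the same code works on a dd image, which is the form a forensic examiner would normally search rather than the live device.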


Syntax of read_data: ./read_data blockdevice start_address no_of_bytes

blockdevice	- the blockdevice you want to get your data from. It need
		  not be a blockdevice, it can be any file, but normally
		  you use it on these.

start_address	- the offset in the blockdevice from which you want to
		  extract data

no_of_bytes	- how many bytes of data, starting at start_address, you
		  want to extract into a file.

The output filename is always START_ADDRESS.NO_OF_BYTES
Example: ./read_data /dev/hda3 234653 1024
writes 1024 bytes of data from /dev/hda3 starting from offset 234653 to
the file "234653.1024"


Syntax of write_data: ./write_data blockdevice filename

blockdevice     - the blockdevice you want to write your data to. It need
                  not be a blockdevice, it can be any file, but normally
                  you use it on these.
filename	- the file holding the data you want to write to the
		  blockdevice. For error protection, the location where it
		  is put is gathered from the filename, as you can see above
		  for read_data. If you modified the data extracted with
		  read_data, the file must not have a different size than
		  the one defined in the filename!
The data in filename is written to the blockdevice.

Example: ./write_data /dev/hda3 234653.1024
writes 1024 bytes of data to /dev/hda3 starting at offset 234653 with the
data read from the file "234653.1024"


Syntax of replace_data: ./replace_data [-i] blockdevice searchstring replacestring

-i              - optional. Makes the search case insensitive.
blockdevice     - the blockdevice you want to search for data. It need
                  not be a blockdevice, it can be any file, but normally
                  you use it on these.
searchstring    - the string you want to search for
replacestring   - the string you want to replace the found entries with

The blockdevice is searched for occurrences of searchstring, and each one
found is replaced.
Example: ./replace_data -i /dev/hda3 "connect from 1.0.0.1" "Remap table failure "

Output looks like:
found at 234600 - replaced


Q: What is it for?
A: Search data on a harddisk/partition/file, extract the part you are
   interested in, and write it back after you (maybe) modified it.
   Or do a global search and replace.

Q: What can I do with it?
A: Several things.
	Example 1:	You want to remove some log entries from
	/var/log/syslog without interrupting the syslogd writing to it.
	You search for the data strings you want to remove from the file,
	extract the data into a file, and replace the log entries with some
	uninteresting looking ones (which should be normal on the system!).
	Remember that your changes must leave the file the same size.

	Example 2:	You want to be sure that you find all (unencrypted)
	logfiles which could show your intrusion on the system.
	You simply use search_data on all mounted harddisk devices and
	search e.g. for your hostname and IP address. By this you can be
	sure to find all normal logging (except encrypted logs, syslog
	forwarding, log data written to serial devices, etc.)

	Important to note: by modifying the file contents through the raw
	device of the harddisk partition you don't change the
	access|modify|change time of the file(s). This works to your
	advantage.
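The note above is the detail that matters to anyone auditing such a system: a raw-device edit changes neither mtime nor ctime, so any integrity check keyed on timestamps misses it. The added example below (not part of the THC package) shows the check that does not miss it: a baseline of content hashes, compared on demand, with the timestamps recorded only to report whether they moved. The demo simulates the effect on a constructed log file by overwriting a record in place and restoring atime/mtime with os.utime; ctime cannot be restored from userspace, so in the demo only mtime stays unchanged, whereas after a real raw-device edit both would. The detector flags the file either way.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

Record = Dict[str, object]


def file_record(path: str) -> Record:
    """Snapshot the content hash plus the timestamps an inspector might rely on."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}


def build_baseline(paths: Iterable[str]) -> Dict[str, Record]:
    """Record every file once, e.g. right after a known-good install."""
    return {p: file_record(p) for p in paths}


def check_against_baseline(baseline: Dict[str, Record]) -> List[Record]:
    """Report files whose content hash changed since the baseline.

    The verdict rests on the hash alone; mtime/ctime are compared only so
    the report shows whether the timestamps moved along with the content.
    """
    findings = []
    for path, old in baseline.items():
        new = file_record(path)
        if new["sha256"] == old["sha256"]:
            continue
        findings.append({
            "path": path,
            "size_before": old["size"], "size_after": new["size"],
            "mtime_changed": new["mtime"] != old["mtime"],
            "ctime_changed": new["ctime"] != old["ctime"],
        })
    return findings


def demo() -> List[Record]:
    """Baseline a constructed log, alter one record in place, restore atime/mtime, re-check."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "syslog")
        original = b"Jan 01 00:00:01 host sshd[123]: connect from 10.0.0.1\n"  # constructed
        with open(log, "wb") as f:
            f.write(original)
        baseline = build_baseline([log])
        old = baseline[log]

        # Same-size in-place overwrite, then atime/mtime put back: the closest a
        # userspace demo can get to what a raw-device edit leaves behind.
        modified = original.replace(b"connect from 10.0.0.1", b"x" * 21)
        with open(log, "r+b") as f:
            f.write(modified)
        os.utime(log, ns=(old["atime"], old["mtime"]))

        return check_against_baseline(baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A baseline kept on the same host is of limited value against an attacker with raw device access; store it, or at least the hashes, off-host (or ship the logs off-host in the first place, which is the gap the README's Example 2 itself points out).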

Q: Hey this tool is cool, right?
A: No. Anyone can code this, it's easy stuff, and most guys have already
   coded this for themselves, so there's no fame in releasing this.

Q: Where can't I use this stuff?
A: On systems where the securelevel is set. This means that you can't open
   the blockdevices in raw mode. Also on filesystems with their own
   architecture this might not work (e.g. reiserfs).


You can email me at vh@thc.org - my public pgp key:

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
-----END PGP PUBLIC KEY BLOCK-----
