THC-ManipulateData 1.3 review

Download
by rbytes.net on

THC-ManipulateData can search data on a harddisk/partition/file, extract the part you are interested in, and write it back after you

License: GPL (GNU General Public License)
File size: 6K
Developer: The Hacker's Choice
0 stars award from rbytes.net

THC-ManipulateData can search data on a harddisk/partition/file, extract the part you are interested in, and write it back after you modified it.

Useful to find and modify really all unencrypted Logfiles on a system. Does everything in RAW mode, and hence does not tamper a/m/ctimes.

It comes with 4 tools:

Syntax of search_data: ./search_data [-i] [-d] blockdevice searchstring

-i - the only parameter which is optional. This does the
search case insensitive.
-d - dump the found occasions in hex
blockdevice - a blockdevice you want to search for data. It need
not to be a blockdevice, it can be anything, but normaly
you use it on these.
searchstring - a string you want to search for

The blockdevice is searched for the occurance of searchstring, which are printed with location when found.

Example: ./search_data -i /dev/hda3 "connect from 10.0.0.1"

Output looks like:

found at 234600: connect from 10.0.0.1/unresolved (UNKNOWN)

Syntax of read_data: ./read_data blockdevice start_address no_of_bytes

blockdevice - a blockdevice you want to get your data from. It need not to be a blockdevice, it can be anything, but normaly you use it on these.

start_address - from which offset of the blockdevice you want to extract data from

no_of_bytes - how many bytes of data starting at the start_address you want to extract in a file.

The output filename is always START_ADDRESS.NO_OF_BYTES

Example: ./read_data /dev/hda3 234653 1024

writes 1024 bytes of data from /dev/hda3 starting from offset 234653 to the file "234653.1024"

Syntax of write_data: ./write_data blockdevice filename

blockdevice - a blockdevice you want to write your data to. It need not to be a blockdevice, it can be anything, but normaly you use it on these.
filename - the data you want to write to the blockdevice. For error protection, the location where it is put it gathered from the filename - as you can see above from read_data. If you modified the data extracted with read_data into the file, it may not have a different size than defined in the filename! The data in filename is written to the blockdevice

Example: ./write_data /dev/hda3 234653.1024

writes 1024 bytes of data to /dev/hda3 starting at offset 234653 with the
data read from the file "234653.1024"

Syntax of replace_data: ./replace_data [-i] blockdevice searchstring replacestring

-i - the only parameter which is optional. This does the search case insensitive.
blockdevice - a blockdevice you want to search for data. It need not to be a blockdevice, it can be anything, but normaly you use it on these.
searchstring - a string you want to search for
replacestring - the string you want to replace the found entries with

The blockdevice is searched for the occurance of searchstring, and is then replaced.

Example: ./replace_data -i /dev/hda3 "connect from 1.0.0.1" "Remap table failure "

Output looks like:

found at 234600 - replaced

What's New in This Release:
fixed a bug in read/write_data, seeks over 2gb now succeed
added -d for hexdump display of occasions found in search_data

THC-ManipulateData 1.3 search tags