Search in binary files using wildcards on the command line with the free Swiss File Knife for Windows, Mac OS X and Linux.
sfk xhexfind dirName "/searchtext/totext/"
search in text and binary files using wildcards * and ?
as well as SFK Simple Expressions in brackets [],
creating a hexadecimal dump output.
subdirectories are included by default
the sfk default for most commands is to process the given folders,
as well as all subdirs within them. specify -nosub to disable this.
options
-nosub do not include files in subdirectories.
-nobin[ary] skip binary files.
-case case-sensitive text comparison. default is insensitive.
for details type: sfk help nocase
-text starts a list of search patterns of the form /src/ or
/src/totext/ where / is the separator char, src the text
to search for, and totext a mask to reformat output.
any separator char can be used which is not part of the
search text, i.e. /foo/ or _foo_ both search "foo".
-text is not required if a single filename is given.
-pat the same as -text, starting a pattern list.
-bylist x.txt read search patterns from a file x.txt, supporting
multiple lines per pattern. (add -full for more.)
-bylinelist x read /from/to/ or just /from/ patterns from a file x
with one pattern per line. (add -full for more.)
-by(line)list does not support sfk variables.
to use variables in patterns create an sfk script
with patterns as parameters. "sfk script" for more.
-arc XE: include content of .zip .jar .tar etc. archives
as deep as possible, including nested archives.
XD: demo will read first 1000 bytes of each entry.
-qarc quick read top level archives but not nested ones.
-firsthit show only first found pattern match per file.
-tracesel tell in detail which files are searched or ignored.
-quiet do not show progress infos.
-names list only names of files containing at least one hit.
-notnames list only names of files not containing any hit.
-justrc print no search results, just set return code on hits.
-full print full help text telling about -bylist pat. files,
special character case sensitivity and nested or repeated
replace behaviour.
output options
-wide show 16 bytes per line in output.
-lean show 8 bytes per line in output.
-context=n show n bytes of context around results.
-fullhead[er] print offset/length of hits both in decimal and hex.
-maxdump=n show up to n bytes only. n must be larger then context.
-nodump do not create a hexdump, list only matching files.
-showle highlight CR/LF line endings in hex dump output
-nofile do not insert :file header lines in output.
-crlf, -lf for file headers and default totext: force crlf or lf
line endings instead of system default
-rawterm on output to terminal do not strip codes below 32.
null bytes are always stripped.
+tofile x as last parameter (command chaining): write text as
displayed on terminal to a file x.
-more[n] pause output every 30 or n lines.
return codes for batch files
0 = no matches, 1 = matches found, >1 = major error occurred.
see also "sfk help opt" on how to influence error processing.
quoted multi line parameters are supported in scripts
using full trim. type "sfk script" for details.
wildcards and SFK expressions
SFK Expressions are simple patterns containing literal text,
wildcards * and ? and character classes in square brackets [].
basically, the syntax provides extended wilcards but no
further logic and is not related to regular expressions.
search patterns are surrounded by a separator character which
can be anything not contained in the search text, like / or _
within a pattern /fromtext/totext/the fromtextmay contain:* - 0 to 4000 characters in the same
text line or paragraph, i.e. all
bytes not being CR, LF or NULL.
4000 is just a default maximum
that can be changed by:
[0.100000 chars] - 0 to 100000 characters in the same
text line or paragraph, i.e. the
same as * but with a larger range.
? - one character.
????? - same as [5.5 chars] or [5 chars][bytes] - 0 to 4000 bytes (with CR,LF,NULL)
i.e. it collects stream text
across lines, even in binary data
** - the same as [bytes].
[0.100 bytes] - 0 to 100 bytes
[.100000 bytes] - up to 100000 bytes
[1.* bytes] - 1 to default maximum bytes
[2 chars] - exactly 2 chars
[30 bytes] - exactly 30 bytes
[byte of aeiou] - one vocal (a OR A OR e OR ...),
case insensitive by default.
"aeiou" is a character list.
[byte of \\\x2f] - a backslash \ or forw. slash /
[bytes of \r\n \t] - whitespace incl. line ends
[bytes of (\r\n \t)] - the same, () are optional
[bytes not \r\n\0] - up to 4000 bytes as long as no
CR, LF or NULL byte appears
[chars] - the same as [bytes not \r\n\0],
i.e. collect text in a line
[char not ( \t)] - same as [byte not ( \r\n\0\t)],
everything not blanks and tabs
[char not )( \t] - not brackets, blanks and tabs,
same as not (\(\) \t)[chars of a-z0-9] - means a-zA-Z0-9 as search is
case insensitive by default
[chars of \x61-\x7A] - search a-z but not A-Z, or use
option -case for case search
[eol] - end of line by characters:
CRLF or LF or CR
[white] = chars of (\t ) - 0 or more whitespaces
[xwhite] = bytes of (\t \r\n) - same but across lines
[1 white] = byte of (\t ) - 1 whitespace
[digit] = byte of (0-9) - 1 digit
[digits] = bytes of (0-9) - 0 or more digits
[hexdigit] = byte of (0-9a-f) - 1 hexadecimal digit
[hexdigits] = bytes of (0-9a-f) - 0 or more hex digits
special keywords that do not count as tokens:
[skip] - at the start of a pattern: skip such text
completely, do not count it as a search hit.
[keep] - search also the following text but keep it
in the input data, without consuming it.
[ortext] - foo[ortext]bar searches word foo or bar.
[ortext] is allowed only between literals.
anchors that have no length of their own:
[start] - start of file
[end] - end of file
[lstart] - line start, i.e. start or CRLF or CR or LF
[lend] - logical line end, i.e. eol or end of file.
to replace line ends use [eol] instead.
how to search or replace special characters:
- to search or replace text containing the literal characters
* ? \ [ ] then these must be escaped like \* \? \\ \[ \]
- ( ) are escaped only within character lists, like \( \)
- to search or replace the forward slash '/' type \x2f or use
another char around from/to text, e.g. _fromtext_totext_
- parameters with blanks and non trivial characters need double
quotes "", see also "about Shell Command Characters" below.
expansion priorities: (highest first)
if two search parts are side by side, and the same input
character matches both, then these priorities apply:
5: start, end, lstart, lend
4: literal text, eol
3: whitelist classes: byte of, bytes of
2: blacklist classes: chars not, bytes not
1: plain wildcards: ?, *, **, byte, bytes, chars
this means in "/[bytes]foo/" the [bytes] will stop to collect
characters as soon as "foo" is found, as "foo" is a literal.
on same or higher priority the right side stops the left side.
avoid overlapping character groups. for example, [chars][white]
cannot work, as space and tab are part of chars. to fix this
extend chars by relevant exclusions: [chars not ( \t)][white]the totextmay contain:[part 1] use first text part of the fromtext.
e.g. the fromtext /*foo[.100 chars]bar*/
contains parts : 1 2 3 4 5[part1] the same (blank is optional).
[parts 1,2,3] use parts 1, 2 and 3.
[parts 1-10] use parts 1 to 10.
[strip(part1,\0)] use part 1 but remove zero bytes.
only zero bytes "\0" can be removed.
[file.name] full input filename with path
[file.relname] input filename without path
[file.path] input file's path
[file.base] relname without last .extension
[file.ext] input filename extension
[all] use all parts from fromtext.
[setvar name]...[endvar] set variable "name" with data
between setvar and endvar.
[getvar name] fill in data from variable "name"
although anchors like lstart, lend count as a separate part
they need NOT be specified in the totext. this means that
/[lstart]foo[lend]/bar/ just changes the word "foo".
supported slash patterns\t = TAB
\r = CR
\n = LF
\x00 = one byte with code 00 hexadecimal
\0 = short form for \x00
\q = a double quote "
\\ = the backslash character \ itself
\[ = the bracket open character [
\] = the bracket close character ]
\* = the literal star character *
\? = the literal question mark ?
\- = to use literal "-" in a command
Within multi line -bylist files:
\ = slash+blank is changed to a single blank
Only within "char of" or "byte not" lists:
\( = to use literal character "("
\) = to use literal character ")"
SFK expression options
-showpart(s) print /from/ part numbers, range statistics
and expansion priority points per part.
done automatically if a required /to/ text
is not given with a command.
-showbest if a /from/ pattern finds nothing, use this to
see how many parts would match so far, and with
up to how many bytes per part. anchors like [lstart]
may show a non zero length when matching (CR)LF.
-showlist with -bylist, show the internal joined list if
commands are spread across multiple lines.
-showall show all of the above.
-xmaxlen=n set default maximum length for chars or bytes commands,
e.g. -xmaxlen=10000 means /foo*bar/ matches with up to
10000 characters between foo and bar. the default max
length without this option is 4000 characters.
performance notes
- always use a string literal, or single byte or char, at the start
of your search expressions, like in /foo*bar/ starting with 'f'.Do not use a wildcard like * at the start like in /*foobar/
when searching huge input data, as your search will slow down byfactor 256. Use /[lstart]*foobar/ instead.
- the system may cache output file(s), writing to disk in background
after sfk has finished. subsequent batch commands may execute slower.
chaining supportsfk extract output can be sent only to +xed or +xex.
other commands require an xed conversion step like
sfk extract ... +xed +viewaliasessfk xhexfind is the same as xfind -hex
to extract unmodified binary data you may use either
sfk xfind -pure ... -tofile or sfk extract ... -tofileoffice file supportsfk ofind search in .xml text file contents of
office files like .docx .xlsx .ods .odt.
sfk help office for more infos and options
see also--- open source commands ---sfk xfind search wildcard text in plain text files
sfk ofind search in office files .docx .xlsx .ods
sfk xfindbin search wildcard text in text/binary files
sfk xhexfind search in text/binary with hex dump output
sfk extract extract wildcard data from text/binary files
sfk filter filter and edit text with simple wildcards
sfk find search fixed text in text files
sfk findbin search fixed text in text/binary files
sfk hexfind search fixed text in binary files
sfk replace replace fixed text in text/binary files
--- freeware commands ---sfk view GUI tool to search text as you type
--- xe commercial commands ---sfk replace replace fixed text with high performance
sfk xreplace replace wildcard text in text/binary files
sfk help xe about SFK XE and xreplace with SFK Expressions.
beware of Shell Command Characters.
to find or replace text patterns containing spaces or special
characters like <>|!&?* you must add quotes "" around parameters
or the shell environment will destroy your command. for example,
pattern /foo bar/other/ must be written like "/foo bar/other/"
within a .bat or .cmd file the percent % must be escaped like %%
even within quotes: sfk echo -spat "percent %% is a percent \x25"web referencehttp://stahlworks.com/sfk-xhexfindabout example numbers with [brackets]
if you see [1] type "sfk cmd 1" for whole command in one line.
bad examples with correctionsif input text contains:
bool bClFoo;
bool bClBar ;
sfk xfind in.txt "/bool[xwhite]bCl*[xwhite];/"
does NOT match "bool bClFoo;" because * eats the
whole input line including ";" so no input is left
for "[xwhite];" and the whole expression fails.
sfk xfind in.txt "/bool[xwhite]bCl[* not ;][xwhite];/"
does both match "bool bClFoo;" and "bool bClBar ;".
this means whenever your search fails to work write
in detail which characters (not) to collect where.
sfk xex in.txt "/[lstart]foo/[lstart]goo/"
there is no need to write an anchor like [lstart]
within totext as it contains no data. use instead:
sfk xex in.txt "/[lstart]foo/goo/"
sfk xex in.txt "/foo[lend]bar/goo[part2]bar/"
anchors like [lend] must be at start or end of fromtext
and cannot be referenced within totext. use instead:
sfk xex in.txt "/foo[eol]bar/goo[part2]bar/"
working examplessfk xfind -text "/class [bytes]{[bytes]}/[all]\n\n/"-dir mydir -file .hpp +tofile out.txt
collect class definitions from mydir and write output
indirectly (via command chaining) to out.txt [13]
sfk xfind in.txt -text "/foo*bar/"
search in.txt for patterns starting with foo and ending
with bar, in the same line, with up to 4000 characters inbetween.
sfk xfind in.txt -text "/foo*bar/" +view
same as above, but show the result in the depeche view
text browser tool for easy reading.
sfk xhex -text "/foo[0.100000 bytes]bar/" -dir mydir
search all text and binary files of mydir for patterns of
foo and bar with 0 to 100000 bytes (including NULL, CR
and LF) inbetween and print output as hex dump.
sfk xfind -text "/printf(**);/" -dir mydir -file .cpp
find all printf statements in source code, including statements
across multiple lines.
sfk xfindbin in.dat "/foo[0.100 bytes of (a-z0-9_@ )]bar/"
searches a single input file in.dat for all phrases
starting foo and ending bar, with 0 to 100 characters
inbetween being alphanumeric, @ or _ or space.
sfk xfindbin -text "/foo*bar/[part2]\n" -dir mydir -file .txt
find foo*bar in all .txt files of folder mydir
but print only the text between foo and bar.
sfk xfindbin -text "/\x66\x6f\x6f[0.100 bytes]\x62\x61\x72/"-dir mydir -file .exe +view
find binary data starting with bytes 0x66, 0x6f, 0x6f,
ending with 0x62, 0x61, 0x72 and up to 100 bytes inbetween
in all .exe files of mydir and show result in dview. [14]
sfk xfindbin -arc in.zip "/class*/"
XE: find phrases starting with "class" in .zip contents
XD: demo will search first 1000 bytes per .zip sub file
sfk xfindbin -justrc result.txt "/error/"IF %ERRORLEVEL%==1 GOTO foundError
in a batchfile: jump to label foundError if "error"
is found in result.txt. with -justrc no output is printed.
sfk xhexfind -text "/\x66\x6f\x6f[0.100 bytes]\x62\x61\x72/"-dir mydir -file .exe +view
find binary data starting with bytes 0x66, 0x6f, 0x6f,
ending with 0x62, 0x61, 0x72 and up to 100 bytes inbetween
in all .exe files of mydir and show result in dview. [16]
sfk xhexfind in.txt "/[char of \x01-\x09\x0b-\x0c\x0e-\x1f]/"
find control characters in file except for CR/LF
sfk xhexfind mydir "/[bytes of \x00-\x08]/"
search binary code range 0x00 to 0x08 in mydir
sfk hexfind mydir -bin /01020304/sfk xhexfind mydir "/\x01\x02\x03\x04/"
search binary data 0x01020304 in mydir