
How to Search for Binary Patterns in Ubuntu Linux Files

This guide details the process of scanning files for specific binary sequences on Ubuntu. It covers using standard command-line utilities to identify hex codes or raw data within directories. By following these instructions, you can quickly locate specific data signatures without manual inspection.

Using Grep with Perl Regex

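A direct method is to use grep with Perl-compatible regular expressions (-P), which lets you write the target bytes as hexadecimal escapes. Open your terminal and use the following command structure:

LC_ALL=C grep -r --binary-files=text -P '\xHH\xHH\xHH' /path/to/search

Replace \xHH\xHH\xHH with your target hex bytes. For example, to find the pattern DE AD BE EF, you would write \xDE\xAD\xBE\xEF. The -r flag enables recursive searching through subdirectories. The --binary-files=text option makes grep treat binary files as text and print the matching data, instead of only reporting that a binary file matches. The LC_ALL=C prefix matters on Ubuntu, where the default locale is UTF-8: in a UTF-8 locale grep -P interprets \xDE as the character U+00DE rather than the single byte 0xDE, so escapes for bytes of 0x80 and above do not match the raw bytes.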

Searching for ASCII Strings in Binary Files

If you are looking for readable text embedded within binary files, you do not need hex codes. You can use the standard grep command with the -a flag, which treats binary files as text. Run the following command:

grep -ra "search_term" /path/to/search

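This command scans all files in the specified directory for the string “search_term”. The -a option (short for --binary-files=text) is crucial here: without it, grep still searches binary files but only reports that the file matches, without showing the matching text. Because matching lines from a binary file can contain arbitrary bytes, add -l to list only file names if you do not want raw data printed to the terminal.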

Combining Find and Grep

For more control over which files are scanned, you can combine find with grep. This is useful if you want to limit the search to specific file extensions or sizes. Use this command structure:

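LC_ALL=C find /path/to/search -type f -exec grep -l --binary-files=text -P '\xDE\xAD\xBE\xEF' {} \;

This command locates all regular files (-type f) and executes grep on each one. Add find tests such as -name or -size before -exec to narrow the set of files. The -l flag tells grep to only print the names of files containing the match. This reduces output clutter and helps you identify exactly which files contain the binary pattern. Setting LC_ALL=C makes grep match the \xHH escapes as raw bytes rather than as UTF-8 characters; find passes the variable on to each grep it runs.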

Verifying Matches

Once you have identified potential files, you should verify the content to ensure it is not a false positive. Use the xxd tool to dump the file content in hexadecimal format. Run the following command on a matched file:

xxd -g 1 filename | grep "de ad be ef"

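This displays the hex dump with one byte per group, making it easy to visually confirm the presence of your binary pattern within the file structure. Because xxd prints 16 bytes per row, a pattern that straddles two rows never appears on a single line, so an empty result here does not rule out a match.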
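
The following added example (not part of the original page) verifies hits by byte offset instead of by grepping xxd rows: grep -b -o reports where each match starts, and xxd -s dumps the bytes around it. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm byte-pattern hits by offset, not by grepping xxd rows.
# Function names and the sample file are constructed for this illustration.

# Print the decimal byte offset of every match of a PCRE byte pattern.
# LC_ALL=C makes \xDE mean the single byte 0xDE, not UTF-8 for U+00DE.
pattern_offsets() {
    LC_ALL=C grep -obaP -- "$1" "$2" | LC_ALL=C cut -d: -f1
}

# Count xxd rows that show the whole pattern on one line. A match split
# across two 16-byte rows is invisible to this check.
xxd_row_hits() {
    xxd -g 1 "$2" | grep -c -- "$1"
}

# Dump 32 bytes of context, starting up to 8 bytes before the hit.
dump_hit() {
    if [ "$1" -gt 8 ]; then start=$(($1 - 8)); else start=0; fi
    xxd -g 1 -s "$start" -l 32 "$2"
}

# Constructed sample: DE AD BE EF at offset 14 (split across two xxd rows)
# and again at offset 32 (start of a row). Bytes are written as octal escapes.
make_sample() {
    printf 'AAAAAAAAAAAAAA\336\255\276\357BBBBBBBBBBBBBB\336\255\276\357\n' > "$1"
}

sample=$(mktemp)
make_sample "$sample"
for off in $(pattern_offsets '\xDE\xAD\xBE\xEF' "$sample"); do
    echo "match at byte offset $off"
    # xxd ships in the xxd or vim-common package; skip the dump if absent.
    command -v xxd >/dev/null 2>&1 && dump_hit "$off" "$sample"
done
rm -f "$sample"
```

On the sample file, grep reports two offsets while the row-based xxd check sees only the second one. grep splits input on newlines, so a pattern that itself contains the byte 0x0A cannot be matched this way.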