2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
WinHex Script Command Tutorial
Script commands are available in many environments. Comments in a script file begin with a double slash. A parameter can be up to 255 characters long. Where it is unclear whether a parameter is a hexadecimal value, a text string (or even a decimal value), you can use quotation marks to force a numeric parameter to be treated as text. Quotation marks are required if a text string or variable name contains a space; all characters inside the quotation marks are then recognized as one parameter.
Mathematical expressions can be used in WinHex scripts, but they must be enclosed in parentheses and must not contain spaces. Numeric variables can also be used in expressions. Supported operations are addition (+), subtraction (-), multiplication (*), integer division (/), modular division (%), and the logical operators AND (&), OR (|), and XOR (^). The following are valid mathematical expressions: (5*2+1), (MyVar1/(MyVar2+4)), or (-MyVar).
The following is a detailed description of the currently supported script commands and examples of use.
Create "D:\My File.txt" 1000
Creates a new file of 1000 bytes, overwriting a file with the same name if it already exists.
Open "D:\My File.txt"
Open "D:\*.txt"
Opens the specified file(s). If the parameter is "?", WinHex lets the user select the file to open.
Open C:
Open D:
Opens the specified logical drive. If the parameter is ":?", WinHex lets the user choose the logical drive or disk to open.
Open 80h
Open 81h
Open 9Eh
Opens the specified physical media. Floppy disks are 00h, hard disks and USB flash drives are 80h, and CDs are 9Eh.
You can add a second parameter to set the editing mode of the file or media ("in-place" or "read-only").
CreateBackup
Create a WHX backup of the current state of the active file.
CreateBackupEx 0 100000 650 true "F:\My backup.whx"
Backs up the data from sector 0 to sector 100000 on the currently active disk. The backup file is automatically split into parts of 650 MB, and compression is enabled. The path and name of the output file are given as the last parameter.
If the backup file should not be split, set the third parameter to 0. Change "true" to "false" if compression should not be used. If the file name and path should be assigned automatically, specify "" as the last parameter.
Goto 0x128
Goto MyVariable
Moves the cursor to offset 0x128 (hexadecimal). You can also use a numeric variable (up to 8 bytes in length) to define where the cursor moves.
Move 100
Moves the current cursor position back 100 bytes (hexadecimal).
Write "Test"
Write 0x0D0A
Write MyVariable
Writes the ASCII characters "Test" or the two-byte hexadecimal value "0D0A" at the current cursor position (in overwrite mode). The value of a variable can also be written. The cursor is then moved to just behind the overwritten data. When the end of the file is reached, an empty byte is appended to the file to complete the operation, so the next Write command will not be at the end of the file.
Write2
Similar to Write, but no empty byte is appended to the file when the end of the file is reached. It is therefore not safe to assume that Write2 always moves the current position forward by the number of bytes written.
Insert "Test"
The function is similar to "Write", but can only be applied to files in "insert" mode.
Read MyVariable 10
Reads 10 bytes of data from the current position into the variable "MyVariable". If the variable does not exist, it is created. WinHex supports up to 48 different variables at the same time. Another command that creates a variable is "Assign".
ReadLn MyVariable
Reads an entire line of data from the current position into the variable "MyVariable", up to the next newline character. If the variable already exists, it is resized.
Close
Closes the currently active window without saving.
CloseAll
Close all windows without saving.
Save
Saves changes to files or disks that are open in the currently active window.
SaveAs "C:\New Name.txt"
Saves the file opened in the currently active window under the specified path and name. If the parameter is "?", WinHex lets the user choose the path and file name.
SaveAll
Save all changes in the window.
Terminate
Interrupt the execution of the script.
Exit
Interrupts the execution of the script and closes winhex.
ExitIfNoFilesOpen
If there is no open file in winhex, the execution of the script file will be terminated.
Block 100 200
Block "My Variable 1" "My Variable 2"
Defines a selection block from offset 100 to offset 200 (decimal) in the currently active window. The second form defines the block from the value of "My Variable 1" to the value of "My Variable 2" (variables of up to 8 bytes).
Block1 0x100
Define a byte selection block at the offset 0x100. Variables can also be used.
Block2 0x200
Define a selection block from the beginning to the offset 0x200 section. Variables can also be used.
Copy
Copies the current selection into the clipboard. If the selected block is not defined, its function is the same as the copy command in the edit menu.
Cut
Cuts the file in the currently selected block to the clipboard.
Remove
Removes the data in the currently selected block from the file.
CopyIntoNewFile "D:\New File.dat"
CopyIntoNewFile "D:\File +MyVariable+.dat"
Copies the data from the currently selected block to the specified new file, not to the clipboard. If the selected block is not defined, its function is the same as the copy command in the edit menu. Data in disk sectors can be copied into a new file in the same way. The newly created file is not automatically opened in a WinHex editing window. A variable name can be placed in the file name between "+" characters; the variable is interpreted as an integer not greater than 2^24 (16 M). This is usually useful in loops and for file recovery.
Paste
Paste the data from the clipboard into the file without changing the current position of the cursor.
WriteClipboard
Writes the data in the clipboard to the current position in the file or disk sector, overwriting the data after the current cursor position. The cursor position is not changed.
Convert Param1 Param2
Converts the data in the currently active file from one format to another. Valid parameters are ANSI, IBM, EBCDIC, Binary, HexASCII, IntelHex, MotorolaS, Base64, UUCode, LowerCase, and UpperCase. The command has the same function as the Convert command in the menu.
AESEncrypt "My Password"
Use AES to encrypt the currently active file or disk, or its selected block, using the specified key (up to 32 bits).
AESDecrypt "My Password"
Decrypt the currently active file or disk.
Find "John" [MatchCase MatchWord Down Up BlockOnly SaveAllPos Unicode Wildcards]
Find 0x1234 [Down Up BlockOnly SaveAllPos Wildcards]
Searches the currently active window for the string "John" or the hexadecimal value 0x1234, respectively, and stops at the first occurrence. The other parameters are optional.
By default, WinHex searches the entire file or disk. The optional parameters work the same as the usual WinHex search options.
ReplaceAll "Jon" "Don" [MatchCase MatchWord Down Up BlockOnly Unicode Wildcards]
ReplaceAll 0x0A 0x0D0A [Down Up BlockOnly Wildcards]
Replace all places where the above string or hexadecimal value exists with other values in the currently active window. Can only be applied to disk in "in-place" mode.
IfFound
If a value is found, execute the following command.
IfEqual MyVariable "Hello World"
IfEqual 0x12345678 MyVariable
IfEqual MyVariable 1000
IfEqual MyVariable MyOtherVariable
IfEqual MyVariable (10*MyOtherVariable)
Compares two integer values (each of which can be a constant, an integer variable, or a mathematical expression) or two variables, ASCII strings, or hexadecimal values (binary mode). In binary mode the lengths of the two objects are compared as well, and the result is false if they differ. The following command is executed only if the result is true. If conditions cannot be nested.
IfGreater MyVariable "Hello World"
IfGreater 0x12345678 MyVariable
IfGreater MyVariable 1000
IfGreater MyVariable MyOtherVariable
IfGreater MyVariable (10*MyOtherVariable)
Takes the same parameters as IfEqual. The following command is executed only if the first parameter is greater than the second one, that is, if the result is true. If conditions cannot be nested.
Else
Used after IfFound or IfEqual. If nothing was found, or the compared values differ, the commands that follow Else are executed.
EndIf
Ends the execution of if conditional commands (after IfFound or IfEqual).
{...
ExitLoop
...}
ExitLoop exits the loop. A loop is enclosed in braces, and the closing brace is followed by square brackets that define the number of iterations, which can also be a variable or the keyword "unlimited" (infinite loop). Such a loop in a WinHex script can only be left with the ExitLoop command. Loops cannot be nested.
For example:
{Write "Loop"} [10] will output the string "Loop" 10 times.
Label ContinueHere
Creates a label named "ContinueHere".
JumpTo ContinueHere
The script jumps to the label to continue execution.
NextObj
Cycles through all windows to switch the active window. If three windows are open and window #3 is active, the "NextObj" command makes window #1 the active window.
ForAllObjDo
Script code between ForAllObjDo and EndDo will be executed in all open files or disks.
CopyFile C:\A.dat D:\B.dat
Copies the contents of the file C:\A.dat to D:\B.dat.
MoveFile C:\A.dat D:\B.dat
Moves the file C:\A.dat to drive D: and names it D:\B.dat.
DeleteFile C:\A.dat
Deletes the file C:\A.dat.
InitFreeSpace
InitSlackSpace
Wipes all free space or slack space, respectively, on the current logical drive using the current initialization settings. InitSlackSpace temporarily switches the drive to "in-place" mode, which saves any unsaved changes.
InitMFTRecords
Wipes unused MFT FILE records on the current logical drive, which must be formatted with NTFS, using the current initialization settings. The command has no effect on other file systems. The changes are written to the disk immediately.
Assign MyVariable 12345
Assign MyVariable 0x0D0A
Assign MyVariable "I like WinHex"
Assign MyVariable MyOtherVariable
Stores an integer, a binary value, ASCII text, or the contents of another variable in the variable "MyVariable". If the variable does not exist, it is created automatically. Other commands that create variables are Read, GetUserInput, and IntToStr. Up to 48 variables can exist at the same time.
Release MyVariable
Deletes an existing variable. Because WinHex scripts support only 48 variables, releasing variables that are no longer needed frees up space for new ones.
GetUserInput MyVariable "Please enter your name:"
Stores ASCII text or binary data (0x...) entered by the user while the script is running in the variable "MyVariable". The second parameter is the prompt shown to the user. If the variable does not exist, it is created. Other commands that create variables: Assign, Read.
GetUserInputI MyIntegerVariable "Please enter your age:"
It has the same function as GetUserInput, but only integer variables are allowed.
Inc MyVariable
The variable is interpreted as an integer (no more than 8 bits) and is automatically incremented by 1 each time it is run. Useful in a loop.
Dec MyVariable
The variable is interpreted as an integer (no more than 8 bits) and is decremented by 1 each time the command is run. Useful in a loop.
IntToStr MyStr MyInt
IntToStr MyStr 12345
Convert the ASCII text in the first variable to an integer and save it to the second variable.
StrToInt MyInt MyStr
Convert the integer in the first variable to ASCII text and save it to the second variable.
GetClusterAlloc MyStr
In a logical volume, retrieve the text description of which file is stored in the current cluster, and then save the description to the specified variable.
GetClusterAllocEx IntVar
On a logical volume, retrieves an integer value that indicates whether the current cluster is allocated (1, or non-zero, means the cluster is allocated) and saves it in the specified variable.
GetClusterSize IntVar
Returns the size of the cluster in the logical volume and saves the value to the specified variable.
InterpretImageAsDisk
Treats a disk image or evidence file as the original physical disk or partition. A specialist or forensic license is required.
CalcHash HashType MyVariable
CalcHashEx HashType MyVariable
Has the same function as the hash command in the tools menu and stores the hash value in the specified variable (which is created automatically if it does not exist). The HashType parameter must be one of the following types: CS8, CS16, CS32, CS64, CRC16, CRC32, MD5, SHA-1, SHA-256, PSCHF. CalcHashEx additionally displays the hash value in a window.
MessageBox "Caution"
Displays a message box with two buttons, OK and Cancel. Pressing Cancel aborts the script.
ExecuteScript "ScriptName"
Runs another script from within the currently running script. Scripts can call other external scripts. When the called script is finished, the calling script continues with the next command. This feature helps keep the structure of a script clear.
Turbo On
Turbo Off
Switches turbo mode on or off.
Debug
You can use this command to determine whether each command in the script is valid.
UseLogFile
Error messages are written to the log file "scripting.log" in the current folder instead of being displayed in a message box. This is especially useful when scripts run on unattended remote computers.
CurrentPos
GetSize
Unlimited
These three are keywords in WinHex scripts that can be used wherever a numeric parameter is expected. During script execution, CurrentPos represents the offset of the cursor in the currently active file or disk window, and GetSize represents its size. Unlimited represents the integer 2147483647.
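An added example, not part of the original tutorial and not WinHex code: a Python pre-flight check that applies the rules stated in this reference to a script before it is run against evidence. It flags parameters over 255 characters, spaces inside mathematical expressions, nested If conditions and loops, and commands that change the opened object or files on disk; the set of commands treated as modifying, the case-insensitive matching and the sample script are assumptions of this example.

```python
import re

# Commands from the reference above that alter the opened object or files on disk
# (this selection is an assumption of the example, not a list from WinHex itself).
MODIFYING = {"create", "write", "write2", "insert", "save", "saveas", "saveall",
             "cut", "remove", "paste", "writeclipboard", "convert", "replaceall",
             "aesencrypt", "aesdecrypt", "movefile", "deletefile",
             "initfreespace", "initslackspace", "initmftrecords"}
IF_OPENERS = {"iffound", "ifequal", "ifgreater"}
# Quoted parameter, // comment (only when it starts a token), or non-space run.
TOKEN = re.compile(r'"[^"]*"|//.*|[^\s"]+')

def audit(script):
    """Return (line_number, finding) tuples; command names are lower-cased first."""
    findings, loop_depth, if_depth = [], 0, 0
    for no, raw in enumerate(script.splitlines(), 1):
        tokens = [t for t in TOKEN.findall(raw) if not t.startswith("//")]
        bare = [t for t in tokens if not t.startswith('"')]
        cmd = next((t.strip("{}") for t in bare if t.strip("{}")), "").lower()
        if any(len(t.strip('"')) > 255 for t in tokens):
            findings.append((no, "parameter longer than 255 characters"))
        # A space splits "(2* 3)" into tokens with unbalanced parentheses.
        if any(t.startswith("(") and t.count("(") != t.count(")") for t in bare):
            findings.append((no, "space inside mathematical expression"))
        for ch in "".join(bare):
            if ch == "{":
                loop_depth += 1
                if loop_depth > 1:
                    findings.append((no, "nested loop"))
            elif ch == "}":
                loop_depth = max(0, loop_depth - 1)
        if cmd in IF_OPENERS:
            if_depth += 1
            if if_depth > 1:
                findings.append((no, "nested If condition"))
        elif cmd == "endif":
            if_depth = max(0, if_depth - 1)
        if cmd in MODIFYING:
            findings.append((no, cmd + " modifies data"))
        elif cmd == "open" and "in-place" in (t.strip('"').lower() for t in tokens):
            findings.append((no, "object opened in in-place mode"))
    return findings

# Constructed sample script, not taken from the page.
SAMPLE = '''Open "D:\\Image.dd" in-place // editing mode as second parameter
Find "http://example" MatchCase
IfFound
  IfEqual MyVar (2* 3)
  EndIf
  {Write "Loop"} [10]
EndIf
InitFreeSpace'''
```

Calling audit(SAMPLE) reports the in-place open on line 1, both problems on line 4, and the modifying commands on lines 6 and 8, while the "//" inside the quoted search string on line 2 is not mistaken for a comment.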