Binwalk

24 августа 2018 в Forensics Tools

Описание пакета Binwalk

Binwalk - это инструмент для поиска заданного двоичного изображения для встроенных файлов и исполняемого кода. В частности, он предназначен для идентификации файлов и кода, встроенных внутри изображений прошивки. Binwalk использует библиотеку libmagic, поэтому она совместима с магическими сигнатурами, созданными для утилиты файлов Unix. Binwalk также включает в себя специальный файл сигнатурной сигнатуры, который содержит улучшенные подписи для файлов, которые обычно встречаются в изображениях прошивки, таких как сжатые / архивные файлы, заголовки микропрограммного обеспечения, ядра Linux, загрузчики, файловые системы и т. д.

Инструменты, включенные в пакет binwalk

binwalk - инструмент анализа прошивки

root@kali:~# binwalk -h
      
      Binwalk v1.2.2-1
      Craig Heffner, http://www.devttys0.com
      
      Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
      
      Signature Analysis:
          -B, --binwalk                 Perform a file signature scan (default)
          -R, --raw-bytes=      Search for a custom signature
          -A, --opcodes                 Scan for executable code signatures
          -C, --cast                    Cast file contents as various data types
          -m, --magic=            Specify an alternate magic file to use
          -x, --exclude=        Exclude matches that have  in their description
          -y, --include=        Only search for matches that have  in their description
          -I, --show-invalid            Show results marked as invalid
          -T, --ignore-time-skew        Do not show results that have timestamps more than 1 year in the future
          -k, --keep-going              Show all matching results at a given offset, not just the first one
          -b, --dumb                    Disable smart signature keywords
      
      Strings Analysis:
          -S, --strings                 Scan for ASCII strings (may be combined with -B, -R, -A, or -E)
          -s, --strlen=              Set the minimum string length to search for (default: 3)
      
      Entropy Analysis:
          -E, --entropy                 Plot file entropy (may be combined with -B, -R, -A, or -S)
          -H, --heuristic               Identify unknown compression/encryption based on entropy heuristics (implies -E)
          -K, --block=             Set the block size for entropy analysis (default: 1024)
          -a, --gzip                    Use gzip compression ratios to measure entropy
          -N, --no-plot                 Do not generate an entropy plot graph
          -F, --marker=    Add a marker to the entropy plot graph
          -Q, --no-legend               Omit the legend from the entropy plot graph
          -J, --save-plot               Save plot as an SVG (implied if multiple files are specified)
      
      Binary Diffing:
          -W, --diff                    Hexdump / diff the specified files
          -K, --block=             Number of bytes to display per line (default: 16)
          -G, --green                   Only show hex dump lines that contain bytes which were the same in all files
          -i, --red                     Only show hex dump lines that contain bytes which were different in all files
          -U, --blue                    Only show hex dump lines that contain bytes which were different in some files
          -w, --terse                   Diff all files, but only display a hex dump of the first file
      
      Extraction Options:
          -D, --dd=<type:ext[:cmd]>     Extract  signatures, give the files an extension of , and execute 
          -e, --extract=[file]          Automatically extract known file types; load rules from file, if specified
          -M, --matryoshka              Recursively scan extracted files, up to 8 levels deep
          -r, --rm                      Cleanup extracted files and zero-size files
          -d, --delay                   Delay file extraction for files with known footers
      
      Plugin Options:
          -X, --disable-plugin=   Disable a plugin by name
          -Y, --enable-plugin=    Enable a plugin by name
          -p, --disable-plugins         Do not load any binwalk plugins
          -L, --list-plugins            List all user and system plugins by name
      
      General Options:
          -o, --offset=            Start scan at this file offset
          -l, --length=            Number of bytes to scan
          -g, --grep=             Grep results for the specified text
          -f, --file=             Log results to file
          -c, --csv                     Log results to file in csv format
          -O, --skip-unopened           Ignore file open errors and process only the files that can be opened
          -t, --term                    Format output to fit the terminal window
          -q, --quiet                   Supress output to stdout
          -v, --verbose                 Be verbose (specify twice for very verbose)
          -u, --update                  Update magic signature files
          -?, --examples                Show example usage
          -h, --help                    Show help output

Пример использования binwalk

Запустите сканирование подписи файла (-B) в данном файле прошивки (dd-wrt.v24-13064_VINT_mini.bin):

root@kali:~# binwalk -B dd-wrt.v24-13064_VINT_mini.bin 
      
      DECIMAL     HEX         DESCRIPTION
      -------------------------------------------------------------------------------------------------------------------
      0           0x0         TRX firmware header, little endian, header size: 28 bytes, image size: 2945024 bytes, CRC32: 0x4D27FDC4 flags: 0x0, version: 1
      28          0x1C        gzip compressed data, from Unix, NULL date: Wed Dec 31 19:00:00 1969, max compression
      2472        0x9A8       LZMA compressed data, properties: 0x6E, dictionary size: 2097152 bytes, uncompressed size: 2084864 bytes
      622592      0x98000     Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 2320835 bytes,  547 inodes, blocksize: 131072 bytes, created: Mon Nov  2 07:24:06 2009