//kalinux.info
Forensics Tools 987 просмотров

Binwalk

Описание пакета Binwalk

Binwalk - это инструмент для поиска заданного двоичного изображения для встроенных файлов и исполняемого кода. В частности, он предназначен для идентификации файлов и кода, встроенных внутри изображений прошивки. Binwalk использует библиотеку libmagic, поэтому она совместима с магическими сигнатурами, созданными для утилиты файлов Unix. Binwalk также включает в себя специальный файл сигнатурной сигнатуры, который содержит улучшенные подписи для файлов, которые обычно встречаются в изображениях прошивки, таких как сжатые / архивные файлы, заголовки микропрограммного обеспечения, ядра Linux, загрузчики, файловые системы и т. д.

Инструменты, включенные в пакет binwalk

binwalk - инструмент анализа прошивки

root@kali:~# binwalk -h

Binwalk v1.2.2-1
Craig Heffner, http://www.devttys0.com

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Analysis:
    -B, --binwalk                 Perform a file signature scan (default)
    -R, --raw-bytes=      Search for a custom signature
    -A, --opcodes                 Scan for executable code signatures
    -C, --cast                    Cast file contents as various data types
    -m, --magic=            Specify an alternate magic file to use
    -x, --exclude=        Exclude matches that have  in their description
    -y, --include=        Only search for matches that have  in their description
    -I, --show-invalid            Show results marked as invalid
    -T, --ignore-time-skew        Do not show results that have timestamps more than 1 year in the future
    -k, --keep-going              Show all matching results at a given offset, not just the first one
    -b, --dumb                    Disable smart signature keywords

Strings Analysis:
    -S, --strings                 Scan for ASCII strings (may be combined with -B, -R, -A, or -E)
    -s, --strlen=              Set the minimum string length to search for (default: 3)

Entropy Analysis:
    -E, --entropy                 Plot file entropy (may be combined with -B, -R, -A, or -S)
    -H, --heuristic               Identify unknown compression/encryption based on entropy heuristics (implies -E)
    -K, --block=             Set the block size for entropy analysis (default: 1024)
    -a, --gzip                    Use gzip compression ratios to measure entropy
    -N, --no-plot                 Do not generate an entropy plot graph
    -F, --marker=    Add a marker to the entropy plot graph
    -Q, --no-legend               Omit the legend from the entropy plot graph
    -J, --save-plot               Save plot as an SVG (implied if multiple files are specified)

Binary Diffing:
    -W, --diff                    Hexdump / diff the specified files
    -K, --block=             Number of bytes to display per line (default: 16)
    -G, --green                   Only show hex dump lines that contain bytes which were the same in all files
    -i, --red                     Only show hex dump lines that contain bytes which were different in all files
    -U, --blue                    Only show hex dump lines that contain bytes which were different in some files
    -w, --terse                   Diff all files, but only display a hex dump of the first file

Extraction Options:
    -D, --dd=<type:ext[:cmd]>     Extract  signatures, give the files an extension of , and execute 
    -e, --extract=[file]          Automatically extract known file types; load rules from file, if specified
    -M, --matryoshka              Recursively scan extracted files, up to 8 levels deep
    -r, --rm                      Cleanup extracted files and zero-size files
    -d, --delay                   Delay file extraction for files with known footers

Plugin Options:
    -X, --disable-plugin=   Disable a plugin by name
    -Y, --enable-plugin=    Enable a plugin by name
    -p, --disable-plugins         Do not load any binwalk plugins
    -L, --list-plugins            List all user and system plugins by name

General Options:
    -o, --offset=            Start scan at this file offset
    -l, --length=            Number of bytes to scan
    -g, --grep=             Grep results for the specified text
    -f, --file=             Log results to file
    -c, --csv                     Log results to file in csv format
    -O, --skip-unopened           Ignore file open errors and process only the files that can be opened
    -t, --term                    Format output to fit the terminal window
    -q, --quiet                   Supress output to stdout
    -v, --verbose                 Be verbose (specify twice for very verbose)
    -u, --update                  Update magic signature files
    -?, --examples                Show example usage
    -h, --help                    Show help output

Пример использования binwalk

Запустите сканирование подписи файла (-B) в данном файле прошивки (dd-wrt.v24-13064_VINT_mini.bin):

root@kali:~# binwalk -B dd-wrt.v24-13064_VINT_mini.bin 

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0           0x0         TRX firmware header, little endian, header size: 28 bytes, image size: 2945024 bytes, CRC32: 0x4D27FDC4 flags: 0x0, version: 1
28          0x1C        gzip compressed data, from Unix, NULL date: Wed Dec 31 19:00:00 1969, max compression
2472        0x9A8       LZMA compressed data, properties: 0x6E, dictionary size: 2097152 bytes, uncompressed size: 2084864 bytes
622592      0x98000     Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 2320835 bytes,  547 inodes, blocksize: 131072 bytes, created: Mon Nov  2 07:24:06 2009