一、binwalk工具的基本用法介紹

1.獲取幫助資訊


$ binwalk -h
# 或者
$ binwalk --help
2.韌體分析掃描


$ binwalk firmware.bin
# 或者
$ binwalk firmware.bin | head

3.提取檔案系統



# 使用預設的預定義配置檔案extract.conf
$ binwalk -e firmware.bin

# 使用指定自定義的配置檔案my_extract.conf
$ binwalk --extract=./my_extract.conf firmware.bin

4.設定過濾選項


5.顯示完整的掃描結果


6.韌體檔案的比較



7.日誌記錄


8.指令系統分析


9.熵分析


10.啟發式分析


11.使用指定外掛分析掃描韌體(已經去掉)


$ binwalk --enable-plugin=zlib firmware.bin  

12.手動提取檔案

-D, --dd=<type[:ext[:cmd]]>

Extracts files identified during a --signature scan. Multiple --dd options may be specified.

  • type is a *lower case* string contained in the signature description (regular expressions are supported)
  • ext is the file extension to use when saving the data disk (default none)
  • cmd is an optional command to execute after the data has been saved to disk

By default, the file name is the hexadecimal offset where the signature was found, unless an alternate file name is specified in the signature itself.

The following example demonstrates specifying an extraction rule using the --dd option that will extract any signature that contains the string 'zip archive' with a file extension of 'zip', and subsequently execute the 'unzip' command. Additionally, PNG images are extracted as-is with a 'png' file extension.

Note the use of the '%e' placeholder. This placeholder will be replaced with the relative path to the extracted file when the unzip command is executed:

$ binwalk -D 'zip archive:zip:unzip %e' -D 'png image:png' firmware.bin
.

13.binwalk工具的外掛功能

在最新版的binwalk工具中關於外掛的功能已經沒有了,下圖是原來有的外掛功能。


參考資料:

《揭祕家用路由器0day漏洞挖掘技術》

Binwalk:後門(韌體)分析利器》 錯誤不少,不少功能介紹在最新版的binwalk中已經去掉了。

二、binwalk工具的使用幫助

$ binwalk -h
幫助命令的結果:
Binwalk v2.1.2b
Craig Heffner, http://www.binwalk.org

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Disassembly Scan Options:
    -Y, --disasm                 Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>            Minimum number of consecutive instructions to be considered valid (default: 500)
    -k, --continue               Don't stop at the first match

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities

Entropy Analysis Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port

三、binwalk工具官方的使用幫助說明

-B, --signature

This performs a signature analysis of the specified files; if no other analysis options are specified, this is the default.

Use this option when you wish to combine the signature analysis with additional analyzers, such as--entropy:

$ binwalk --signature firmware.bin

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0           0x0         DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112         0x70        LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832     0x140070    PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864     0x140090    Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3264162 bytes,  1866 inodes, blocksize: 65536 bytes, created: Tue Apr  3 04:12:22 2012

-R, --raw=<string>

This allows you to search the specified file(s) for a custom string. The search string can include escaped octal and/or hexadecimal values.

Use this option when you need to search for a custom sequence of raw bytes:

$ binwalk -R "\x00\x01\x02\x03\x04" firmware.bin

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
377654      0x5C336     Raw string signature

-A, --opcodes

This instructs binwalk to search the specified file(s) for executable opcodes common to a variety of CPU architectures. Note that some opcode signatures are short and thus are prone to producing false positive results.

Use this when you need to locate executable code in a file, or if you need to determine the architecture of a executable file:

$ binwalk -A firmware.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
268             0x10C           MIPS instructions, function prologue
412             0x19C           MIPS instructions, function prologue
636             0x27C           MIPS instructions, function prologue
812             0x32C           MIPS instructions, function epilogue
920             0x398           MIPS instructions, function epilogue
948             0x3B4           MIPS instructions, function prologue
1056            0x420           MIPS instructions, function epilogue
1080            0x438           MIPS instructions, function prologue
1356            0x54C           MIPS instructions, function epilogue
1392            0x570           MIPS instructions, function prologue
1836            0x72C           MIPS instructions, function epilogue
2012            0x7DC           MIPS instructions, function prologue
2260            0x8D4           MIPS instructions, function epilogue
2512            0x9D0           MIPS instructions, function prologue
2552            0x9F8           MIPS instructions, function epilogue

-m, --magic=<file>

Load an alternate magic signature file instead of the default.

Use this if you have a custom magic signature file containing signatures you want to search for:

$ binwalk -m ./foobar.mgc firmware.bin

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
268             0x10C           Foobar
412             0x19C           Foobar
636             0x27C           Foobar

-b, --dumb

Disables "smart" signature matching.

Useful when smart signature keywords in false positive signatures cause other valid signatures to be missed (e.g., via the jump-to-offset keyword):

$ binwalk -b firmware.bin

-I, --invalid

Displays all results, even those marked as invalid.

Useful if you think that binwalk is treating a valid file as invalid, but can produce a lot of garbage output:

$ binwalk -I firmware.bin

-x, --exclude=<filter>

Excludes signatures that match the specified exclude filter. Filters are lower-case regular expressions; multiple filters may be specified.

Magic signatures whose first line matches the specified filter will not be loaded at all; thus, the use of this filter can help decrease signature scan times.

Useful for excluding unneeded or uninteresting results:

$ binwalk -x 'mach-o' -x '^hp' firmware.bin # exclude HP calculator and OSX mach-o signatures

-y, --include=<filter>

Includes only signatures that match the specified include filter. Filters are lower-case regular expressions; multiple filters may be specified.

Only magic signatures whose first line matches the specified filter will be loaded; thus, the use of this filter can help decrease signature scan times.

Useful when searching only for specific signatures or types of signatures:

$ binwalk -y 'filesystem' firmware.bin # only search for filesystem signatures

-Y, --disasm

Attempts to identify the CPU architecture of executable code contained in a file using the capstone disassembler.

Specifying --verbose with this scan will additionally print the disassembled instructions.

Generally more robust than the simple signature analysis performed by --opcodes, but supports fewer architectures:

$ binwalk --disasm firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 750 valid instructions

-T, --minsn

Set the minimum number of consecutive instructions for a --disasm result to be considered valid. The default is 500 instructions:

$ binwalk --minsn=1200 -Y firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions

-k, --continue

Instruct --disasm to not stop at the first result:

$ binwalk --continue -Y firmware.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC           MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
1048576       0x100000        MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
...

-E, --entropy

Performs an entropy analysis on the input file(s), prints raw entropy data and generates entropy graphs.

Entropy analysis can be combined with --signature--raw, or --opcodes for a better understanding of the target file(s).

Useful for identifying sections of interesting data that a signature scan may have missed:

$ binwalk -E firmware.bin
DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
0             0x0             Rising entropy edge (0.983751)
1155072       0x11A000        Falling entropy edge (0.000000)
1181696       0x120800        Rising entropy edge (0.990546)
3780608       0x39B000        Falling entropy edge (0.000000)

When combined with the --verbose option, the raw entropy calculated for each data block is printed:

$ binwalk -E --verbose firmware.bin

DECIMAL         HEX             ENTROPY ANALYSIS
--------------------------------------------------------------------------------
0               0x0             0.964914
1024            0x400           0.978591
2048            0x800           0.973048
3072            0xC00           0.976195
4096            0x1000          0.976072
5120            0x1400          0.976734
6144            0x1800          0.976861
7168            0x1C00          0.972385
8192            0x2000          0.972518
...

PYTHON API WARNING: The graphing module used by binwalk (pyqtgraph) invokes os._exitupon completion; this is apparently necessary to handle various QT issues. When running binwalk from the command line, entropy analysis is always done last, causing little worry. However, if invoking entropy analysis via the API, be sure to disable graphing (--nplot) to prevent your script from exiting prematurely.

-J, --save

Automatically saves the entropy plot generated by --entropy to a PNG file instead of displaying it.

$ binwalk --save -E firmware.bin

-Q, --nlegend

Omits the legend from the entropy plot(s) generated by --entropy:

$ binwalk --entropy -Q firmware.bin

-N, --nplot

Disables graphical entropy plots for the --entropy scan.

$ binwalk --entropy -N firmware.bin

-H, --high=<float>

Sets the rising edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:

$ binwalk --entropy -H .9 firmware.bin

-L, --low=<float>

Sets the falling edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:

$ binwalk --entropy -L .3 firmware.bin

-W, --hexdump

Performs a hex dump of the input file(s) and color-codes bytes as follows:

  • Green - These bytes were the same in all files
  • Red - These bytes were different in all files
  • Blue - These bytes were only different in some files

Any arbitrary number of files may be diffed; additional useful options are --block--offset--lengthand --terse:

$ binwalk -W --block=8 --length=64 firmware1.bin firmware2.bin firmware3.bin

-G, --green

Only display lines that contain green bytes during a --hexdump:

$ binwalk -W --green firmware1.bin firmware2.bin firmware3.bin

-i, --red

Only display lines that contain red bytes during a --hexdump:

$ binwalk -W --red firmware1.bin firmware2.bin firmware3.bin

-U, --blue

Only display lines that contain blue bytes during a --hexdump:

$ binwalk -W --blue firmware1.bin firmware2.bin firmware3.bin

-w, --terse

When performing a --hexdump, only display a hex dump of the first file.

Useful when diffing many files that don't all fit on the screen:

$ binwalk -W --terse firmware1.bin firmware2.bin firmware3.bin

-e, --extract

Loads common --dd extraction rules from a predefined file.

$ binwalk -e firmware.bin

-D, --dd=<type[:ext[:cmd]]>

Extracts files identified during a --signature scan. Multiple --dd options may be specified.

  • type is a *lower case* string contained in the signature description (regular expressions are supported)
  • ext is the file extension to use when saving the data disk (default none)
  • cmd is an optional command to execute after the data has been saved to disk

By default, the file name is the hexadecimal offset where the signature was found, unless an alternate file name is specified in the signature itself.

The following example demonstrates specifying an extraction rule using the --dd option that will extract any signature that contains the string 'zip archive' with a file extension of 'zip', and subsequently execute the 'unzip' command. Additionally, PNG images are extracted as-is with a 'png' file extension.

Note the use of the '%e' placeholder. This placeholder will be replaced with the relative path to the extracted file when the unzip command is executed:

$ binwalk -D 'zip archive:zip:unzip %e' -D 'png image:png' firmware.bin

-M, --matryoshka

This option will recursively scan extracted files during a --signature scan. Only valid when used with--extract or --dd.

$ binwalk -e -M firmware.bin

-C, --directory=<str>

Set the output directory for extracted data (default: current working directory).

Only applicable when used with the --extract or --dd options:

$ binwalk -e --directory=/tmp firmware.bin

-d, --depth=<int>

Limit the --matryoshka recursion depth. By default, the depth is set to 8.

Only applicable when used with the --matryoshka option:

$ binwalk -Me -d 5 firmware.bin

-j, --size=<int>

Limit the size of data carved out of the target file(s). By default, there is no size limit.

Only valid when used with --extract or --dd.

Note that this option does not limit the size of data extracted / decompressed by external extraction utilities.

Useful when carving or extracting data from large files with limited disk space:

$ binwalk -e --size=0x100000 firmware.bin

-r, --rm

Cleans up zero-size files and files that couldn't be processed by extraction utilities during extraction.

Only valid when used with --extract or --dd.

Useful for cleaning up false-positive files copied out of the target file(s) during extraction:

$ binwalk -e -r firmware.bin

-z, --carve

Performs data carving only, does not execute external extraction utilities.

Only valid when used with --extract or --dd.

Useful for when you want to simply carve data from the target file(s), but not automatically extract / decompress that data:

$ binwalk -e --carve firmware.bin

-X, --deflate

Identifies probable raw deflate compressed data streams by brute-force.

Useful for recovering data from files with corrupt/modified/missing headers. May be combined with --lzma.

This scan can be slow, so it is useful to limit the scanned area with --offset and/or --length:

$ binwalk --deflate -o 0x100 -l 10000 firmware.bin

-Z, --lzma

Identifies probable raw LZMA compressed data streams by brute-force.

Useful for recovering data from files with corrupt/modified/missing headers. May be combined with --deflate.

Due to the various number of LZMA compression options this scan can be very slow, so it is useful to limit the scanned area with --offset and/or --length:

$ binwalk --lzma -o 0x100 -l 10000 firmware.bin

-P, --partial

Only search for compression streams using common compression options. Can significantly improve the speed of --lzma scans:

$ binwalk --partial -Z -o 0x100 -l 10000 firmware.bin

-S, --stop

When used with the --lzma and/or --deflate options, this will stop the scan after the first result is displayed:

$ binwalk --stop -Z firmware.bin

-l, --length=<int>

Sets the number of bytes to analyze in a target file:

$ binwalk --length=0x100 firmware.bin

-o, --offset=<int>

Sets the starting offset at which to begin analyzing a target file. A negative offset (distance from End-Of-File) may also be specified:

$ binwalk --offset=0x100 firmware.bin

-O, --base=<int>

Sets the base address for all printed offsets. This value will be added to the raw file offset of all printed results:

$ binwalk --base=0x80001000 firmware.bin

相關文章