The binwalk of hidden writing tools

0x00binwalk Introduction

Binwalk is a tool for searching for a given binary image file to get embedded files and code. Specifically, it is designed to identify the files and code embedded within the firmware image. Binwalk uses the Libmagic library, so it is compatible with the magic number signatures created by the Unix file utility. Binwalk also includes a custom magic signature file that contains improved magic signature signatures for common files in firmware images such as compressed/archived files, firmware headers, Linux kernels, boot loaders, file systems, etc.

0x01 function

Scan Options :
-B,--Common file signatures for signature scan target files
-R,--Raw = <str> Scan the specified sequence of characters for the target file
-A,--opcodes scan the common executable code in the target file
-M,--Magic = <file> Specify the custom magic signature file to use
-B,--Dumb disable smart signature keywords
-I,--invalid display result marked as invalid
-X,--exclude = <str> excludes results from <str> matches
-y,--include = <str> Show only matching <str> results

extract options :  
-e,--extract automatically extracts known file types  
-D,--dd = <type: Ext:cmd> extract <type> sign, for file extension <ext>, and then execute <cmd> 
-M,--matryoshka recursive scan of extracted files  
-d,- -depth = <int> Limit matryoshka recursion Depth (default: Level 8 deep)  
-C,--directory = <str> extracts files/folders to a custom directory (default: current working directory)  
-j,--size = <int> restricts the sizes of each extracted file  
-n,--count = <int> limits the number of extracted files  
-R,--RM Extraction Delete burn files  
-Z,--carve reads data from a file, but does not perform the extraction utility  
entropy analysis option :  
-E,-- Entropy calculates file entropy  
-F,--fast calculates faster, but less detailed entropy analysis  
-j Save the Entropy map as a PNG image  ,--save;
-Q,--nlegend omit the legend from the entropy map  
-n,--nplot does not generate entropy  
-h,--high = <float> Sets the rising edge entropy trigger threshold (default: 0.95)  
-l,--low = <float> Sets the drop-along Entropy trigger threshold (default: 0.85)  

Raw compression Options :
-X,--deflate scan raw deflate compressed stream
-Z,--LZMA scan raw Lzma compressed stream
-P,--partial light scan, faster
-S,--stop stop scanning after finding the first result

Binary difference Options :
-W,--hexdump Execute file or file Hexdump/diff
-G,--Green displays only rows that contain the same bytes in all files
-I,--red shows only rows that contain different bytes in all files
-U,--Blue shows only rows with different bytes in some files
-W,--terse only displays the hexadecimal dump of the first file

General Options :
-L,--length = <int> number of bytes to scan
-O,--offset = <int> start scanning at this offset
-O,--base = <int> Adds a base address to all printed offsets
-K,--block = <int> Set File Block size
-G,--swap = <int> reverse every n bytes before scanning
-F,--log = <file> Log the results to a file
-C,--CSV records the results in a CSV-formatted file
-T,--term formatted output to fit the terminal window
-Q,--Quiet suppress output
-V,--verbose verbose output
-h,--Help display assistance
-a,--Finclude = <str> scans only files with names that match this regular expression
-P,--fexclude = <str> do not scan files with names that match this regular expression
-S,--status = <int> Enable state server on the specified port

The binwalk of hidden writing tools