Blog address: http://blog.csdn.net/qq1084283172/article/details/66971242
First, introduction to the basic usage of the binwalk tool
1. Get Help information
$ binwalk -h
# or
$ binwalk --help
2. Firmware Analysis Scan
$ binwalk firmware.bin
# or
$ binwalk firmware.bin | head
3. Extract File System
# Use the default predefined extraction rule file extract.conf
$ binwalk -e firmware.bin
# Use the specified custom extraction rule file my_extract.conf
$ binwalk --extract=./my_extract.conf firmware.bin
4. Set filter options
5. Display full scan results
6. Comparison of firmware files
7. Log records
8. Instruction System Analysis
9. Entropy Analysis
10. Heuristic Analysis
11. Analyze scan firmware with specified plugin (removed)
$ binwalk --enable-plugin=zlib firmware.bin
12. Manually Extract Files
-D, --dd=<type[:ext[:cmd]]>
Extracts files identified during a --signature scan. Multiple --dd options may be specified. type is a *lower case* string contained in the signature description (regular expressions are supported), ext is the file extension to give the data saved to disk (default: none), and cmd is an optional command to execute after the data has been saved to disk.
By default, the file name is the hexadecimal offset where the signature was found, unless an alternate file name is specified in the signature itself.
The following example demonstrates specifying an extraction rule using the --dd option that will extract any signature that contains the string 'zip archive' with a file extension of 'zip', and subsequently execute the 'unzip' command. Additionally, PNG images are extracted as-is with a 'png' file extension.
Note the use of the '%e' placeholder. This placeholder will be replaced with the relative path to the extracted file when the unzip command is executed:
$ binwalk -D 'zip archive:zip:unzip %e' -D 'png image:png' firmware.bin
13. Plug-in capabilities of the binwalk tool
The plug-in function has been removed from the latest version of the binwalk tool; the following figure shows the original plug-in function.
Resources:
"Secret Home router 0day vulnerability Mining Technology"
"Binwalk: Back Door (firmware) analysis tool" (contains many mistakes; many of the features it introduces have been removed in the latest version of binwalk)
Second, the help output of the binwalk tool
$ binwalk -h
Results of the help command:
Binwalk v2.1.2b
Craig Heffner, http://www.binwalk.org

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Disassembly Scan Options:
    -Y, --disasm                 Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>            Minimum number of consecutive instructions to be considered valid (default: 500)
    -k, --continue               Don't stop at the first match

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities

Entropy Analysis Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port
Third, the official usage explanation of the binwalk tool
-B, --signature
Performs a signature analysis of the specified file(s); if no other analysis options are specified, this is the default.
Use this option if you wish to combine the signature analysis with additional analyzers:
$ binwalk --signature firmware.bin

DECIMAL       HEX           DESCRIPTION
--------------------------------------------------------------------------------
0             0x0           DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"
112           0x70          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3797616 bytes
1310832       0x140070      PackImg section delimiter tag, little endian size: 13644032 bytes; big endian size: 3264512 bytes
1310864       0x140090      Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 3264162 bytes, 1866 inodes, blocksize: 65536 bytes, created: Tue Apr 3 04:12:22 2012
-R, --raw=<string>
This allows you to search the specified file(s) for a custom string. The search string can include escaped octal and/or hexadecimal values.
Use this option if you need to search for a custom sequence of raw bytes:
$ binwalk -R "\x00\x01\x02\x03\x04" firmware.bin

DECIMAL       HEX           DESCRIPTION
--------------------------------------------------------------------------------
377654        0x5C336       Raw string signature
-A, --opcodes
This instructs binwalk to search the specified file(s) for executable opcodes common to a variety of CPU architectures. Note that some opcode signatures are short and thus are prone to producing false positives.
Use this if you need to locate executable code in a file, or if you need to determine the architecture of an executable file:
$ binwalk -A firmware.bin

DECIMAL       HEX           DESCRIPTION
--------------------------------------------------------------------------------
268           0x10C         MIPS instructions, function prologue
412           0x19C         MIPS instructions, function prologue
636           0x27C         MIPS instructions, function prologue
812           0x32C         MIPS instructions, function epilogue
920           0x398         MIPS instructions, function epilogue
948           0x3B4         MIPS instructions, function prologue
1056          0x420         MIPS instructions, function epilogue
1080          0x438         MIPS instructions, function prologue
1356          0x54C         MIPS instructions, function epilogue
1392          0x570         MIPS instructions, function prologue
1836          0x72C         MIPS instructions, function epilogue
2012          0x7DC         MIPS instructions, function prologue
2260          0x8D4         MIPS instructions, function epilogue
2512          0x9D0         MIPS instructions, function prologue
2552          0x9F8         MIPS instructions, function epilogue
-m, --magic=<file>
Load an alternate magic signature file instead of the default.
Use this if you have a custom magic signature file containing signatures you want to search for:
$ binwalk -m ./foobar.mgc firmware.bin

DECIMAL       HEX           DESCRIPTION
--------------------------------------------------------------------------------
268           0x10C         Foobar
412           0x19C         Foobar
636           0x27C         Foobar
-b, --dumb
Disables "smart" signature matching.
Useful when smart signature keywords in false positive signatures cause other valid signatures to be missed (e.g., via the jump-to-offset keyword):
$ binwalk -b firmware.bin
-I, --invalid
Displays all results, even those marked as invalid.
Useful if you believe binwalk is treating a valid file as invalid, but can produce a lot of garbage output:
$ binwalk -I firmware.bin
-x, --exclude=<filter>
Excludes signatures that match the specified exclude filter. Filters are lower-case regular expressions; multiple filters may be specified.
Magic signatures whose descriptions match the specified filter are not loaded at all; thus, the use of this filter can help decrease signature scan times.
Useful for excluding unneeded or uninteresting results:
$ binwalk -x 'mach-o' -x '^hp' firmware.bin    # exclude HP calculator and OS X Mach-O signatures
-y, --include=<filter>
Includes only signatures that match the specified include filter. Filters are lower-case regular expressions; multiple filters may be specified.
Only magic signatures whose descriptions match the specified filter will be loaded; thus, the use of this filter can help decrease signature scan times.
Useful when searching for specific signatures or types of signatures:
$ binwalk -y 'filesystem' firmware.bin    # only search for filesystem signatures
-Y, --disasm
Attempts to identify the CPU architecture of executable code contained in a file using the capstone disassembler.
Specify --verbose with this scan to additionally print the disassembled instructions.
Generally more robust than the simple signature analysis performed by --opcodes, but supports fewer architectures:
$ binwalk --disasm firmware.bin

DECIMAL       HEXADECIMAL   DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC         MIPS executable code, 32/64-bit, little endian, at least 750 valid instructions
-T, --minsn=<int>
Set the minimum number of consecutive instructions for a --disasm result to be considered valid. The default is 500 instructions:
$ binwalk --minsn=1200 -Y firmware.bin

DECIMAL       HEXADECIMAL   DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC         MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
-k, --continue
Instructs --disasm to not stop at the first match:
$ binwalk --continue -Y firmware.bin

DECIMAL       HEXADECIMAL   DESCRIPTION
--------------------------------------------------------------------------------
428           0x1AC         MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
1048576       0x100000      MIPS executable code, 32/64-bit, little endian, at least 1250 valid instructions
...
-E, --entropy
Performs an entropy analysis on the input file(s), prints raw entropy data and generates an entropy plot.
Entropy analysis can be combined with --signature, --raw, or --opcodes for a better understanding of the target file(s).
Useful for identifying sections of interesting data that a signature scan may have missed:
$ binwalk -E firmware.bin

DECIMAL       HEXADECIMAL   ENTROPY
--------------------------------------------------------------------------------
0             0x0           Rising entropy edge (0.983751)
1155072       0x11A000      Falling entropy edge (0.000000)
1181696       0x120800      Rising entropy edge
3780608       0x39B000      Falling entropy edge (0.000000)
When combined with the --verbose option, the raw entropy calculated for each data block is printed:
$ binwalk -E --verbose firmware.bin

DECIMAL       HEX           ENTROPY ANALYSIS
--------------------------------------------------------------------------------
0             0x0           0.964914
1024          0x400         0.978591
2048          0x800         0.973048
3072          0xC00         0.976195
4096          0x1000        0.976072
5120          0x1400        0.976734
6144          0x1800        0.976861
7168          0x1C00        0.972385
8192          0x2000        0.972518
...
PYTHON API WARNING: the graphing module used by binwalk (pyqtgraph) invokes os._exit upon exit; this is apparently necessary to handle various Qt issues. When running binwalk from the command line, entropy analysis is always done last, so this causes little worry. However, if invoking entropy analysis via the API, be sure to disable graphing (--nplot) to prevent your script from exiting prematurely.
-J, --save
Automatically saves the entropy plot generated by --entropy to a PNG file instead of displaying it:
$ binwalk --save -E firmware.bin
-Q, --nlegend
Omits the legend from the entropy plot(s) generated by --entropy:
$ binwalk --entropy -Q firmware.bin
-N, --nplot
Disables graphical entropy plots for the --entropy scan:
$ binwalk --entropy -N firmware.bin
-H, --high=<float>
Sets the rising edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:
$ binwalk --entropy -H .9 firmware.bin
-L, --low=<float>
Sets the falling edge entropy trigger level. Only valid when used with --entropy. The specified value should be between 0 and 1:
$ binwalk --entropy -L .3 firmware.bin
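The entropy scan above (-E, with the -H/--high and -L/--low trigger levels) is easiest to understand by computing it by hand. The following is an added example, not code from the blog or from binwalk itself: it computes the normalised Shannon entropy of each 1024-byte block, then detects rising and falling edges with the same hysteresis behaviour the two thresholds describe (a block only triggers a rising edge once entropy exceeds --high, and the region only closes once entropy drops below --low). The sample image, the block layout and the function names are all constructed for this example; the thresholds are the defaults shown in the help output (0.95 and 0.85).

```python
import math
from collections import Counter

BLOCK_SIZE = 1024  # binwalk's --verbose output reports one entropy value per 1024-byte block


def shannon_entropy(block):
    """Shannon entropy of a byte block, normalised to [0, 1] (8 bits per byte is 1.0)."""
    n = len(block)
    if n == 0:
        return 0.0
    counts = Counter(block)
    bits = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return bits / 8.0


def block_entropies(data, block_size=BLOCK_SIZE):
    """[(offset, entropy)] for every block, i.e. the rows printed by `binwalk -E --verbose`."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def find_edges(entropies, high=0.95, low=0.85):
    """Rising/falling edge detection with hysteresis, mirroring --high / --low.

    Returns [(offset, description, entropy)]. While outside a high-entropy region a block
    above `high` opens one (rising edge); while inside, only a block below `low` closes it
    (falling edge). Blocks between the two thresholds never change state.
    """
    edges = []
    inside = False
    for off, e in entropies:
        if not inside and e > high:
            edges.append((off, "Rising entropy edge", e))
            inside = True
        elif inside and e < low:
            edges.append((off, "Falling entropy edge", e))
            inside = False
    return edges


def scan_entropy(data, high=0.95, low=0.85, block_size=BLOCK_SIZE):
    """Equivalent of `binwalk -E -H <high> -L <low>` on an in-memory image."""
    return find_edges(block_entropies(data, block_size), high, low)


def format_table(edges):
    """Render edges in binwalk's DECIMAL / HEXADECIMAL / ENTROPY layout."""
    lines = ["%-13s %-13s %s" % ("DECIMAL", "HEXADECIMAL", "ENTROPY"), "-" * 80]
    for off, desc, e in edges:
        lines.append("%-13d %-13s %s (%f)" % (off, "0x%X" % off, desc, e))
    return "\n".join(lines)


# Constructed sample image (not a real firmware). Each block has an exactly known entropy:
ZERO_BLOCK = b"\x00" * BLOCK_SIZE                 # entropy 0.0
FULL_ALPHABET_BLOCK = bytes(range(256)) * 4       # every byte value 4 times -> entropy 1.0
HALF_ALPHABET_BLOCK = bytes(range(128)) * 8       # 128 values 8 times each -> entropy 0.875
FF_BLOCK = b"\xff" * BLOCK_SIZE                   # entropy 0.0

SAMPLE_IMAGE = (
    ZERO_BLOCK * 2                 # 0x0000-0x07FF: padding
    + FULL_ALPHABET_BLOCK * 2      # 0x0800-0x0FFF: "compressed" data, rising edge at 0x800
    + HALF_ALPHABET_BLOCK          # 0x1000-0x13FF: 0.875 sits between --low and --high: no edge
    + FULL_ALPHABET_BLOCK          # 0x1400-0x17FF: still inside the region
    + FF_BLOCK * 2                 # 0x1800-0x1FFF: erased flash, falling edge at 0x1800
)

if __name__ == "__main__":
    print(format_table(scan_entropy(SAMPLE_IMAGE)))
    print()
    # Raising --low above 0.875 splits the region in two, as `-L .9` would on the command line.
    print(format_table(scan_entropy(SAMPLE_IMAGE, low=0.9)))
```

The 0.875 block is the interesting one: with the default thresholds it is reported as part of the surrounding high-entropy region, while `-L .9` turns it into a falling edge followed by a new rising edge. That is exactly the knob the -H/-L options expose, and it explains why a single compressed region can show up as several edges when the thresholds are tightened.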
-W, --hexdump
Performs a hex dump of the input file(s) and color-codes bytes as follows:
Green - these bytes were the same in all files
Red - these bytes were different in all files
Blue - these bytes were only different in some files
Any arbitrary number of files may be diffed; additional useful options are --block, --offset, --length and --terse:
$ binwalk -W --block=8 --length=64 firmware1.bin firmware2.bin firmware3.bin
-G, --green
Only display lines that contain green bytes during a --hexdump:
$ binwalk -W --green firmware1.bin firmware2.bin firmware3.bin
-i, --red
Only display lines that contain red bytes during a --hexdump:
$ binwalk -W --red firmware1.bin firmware2.bin firmware3.bin
-U, --blue
Only display lines that contain blue bytes during a --hexdump:
$ binwalk -W --blue firmware1.bin firmware2.bin firmware3.bin
-w, --terse
When performing a --hexdump, only display a hex dump of the first file.
Useful when diffing many files that don't all fit on the screen:
$ binwalk -W --terse firmware1.bin firmware2.bin firmware3.bin
-e, --extract
Loads common --dd extraction rules from a predefined file:
$ binwalk -e firmware.bin
-D, --dd=<type[:ext[:cmd]]>
Extracts files identified during a --signature scan. Multiple --dd options may be specified. type is a *lower case* string contained in the signature description (regular expressions are supported), ext is the file extension to give the data saved to disk (default: none), and cmd is an optional command to execute after the data has been saved to disk.
By default, the file name is the hexadecimal offset where the signature was found, unless an alternate file name is specified in the signature itself.
The following example demonstrates specifying an extraction rule using the --dd option that will extract any signature that contains the string 'zip archive' with a file extension of 'zip', and subsequently execute the 'unzip' command. Additionally, PNG images are extracted as-is with a 'png' file extension.
Note the use of the '%e' placeholder. This placeholder will be replaced with the relative path to the extracted file when the unzip command is executed:
$ binwalk -D 'zip archive:zip:unzip %e' -D 'png image:png' firmware.bin
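The --dd rule syntax described here (and again under section 12 above) is compact enough to reimplement, which makes its three pieces concrete: a lower-case regex matched against the signature description, an extension appended to a file named by the match's hexadecimal offset, and a command in which %e is expanded to the carved path. The following is an added example, not code from the blog or from binwalk: a three-entry signature table and a tiny firmware blob are constructed inline, `signature_scan` stands in for --signature, and `apply_dd_rules` applies the two rules from the command above. Carving from each match to the next match (or end of file) is a simplification of this example; binwalk uses the size reported by the signature where one is available. The command is only built, not run, unless execute=True is passed.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed signature table: a stand-in for binwalk's magic database, not its real entries.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image, 8 x 8, 8-bit/color RGB, non-interlaced",
    b"PK\x03\x04": "Zip archive data, at least v2.0 to extract",
    b"hsqs": "Squashfs filesystem, little endian, version 4.0",
}

# Constructed firmware blob: 16 bytes of padding, a PNG at 0x10, a Zip at 0x30, a Squashfs at 0x50.
SAMPLE_FIRMWARE = (
    b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"\x01" * 24
    + b"PK\x03\x04" + b"\x02" * 28
    + b"hsqs" + b"\x03" * 12
)


def signature_scan(data):
    """Minimal --signature stand-in: (offset, description) for every magic match, by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def parse_dd_rule(rule):
    """Split a --dd rule 'type[:ext[:cmd]]'; type is a lower-case regex for the description."""
    parts = rule.split(":", 2)
    type_re = re.compile(parts[0].lower())
    ext = parts[1] if len(parts) > 1 and parts[1] else None
    cmd = parts[2] if len(parts) > 2 and parts[2] else None
    return type_re, ext, cmd


def apply_dd_rules(data, rules, outdir, execute=False):
    """Carve each signature matched by a rule into outdir and expand %e in its command.

    The carved file is named by the hexadecimal offset of the match plus the rule's ext.
    Returns [(offset, path, expanded_command_or_None)]; the first matching rule wins.
    """
    parsed = [parse_dd_rule(r) for r in rules]
    hits = signature_scan(data)
    carved = []
    for i, (offset, desc) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)  # simplification, see lead-in
        for type_re, ext, cmd in parsed:
            if not type_re.search(desc.lower()):
                continue
            name = "%X" % offset + ("." + ext if ext else "")
            path = os.path.join(outdir, name)
            with open(path, "wb") as fh:
                fh.write(data[offset:end])
            command = cmd.replace("%e", shlex.quote(path)) if cmd else None
            if command and execute:
                subprocess.run(shlex.split(command), check=False)
            carved.append((offset, path, command))
            break
    return carved


def demo(rules=("zip archive:zip:unzip %e", "png image:png")):
    """Scan the constructed blob and apply the rules in a temp dir; returns (offset, name, size, cmd)."""
    with tempfile.TemporaryDirectory() as outdir:
        results = apply_dd_rules(SAMPLE_FIRMWARE, rules, outdir)
        return [(off, os.path.basename(p), os.path.getsize(p), cmd) for off, p, cmd in results]


if __name__ == "__main__":
    print("%-13s %-13s %s" % ("DECIMAL", "HEX", "DESCRIPTION"))
    for off, desc in signature_scan(SAMPLE_FIRMWARE):
        print("%-13d %-13s %s" % (off, "0x%X" % off, desc))
    for row in demo():
        print(row)
```

Two details worth noticing: the Squashfs match is found by the scan but carved by neither rule, because no rule's regex matches its description, and the Zip rule's command is built with the carved path shell-quoted, which is the safe way to expand a placeholder like %e before handing it to a shell.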
-M, --matryoshka
This option will recursively scan extracted files during a --signature scan. Only valid when used with --extract or --dd:
$ binwalk -e -M firmware.bin
-C, --directory=<str>
Set the output directory for extracted data (default: current working directory).
Only applicable when used with the --extract or --dd options:
$ binwalk -e --directory=/tmp firmware.bin
-d, --depth=<int>
Limit the --matryoshka recursion depth. By default, the depth is set to 8.
Only applicable when used