Firmware unpacking: using binwalk


Introduction to binwalk

  • binwalk is a tool that searches a given binary image file for embedded files and code (file systems, compressed streams, bootloader headers, executables)
  • Commonly used options:
    • -M: matryoshka mode, recursively rescan and extract from the files that the magic-signature scan has already extracted
    • -e: extract the detected file systems and archives using the default predefined extraction configuration file extract.conf
    • -d: limit the recursion depth of -M, default 8
    • -I: show the full scan result, including matches binwalk has marked as invalid (note that -l is --length, the number of bytes to scan, not a display option)
    • -A: scan for common executable opcode signatures, which tells you the CPU architecture of the code in the image

Basic unpacking with binwalk


-e extracts the archives and file systems that the signature scan detects, turning the .bin file into a tree of files (written to _pcat.bin.extracted in the current directory unless -C points elsewhere)

binwalk -e pcat.bin   # pcat.bin is the file to unpack


-D or --dd extracts only matches of one signature type. The argument is type[:ext[:cmd]]: a regular expression matched against the signature description, an optional extension for the carved files, and an optional command to run on each of them.

binwalk -D 'jpeg' pcat.bin                 # carve every match whose description matches "jpeg"
binwalk --dd='jpeg image:jpg' pcat.bin     # same, and give the carved files a .jpg extension

-M recursively scans and extracts from the files that were themselves extracted

It must be combined with -e or -D, otherwise there is nothing to recurse into; recursion stops at the depth set by -d (default 8). Besides the nested extraction directories, the output also contains a signature table for every extracted file, because each of them is scanned in turn; that is the extra "analysis" output that appears with -M.

binwalk -eM pcat.bin   # pcat.bin is the file to unpack


Scanning only, without extracting:

binwalk pcat.bin

(scan table screenshot) The table for this image reports a little-endian SquashFS file system; binwalk reads the byte order from the SquashFS magic bytes themselves.
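The following added example (written for this page, not binwalk's own code) reimplements the scan and extract steps above in Python, which is also the language binwalk itself is written in: it scans a constructed image for gzip and SquashFS magic bytes, prints the same kind of DECIMAL / HEXADECIMAL / DESCRIPTION table, reads endianness, version, compressor and size out of the SquashFS superblock the way the scan table reports them, and then carves each match the way -e and --dd do. The sample image, its offsets and the superblock values are all made up for the demonstration; no real pcat.bin is involved.

```python
# Added example (not binwalk's own code): a minimal signature scan plus
# carve, modelled on what `binwalk pcat.bin` and `binwalk -e pcat.bin` do
# for two common firmware members, gzip streams and SquashFS images.
# The sample image is constructed inline; it is not the page's pcat.bin.
import gzip
import struct
import zlib
from datetime import datetime, timezone

# SquashFS stores its 32-bit magic 0x73717368 in the image's own byte order,
# so the bytes of the magic reveal the filesystem's endianness: "hsqs" is
# little-endian, "sqsh" is big-endian (this is how binwalk knows what to print).
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",         # RFC 1952 magic plus deflate method byte
    b"hsqs": "squashfs_le",
    b"sqsh": "squashfs_be",
}
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
GZIP_HEADER_LEN = 10
SQUASHFS_SB_LEN = 48  # superblock fields up to and including bytes_used

def describe_gzip(img, off):
    # header: ID1 ID2 CM FLG MTIME(4) XFL OS
    _, _, _, _, mtime, _, _ = struct.unpack_from("<BBBBIBB", img, off)
    when = datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"gzip compressed data, last modified: {when}"

def describe_squashfs(img, off, endian):
    # v4 superblock prefix: magic, inodes, mkfs_time, block_size, fragments,
    # compression, block_log, flags, no_ids, s_major, s_minor, root_inode, bytes_used
    (_, inodes, _, block_size, _, comp, _, _, _, major, minor, _, bytes_used) = \
        struct.unpack_from(endian + "IIIIIHHHHHHQQ", img, off)
    name = "little" if endian == "<" else "big"
    return (f"Squashfs filesystem, {name} endian, version {major}.{minor}, "
            f"compression:{SQUASHFS_COMPRESSORS.get(comp, 'unknown')}, "
            f"size: {bytes_used} bytes, {inodes} inodes, blocksize: {block_size} bytes")

def scan(img):
    """Return [(offset, description)] sorted by offset, like binwalk's table.
    Matches too close to EOF to hold a full header are dropped; that is the
    kind of result binwalk hides unless you pass -I."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (off := img.find(magic, start)) != -1:
            start = off + 1
            if kind == "gzip" and off + GZIP_HEADER_LEN <= len(img):
                hits.append((off, describe_gzip(img, off)))
            elif kind != "gzip" and off + SQUASHFS_SB_LEN <= len(img):
                endian = "<" if kind == "squashfs_le" else ">"
                hits.append((off, describe_squashfs(img, off, endian)))
    return sorted(hits)

def carve(img, hits):
    """Mimic -e / --dd: cut each match from its offset up to the next match or
    EOF, keyed by the hex offset binwalk uses for file names in _<name>.extracted.
    Carved chunks deliberately include trailing bytes; extractors tolerate that."""
    out = {}
    for i, (off, _) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(img)
        out[f"{off:X}"] = img[off:end]
    return out

def extract_gzip(chunk):
    """Inflate a carved gzip chunk, ignoring whatever follows the stream."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    return d.decompress(chunk)

def build_sample_image():
    """Constructed firmware-like image: padding, a gzip'd /etc/passwd,
    0xff padding, then a SquashFS v4 superblock (xz, 42 inodes, 4096 bytes)."""
    gz = gzip.compress(b"root:x:0:0:root:/root:/bin/sh\n" * 8, mtime=1000000000)
    sb = struct.pack("<IIIIIHHHHHHQQ", 0x73717368, 42, 1000000000, 131072, 3,
                     4, 17, 0xC0, 1, 4, 0, 0, 4096)
    img = b"\x00" * 64 + gz
    img += b"\xff" * (1024 - len(img))
    return img + sb + b"\x00" * 256

if __name__ == "__main__":
    image = build_sample_image()
    print("DECIMAL       HEXADECIMAL     DESCRIPTION")
    for off, desc in scan(image):
        print(f"{off:<13}{off:<#16x}{desc}")
```

The carve keeps everything from a match up to the next one, which is why extract_gzip uses a zlib decompressobj that stops at the end of the stream rather than gzip.decompress, which rejects trailing bytes. Real binwalk works the same way in spirit: the carved chunk is handed to an external utility (unsquashfs, gunzip, ...) that reads only as much as the format needs, so an oversized carve is harmless and a truncated one is what actually breaks extraction.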

Filtering the scan output: -x and -y

-x, --exclude=<str>          Exclude results that match <str>
-y, --include=<str>          Only show results that match <str>

Showing the full scan result, including matches flagged as invalid: -I (--invalid). Do not confuse it with -l, which is --length, the number of bytes to scan.

Checking entropy, i.e. whether parts of the image are compressed or encrypted: -E. High entropy on its own does not tell compression from encryption; a high-entropy region that has no compression signature at its start is the one to suspect of being encrypted.
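As an added example (not binwalk's own code), here is the per-block entropy scan with the rising-edge and falling-edge thresholds that -E uses by default (-H 0.95, -L 0.85), run over a constructed image that contains erased flash, a cleartext config file and a run of uniform noise standing in for compressed or encrypted data. The 1024-byte block size and the sample layout are assumptions made for the demonstration.

```python
# Added example (not binwalk's own code): block-entropy scan with the
# rising/falling-edge thresholds that `binwalk -E` uses (-H 0.95, -L 0.85).
# The 1024-byte block size is an assumption; the sample data is constructed.
import math
import random
from collections import Counter

def shannon_entropy(block):
    """Entropy in bits per byte divided by 8, so 1.0 means every byte value
    is equally likely (the 0..1 scale of binwalk's entropy plot)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) / 8

def entropy_scan(img, block_size=1024, high=0.95, low=0.85):
    """Return ([(offset, entropy)], [(start, end)]); the second list holds the
    high-entropy regions. A region opens on the first block at or above `high`
    (rising edge) and closes on the first later block at or below `low`
    (falling edge). The gap between the two thresholds is hysteresis: a block
    that hovers around 0.9 neither opens nor closes a region, so one region
    does not flap into many."""
    entropies, regions, start = [], [], None
    for off in range(0, len(img), block_size):
        e = shannon_entropy(img[off:off + block_size])
        entropies.append((off, e))
        if start is None and e >= high:
            start = off
        elif start is not None and e <= low:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(img)))
    return entropies, regions

def build_sample():
    """Constructed image: 4 KiB of erased flash, 4 KiB of cleartext config,
    8 KiB of uniform noise standing in for compressed or encrypted data,
    then 4 KiB of padding. Seeded so the layout is reproducible."""
    rng = random.Random(1)
    zeros = b"\x00" * 4096
    text = (b"root:x:0:0:root:/root:/bin/sh\n" * 200)[:4096]
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    return zeros + text + noise + zeros

if __name__ == "__main__":
    ents, regions = entropy_scan(build_sample())
    for off, e in ents:
        print(f"{off:<8}{e:.3f} {'#' * int(e * 40)}")
    print("high-entropy regions:", regions)
```

Read the result together with the signature scan: a region that the entropy scan flags and that starts on a gzip, LZMA or xz signature is compressed; a flagged region with no signature at all (and nothing from -Z, which brute-forces raw LZMA streams) is the candidate for encryption, and the cleartext regions in between are where configuration files and credentials tend to sit.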

root@node1:/home/binwalk# binwalk -h
Binwalk v2.2.1+e0f9bf7   # version
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...
Disassembly Scan Options:
    -Y, --disasm                 Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>            Minimum number of consecutive instructions to be considered valid (default: 500)
    -k, --continue               Don't stop at the first match
Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>
Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type[:ext[:cmd]]>  Extract <type> signatures (regular expression), give the files an extension of <ext>, and execute <cmd>  (e.g. binwalk -D 'png image:png' firmware.bin)
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction  (removes zero-size files and carves the extraction utilities could not process; only meaningful together with --extract or --dd; useful for clearing false-positive carves out of the extraction directory)
    -z, --carve                  Carve data from files, but don't execute extraction utilities
    -V, --subdirs                Extract into sub-directories named by the offset

Entropy Options:
    -E, --entropy                Calculate file entropy  (entropy analysis helps locate interesting, i.e. compressed or encrypted, regions of a firmware image)
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG  (saves the --entropy plot to a PNG file instead of displaying it)
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -u, --similar                Only display lines that are the same between all files
    -w, --terse                  Diff all files, but only display a hex dump of the first file
Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams  (finds probable raw LZMA streams by brute force)
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result
General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port
updated 2023-10-08