Binwalk Package Description

Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility. Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

Binwalk Homepage | Kali Binwalk Repo

  • Author: Craig Heffner
  • License: MIT

Tools included in the binwalk package

binwalk – A firmware analysis tool
root@kali:~# binwalk -h

Binwalk v1.2.2-1
Craig Heffner, http://www.devttys0.com

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Analysis:
    -B, --binwalk                 Perform a file signature scan (default)
    -R, --raw-bytes=<string>      Search for a custom signature
    -A, --opcodes                 Scan for executable code signatures
    -C, --cast                    Cast file contents as various data types
    -m, --magic=<file>            Specify an alternate magic file to use
    -x, --exclude=<filter>        Exclude matches that have <filter> in their description
    -y, --include=<filter>        Only search for matches that have <filter> in their description
    -I, --show-invalid            Show results marked as invalid
    -T, --ignore-time-skew        Do not show results that have timestamps more than 1 year in the future
    -k, --keep-going              Show all matching results at a given offset, not just the first one
    -b, --dumb                    Disable smart signature keywords

Strings Analysis:
    -S, --strings                 Scan for ASCII strings (may be combined with -B, -R, -A, or -E)
    -s, --strlen=<n>              Set the minimum string length to search for (default: 3)

Entropy Analysis:
    -E, --entropy                 Plot file entropy (may be combined with -B, -R, -A, or -S)
    -H, --heuristic               Identify unknown compression/encryption based on entropy heuristics (implies -E)
    -K, --block=<int>             Set the block size for entropy analysis (default: 1024)
    -a, --gzip                    Use gzip compression ratios to measure entropy
    -N, --no-plot                 Do not generate an entropy plot graph
    -F, --marker=<offset:name>    Add a marker to the entropy plot graph
    -Q, --no-legend               Omit the legend from the entropy plot graph
    -J, --save-plot               Save plot as an SVG (implied if multiple files are specified)

Binary Diffing:
    -W, --diff                    Hexdump / diff the specified files
    -K, --block=<int>             Number of bytes to display per line (default: 16)
    -G, --green                   Only show hex dump lines that contain bytes which were the same in all files
    -i, --red                     Only show hex dump lines that contain bytes which were different in all files
    -U, --blue                    Only show hex dump lines that contain bytes which were different in some files
    -w, --terse                   Diff all files, but only display a hex dump of the first file

Extraction Options:
    -D, --dd=<type:ext[:cmd]>     Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -e, --extract=[file]          Automatically extract known file types; load rules from file, if specified
    -M, --matryoshka              Recursively scan extracted files, up to 8 levels deep
    -r, --rm                      Cleanup extracted files and zero-size files
    -d, --delay                   Delay file extraction for files with known footers

Plugin Options:
    -X, --disable-plugin=<name>   Disable a plugin by name
    -Y, --enable-plugin=<name>    Enable a plugin by name
    -p, --disable-plugins         Do not load any binwalk plugins
    -L, --list-plugins            List all user and system plugins by name

General Options:
    -o, --offset=<int>            Start scan at this file offset
    -l, --length=<int>            Number of bytes to scan
    -g, --grep=<text>             Grep results for the specified text
    -f, --file=<file>             Log results to file
    -c, --csv                     Log results to file in csv format
    -O, --skip-unopened           Ignore file open errors and process only the files that can be opened
    -t, --term                    Format output to fit the terminal window
    -q, --quiet                   Supress output to stdout
    -v, --verbose                 Be verbose (specify twice for very verbose)
    -u, --update                  Update magic signature files
    -?, --examples                Show example usage
    -h, --help                    Show help output

binwalk Usage Example

Run a file signature scan (-B) on the given firmware file (dd-wrt.v24-13064_VINT_mini.bin):

root@kali:~# binwalk -B dd-wrt.v24-13064_VINT_mini.bin

DECIMAL     HEX         DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
0           0x0         TRX firmware header, little endian, header size: 28 bytes, image size: 2945024 bytes, CRC32: 0x4D27FDC4 flags: 0x0, version: 1
28          0x1C        gzip compressed data, from Unix, NULL date: Wed Dec 31 19:00:00 1969, max compression
2472        0x9A8       LZMA compressed data, properties: 0x6E, dictionary size: 2097152 bytes, uncompressed size: 2084864 bytes
622592      0x98000     Squashfs filesystem, little endian, DD-WRT signature, version 3.0, size: 2320835 bytes,  547 inodes, blocksize: 131072 bytes, created: Mon Nov  2 07:24:06 2009
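As an added illustration of what the signature scan above does (example code written for this page, not binwalk's own), the script below walks a constructed image byte by byte looking for four of the signatures seen in the output, decodes the TRX, LZMA and Squashfs header fields behind each hit, and, like binwalk's handling of results it marks invalid (shown only with -I), drops hits whose fields are implausible or whose header is truncated. The TRX CRC convention used (CRC-32 over the bytes from offset 12 to the end of the image, stored without the final inversion) is an assumption based on the OpenWrt trx tool; the sample image is constructed inline.

```python
import struct
import zlib
# Magic patterns for a few of the file types binwalk reports inside firmware images.
SIGNATURES = [(b"HDR0", "TRX firmware header, little endian"), (b"\x1f\x8b\x08", "gzip compressed data"),
              (b"\x5d\x00\x00", "LZMA compressed data"), (b"hsqs", "Squashfs filesystem, little endian")]

def describe(image, off, magic, desc):
    """Decode the header behind a magic hit; return (description, valid)."""
    if magic == b"HDR0":
        length, crc, flags, ver = struct.unpack_from("<IIHH", image, off + 4)
        # TRX CRC-32 covers offset 12 to end of image, stored without final inversion (assumption).
        calc = zlib.crc32(image[off + 12:off + length]) ^ 0xFFFFFFFF
        ok = off + length <= len(image) and calc == crc
        return (f"{desc}, header size: 28 bytes, image size: {length} bytes, "
                f"CRC32: 0x{crc:08X}, flags: 0x{flags:X}, version: {ver}"), ok
    if magic == b"\x5d\x00\x00":
        props, dict_size, usize = struct.unpack_from("<BIQ", image, off)
        ok = dict_size & (dict_size - 1) == 0 and (usize == 2**64 - 1 or usize < 2**32)
        return (f"{desc}, properties: 0x{props:02X}, dictionary size: {dict_size} bytes, "
                f"uncompressed size: {usize} bytes"), ok
    if magic == b"hsqs":
        inodes = struct.unpack_from("<I", image, off + 4)[0]
        major, minor = struct.unpack_from("<HH", image, off + 28)  # s_major / s_minor
        return f"{desc}, version {major}.{minor}, {inodes} inodes", 1 <= major <= 4
    return desc + ", from Unix", True  # gzip: method byte 0x08 is already in the magic

def scan(image, show_invalid=False):
    """Walk the image byte by byte; return (offset, description) per hit, as binwalk -B prints."""
    hits = []
    for off in range(len(image)):
        for magic, desc in SIGNATURES:
            if image.startswith(magic, off):
                try:
                    text, ok = describe(image, off, magic, desc)
                except struct.error:  # header runs past the end of the image
                    text, ok = desc, False
                if ok or show_invalid:  # binwalk hides such hits unless -I is given
                    hits.append((off, text))
                break  # first match at an offset wins (binwalk without -k)
    return hits

def build_sample_image():
    """Constructed image: TRX header wrapping a gzip stub, an LZMA header and a Squashfs superblock."""
    gz = b"\x1f\x8b\x08\x00" + b"\x00" * 4 + b"\x00\x03" + b"\xaa" * 22
    lzma = struct.pack("<BIQ", 0x5D, 2097152, 2084864) + b"\xbb" * 19
    sqfs = b"hsqs" + struct.pack("<I", 547) + b"\x00" * 20 + struct.pack("<HH", 4, 0) + b"\xcc" * 32
    body = gz + lzma + sqfs
    tail = struct.pack("<HHIII", 0, 1, 28, 28 + len(gz), 28 + len(gz) + len(lzma))  # flags, version, offsets
    crc = zlib.crc32(tail + body) ^ 0xFFFFFFFF
    return b"HDR0" + struct.pack("<II", 28 + len(body), crc) + tail + body
```

Calling `scan(build_sample_image())` yields hits at offsets 0, 28, 60 and 92; flipping any byte of the body invalidates the TRX CRC so the header hit disappears unless `show_invalid=True`, and scanning a truncated copy drops the hits whose headers no longer fit.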