Exemple #1
0
def test_lzma():
    '''
    Test: Open foobar.lzma, scan for signatures.
    Verify that only one LZMA signature was detected.
    '''
    expected_result = "LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: -1 bytes"

    input_vector_file = os.path.join(os.path.dirname(__file__),
                                     "input-vectors",
                                     "foobar.lzma")

    scan_result = binwalk.scan(input_vector_file,
                               signature=True,
                               quiet=True)

    # Test number of modules used
    eq_(len(scan_result), 1)

    # There should be only one result
    eq_(len(scan_result[0].results), 1)

    # That result should be at offset 0
    eq_(scan_result[0].results[0].offset, 0)

    # That result should be an LZMA file
    ok_(scan_result[0].results[0].description == expected_result)
    def _check_rootfs(self):
        """
        If this file contains a known filesystem type, extract it.
        """

        if not self.get_rootfs_status():
            for module in binwalk.scan(self.item, "-e", "-r", "-y",
                                       "filesystem", signature=True,
                                       quiet=True):
                for entry in module.results:
                    self.printf(">>>> %s" % entry.description)
                    break

                if module.extractor.directory:
                    unix = Extractor.io_find_rootfs(module.extractor.directory)

                    if not unix[0]:
                        self.printf(">>>> Extraction failed!")
                        return False

                    self.printf(">>>> Found Linux filesystem in %s!" % unix[1])
                    if self.output:
                        shutil.make_archive(self.output, "gztar",root_dir=unix[1])
                    else:
                        self.extractor.do_rootfs = False
                    return True
        return False
def test_firmware_squashfs():
    '''
    Test: Open hello-world.srec, scan for signatures
    verify that only one signature is returned
    verify that the only signature returned is Motorola S-rec data-signature
    '''
    expected_results = [
        [0, 'DLOB firmware header, boot partition: "dev=/dev/mtdblock/2"'],
        [112, 'LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3466208 bytes'],
        [1179760, 'PackImg section delimiter tag, little endian size: 11548416 bytes; big endian size: 3649536 bytes'],
        [1179792, 'Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 3647665 bytes, 1811 inodes, blocksize: 524288 bytes, created: 2013-09-17 06:43:22'],
    ]

    scan_result = binwalk.scan(
        dirname(__file__) + '/input-vectors/firmware.squashfs',
        signature=True,
        quiet=True,
        extract=True)  # Throws a warning for missing external extractor
    # Test number of modules used
    eq_(len(scan_result), 1)
    # Test number of results for that module
    eq_(len(scan_result[0].results), len(expected_results))
    # Test result-description
    for i in range(0, len(scan_result[0].results)):
        eq_(scan_result[0].results[i].offset, expected_results[i][0])
        eq_(scan_result[0].results[i].description, expected_results[i][1])
 def _check_kernel(self):
     """
     If this file contains a kernel version string, assume it is a kernel.
     Only Linux kernels are currently extracted.
     """
     if not self.get_kernel_status():
         for module in binwalk.scan(self.item, "-y", "kernel",
                                    signature=True, quiet=True):
             for entry in module.results:
                 if "kernel version" in entry.description:
                     self.update_database("kernel_version",
                                          entry.description)
                     if "Linux" in entry.description:
                         if self.get_kernel_path():
                             shutil.copy(self.item, self.get_kernel_path())
                         else:
                             self.extractor.do_kernel = False
                         self.printf(">>>> %s" % entry.description)
                         return True
                     # VxWorks, etc
                     else:
                         self.printf(">>>> Ignoring: %s" % entry.description)
                         return False
             return False
     return False
def test_firmware_cpio():
    '''
    Test: Open firmware.cpio, scan for signatures.
    Verify that at least one CPIO signature is detected.
    Verify that only CPIO signatures are detected.
    '''
    input_vector_file = os.path.join(os.path.dirname(__file__),
                                     "input-vectors",
                                     "firmware.cpio")

    scan_result = binwalk.scan(input_vector_file,
                               signature=True,
                               quiet=True)

    # Test number of modules used
    eq_(len(scan_result), 1)

    # Make sure we got some results
    ok_(len(scan_result[0].results) > 0)

    # First result should be at offset 0
    eq_(scan_result[0].results[0].offset, 0)

    # Make sure the only thing found were cpio archive entries
    for result in scan_result[0].results:
        ok_(result.description.startswith("ASCII cpio archive"))
def test_firmware_zip():
    '''
    Test: Open firmware.zip, scan for signatures
    verify that all (and only) expected signatures are detected
    '''
    expected_results = [
	[0, 'Zip archive data, at least v1.0 to extract, name: dir655_revB_FW_203NA/'],
	[51, 'Zip archive data, at least v2.0 to extract, compressed size: 6395868, uncompressed size: 6422554, name: dir655_revB_FW_203NA/DIR655B1_FW203NAB02.bin'],
	[6395993, 'Zip archive data, at least v2.0 to extract, compressed size: 14243, uncompressed size: 61440, name: dir655_revB_FW_203NA/dir655_revB_release_notes_203NA.doc'],
	[6410581, 'End of Zip archive, footer length: 22'],

    ]

    input_vector_file = os.path.join(os.path.dirname(__file__),
                                     "input-vectors",
                                     "firmware.zip")

    scan_result = binwalk.scan(input_vector_file,
                               signature=True,
                               quiet=True)

    # Test number of modules used
    eq_(len(scan_result), 1)

    # Test number of results for that module
    eq_(len(scan_result[0].results), len(expected_results))

    # Test result-description
    for i in range(0, len(scan_result[0].results)):
        eq_(scan_result[0].results[i].offset, expected_results[i][0])
        eq_(scan_result[0].results[i].description, expected_results[i][1])
def binwalk_scan(fi):
    """
    Scan selected region (the whole file if not selected) to find embedded files
    """
    if binwalk_not_installed:
        print "binwalk is not installed."
        print "Please get it from https://github.com/ReFirmLabs/binwalk"
        print "(pip cannot be used to install binwalk)."
        return

    length = fi.getSelectionLength()
    offset = fi.getSelectionOffset()

    offset_found = []
    if (length > 0):
        data = fi.getSelection()
        print "Scanned from offset %s to %s:" % (hex(offset), hex(offset + length))
    else:
        offset = 0
        data = fi.getDocument()
        length = fi.getLength()
        print "Scanned the whole file:"

    time_start = time.time()

    for module in binwalk.scan(data, signature=True, quiet=True, string=True):
        for result in module.results:
            print "Offset: 0x%x\t%s" % (offset + result.offset, result.description)
            offset_found.append(offset + result.offset)

    num_found = len(offset_found)
    if num_found == 0:
        print "No file has been detected."
    print "Elapsed time (scan): %f (sec)" % (time.time() - time_start)
    time_start = time.time()

    if num_found > 0:
        for i in range(0, num_found):
            if i + 1 == num_found:
                fi.setBookmark(offset_found[i], offset + length - offset_found[i], hex(offset_found[i]), "#c8ffff")
            else:
                fi.setBookmark(offset_found[i], offset_found[i + 1] - offset_found[i], hex(offset_found[i]), "#c8ffff")

        print "\r\nAdded bookmarks to the detected files."
        print "Elapsed time (bookmark): %f (sec)" % (time.time() - time_start)
Exemple #8
0
def test_hello_world_simple_scan():
    '''
    Test: Open hello-world.srec, scan for signatures
    verify that only one signature is returned
    verify that the only signature returned is Motorola S-rec data-signature
    '''
    scan_result = binwalk.scan(
        dirname(__file__) + '/input-vectors/hello-world.srec',
        signature=True,
        quiet=True,
        extract=True)  # Throws a warning for missing external extractor
    # Test number of modules used
    eq_(len(scan_result), 1)
    # Test number of results for that module
    eq_(len(scan_result[0].results), 1)
    # Test result-description
    eq_(scan_result[0].results[0].description,
        'Motorola S-Record; binary data in text format, record type: data (32-bit)')
 def run(self):
     # check parameteres
     silent = positive(self.parameters['SILENT'].value)
     import binwalk
     #if not positive(self.parameters['BACKGROUND'].value) and not negative(self.parameters['BACKGROUND'].value):
     #    log.err('Bad %s value: %s.', 'BACKGROUND', self.parameters['BACKGROUND'].value)
     #    return None
     try:
         # Perform a signature scan against the files specified on the command line and suppress the usual binwalk output.
         path = io.get_fullpath(self.parameters['ACTIVEROOT'].value, self.parameters['BINFILE'].value)
         for module in binwalk.scan(path, signature=True, quiet=True):
             #log.writeline('%s Results:' % module.name)
             if not silent:
                 for result in module.results:
                     log.writeline('0x%.8X    %s [%s]' % (result.offset, result.description, str(result.valid)))
     except binwalk.ModuleException as e:
         log.err(str(e))
     
     return None
    def run(self):
        silent = positive(self.parameters["SILENT"].value)
        import binwalk

        try:
            path = io.get_fullpath(self.parameters["ACTIVEROOT"].value, self.parameters["BINFILE"].value)
            for module in binwalk.scan(
                path,
                **{
                    "signature": True,
                    "quiet": True,
                    "extract": True,
                    "directory": self.parameters["TMPDIR"].value,
                    "matryoshka": True,
                }
            ):
                pass
        except binwalk.ModuleException as e:
            log.err(str(e))

        return None
def test_firmware_gzip():
    '''
    Test: Open firmware.gzip, scan for signatures.
    Verify that only one gzip signature was detected.
    '''
    input_vector_file = os.path.join(os.path.dirname(__file__),
                                     "input-vectors",
                                     "firmware.gzip")

    scan_result = binwalk.scan(input_vector_file,
                               signature=True,
                               quiet=True)

    # Test number of modules used
    eq_(len(scan_result), 1)

    # There should be only one result
    eq_(len(scan_result[0].results), 1)

    # That result should be at offset 0
    eq_(scan_result[0].results[0].offset, 0)

    # That result should be a gzip file
    ok_(scan_result[0].results[0].description.startswith("gzip compressed data"))
def test_firmware_jffs2():
    '''
    Test: Open firmware.jffs2, scan for signatures.
    Verify that only JFFS2 signatures are detected.
    Verify that only the first one was displayed.
    '''
    input_vector_file = os.path.join(os.path.dirname(__file__),
                                     "input-vectors",
                                     "firmware.jffs2")

    scan_result = binwalk.scan(input_vector_file,
                               signature=True,
                               quiet=True)

    # Test number of modules used
    eq_(len(scan_result), 1)

    # Test number of results for that module, should be more than one
    ok_(len(scan_result[0].results) > 1)

    first_result = scan_result[0].results[0]

    # Check the offset of the first result
    eq_(first_result.offset, 0)

    # Make sure we found the jffs file system
    ok_(first_result.description.startswith("JFFS2 filesystem"))

    # Check to make sure the first result was displayed
    ok_(first_result.display == True)

    # Make sure we only found jffs2 file system entries
    # and that nothing but the first entry was displayed
    for result in scan_result[0].results[1:]:
        ok_(result.description.startswith("JFFS2 filesystem"))
        ok_(result.display == False)
Exemple #13
0
#!/usr/bin/env python

import sys
import binwalk

try:
    # Perform a signature scan against the files specified on the command line
    # and suppress the usual binwalk output.
    for module in binwalk.scan(*sys.argv[1:], signature=True, quiet=True):
        print("%s Results:" % module.name)
        for result in module.results:
            print("\t%s    0x%.8X    %s [%s]" %
                  (result.file.name, result.offset, result.description,
                   str(result.valid)))
except binwalk.ModuleException as e:
    pass
Exemple #14
0
    def _check_firmware(self):
        """
        If this file is of a known firmware type, directly attempt to extract the kernel and root filesystem.
        """
        for module in binwalk.scan(self.item,
                                   "-y",
                                   "header",
                                   signature=True,
                                   quiet=True):
            for entry in module.results:
                # uImage
                if "uImage header" in entry.description:
                    if not self.get_kernel_status(
                    ) and "OS Kernel Image" in entry.description:
                        kernel_offset = entry.offset + 64
                        kernel_size = 0

                        for stmt in entry.description.split(','):
                            if "image size:" in stmt:
                                kernel_size = int(
                                    ''.join(i for i in stmt if i.isdigit()),
                                    10)

                        if kernel_size != 0 and kernel_offset + kernel_size <= os.path.getsize(
                                self.item):
                            self.printf(">>>> %s" % entry.description)

                            tmp_fd, tmp_path = tempfile.mkstemp(dir=self.temp)
                            os.close(tmp_fd)
                            Extractor.io_dd(self.item, kernel_offset,
                                            kernel_size, tmp_path)
                            kernel = ExtractionItem(self.extractor, tmp_path,
                                                    self.depth)

                            return kernel.extract()
                    # elif "RAMDisk Image" in entry.description:
                    #     self.printf(">>>> %s" % entry.description)
                    #     self.printf(">>>> Skipping: RAMDisk / initrd")
                    #     self.terminate = True
                    #     return True

                # TP-Link or TRX
                elif not self.get_kernel_status() and not self.get_rootfs_status() and \
                            "rootfs offset: " in entry.description and "kernel offset: " in entry.description:
                    kernel_offset = 0
                    kernel_size = 0
                    rootfs_offset = 0
                    rootfs_size = 0

                    for stmt in entry.description.split(','):
                        if "kernel offset:" in stmt:
                            kernel_offset = int(stmt.split(':')[1], 16)
                        elif "kernel length:" in stmt:
                            kernel_size = int(stmt.split(':')[1], 16)
                        elif "rootfs offset:" in stmt:
                            rootfs_offset = int(stmt.split(':')[1], 16)
                        elif "rootfs length:" in stmt:
                            rootfs_size = int(stmt.split(':')[1], 16)

                    # compute sizes if only offsets provided
                    if kernel_offset != rootfs_size and kernel_size == 0 and rootfs_size == 0:
                        kernel_size = rootfs_offset - kernel_offset
                        rootfs_size = os.path.getsize(
                            self.item) - rootfs_offset

                    # ensure that computed values are sensible
                    if (kernel_size > 0 and kernel_offset + kernel_size <= os.path.getsize(self.item)) and \
                                (rootfs_size != 0 and rootfs_offset + rootfs_size <= os.path.getsize(self.item)):
                        self.printf(">>>> %s" % entry.description)

                        tmp_fd, tmp_path = tempfile.mkstemp(dir=self.temp)
                        os.close(tmp_fd)
                        Extractor.io_dd(self.item, kernel_offset, kernel_size,
                                        tmp_path)
                        kernel = ExtractionItem(self.extractor, tmp_path,
                                                self.depth)
                        kernel.extract()

                        tmp_fd, tmp_path = tempfile.mkstemp(dir=self.temp)
                        os.close(tmp_fd)
                        Extractor.io_dd(self.item, rootfs_offset, rootfs_size,
                                        tmp_path)
                        rootfs = ExtractionItem(self.extractor, tmp_path,
                                                self.depth)
                        rootfs.extract()

                        return self.update_status()
        return False
Exemple #15
0
    def extract(self):
        """
        Perform the actual extraction of firmware updates, recursively. Returns
        True if extraction complete, otherwise False.
        """
        self.printf("\n" +
                    self.item.encode("utf-8", "replace").decode("utf-8"))

        # check if item is complete
        if self.get_status():
            self.printf(">> Skipping: completed!")
            return True

        # check if exceeding recursion depth
        if self.depth > ExtractionItem.RECURSION_DEPTH:
            self.printf(">> Skipping: recursion depth %d" % self.depth)
            return self.get_status()

        # check if checksum is in visited set
        self.printf(">> MD5: %s" % self.checksum)
        with Extractor.visited_lock:
            # Skip the same checksum only in the same status
            # asus_latest(FW_RT_N12VP_30043804057.zip) firmware
            if (self.checksum in self.extractor.visited
                    and self.extractor.visited[self.checksum] == self.status):
                self.printf(">> Skipping: %s..." % self.checksum)
                return self.get_status()
            else:
                self.extractor.visited[self.checksum] = self.status

        # check if filetype is blacklisted
        if self._check_blacklist():
            return self.get_status()

        # create working directory
        self.temp = tempfile.mkdtemp()

        # Move to temporary directory so binwalk does not write to input
        os.chdir(self.temp)

        try:
            self.printf(">> Tag: %s" % self.tag)
            self.printf(">> Temp: %s" % self.temp)
            self.printf(">> Status: Kernel: %s, Rootfs: %s, Do_Kernel: %s, \
                Do_Rootfs: %s" %
                        (self.get_kernel_status(), self.get_rootfs_status(),
                         self.extractor.do_kernel, self.extractor.do_rootfs))

            for module in binwalk.scan(self.item,
                                       "-e",
                                       "-r",
                                       "-C",
                                       self.temp,
                                       signature=True,
                                       quiet=True):
                prev_entry = None
                for entry in module.results:
                    desc = entry.description
                    dir_name = module.extractor.directory

                    if prev_entry and prev_entry.description == desc and \
                            'Zlib comparessed data' in desc:
                        continue
                    prev_entry = entry

                    self.printf('========== Depth: %d ===============' %
                                self.depth)
                    self.printf("Name: %s" % self.item)
                    self.printf("Desc: %s" % desc)
                    self.printf("Directory: %s" % dir_name)

                    self._check_firmware(module, entry)

                    if not self.get_rootfs_status():
                        self._check_rootfs(module, entry)

                    if not self.get_kernel_status():
                        self._check_kernel(module, entry)

                    if self.update_status():
                        self.printf(">> Skipping: completed!")
                        return True
                    else:
                        self._check_recursive(module, entry)

        except Exception:
            print("ERROR: ", self.item)
            traceback.print_exc()

        return False
Exemple #16
0
	
		print("Decrypted:",output_name)
		return output_name
	except Exception as e:
		print("Decrypting Failed: "+str(e))

		
os.chdir("./")
for file in glob.glob("*.rbi"):
	print("Decrypting %s..."%file)
	dec_filename=decrypt(file)
	if not dec_filename:
		continue
	print("Binwalking %s..."%dec_filename)
	path_to_push=''
	for module in binwalk.scan('--preserve-symlinks', dec_filename, signature=True, extract=True, quiet=True):
		for result in module.results:
			if result.file.path in module.extractor.output:
				if result.offset in module.extractor.output[result.file.path].extracted:
					if 'root' in module.extractor.output[result.file.path].extracted[result.offset].files[0]:
						path_to_push=module.extractor.output[result.file.path].extracted[result.offset].files[0]
						print("Found rootfs %s"%path_to_push)
					#print("Extracted %d files from offset 0x%X to '%s' using '%s'" % (len(module.extractor.output[result.file.path].extracted[result.offset].files),result.offset,module.extractor.output[result.file.path].extracted[result.offset].files[0],module.extractor.output[result.file.path].extracted[result.offset].command))
	if path_to_push != '':
		print("Pushing to github...")
		repo = Repo.init(path_to_push) #create repo object of the other repository
		repo.create_remote('origin', 'https://github.com/FrancYescO/tch_firmware_extracted')
		repo.remotes[0].fetch()
		branch_name=dec_filename[:(dec_filename.find(".bin"))]
		repo.git.checkout('-b', branch_name)
		repo.git.add('.') # same as git add file
Exemple #17
0
def binwalk_execution(binary_name, filename, output_format = None):
    path_fs = "/"

    if output_format == 'txt':
        fl = open(filename+output_format, 'w')
        fl.write("«««««««««««««««««««« Binwalk Report »»»»»»»»»»»»»»»»»»»»\n")
        for module in binwalk.scan(binary_name, signature=True, quiet=True ,extract=False):
            fl.write ("%s Results:\n" % module.name)
        for result in module.results:
            fl.write ("\t%s    0x%.8X    %s\n" % (result.file.path, result.offset, result.description))
        for module in binwalk.scan(binary_name, signature=True, quiet=True ,extract=True):
            for result in module.results:
                if result.file.path in module.extractor.output:
                    # These are files that binwalk carved out of the original firmware image, a la dd
                    if result.offset in module.extractor.output[result.file.path].carved:

                        first, *middle, last = str(module.extractor.output[result.file.path].carved[result.offset]).split('/')
                        fl.write("\nCarved data from offset 0x%X to %s\n" % (result.offset,module.extractor.output[result.file.path].carved[result.offset]))
                    # These are files/directories created by extraction utilities (gunzip, tar, unsquashfs, etc)
                    if result.offset in module.extractor.output[result.file.path].extracted:
                        first, *middle, last = str(module.extractor.output[result.file.path].extracted[result.offset].files[0]).split('/')
                        fl.write("Extracted %d files from offset 0x%X to '%s' using '%s'\n" % (len(module.extractor.output[result.file.path].extracted[result.offset].files),                                                                               result.offset,                                                                         module.extractor.output[result.file.path].extracted[result.offset].files[0],                                                                                      module.extractor.output[result.file.path].extracted[result.offset].command))
        fl.write("««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»\n\n")
        fl.close()

    elif output_format == 'pdf':
        aux = filename.split('.')
        fl = open(aux[0]+ '_binwalk.txt', 'w')

        for module in binwalk.scan(binary_name, signature=True, quiet=True ,extract=False):
            fl.write ("%s Results:\n" % module.name)
        for result in module.results:
            fl.write ("\t%s    0x%.8X    %s\n" % (result.file.path, result.offset, result.description))
        for module in binwalk.scan(binary_name, signature=True, quiet=True ,extract=True):
            for result in module.results:
                if result.file.path in module.extractor.output:
                    # These are files that binwalk carved out of the original firmware image, a la dd
                    if result.offset in module.extractor.output[result.file.path].carved:
                        first, *middle, last = str(module.extractor.output[result.file.path].carved[result.offset]).split('/')
                        fl.write("\nCarved data from offset 0x%X to %s\n" % (result.offset,module.extractor.output[result.file.path].carved[result.offset]))

                    # These are files/directories created by extraction utilities (gunzip, tar, unsquashfs, etc)
                    if result.offset in module.extractor.output[result.file.path].extracted:
                        first, *middle, last = str(module.extractor.output[result.file.path].extracted[result.offset].files[0]).split('/')
                        fl.write("Extracted %d files from offset 0x%X to '%s' using '%s'\n" % (len(module.extractor.output[result.file.path].extracted[result.offset].files),                                                                               result.offset,                                                                         module.extractor.output[result.file.path].extracted[result.offset].files[0],                                                                                      module.extractor.output[result.file.path].extracted[result.offset].command))
        fl.close()

    else:
        print("\n«««««««««««««««««««« Binwalk Report »»»»»»»»»»»»»»»»»»»»")
        for module in binwalk.scan(binary_name, signature=True, quiet=False, extract=True):
            for result in module.results:
                if result.file.path in module.extractor.output:
                    # These are files that binwalk carved out of the original firmware image, a la dd
                    if result.offset in module.extractor.output[result.file.path].carved:
                        first, *middle, last = str(module.extractor.output[result.file.path].carved[result.offset]).split('/')
                        print("Carved data from offset 0x%X to %s" % (result.offset,module.extractor.output[result.file.path].carved[result.offset]))
                    # These are files/directories created by extraction utilities (gunzip, tar, unsquashfs, etc)
                    if result.offset in module.extractor.output[result.file.path].extracted:
                        try:
                       	    first, *middle, last = str(module.extractor.output[result.file.path].extracted[result.offset].files[0]).split('/')
                       	except Exception as e:
                       	    print(e)
                       	    pass
                       	print(str(module.extractor.output[result.file.path].extracted[result.offset].files[0]).split('/'))
                        print("Extracted %d files from offset 0x%X to '%s' using '%s'" % (len(module.extractor.output[result.file.path].extracted[result.offset].files),                                                                               result.offset,                                                                         module.extractor.output[result.file.path].extracted[result.offset].files[0],                                                                                      module.extractor.output[result.file.path].extracted[result.offset].command))

        print("\n««««««««««««««««««««««««««««»»»»»»»»»»»»»»»»»»»»»»»»»»»»\n\n")

    for value in middle:
        path_fs += value + '/'

    return path_fs
    for i in range(0, len(scan_result[0].results)):
        eq_(scan_result[0].results[i].offset, expected_results[i][0])
        eq_(scan_result[0].results[i].description, expected_results[i][1])
"""

try:
    target_file = sys.argv[1]
except IndexError:
    sys.stderr.write("Usage: %s <input vector file>\n" % sys.argv[0])
    sys.exit(1)

target_file_basename = os.path.basename(target_file)
scan_function_name = target_file_basename.replace('.', '_').replace('-', '_')
expected_results = ""

signature = binwalk.scan(target_file, signature=True, term=True)[0]
for result in signature.results:
    expected_results += "\t[%d, '%s'],\n" % (result.offset, result.description)

test_script = test_script_template % (scan_function_name,
                                      target_file_basename,
                                      expected_results,
                                      target_file_basename)

test_script_path = os.path.join("tests", "test_%s.py" % scan_function_name)

with open(test_script_path, "w") as fp:
    fp.write(test_script)

sys.stdout.write("Generated test script for '%s' and saved it to '%s'\n" % (target_file, test_script_path))
sys.exit(0)
Exemple #19
0
        # Don't compare an image with the same image!
        if args.img not in image:
            combs.append((args.img, image))

    # Adding user supplied image to the list of images to be extracted.
    images.append(args.img)

else:
    print("[+] - Image passed does not exist! Try again...")
    sys.exit()

print("[+] ------------ Analyzing these images ------------")
pp.pprint(images)
print("")

module = binwalk.scan(*images, signature=True, quiet=True, extract=True)

count = 1
for img1, img2 in combs:

    print("[+] - Comparing the folowing images...")
    print("[+] -> img1 = " + img1)
    print("[+] -> img2 = " + img2)

    json_data['comp' + str(count)] = {}
    json_data['comp' + str(count)]['img1'] = img1
    json_data['comp' + str(count)]['img2'] = img2

    json_data['comp' + str(count)]['carv_data'] = diff_carvs(
        img1, img2, module[0])
    print("")
if not flag_format:
    print("Flag format not specified")
    exit()

if not os.path.exists(out_dir):
    os.mkdir(out_dir)
shutil.copyfile(filename, out_dir + '/' + filename)
os.chdir(os.path.abspath(out_dir))

flag_format = flag_format + '{'

print("Looking for flag with format:" + flag_format + '}')

print("BINWALK=======================================")

for module in binwalk.scan(filename, signature=True, quiet=True, extract=True):
    for result in module.results:
        print("\t%s    0x%.8X    %s" %
              (result.file.name, result.offset, result.description))
        if result.file.path in module.extractor.output:
            # These are files that binwalk carved out of the original firmware image, a la dd
            if result.offset in module.extractor.output[
                    result.file.path].carved:
                print("Carved data from offset 0x%X to %s" %
                      (result.offset, module.extractor.output[
                          result.file.path].carved[result.offset]))
            # These are files/directories created by extraction utilities (gunzip, tar, unsquashfs, etc)
            if result.offset in module.extractor.output[
                    result.file.path].extracted:
                print(
                    "Extracted %d files from offset 0x%X to '%s' using '%s'" %
Exemple #21
0
 def opcode_scan(self, arg):
     binwalk.scan(idc.GetIdbPath(), opcode=True)
Exemple #22
0
def request(flow: http.HTTPFlow):
    contentAPI = ''
    Source = ''
    for i in list(filter(None, flow.client_conn.address[0].split(":"))):
        if i.count(".") > 2:
            Source = i
    print("Source:", Source)
    if check_whitelist(Source, "./modules/Filters/whitelist_sources.txt") == 0:
        print("URL", flow.request.pretty_url)
        x = check_whitelist(flow.request.pretty_url,
                            "./modules/Filters/whitelist.txt")
        if x == 0:
            destinationAPI = flow.request.pretty_url
            sourceAPI = Source
            agentAPI = flow.request.headers['User-Agent']
            if check_whitelist_ua(flow.request.headers['User-Agent']) == 0:
                print("ALERTA HTTPS! User-Agent!")
                db = MySQLdb.connect(host="localhost",
                                     user="******",
                                     passwd="FlagFlag123.",
                                     db="licenta")
                cursor = db.cursor()
                cursor.execute(
                    "INSERT INTO alerte (Type,Message,Risk,Source,Destination,Payload,Timestamp) VALUES('HTTPS', 'User-Agent!','MEDIUM', '"
                    + Source + "', '-','" +
                    flow.request.headers['User-Agent'] + "','" +
                    str(datetime.now()) + "')")
                db.commit()
                db.close()
                print("HTTPS UserAgent COMMITED")
            print("PATH:", flow.request.path)
            GET = flow.request.path
            contentAPI = GET
            global signatures
            signatures = read_file('signatures')
            check_get(GET, flow.request.pretty_url, Source)
            try:
                cookies = flow.request.headers['Cookies']
            except:
                pass
            if flow.request.method == "POST" or flow.request.method == "PUT":
                content = flow.request.content
                contentAPI = content
                if 'paste' in flow.request.pretty_url:
                    check_paste(content, Source, flow.request.pretty_url)
                ctx.log.info("Sensitive pattern found")
                flow.intercept()
                f = open("/tmp/buffer", "wb")
                verify_content(content, flow.request.pretty_url, Source)
                f.write(content)
                f.close()
                for module in binwalk.scan("/tmp/buffer",
                                           signature=True,
                                           quiet=True,
                                           extract=False):
                    pass
                ok = 0
                for result in module.results:
                    if "LZMA" not in result.description and "Zlib" not in result.description:
                        print(result.description.split(',')[0])
                        ok = 1
                if ok == 0:
                    print(flow.request.text)
                print(flow.request.host_header)
                flow.resume()
                ctx.log.info("Trafic blocat")
Exemple #23
0
def binwalk_file_extractEx(request):
    # filename = req_get_param(request, 'filename')
    firmware_id = req_get_param(request, 'firmware_id')
    try:
        # 查询数据库 得到固件名
        fw = firmware_db.fetch(firmware_id)

        # todo check fw is NULL
        if fw['fw_info']['filepath'] is not None:
            filename = fw['fw_info']['filepath'] + fw['fw_info']['filename'][0]
        else:
            return sys_app_ok_p({'decode': 'Null', 'description': "解析文件名出错"})

        list_temp = []

        # filename=US_W331AV1.0BR_V1.0.0.12_cn&en_TD.bin 文件名带特殊符号无法进行抽取文件
        for module in binwalk.scan(filename,
                                   signature=True,
                                   quiet=True,
                                   extract=True):
            for result in module.results:
                if result.file.path in module.extractor.output:
                    # These are files that binwalk carved out of the original firmware image, a la dd
                    if result.offset in module.extractor.output[
                            result.file.path].carved:
                        print
                        "Carved data from offset 0x%X to %s" % (
                            result.offset, module.extractor.output[
                                result.file.path].carved[result.offset])

                        list_temp.append(module.extractor.output[
                            result.file.path].carved[result.offset])
                    # These are files/directories created by extraction utilities (gunzip, tar, unsquashfs, etc)
                    if result.offset in module.extractor.output[
                            result.file.path].extracted:
                        if len(module.extractor.output[result.file.path].
                               extracted[result.offset].files):
                            print
                            "Extracted %d files from offset 0x%X to '%s' using '%s'" % (
                                len(module.extractor.output[result.file.path].
                                    extracted[result.offset].files),
                                result.offset,
                                module.extractor.output[result.file.path].
                                extracted[result.offset].files[0],
                                module.extractor.output[result.file.path].
                                extracted[result.offset].command)

                            list_temp.append(
                                module.extractor.output[result.file.path].
                                extracted[result.offset].files)

        # 将抽取的文件信息存入mongodb firmware_info
        dic = {}
        item = {}
        index = 0
        for off_set in list_temp:
            index += 1
            filex = 'file' + str(index)
            dic[filex] = list_temp[index - 1]

        item['extract_info'] = dic
        firmware_db.update(firmware_id, item)

    except binwalk.ModuleException as e:
        print("Critical failure:", e)
        return sys_app_err('ERROR_INTERNAL_ERROR')
    return sys_app_ok_p({'extract': 'ok', 'filelist': list_temp})
Exemple #24
0
    def _check_recursive(self, fmt):
        """
        Unified implementation for checking both "archive" and "compressed" items.
        """
        desc = None
        # perform extraction
        for module in binwalk.scan(self.item,
                                   "-e",
                                   "-r",
                                   "-y",
                                   fmt,
                                   signature=True,
                                   quiet=True):
            for entry in module.results:
                # skip cpio/initrd files since they should be included with kernel
                # if "cpio archive" in entry.description:
                #     self.printf(">> Skipping: cpio: %s" % entry.description)
                #     self.terminate = True
                #     return True
                desc = entry.description
                self.printf(">>>> %s" % entry.description)
                break

            if module.extractor.directory:
                unix = Extractor.io_find_rootfs(module.extractor.directory)

                # check for extracted filesystem, otherwise update queue
                if unix[0]:
                    self.printf(">>>> Found Linux filesystem in %s!" % unix[1])
                    if self.output:
                        shutil.make_archive(self.output,
                                            "gztar",
                                            root_dir=unix[1])
                    else:
                        self.extractor.do_rootfs = False
                    return True
                else:
                    count = 0
                    self.printf(">> Recursing into %s ..." % fmt)
                    for root, _, files in os.walk(module.extractor.directory):
                        # sort both descending alphabetical and increasing length
                        files.sort()
                        files.sort(key=len)

                        # handle case where original file name is restored; put it to front of queue
                        if desc and "original file name:" in desc:
                            orig = None
                            for stmt in desc.split(","):
                                if "original file name:" in stmt:
                                    orig = stmt.split("\"")[1]
                            if orig and orig in files:
                                files.remove(orig)
                                files.insert(0, orig)

                        for filename in files:
                            if count > ExtractionItem.RECURSION_BREADTH:
                                self.printf(
                                    ">> Skipping: recursion breadth %d" %
                                    ExtractionItem.RECURSION_BREADTH)
                                self.terminate = True
                                return True
                            else:
                                new_item = ExtractionItem(
                                    self.extractor,
                                    os.path.join(root,
                                                 filename), self.depth + 1)
                                if new_item.extract():
                                    # check that we are actually done before performing early termination. for example,
                                    # we might decide to skip on one subitem, but we still haven't finished
                                    if self.update_status():
                                        return True
                            count += 1
        return False
M.addVendor(vendor)

#---------------------------------------------------------------------------------------------------

import sys
import binwalk

M.commit()

for z in firmwares:
    path = z.split('/')[-1]
    dev = path.split('_')[0]
    print dev
    M.addDevice(dev, 1)
    M.commit()
        
    for module in binwalk.scan(z, matryoshka=True, signature=True, extract=True, quiet=True, directory='extracted'):
        for result in module.results:
            if module.extractor.output.has_key(result.file.path):
                if module.extractor.output[result.file.path].carved.has_key(result.offset):
                    pass
                if module.extractor.output[result.file.path].extracted.has_key(result.offset):
                    pass

    M.commit()
    print ("%s extracted" % z)

M.commit()
M.close()
 def scan(self):
     for module_object in binwalk.scan(self.firmware_path, quiet=True):
         print("%s Module Results:" % module_object.name)
         for result in module_object.results:
             print("0x%.8X    %s" % (result.offset, result.description))
Exemple #27
0
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
# IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

import sys

try:
    import binwalk
except ImportError:
    exit(-1)

filepath = sys.argv[1]
offset = int(sys.argv[2])
for module in binwalk.scan(sys.argv[1],
                           signature=True,
                           quiet=True,
                           string=False):
    for result in module.results:
        print("Offset: 0x%x\t%s" %
              (offset + result.offset, result.description))
Exemple #28
0
    def test_output(self, thing):
        """
            Args:
                thing (bytes): Renerally from the dump functions
                    ex: thing = b'\x01\x02\x03'

            Returns:
                Nothing. Move output into keep directory if it's worth-while    

            
            Test if output is worth keeping. If it is, move it into the results directory.
            Initially, this is using the Unix file command on the output and checking for non "Data" returns
            """

        assert type(
            thing
        ) == bytes, 'test_output got unexpected thing type of {}'.format(
            type(thing))

        # TODO: Test new logic...
        # TODO: Iterate through binary offset to find buried data

        #
        # File magic test
        #

        m = magic.from_buffer(thing, mime=True)

        # Generic Output
        if m != 'application/octet-stream':
            m = magic.from_buffer(thing, mime=False)
            print("Found something worth keeping!\n{0}".format(m))
            # Save it to disk
            # TODO: Minor race condition here if we end up multi-processing
            with open(os.path.join(self._keeper_directory, str(time.time())),
                      "wb") as f:
                f.write(thing)

        #
        # binwalk test
        #

        # TODO: Update this to in-memory scanning if binwalk updates their stuff: https://github.com/ReFirmLabs/binwalk/issues/389
        with tempfile.TemporaryDirectory() as tmpdirname:
            tmp_scan_file = os.path.join(tmpdirname, 'scanme')

            # Couldn't find a good 'output directory' option for binwalk. Changing dirs because of this.
            saved_dir = os.getcwd()
            os.chdir(tmpdirname)

            with open(tmp_scan_file, 'wb') as f:
                f.write(thing)

            table = PrettyTable(
                ['Offset', 'Carved/Extracted', 'Description', 'File Name'])
            table.align = 'l'
            keepers = []

            # Run the scan
            for module in binwalk.scan(tmp_scan_file,
                                       signature=True,
                                       quiet=True,
                                       extract=True):
                for result in module.results:
                    if result.file.path in module.extractor.output:
                        if result.offset in module.extractor.output[
                                result.file.path].carved:
                            table.add_row([
                                hex(result.offset), 'Carved',
                                result.description,
                                os.path.basename(module.extractor.output[
                                    result.file.path].carved[result.offset])
                            ])
                            keepers.append(module.extractor.output[
                                result.file.path].carved[result.offset])
                            #print("Carved data from offset 0x%X to %s" % (result.offset, module.extractor.output[result.file.path].carved[result.offset]))
                        if result.offset in module.extractor.output[
                                result.file.path].extracted:
                            table.add_row([
                                hex(result.offset), 'Extracted',
                                result.description,
                                os.path.basename(
                                    module.extractor.output[result.file.path].
                                    extracted[result.offset].files[0])
                            ])
                            keepers += module.extractor.output[
                                result.file.path].extracted[
                                    result.offset].files
                            #print("Extracted %d files from offset 0x%X to '%s' using '%s'" % (len(module.extractor.output[result.file.path].extracted[result.offset].files), result.offset, module.extractor.output[result.file.path].extracted[result.offset].files[0], module.extractor.output[result.file.path].extracted[result.offset].command))

            # If we found something
            if keepers != []:
                print(table)

                for keeper in keepers:
                    keeper_dst = os.path.join(self._keeper_directory,
                                              os.path.basename(keeper))

                    if os.path.exists(keeper_dst):
                        logger.warn('Keeper name already exists, modifying.')
                        keeper_dst += '_' + hashlib.md5(
                            str(random.random()).encode()).hexdigest()

                    shutil.move(keeper, keeper_dst)

            os.chdir(saved_dir)
# -*- coding:utf-8 -*-
# author: pcat
# http://pcat.cnblogs.com

import sys
import binwalk

if __name__ == "__main__":
    lst = sys.argv
    if len(lst) < 2:
        print("No files.")
        exit()
    try:
        if lst[1][0] == '-':
            binwalk.scan(*lst[2:], signature=lst[1])
        elif lst[1][0] != '-':
            binwalk.scan(*lst[1:], signature=True)
    except:
        pass
Exemple #30
0
 def signature_scan(self, arg):
     binwalk.scan(idc.GetIdbPath(), signature=True)
    def _check_recursive(self, fmt):
        """
        Unified implementation for checking both "archive" and "compressed"
        items.
        """
        desc = None
        # perform extraction
        for module in binwalk.scan(self.item, "-e", "-r", "-y", fmt,
                                   signature=True, quiet=True):
            for entry in module.results:
                # skip cpio/initrd files since they should be included with
                # kernel
                # if "cpio archive" in entry.description:
                #     self.printf(">> Skipping: cpio: %s" % entry.description)
                #     self.terminate = True
                #     return True
                desc = entry.description
                self.printf(">>>> %s" % entry.description)
                break

            if module.extractor.directory:
                unix = Extractor.io_find_rootfs(module.extractor.directory)

                # check for extracted filesystem, otherwise update queue
                if unix[0]:
                    self.printf(">>>> Found Linux filesystem in %s!" % unix[1])
                    if self.output:
                        shutil.make_archive(self.output, "gztar",
                                            root_dir=unix[1])
                    else:
                        self.extractor.do_rootfs = False
                    return True
                else:
                    count = 0
                    self.printf(">> Recursing into %s ..." % fmt)
                    for root, _, files in os.walk(module.extractor.directory):
                        # sort both descending alphabetical and increasing
                        # length
                        files.sort()
                        files.sort(key=len)

                        # handle case where original file name is restored; put
                        # it to front of queue
                        if desc and "original file name:" in desc:
                            orig = None
                            for stmt in desc.split(","):
                                if "original file name:" in stmt:
                                    orig = stmt.split("\"")[1]
                            if orig and orig in files:
                                files.remove(orig)
                                files.insert(0, orig)

                        for filename in files:
                            if count > ExtractionItem.RECURSION_BREADTH:
                                self.printf(">> Skipping: recursion breadth %d"\
                                    % ExtractionItem.RECURSION_BREADTH)
                                self.terminate = True
                                return True
                            else:
                                new_item = ExtractionItem(self.extractor,
                                                          os.path.join(root,
                                                                       filename),
                                                          self.depth + 1,
                                                          self.tag)
                                if new_item.extract():
                                    # check that we are actually done before
                                    # performing early termination. for example,
                                    # we might decide to skip on one subitem,
                                    # but we still haven't finished
                                    if self.update_status():
                                        return True
                            count += 1
        return False
    def _check_firmware(self):
        """
        If this file is of a known firmware type, directly attempt to extract
        the kernel and root filesystem.
        """
        for module in binwalk.scan(self.item, "-y", "header", signature=True,
                                   quiet=True):
            for entry in module.results:
                # uImage
                if "uImage header" in entry.description:
                    if not self.get_kernel_status() and \
                        "OS Kernel Image" in entry.description:
                        kernel_offset = entry.offset + 64
                        kernel_size = 0

                        for stmt in entry.description.split(','):
                            if "image size:" in stmt:
                                kernel_size = int(''.join(
                                    i for i in stmt if i.isdigit()), 10)

                        if kernel_size != 0 and kernel_offset + kernel_size \
                            <= os.path.getsize(self.item):
                            self.printf(">>>> %s" % entry.description)

                            tmp_fd, tmp_path = tempfile.mkstemp(dir=self.temp)
                            os.close(tmp_fd)
                            Extractor.io_dd(self.item, kernel_offset,
                                            kernel_size, tmp_path)
                            kernel = ExtractionItem(self.extractor, tmp_path,
                                                    self.depth, self.tag)

                            return kernel.extract()
                    # elif "RAMDisk Image" in entry.description:
                    #     self.printf(">>>> %s" % entry.description)
                    #     self.printf(">>>> Skipping: RAMDisk / initrd")
                    #     self.terminate = True
                    #     return True

                # TP-Link or TRX
                elif not self.get_kernel_status() and \
                    not self.get_rootfs_status() and \
                    "rootfs offset: " in entry.description and \
                    "kernel offset: " in entry.description:
                    kernel_offset = 0
                    kernel_size = 0
                    rootfs_offset = 0
                    rootfs_size = 0

                    for stmt in entry.description.split(','):
                        if "kernel offset:" in stmt:
                            kernel_offset = int(stmt.split(':')[1], 16)
                        elif "kernel length:" in stmt:
                            kernel_size = int(stmt.split(':')[1], 16)
                        elif "rootfs offset:" in stmt:
                            rootfs_offset = int(stmt.split(':')[1], 16)
                        elif "rootfs length:" in stmt:
                            rootfs_size = int(stmt.split(':')[1], 16)

                    # compute sizes if only offsets provided
                    if kernel_offset != rootfs_size and kernel_size == 0 and \
                        rootfs_size == 0:
                        kernel_size = rootfs_offset - kernel_offset
                        rootfs_size = os.path.getsize(self.item) - rootfs_offset

                    # ensure that computed values are sensible
                    if (kernel_size > 0 and kernel_offset + kernel_size \
                        <= os.path.getsize(self.item)) and \
                        (rootfs_size != 0 and rootfs_offset + rootfs_size \
                            <= os.path.getsize(self.item)):
                        self.printf(">>>> %s" % entry.description)

                        tmp_fd, tmp_path = tempfile.mkstemp(dir=self.temp)
                        os.close(tmp_fd)
                        Extractor.io_dd(self.item, kernel_offset, kernel_size,
                                        tmp_path)
                        kernel = ExtractionItem(self.extractor, tmp_path,
                                                self.depth, self.tag)
                        kernel.extract()

                        tmp_fd, tmp_path = tempfile.mkstemp(dir=self.temp)
                        os.close(tmp_fd)
                        Extractor.io_dd(self.item, rootfs_offset, rootfs_size,
                                        tmp_path)
                        rootfs = ExtractionItem(self.extractor, tmp_path,
                                                self.depth, self.tag)
                        rootfs.extract()

                        return self.update_status()
        return False
        if len(result) >= min:  # catch result at EOF
            yield result


## main part

# TODO parse args
if len(sys.argv) < 2:
    print("Things are missing. Usage: " + str(sys.argv[0]) + " <file>")
    exit(-1)

file = sys.argv[1]

file_type = magic.from_file(
    file, mime=True)  # equivalent to the 'file' command on Linux
embedded = binwalk.scan(file)  # binwalk scan
#TODO extract files ?
file_strings = list(strings(file))

# TODO print the results of basic scans

# TODO si image :
# TODO lancer exiftool
# TODO lancer PIT
# TODO lancer un LSB
# TODO lancer PVD
# TODO lancer Stegsolve

# TODO si wav :
# TODO ouvrir analyseur de spectre
Exemple #34
0
def binExtract(cible):  # {{{
    pwn.info("Extraction en cours de {}".format(cible))
    binwalk.scan(cible, signature=True, extract=True)
Exemple #35
0
def lsh_json(data):
    filename = data[0]
    meta = []
    print(filename)
    if not data[1] or data[1] == None:
        pass
    else:
        stuff = [d for d in data[1] if d['filename'] == os.path.basename(filename)]
        if stuff:
            if len(stuff) >= 1:
                stuff = stuff[0]
            [meta.extend([k,v]) for k,v in stuff.items()]
            [meta.extend([k,v]) for k,v in meta[3].items()]
            del meta[3]
            [meta.extend([k,v]) for k,v in meta[-1].items()]
            del meta[-3]
            [meta.extend([k,v]) for k,v in meta[-4].items()]
            del meta[-6]

    if os.path.getsize(filename) < 256:
        raise ValueError("{} must be at least 256 bytes".format(filename))

    if tarfile.is_tarfile(filename):
        with tarfile.open(filename, 'r') as tar:
            for member in tar.getmembers():
                if not member or member.size < 256:
                    continue
                try:
                    meta.append(tlsh.hash(tar.extractfile(member).read()))
                    if use_binwalk:
                        for module in binwalk.scan(tar.extractfile(member).read(), signature=True, quiet=True):
                            for result in module.results:
                                meta.append(str(result.file.path))
                                meta.append(str(result.offset))
                                meta.append(str(result.description))
                except:
                    continue
    elif zipfile.is_zipfile(filename):
        try:
            with zipfile.ZipFile(filename) as z:
                for member in z.infolist():
                    if not member or member.file_size < 256:
                        continue
                    try:
                        with z.read(member) as zipdata:
                            meta.append(tlsh.hash(zipdata))
                            if use_binwalk:
                                for module in binwalk.scan(zipdata):
                                    for result in module.results:
                                        meta.append(str(result.file.path))
                                        meta.append(str(result.offset))
                                        meta.append(str(result.description))
                    except:
                        continue
        except:
            pass

    if use_binwalk:
        for module in binwalk.scan(filename, signature=True, quiet=True):
            for result in module.results:
                meta.append(str(result.file.path))
                meta.append(str(result.offset))
                meta.append(str(result.description))

    file_hash = tlsh.hash(open(filename, 'rb').read())

    if not meta:
        return file_hash
    else:
        return tlsh.hash(str.encode(file_hash + ''.join(map(str, meta))))
Exemple #36
0
def binScan(cible):  # {{{
    pwn.info("Scan en cours de {}".format(cible))
    binwalk.scan(cible, signature=True, extract=False)
Exemple #37
0
    "#76C4FF",  # pastel darker blue
    "#76FF9F",  # pastel turquoise
    "#daff76",  # pastel green
    "#ffff76",  # pastel yellow
    "#ffcc76",  # pastel orange
    "#76FFFA",  # pastel blue
    "#EBA0FF",  # pastel purple
    "#ff7f76"
]  # pastel red

colours_len = len(note_colour)

# requires capstone, will probably hang or fail if it's not installed properly
if args.do_disasm:
    print("Using --disasm against the file")
    for disasms in binwalk.scan('--disasm', file):
        for result in disasms.results:
            if result.valid:
                if result.size == 0:
                    end_offset = result.offset + 4
                    size_note = "(binwalk api didn't return a size, defaulted to 4)"
                else:
                    end_offset = result.offset + result.size
                    size_note = "(binwalk api returned a size of " + str(
                        result.size) + ")"
                all_tags += single_tag_template.substitute(
                    tag_id=this_id,
                    tag_start_offset=result.offset,
                    tag_end_offset=end_offset,
                    tag_text=escape(
                        hex(result.offset) + ": " + result.description + " " +
#!/usr/bin/env python

import sys
import binwalk

try:
    # Perform a signature scan against the files specified on the command line
    # and suppress the usual binwalk output.
    for module in binwalk.scan(*sys.argv[1:], signature=True, quiet=True):
        print ("%s Results:" % module.name)

        for result in module.results:
            print ("\t%s    0x%.8X    %s [%s]" % (result.file.name,
                                                  result.offset,
                                                  result.description,
                                                  str(result.valid)))
except binwalk.ModuleException as e:
    pass
    def test_output(self, thing):
        """
        Args:
            thing (bytes): Renerally from the dump functions
                ex: thing = b'\x01\x02\x03'

        Returns:
            Nothing. Move output into keep directory if it's worth-while


        Test if output is worth keeping. If it is, move it into the results directory.
        Initially, this is using the Unix file command on the output and checking for non "Data" returns
        """

        assert type(
            thing
        ) == bytes, 'test_output got unexpected thing type of {}'.format(
            type(thing))

        # TODO: Test new logic...
        # TODO: Iterate through binary offset to find buried data

        #
        # File magic test
        #

        m = magic.from_buffer(thing, mime=True)

        # Generic Output
        if m != 'application/octet-stream':
            m = magic.from_buffer(thing, mime=False)
            print("Found something worth keeping!\n{0}".format(m))
            # Save it to disk
            with open(
                    os.path.join(self._keeper_directory,
                                 str(time.time()) + "-" + generate_nonce()),
                    "wb") as f:
                f.write(thing)

        #
        # binwalk test
        #

        # TODO: Update this to in-memory scanning if binwalk updates their stuff: https://github.com/ReFirmLabs/binwalk/issues/389
        with tempfile.TemporaryDirectory() as tmpdirname:
            tmp_scan_file = os.path.join(tmpdirname, 'scanme')

            # Couldn't find a good 'output directory' option for binwalk. Changing dirs because of this.
            saved_dir = os.getcwd()
            os.chdir(tmpdirname)

            with open(tmp_scan_file, 'wb') as f:
                f.write(thing)

            table = PrettyTable(
                ['Offset', 'Carved/Extracted', 'Description', 'File Name'])
            table.align = 'l'
            keepers = []

            # Run the scan
            for module in binwalk.scan(tmp_scan_file,
                                       signature=True,
                                       quiet=True,
                                       extract=True):
                for result in module.results:
                    if result.file.path in module.extractor.output:
                        if result.offset in module.extractor.output[
                                result.file.path].carved:
                            table.add_row([
                                hex(result.offset), 'Carved',
                                result.description,
                                os.path.basename(module.extractor.output[
                                    result.file.path].carved[result.offset])
                            ])
                            keepers.append(module.extractor.output[
                                result.file.path].carved[result.offset])
                            # print("Carved data from offset 0x%X to %s" % (result.offset, module.extractor.output[result.file.path].carved[result.offset]))
                        if result.offset in module.extractor.output[
                                result.file.path].extracted:
                            # print(result.offset, module.extractor.output[result.file.path].extracted)
                            table.add_row([
                                hex(result.offset), 'Extracted',
                                result.description,
                                os.path.basename(
                                    module.extractor.output[result.file.path].
                                    extracted[result.offset].files[0])
                            ])
                            keepers += module.extractor.output[
                                result.file.path].extracted[
                                    result.offset].files
                            # print("Extracted %d files from offset 0x%X to '%s' using '%s'" % (len(module.extractor.output[result.file.path].extracted[result.offset].files), result.offset, module.extractor.output[result.file.path].extracted[result.offset].files[0], module.extractor.output[result.file.path].extracted[result.offset].command))

            # If we found something
            if keepers != []:
                print(table)

                for keeper in keepers:
                    keeper_dst = os.path.join(self._keeper_directory,
                                              os.path.basename(keeper))

                    if os.path.exists(keeper_dst):
                        logger.warn('Keeper name already exists, modifying.')
                        keeper_dst += '_' + generate_nonce()

                    # When binwalk hits a gzip (and likely bz2/xz/etc), with the extract flag it will actually
                    # run the uncompressor on it, thus removing the original compressed file.
                    # This is a simple heuristic for this situation
                    if not os.path.isfile(keeper):

                        # If there is another file, just with the extention removed, let's assume this is the uncompressed version
                        keeper_minus_extension = ".".join(
                            keeper.split(".")[:-1])
                        if keeper_minus_extension in keepers:
                            # This is fine. We may be missing info unfortunately.
                            logger.warn(
                                "Looks like binwalk removed this file during extraction %s",
                                keeper)
                            continue

                        logger.warn("Couldn't find extracted file named %s",
                                    keeper)
                        continue

                    shutil.move(keeper, keeper_dst)

            os.chdir(saved_dir)