콘텐츠로 이동
1337skills 1337skills - 치트시트

Binwalk - 펌웨어 분석 도구

✅ 모든 binwalk 명령어가 클립보드에 복사되었습니다!

Binwalk는 펌웨어 이미지를 분석, 리버스 엔지니어링 및 추출하기 위해 설계된 강력한 펌웨어 분석 도구입니다. IoT 보안 연구, 임베디드 시스템 분석 및 디지털 포렌식에서 널리 사용되며, 파일 시그니처 식별, 임베디드 파일 추출 및 펌웨어 구조 분석에 활용됩니다.

기본 사용법

간단한 펌웨어 분석

# Basic signature scanning
binwalk firmware.bin
binwalk router_firmware.bin
binwalk iot_device.bin

# Analyze multiple files
binwalk *.bin
binwalk firmware1.bin firmware2.bin firmware3.bin

# Recursive directory scanning
binwalk -r /path/to/firmware/
binwalk -r ./firmware_samples/

상세 출력

# Verbose mode for detailed information
binwalk -v firmware.bin

# Quiet mode (minimal output)
binwalk -q firmware.bin

# Show only specific types
binwalk -B firmware.bin  # Show only file signatures
binwalk -E firmware.bin  # Show only entropy analysis

파일 시그니처 분석

시그니처 스캐닝

# Standard signature scanning
binwalk firmware.bin

# Detailed signature analysis
binwalk -B firmware.bin

# Show raw signature data
binwalk -R firmware.bin

# Architecture analysis
binwalk -A firmware.bin

# Compression analysis
binwalk -C firmware.bin

사용자 정의 시그니처

# Use custom signature file
binwalk -f custom_signatures.txt firmware.bin

# Use custom magic file
binwalk -m custom_magic firmware.bin

# Combine multiple signature sources
binwalk -f sig1.txt -f sig2.txt firmware.bin

파일 추출

기본 추출

# Extract all identified files
binwalk -e firmware.bin

# Extract with matryoshka (recursive extraction)
binwalk -Me firmware.bin

# Extract to specific directory
binwalk -e -C /tmp/extracted firmware.bin

# Preserve symbolic links during extraction
binwalk -e --preserve-symlinks firmware.bin

선택적 추출

# Extract specific file types
binwalk -D "jpeg image:jpg" firmware.bin
binwalk -D "zip archive:zip" firmware.bin
binwalk -D "gzip compressed:gz" firmware.bin

# Extract everything with dd
binwalk --dd=".*" firmware.bin

# Extract with custom rules
binwalk -D "filesystem:fs" firmware.bin

고급 추출 옵션

# Extract with size limits
binwalk -e -M 10000000 firmware.bin  # Max 10MB files

# Extract with depth limits
binwalk -e -d 3 firmware.bin  # Max depth of 3

# Extract with specific tools
binwalk -e --run-as=root firmware.bin

엔트로피 분석

기본 엔트로피 분석

# Generate entropy graph
binwalk -E firmware.bin

# Save entropy data to file
binwalk -E -J firmware.bin

# Entropy analysis with custom block size
binwalk -E -K 1024 firmware.bin

# Fast entropy analysis
binwalk -E -F firmware.bin

엔트로피 시각화

# Generate entropy plot
binwalk -E -N firmware.bin

# High-resolution entropy analysis
binwalk -E -H firmware.bin

# Entropy analysis with markers
binwalk -E -B firmware.bin

엔트로피 해석

# Analyze encryption/compression patterns
binwalk -E -v firmware.bin

# Compare entropy across files
binwalk -E firmware1.bin firmware2.bin

# Entropy analysis with offset
binwalk -E -O 0x1000 firmware.bin

오프셋 및 길이 제어

오프셋 작업

# Start analysis at specific offset
binwalk -O 0x1000 firmware.bin
binwalk -O 4096 firmware.bin

# Analyze specific length
binwalk -L 0x10000 firmware.bin
binwalk -L 65536 firmware.bin

# Combine offset and length
binwalk -O 0x1000 -L 0x5000 firmware.bin

16진수 및 10진수 오프셋

# Hexadecimal offsets
binwalk -O 0x8000 firmware.bin

# Decimal offsets
binwalk -O 32768 firmware.bin

# Large file analysis
binwalk -O 0x100000 -L 0x200000 firmware.bin

비교 및 차이 분석

파일 비교

# Compare two firmware files
binwalk -W firmware1.bin firmware2.bin

# Show differences only
binwalk -K firmware1.bin firmware2.bin

# Detailed comparison
binwalk -W -v firmware1.bin firmware2.bin

버전 분석

# Compare firmware versions
binwalk -W old_firmware.bin new_firmware.bin

# Identify changes between versions
binwalk -K -B old_fw.bin new_fw.bin

고급 분석 기능

디스어셈블리 및 코드 분석

# Disassemble executable code
binwalk -I firmware.bin

# Architecture-specific analysis
binwalk -A -v firmware.bin

# Show instruction opcodes
binwalk -x firmware.bin

파일시스템 분석

# Identify filesystem types
binwalk -y filesystem firmware.bin

# Extract filesystem structures
binwalk -e -y filesystem firmware.bin

# Analyze filesystem metadata
binwalk -y filesystem -v firmware.bin

압축 분석

# Analyze compression algorithms
binwalk -z firmware.bin

# Detailed compression information
binwalk -C -v firmware.bin

# Extract compressed data
binwalk -e -C firmware.bin

플러그인 시스템

플러그인 관리

# List available plugins
binwalk --list-plugins

# Use specific plugins
binwalk -% firmware.bin

# Plugin-specific analysis
binwalk --plugin=entropy firmware.bin

사용자 정의 플러그인

Would you like me to continue with the remaining sections?```bash

Load custom plugin

binwalk —plugin-path=/path/to/plugins firmware.bin

Multiple plugins

binwalk —plugin=plugin1 —plugin=plugin2 firmware.bin


## Output and Logging

### Output Control
```bash
# Save output to file
binwalk firmware.bin > analysis.txt

# Specify output directory
binwalk -o /tmp/binwalk_output firmware.bin

# Log to specific file
binwalk --log=analysis.log firmware.bin

# CSV output format
binwalk --csv firmware.bin

Formatting Options

# JSON output
binwalk --json firmware.bin

# Detailed verbose output
binwalk -v -B -E firmware.bin

# Minimal output
binwalk -q -B firmware.bin

Practical Analysis Workflows

Router Firmware Analysis

# Complete router firmware analysis
binwalk -Me router_firmware.bin

# Extract filesystem
binwalk -e router_firmware.bin
cd _router_firmware.bin.extracted/

# Analyze extracted files
find . -name "*.bin" -exec binwalk \\\\{\\\\} \;

# Look for configuration files
find . -name "*.conf" -o -name "*.cfg"

IoT Device Analysis

# IoT firmware analysis workflow
binwalk -E iot_firmware.bin  # Check entropy
binwalk -B iot_firmware.bin  # Identify signatures
binwalk -Me iot_firmware.bin # Extract everything

# Analyze extracted content
cd _iot_firmware.bin.extracted/
ls -la
file *

# Look for interesting files
find . -name "*.key" -o -name "*.pem" -o -name "passwd"

Embedded System Analysis

# Embedded system firmware analysis
binwalk -A embedded_fw.bin  # Architecture analysis
binwalk -I embedded_fw.bin  # Instruction analysis
binwalk -e embedded_fw.bin  # Extract files

# Analyze bootloader
binwalk -O 0x0 -L 0x10000 embedded_fw.bin

# Analyze main firmware
binwalk -O 0x10000 embedded_fw.bin

Forensics and Security Analysis

Malware Analysis

# Analyze suspicious firmware
binwalk -E suspicious_firmware.bin  # Check for encryption
binwalk -B suspicious_firmware.bin  # Identify file types
binwalk -Me suspicious_firmware.bin # Extract all files

# Look for embedded executables
find _suspicious_firmware.bin.extracted/ -type f -executable

# Analyze entropy patterns
binwalk -E -N suspicious_firmware.bin

Backdoor Detection

# Look for hidden files
binwalk -R firmware.bin

# Entropy analysis for hidden data
binwalk -E -v firmware.bin

# Extract and analyze all components
binwalk -Me firmware.bin
grep -r "backdoor\|debug\|telnet" _firmware.bin.extracted/

Cryptographic Analysis

# Identify encrypted sections
binwalk -E firmware.bin

# Look for cryptographic signatures
binwalk -B firmware.bin|grep -i "crypt\|key\|cert"

# Extract potential key material
binwalk -D "private key:key" firmware.bin

Integration with Other Tools

Combining with Hexdump

# Analyze specific offsets found by binwalk
binwalk firmware.bin|grep "JFFS2"
hexdump -C -s 0x40000 -n 512 firmware.bin

Using with Strings

# Extract strings from identified sections
binwalk -e firmware.bin
strings _firmware.bin.extracted/*|grep -i "password\|key\|admin"

Integration with File Command

# Verify binwalk findings
binwalk -e firmware.bin
cd _firmware.bin.extracted/
for f in *; do echo "=== $f ==="; file "$f"; done

Automation and Scripting

Batch Analysis Script

#!/bin/bash
# Automated firmware analysis script

FIRMWARE_DIR="$1"
OUTPUT_DIR="analysis_results_$(date +%Y%m%d_%H%M%S)"

mkdir -p "$OUTPUT_DIR"

for firmware in "$FIRMWARE_DIR"/*.bin; do
    echo "Analyzing: $firmware"
    base_name=$(basename "$firmware" .bin)

    # Basic analysis
    binwalk "$firmware" > "$OUTPUT_DIR/$\\\\{base_name\\\\}_analysis.txt"

    # Entropy analysis
    binwalk -E "$firmware" > "$OUTPUT_DIR/$\\\\{base_name\\\\}_entropy.txt"

    # Extract files
    binwalk -Me "$firmware" -C "$OUTPUT_DIR"

    echo "Completed: $firmware"
done

echo "Analysis completed. Results in $OUTPUT_DIR"

Continuous Monitoring

#!/bin/bash
# Monitor directory for new firmware files

WATCH_DIR="/path/to/firmware/uploads"
ANALYSIS_DIR="/path/to/analysis/results"

inotifywait -m -e create "$WATCH_DIR" --format '%f'|while read filename; do
    if [[ "$filename" == *.bin ]]; then
        echo "New firmware detected: $filename"

        # Wait for file to be completely uploaded
        sleep 5

        # Analyze the firmware
        binwalk -Me "$WATCH_DIR/$filename" -C "$ANALYSIS_DIR"

        # Generate report
        binwalk "$WATCH_DIR/$filename" > "$ANALYSIS_DIR/$\\\\{filename\\\\}_report.txt"

        echo "Analysis completed for: $filename"
    fi
done

Performance Optimization

Large File Handling

# Analyze large firmware files efficiently
binwalk -q -B large_firmware.bin

# Use specific offsets for large files
binwalk -O 0x100000 -L 0x100000 large_firmware.bin

# Parallel analysis of multiple files
parallel binwalk \\\\{\\\\} ::: *.bin

Memory Management

# Limit memory usage for large extractions
binwalk -e -M 100000000 firmware.bin  # Limit to 100MB

# Process files in chunks
split -b 50M large_firmware.bin chunk_
for chunk in chunk_*; do binwalk "$chunk"; done

Troubleshooting Common Issues

Extraction Problems

# Debug extraction issues
binwalk -e -v firmware.bin

# Force extraction with dd
binwalk --dd=".*" firmware.bin

# Check extraction dependencies
binwalk --list-plugins

Signature Recognition Issues

# Update signature database
binwalk --update

# Use verbose mode for debugging
binwalk -v -B firmware.bin

# Try different signature files
binwalk -f /usr/share/binwalk/magic/* firmware.bin

Performance Issues

# Use faster analysis options
binwalk -q -B firmware.bin

# Skip entropy analysis for speed
binwalk -B firmware.bin

# Analyze specific sections only
binwalk -O 0x10000 -L 0x50000 firmware.bin

Security Considerations

Safe Analysis Environment

# Analyze in isolated environment
docker run -v $(pwd):/data -it binwalk_container binwalk /data/firmware.bin

# Use virtual machine for analysis
# Always analyze suspicious firmware in isolated environment

Handling Malicious Firmware

# Analyze without extraction (safer)
binwalk -B suspicious_firmware.bin

# Limited extraction
binwalk -e -d 1 suspicious_firmware.bin

# Monitor system during analysis
# Use process monitoring tools

고급 사용 사례

펌웨어 수정 탐지

# Compare original and modified firmware
binwalk -W original_firmware.bin modified_firmware.bin

# Identify injection points
binwalk -K original_firmware.bin modified_firmware.bin

# Analyze differences
binwalk -e original_firmware.bin
binwalk -e modified_firmware.bin
diff -r _original_firmware.bin.extracted/ _modified_firmware.bin.extracted/

공급망 분석

# Analyze firmware from different vendors
for vendor_fw in vendor_*.bin; do
    echo "=== Analyzing $vendor_fw ==="
    binwalk -B "$vendor_fw"
    echo
done

# Compare firmware versions
binwalk -W firmware_v1.bin firmware_v2.bin

연구 및 개발

# Extract and analyze bootloaders
binwalk -O 0x0 -L 0x10000 firmware.bin

# Analyze update mechanisms
binwalk -B firmware.bin|grep -i "update\|upgrade"

# Study compression algorithms
binwalk -C -v firmware.bin

모범 사례

분석 방법론