How to use the command "binwalk" (with examples)

Binwalk is a firmware analysis tool that scans binary files for embedded files and executable code: it matches a library of file-type signatures against every offset of the input, can carve out and unpack what it finds, and can measure entropy to locate compressed or encrypted regions. This article illustrates common uses of the “binwalk” command. The flags shown are those of binwalk 2.x; later major versions changed several command-line options, so check `binwalk --help` on your installation.

Use case 1: Scan a binary file

Code:

binwalk path/to/binary

Motivation: A plain scan is the first step with any unknown blob. Binwalk walks the whole file and prints every offset at which a known signature (file header, filesystem magic, compression stream) matches, so you can see what a firmware image or other binary is built from before extracting anything; with no module flags this is the same as --signature (-B). Signature matching is a heuristic: short or loose signatures misfire, and hits like the "MySQL ISAM compressed data file" line in the output below are well-known false positives, so treat each line as a lead to verify rather than a conclusion.

Explanation:

  • binwalk - the command to invoke the Binwalk tool.
  • path/to/binary - the path to the binary file to be scanned.

Example output:

DECIMAL       HEXADECIMAL     DESCRIPTION
----------------------------------------------------------------------------------------------
0             0x0             ELF 64-bit LSB shared object, x86-64, version 1 (SYSV)
3032          0xBD8           MySQL ISAM compressed data file Version 7
5645          0x160D          XML document, version: "1.0"

Use case 2: Extract files from a binary, specifying the output directory

Code:

binwalk --extract --directory output_directory path/to/binary

Motivation: Sometimes, it’s necessary to extract embedded files from a binary for further analysis. By specifying the output directory, users can easily organize extracted files.

Explanation:

  • --extract (short form -e) - carve each recognised embedded file and, where binwalk has an extraction rule for the type (gzip, LZMA, SquashFS, tar, zip and others), also unpack it with the matching external tool.
  • --directory output_directory (short form -C) - the directory under which results are written; binwalk creates a subdirectory named _<binary>.extracted inside it (binwalk 2.x naming), and each carved file is named by the hexadecimal offset at which it was found plus the extension from the extraction rule.
  • path/to/binary - the path to the binary file from which files will be extracted.

Example output:

output_directory/
└── _binary.extracted/
    ├── 40.squashfs
    └── squashfs-root/

Use case 3: Recursively extract files from a binary limiting the recursion depth to 2

Code:

binwalk --extract --matryoshka --depth 2 path/to/binary

Motivation: Extracted files are frequently containers themselves: an LZMA-compressed kernel image holding an initramfs, a tar inside a gzip, a SquashFS behind a vendor header. With --matryoshka, binwalk rescans every file it extracts and extracts again, and --depth bounds how many levels deep that goes (binwalk 2.x defaults to 8), which keeps runaway recursion on false-positive hits or on large filesystems in check.

Explanation:

  • --matryoshka (short form -M) - rescan each extracted file and extract from it in turn; every level gets its own _<file>.extracted directory next to the file it came from.
  • --depth 2 (short form -d) - limits recursion to two levels of extraction, so files produced at the second level are not themselves rescanned.
  • path/to/binary - the path to the binary file from which files will be recursively extracted.

Example output:

_binary.extracted/
├── 30.7z
├── 30
└── _30.extracted/
    ├── 40.squashfs
    └── squashfs-root/
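The two use cases above (extraction into a chosen directory, and recursive extraction with a depth limit) are modelled below in an added example that is not binwalk's code. It handles one container type, gzip, so the carve-and-recurse logic stays visible; the _<name>.extracted/<HEXOFFSET> naming follows binwalk 2.x's convention, the carve-to-end-of-file fallback for a stream whose size cannot be determined mirrors binwalk's behaviour, and the nested sample image is constructed inside the script.

```python
"""Carve gzip members and recurse into what they contain, a small-scale
model of `binwalk --extract --directory DIR --matryoshka --depth N`.

Added example, not binwalk's code.  Only one container type (gzip) is handled
so the recursion stays visible.  The _<name>.extracted/<HEXOFFSET> naming
follows binwalk 2.x's convention; the nested sample image is constructed here.
"""
import gzip
import os
import tempfile
import zlib
from typing import List

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1 ID2 CM=deflate


def find_gzip(data: bytes) -> List[int]:
    """Offsets of plausible gzip members (reserved FLG bits must be clear)."""
    offs, pos = [], data.find(GZIP_MAGIC)
    while pos != -1:
        if pos + 4 <= len(data) and (data[pos + 3] & 0xE0) == 0:
            offs.append(pos)
        pos = data.find(GZIP_MAGIC, pos + 1)
    return offs


def extract(path: str, out_dir: str, depth: int, _level: int = 1) -> List[str]:
    """Carve every gzip member of `path` into out_dir/_<basename>.extracted/.

    A member is saved as <HEX>.gz and, if it inflates, also as <HEX>; inflated
    output is itself scanned and extracted while _level < depth.  Returns the
    paths written, in creation order.
    """
    with open(path, "rb") as f:
        data = f.read()
    target = os.path.join(out_dir, f"_{os.path.basename(path)}.extracted")
    written: List[str] = []
    skip_until = 0
    for off in find_gzip(data):
        if off < skip_until:
            continue                     # inside a member already carved
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip framing
        try:
            plain = d.decompress(data[off:])
        except zlib.error:
            plain = None
        if plain is None or not d.eof:
            plain, end = None, len(data)                # size unknown: carve to EOF, like binwalk
        else:
            end = len(data) - len(d.unused_data)        # exact member length
        os.makedirs(target, exist_ok=True)
        stem = os.path.join(target, format(off, "X"))
        with open(stem + ".gz", "wb") as f:
            f.write(data[off:end])
        written.append(stem + ".gz")
        if plain is None:
            continue                     # false positive or truncated: keep the carve only
        skip_until = end
        with open(stem, "wb") as f:
            f.write(plain)
        written.append(stem)
        if _level < depth:
            written += extract(stem, target, depth, _level + 1)
    return written


def build_nested_sample(path: str) -> None:
    """Constructed image: vendor-style header, gzip(payload that holds another gzip), padding."""
    inner = gzip.compress(b"innermost config: admin=1\n", mtime=0)
    middle = b"\x00" * 16 + inner + b"\xff" * 8
    outer = gzip.compress(middle, mtime=0)
    with open(path, "wb") as f:
        f.write(b"FWHDR\x00\x01\x00" + b"\x00" * 24 + outer + b"\x00" * 32)


def run_demo(depth: int) -> List[str]:
    """Build the sample in a temp dir, extract to `depth`, return sorted relative paths."""
    work = tempfile.mkdtemp()
    img = os.path.join(work, "firmware.bin")
    build_nested_sample(img)
    out = os.path.join(work, "out")
    return sorted(os.path.relpath(p, out).replace(os.sep, "/")
                  for p in extract(img, out, depth))


if __name__ == "__main__":
    for depth in (1, 2):
        print(f"--depth {depth}:")
        for rel in run_demo(depth):
            print("   ", rel)
```

With depth 1 only the outer stream at 0x20 is carved and inflated; with depth 2 the inflated file "20" is scanned again and the inner stream at 0x10 lands in _20.extracted/. Tracking where a successfully inflated member ends (skip_until) is what stops the scanner from re-carving magic bytes that merely occur inside compressed data.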

Use case 4: Extract files from a binary with the specified file signature

Code:

binwalk --dd 'png image:png' path/to/binary

Motivation: By default binwalk only carves the types its built-in extraction rules cover. --dd supplies your own rule, so you can carve a type that has no default rule (PNG images here) or restrict extraction to a single type instead of everything the scan finds.

Explanation:

  • --dd 'png image:png' - an extraction rule of the form type:ext[:cmd]. type is a regular expression matched against the lower-cased signature description (here "png image" matches "PNG image, 800 x 600, ..."), ext is the extension given to the carved file, and an optional third field is a command to run on the carved file, with %e standing for its name (for example 'png image:png:file %e'). Carving starts at the match offset and, when the signature does not report a size, runs to the end of the input, so the carved file may carry trailing data.
  • path/to/binary - the path to the binary file from which files will be extracted. The scan table still lists every signature hit; --dd only decides which of them get carved.

Example output:

0             0x0             PNG image, 800 x 600, 8-bit/color RGBA, non-interlaced

Use case 5: Analyze the entropy of a binary, saving the plot with the same name as the binary and .png extension appended

Code:

binwalk --entropy --save path/to/binary

Motivation: Binwalk reports entropy normalised to the range 0 to 1 (Shannon entropy in bits per byte divided by 8) over fixed-size blocks. Regions near 1.0 are compressed or encrypted; the difference is that compressed data normally starts with a recognisable header that the signature scan finds, whereas a high-entropy region with no signature hits anywhere inside it points to encryption (or a format binwalk does not know). Saving the plot to a file keeps the analysis scriptable and gives you an artefact to attach to a report.

Explanation:

  • --entropy (short form -E) - compute block-wise entropy and print the offsets where it rises above or falls below binwalk's thresholds; without --save it also opens an interactive plot window.
  • --save (short form -J) - write the plot to a file instead of displaying it; the file is named after the input with .png appended. Plotting needs binwalk's optional graphing dependency, which not every package install includes.
  • path/to/binary - the path to the binary file to be analyzed.

Example output:

DECIMAL       HEXADECIMAL     ENTROPY
----------------------------------------------------------------------------------------------
1024          0x400           Rising entropy edge (0.953712)
65536         0x10000         Falling entropy edge (0.318462)

The plot itself is written to binary.png (the input's name with .png appended).
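The computation behind that table, as an added example rather than binwalk's code: block-wise normalised Shannon entropy with two-threshold edge detection. The block size and the 0.85/0.40 thresholds are this example's own choices (binwalk's internal values may differ), the plotting step is omitted so the script runs without a graphing library, and the sample image is constructed inline.

```python
"""Block-wise entropy profile like `binwalk --entropy`, in plain Python.

Added example, not binwalk's code.  binwalk reports entropy normalised to 0..1
(Shannon bits per byte divided by 8) over fixed-size blocks and prints the
offsets where it rises above or drops below a threshold.  The block size and
the edge thresholds below are this example's own choices, and the plotting step
is left out so the script runs without a graphing library; the sample image is
constructed here.
"""
import math
import random
from collections import Counter
from typing import List, Tuple


def block_entropy(block: bytes) -> float:
    """Normalised Shannon entropy of one block: 0.0 (constant) .. 1.0 (uniform)."""
    if not block:
        return 0.0
    n = len(block)
    bits = -sum((c / n) * math.log2(c / n) for c in Counter(block).values())
    return bits / 8.0


def entropy_profile(data: bytes, block_size: int = 1024) -> List[Tuple[int, float]]:
    """(offset, entropy) for every block_size-byte block of data."""
    return [(off, block_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def entropy_edges(profile: List[Tuple[int, float]],
                  high: float = 0.85, low: float = 0.40) -> List[Tuple[int, str]]:
    """Offsets where the profile enters (rising) or leaves (falling) a high-entropy run.

    Two thresholds give hysteresis, so a single noisy block does not toggle the state.
    """
    edges, in_high = [], False
    for off, e in profile:
        if not in_high and e >= high:
            edges.append((off, f"Rising entropy edge ({e:.6f})"))
            in_high = True
        elif in_high and e <= low:
            edges.append((off, f"Falling entropy edge ({e:.6f})"))
            in_high = False
    return edges


def format_edges(edges: List[Tuple[int, str]]) -> str:
    """Render edges in binwalk's DECIMAL / HEXADECIMAL / ENTROPY layout."""
    lines = ["DECIMAL       HEXADECIMAL     ENTROPY", "-" * 94]
    lines += [f"{off:<13d} {'0x' + format(off, 'X'):<15} {desc}" for off, desc in edges]
    return "\n".join(lines)


def build_sample(seed: int = 7) -> bytes:
    """Constructed image: 4 KiB of boot-log text, 8 KiB of seeded pseudo-random
    bytes standing in for an encrypted or compressed region, 4 KiB of zero padding."""
    rng = random.Random(seed)
    text = (b"boot: loading kernel from flash partition 2\n" * 100)[:4096]
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    return text + noise + b"\x00" * 4096


if __name__ == "__main__":
    profile = entropy_profile(build_sample())
    print(format_edges(entropy_edges(profile)))
    # A flat run near 1.0 with no signature hits inside it is the classic
    # sign of encryption; compressed data usually has a findable header.
```

The text region sits around 0.5, well under the rising threshold, so the only edges reported are where the pseudo-random region begins (0x1000) and where the zero padding starts (0x3000); the hysteresis between the two thresholds is what keeps a lone odd block from producing a pair of spurious edges.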

Use case 6: Combine entropy, signature, and opcodes analysis in a single command

Code:

binwalk --entropy --signature --opcodes path/to/binary

Motivation: Running several modules in one invocation gives a single pass over the file with everything needed to orient yourself: the signature table says what is in the image, the entropy edges say which regions are compressed or encrypted (and therefore where signature hits are unlikely), and the opcode table says what CPU architecture and byte order the raw code sections use, which is what you need before loading anything into a disassembler.

Explanation:

  • --entropy (short form -E) - flag to enable entropy analysis.
  • --signature (short form -B) - flag to enable signature scanning. It is the default when no module is selected, but has to be named explicitly once --entropy or --opcodes is present, otherwise only those modules run.
  • --opcodes (short form -A) - scan for architecture-specific instruction sequences (function prologues and epilogues for MIPS, ARM, PowerPC and other embedded architectures) to identify the CPU and endianness of raw code.
  • path/to/binary - the path to the binary file to be analyzed.

Example output (illustrative; each module prints its own table, in the order given on the command line):

DECIMAL       HEXADECIMAL     ENTROPY
----------------------------------------------------------------------------------------------
1024          0x400           Rising entropy edge (0.953712)
3072          0xC00           Falling entropy edge (0.318462)

DECIMAL       HEXADECIMAL     DESCRIPTION
----------------------------------------------------------------------------------------------
0             0x0             ELF 64-bit LSB shared object, x86-64, version 1 (SYSV)
3032          0xBD8           MySQL ISAM compressed data file Version 7
5645          0x160D          XML document, version: "1.0"

The opcode table uses the same DECIMAL / HEXADECIMAL / DESCRIPTION layout and lists offsets where one of binwalk's instruction patterns matched, with descriptions such as "MIPS instructions, function epilogue". Those patterns target embedded architectures, so on an x86-64 ELF like this one the table is usually empty or holds only scattered spurious hits; on a raw flash dump it is the quickest way to learn which architecture and endianness to give your disassembler.
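What the opcode module is doing underneath, as an added example that is not binwalk's code (binwalk ships its own opcode signature set): two standard instruction encodings are checked at every byte offset in both byte orders and the hits are tallied to guess the architecture. The MIPS epilogue (jr $ra = 0x03E00008, then addiu $sp,$sp,imm = 0x27BDxxxx) and ARM prologue (stmfd sp!, {..., lr} = 0xE92D4xxx) encodings are real; the pattern descriptions and the sample code blob are this example's own.

```python
"""Architecture guessing from instruction patterns, in the spirit of
`binwalk --opcodes` (-A).

Added example, not binwalk's code: binwalk ships its own opcode signature set.
The two patterns here are standard encodings chosen for this example: a MIPS
function epilogue (jr $ra = 0x03E00008 followed by addiu $sp,$sp,imm =
0x27BDxxxx) and an ARM function prologue (push {..., lr}, i.e. stmfd sp!,
{..., lr} = 0xE92D4xxx), each tried in both byte orders.  The sample code blob
is constructed from those encodings.
"""
import struct
from collections import Counter
from typing import Callable, List, Optional, Tuple


def _mips_epilogue(w0: int, w1: int) -> bool:
    return w0 == 0x03E00008 and (w1 >> 16) == 0x27BD


def _arm_prologue(w0: int, w1: int) -> bool:
    # cond=AL, STMDB sp!, {reglist} with bit 14 (lr) set; the second word is not needed.
    return (w0 & 0xFFFF4000) == 0xE92D4000


# (description, struct format for two consecutive 32-bit words, predicate)
PATTERNS: List[Tuple[str, str, Callable[[int, int], bool]]] = [
    ("MIPS instructions, function epilogue", ">II", _mips_epilogue),
    ("MIPSEL instructions, function epilogue", "<II", _mips_epilogue),
    ("ARMEB instructions, function prologue", ">II", _arm_prologue),
    ("ARM instructions, function prologue", "<II", _arm_prologue),
]


def scan_opcodes(data: bytes) -> List[Tuple[int, str]]:
    """Try every byte offset (raw code need not be aligned in a flash dump)."""
    hits = []
    for off in range(0, len(data) - 7):
        for desc, fmt, check in PATTERNS:
            w0, w1 = struct.unpack_from(fmt, data, off)
            if check(w0, w1):
                hits.append((off, desc))
    return hits


def guess_arch(data: bytes) -> Optional[Tuple[str, int]]:
    """Majority vote over hits: (description, count), or None when nothing matched."""
    counts = Counter(desc for _, desc in scan_opcodes(data))
    return counts.most_common(1)[0] if counts else None


def byteswap_words(data: bytes) -> bytes:
    """Reverse each 4-byte word, turning a little-endian image into big-endian."""
    return b"".join(data[i:i + 4][::-1] for i in range(0, len(data), 4))


def build_sample() -> bytes:
    """Constructed MIPS little-endian blob: three epilogues among nop filler."""
    nop = struct.pack("<I", 0)
    ep = struct.pack("<II", 0x03E00008, 0x27BD0020)   # jr $ra ; addiu $sp,$sp,32
    ep2 = struct.pack("<II", 0x03E00008, 0x27BD0018)  # jr $ra ; addiu $sp,$sp,24
    return nop * 4 + ep + nop * 3 + ep2 + nop * 2 + ep + nop


if __name__ == "__main__":
    blob = build_sample()
    for off, desc in scan_opcodes(blob):
        print(f"{off:<13d} {'0x' + format(off, 'X'):<15} {desc}")
    print("best guess:", guess_arch(blob))
    print("byte-swapped copy:", guess_arch(byteswap_words(blob)))
```

A single hit means little, since any four bytes can look like an instruction; the majority vote over many hits is what makes the result usable, and checking both byte orders is what tells MIPS from MIPSEL, which determines the endianness you must select when you load the raw code into a disassembler.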

Conclusion:

The “binwalk” command offers a range of capabilities for analyzing binary files. By scanning, extracting, and analyzing various aspects of a binary, users can gain valuable insights into its contents and structure. Whether it’s extracting embedded files or examining the entropy, “binwalk” provides a powerful set of tools for firmware analysis.
