5

新版本 binwalk 无法提取 ELF 文件 的 解决办法

 2 years ago
source link: https://xuanxuanblingbling.github.io/ctf/tools/2021/10/07/binwalk/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

新版本 binwalk 无法提取 ELF 文件 的 解决办法

发表于 2021-10-07

| 分类于 CTF/tools

最近发现自己的binwalk在提取一些直接包裹在其他数据中的ELF文件时失效,但是识别是有结果的,一顿折腾最新版本还是不行,但发现用老版本就可以正常提取。经过分析,最终找到了问题的根源,新版本的默认提取规则配置文件:extract.conf,把单个ELF提取的规则给注释了…

binwalk v2.3.3 提取失败:

$ binwalk

Binwalk v2.3.3+fa0c0bd
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

$ binwalk -e ./bios.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
143472        0x23070         SHA256 hash constants, little endian
770064        0xBC010         ELF, 64-bit LSB executable, version 1 (SYSV)
792178        0xC1672         Unix path: /lib/libc/aarch64
792711        0xC1887         Unix path: /lib/libc/aarch64
794111        0xC1DFF         Unix path: /lib/libc/aarch64
796256        0xC2660         Unix path: /home/seanwu/hitcon-ctf-2018

$ ls
bios.bin

但binwalk v2.1.1 提取成功:

➜  binwalk  

Binwalk v2.1.1
Craig Heffner, http://www.binwalk.org


➜  binwalk -e ./bios.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
143472        0x23070         SHA256 hash constants, little endian
770064        0xBC010         ELF, 64-bit LSB executable, version 1 (SYSV)

➜  ls
bios.bin  _bios.bin.extracted

后来又尝试了v2.2.1、v2.2.0均失败。

在官方用法:https://github.com/ReFirmLabs/binwalk/wiki/Usage的字缝里看到了一个文件:extract.conf,推测应该存在一个默认的配置文件,但不容易找到,于是想到用strace跟踪binwalk进行寻找:

➜  strace binwalk -Me ./bios.bin 2>&1 | grep "extract.conf"
stat("/home/xuan/.binwalk/config/extract.conf", {st_mode=0644, st_size=0, ...}) = 0
stat("/usr/lib/python3/dist-packages/binwalk/config/extract.conf", {st_mode=0644, st_size=3419, ...}) = 0

果然找到,发老版本binwalk的extract.conf配置文件中有:

➜  tail /usr/lib/python3/dist-packages/binwalk/config/extract.conf
#^wdk file system:wdk:/opt/firmware-mod-kit/src/firmware-tools/unwdk.py '%e'

# Extract, but don't run anything
^elf,:elf
pe ,:pe
private key:key
certificate:crt
html document header
xml document:xml

但新版本这个配置文件中elf提取选项被注释了…

$ tail /usr/local/lib/python3.8/dist-packages/binwalk-2.3.3+fa0c0bd-py3.8.egg/binwalk/config/extract.conf
#^bff volume entry:bff:/opt/firmware-mod-kit/src/bff/bffxtractor.py '%e'
#^wdk file system:wdk:/opt/firmware-mod-kit/src/firmware-tools/unwdk.py '%e'

# Extract, but don't run anything
#^elf,:elf
#private key:key
#certificate:crt
#html document header
#xml document:xml

所以打开就好了…

另:MAC上没有strace,需要用dtruss,方法如下:

➜  sudo dtruss -W Python 2>&1 | grep "extract.conf"

另一个窗口:

➜  binwalk -Me ./bios.bin

可在dtruss窗口中看到:

/usr/local/lib/python2.7/site-packages/binwalk/config/extract.conf

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK