Added gzip validation plugin

61f12a77 · devttys0 · ecb7b7d6 · 61f12a77 · 61f12a77 · 61f12a77
Commit 61f12a77 authored Oct 24, 2014 by devttys0
Show whitespace changes
Inline Side-by-side

Showing with 59 additions and 7 deletions

API.md API.md +7 -5

INSTALL.md INSTALL.md +3 -0

gzipvalid.py src/binwalk/plugins/gzipvalid.py +47 -0

zlibvalid.py src/binwalk/plugins/zlibvalid.py +2 -2

No files found.
--- a/API.md
+++ b/API.md
@@ -18,11 +18,13 @@ import binwalk
 binwalk.scan()
 ```

-The `scan` function accepts both args and kwargs, which correspond to the normal command line options accepted by the binwalk command line utility, providing a large amount of freedom in how you choose to specify binwalk options (if none are specified, sys.argv is used by default).
+The `scan` function accepts both args and kwargs, which correspond to the normal command line options accepted by the binwalk command line utility, providing a large amount of freedom in how you choose to specify binwalk options (if none are specified, `sys.argv` is used by default).

-For example, to execute a signature scan, you at the very least have to specify the `--signature` command line option, as well as a list of files to scan. This can be done in a number of ways:
+For example, to execute a signature scan, you at the very least have to specify the `--signature` option, as well as a list of files to scan. This can be done in a number of ways:

 ```python
+binwalk.scan('--signature', 'firmware1.bin', 'firmware2.bin')
+
 binwalk.scan('firmware1.bin', 'firmware2.bin', signature=True)

 binwalk.scan('firmware1.bin', 'firmware2.bin', **{'signature' : True})
@@ -30,8 +32,6 @@ binwalk.scan('firmware1.bin', 'firmware2.bin', **{'signature' : True})
 binwalk.scan(*['firmware1.bin', 'firmware2.bin'], signature=True)
        
 binwalk.scan(*['--signature', 'firmware1.bin', 'firmware2.bin',])
-
-binwalk.scan('--signature', 'firmware1.bin', 'firmware2.bin')
 ```

 All args and kwargs keys/values correspond to binwalk's command line options. Either args or kwargs, or a combination of the two may be used, with the following caveats:
@@ -66,12 +66,14 @@ binwalk.core.module.Error has the additional guarunteed attribute:
 Thus, scan results and errors can be programatically accessed rather easily:

 ```python
-for module in binwalk.scan('firmware1.bin', 'firmware2.bin', signature=True):
+for module in binwalk.scan('firmware1.bin', 'firmware2.bin', signature=True, quiet=True):
    print ("%s Results:" % module.name)
    for result in module.results:
        print ("\t%s    0x%.8X    %s" % (result.file.name, result.offset, result.description))
 ```

+Note the above use of the `--quiet` option which prevents the binwalk module from printing its normal output to screen.
+
 Module Exceptions
 =================


--- a/INSTALL.md
+++ b/INSTALL.md
@@ -51,10 +51,13 @@ $ (cd capstone-2.1.2/bindings/python && sudo python ./setup.py install)
 Binwalk relies on multiple external utilties in order to automatically extract/decompress files and data:

 ```bash
+# Install standard extraction utilities
 $ sudo apt-get install mtd-utils zlib1g-dev liblzma-dev ncompress gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract openjdk-6-jdk cramfsprogs cramfsswap squashfs-tools
 ```

 ```bash
+# Install sasquatch SquashFS extraction tool and its dependencies
+$ sudo apt-get install zlib1g-dev liblzma-dev liblzo2-dev
 $ git clone https://github.com/devttys0/sasquatch
 $ (cd sasquatch && make && sudo make install)
 ```

--- a/src/binwalk/plugins/gzipvalid.py
+++ b/src/binwalk/plugins/gzipvalid.py
+import binwalk.core.C
+import binwalk.core.plugin
+from binwalk.core.common import BlockFile
+
+class GzipValidPlugin(binwalk.core.plugin.Plugin):
+    '''
+    Validates gzip compressed data. Almost identical to zlibvalid.py.
+    '''
+    MODULES = ['Signature']
+
+    MIN_DECOMP_SIZE = 16 * 1024
+    MAX_DATA_SIZE = 33 * 1024
+
+    TINFL = "tinfl"
+    TINFL_FUNCTIONS = [
+        binwalk.core.C.Function(name="is_deflated", type=int),
+    ]
+
+    def init(self):
+        # Load libtinfl.so
+        self.tinfl = binwalk.core.C.Library(self.TINFL, self.TINFL_FUNCTIONS)
+
+    def scan(self, result):
+        # If this result is a gzip signature match, try to decompress the data
+        if result.file and result.description.lower().startswith('gzip'):
+            # Seek to and read the suspected gzip data
+            fd = self.module.config.open_file(result.file.name, offset=result.offset, length=self.MAX_DATA_SIZE)
+            data = fd.read(self.MAX_DATA_SIZE)
+            fd.close()
+
+            # Grab the flags and initialize the default offset of the start of
+            # compressed data.
+            flags = int(ord(data[3]))
+            offset = 10
+
+            # If there is a comment or the original file name, find the end of that
+            # string and start decompression from there.
+            if (flags & 0x0C) or (flags & 0x10):
+                while data[offset] != "\x00":
+                    offset += 1
+                offset += 1
+
+            # Check if this is valid deflate data (no zlib header)
+            decomp_size = self.tinfl.is_deflated(data[offset:], len(data[offset:]), 0)
+            if decomp_size <= 0:
+                result.valid = False
+
--- a/src/binwalk/plugins/zlibvalid.py
+++ b/src/binwalk/plugins/zlibvalid.py
@@ -2,9 +2,9 @@ import binwalk.core.C
 import binwalk.core.plugin
 from binwalk.core.common import BlockFile

-class ZlibPlugin(binwalk.core.plugin.Plugin):
+class ZlibValidPlugin(binwalk.core.plugin.Plugin):
    '''
-    Searches for and validates zlib compressed data.
+    Validates zlib compressed data.
    '''
    MODULES = ['Signature']