Commit d95e015d by devttys0

Re-working code to better fit with new magic module

parent 9fc088e0
...@@ -119,29 +119,13 @@ class CleanCommand(Command): ...@@ -119,29 +119,13 @@ class CleanCommand(Command):
pass pass
if "install" in sys.argv: if "install" in sys.argv:
# If an older version of binwalk is currently installed, completely remove it to prevent conflicts # If a previous version of binwalk is currently installed, completely remove it to prevent conflicts
existing_binwalk_modules = find_binwalk_module_paths() if find_binwalk_module_paths():
if existing_binwalk_modules and not os.path.exists(os.path.join(existing_binwalk_modules[0], "core")):
remove_binwalk_module() remove_binwalk_module()
# Re-build the magic file during a build/install
if "install" in sys.argv or "build" in sys.argv:
# Generate a new magic file from the files in the magic directory
print("creating %s magic file" % MODULE_NAME)
magic_files = os.listdir("magic")
magic_files.sort()
fd = open("%s/magic/%s" % (MODULE_NAME, MODULE_NAME), "wb")
for magic in magic_files:
fpath = os.path.join("magic", magic)
if os.path.isfile(fpath):
fd.write(open(fpath, "rb").read())
fd.close()
# The data files to install along with the module # The data files to install along with the module
data_dirs = ["magic", "config", "plugins", "modules", "core"] install_data_files = []
install_data_files = [os.path.join("libs", "*.so"), os.path.join("libs", "*.dylib")] for data_dir in ["magic", "config", "plugins", "modules", "core"]:
for data_dir in data_dirs:
install_data_files.append("%s%s*" % (data_dir, os.path.sep)) install_data_files.append("%s%s*" % (data_dir, os.path.sep))
# Install the module, script, and support files # Install the module, script, and support files
......
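Review bot: The rebuilt `install_data_files` list at L26-L29 no longer carries the `libs/*.so` and `libs/*.dylib` globs the old side had, so any native helper still produced under `libs/` by this build would silently stop being packaged; if that directory is gone in this commit that is fine, but it is not visible here and a one-line comment such as `# native libs/ helpers are no longer shipped` would save the next reader the question. The `remove_binwalk_module()` call at L10-L12 is now unconditional for any existing install, including one of the same version, where the old code only removed pre-`core` layouts; logging the paths returned by `find_binwalk_module_paths()` before deleting them would make that destructive install-time step auditable. The hunk begins inside a preceding definition and the module-level block continues past L31.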
...@@ -11,14 +11,35 @@ class SignatureTag(object): ...@@ -11,14 +11,35 @@ class SignatureTag(object):
for (k,v) in binwalk.core.compat.iterator(kwargs): for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v) setattr(self, k, v)
class SignatureResult(object):
def __init__(self, **kwargs):
# These are set by signature keyword tags
self.jump = 0
self.size = 0
self.name = None
self.offset = 0
self.adjust = 0
self.strlen = 0
self.string = False
self.invalid = False
# These are set by code internally
self.file = None
self.valid = True
self.display = True
self.description = ""
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class SignatureLine(object): class SignatureLine(object):
def __init__(self, line): def __init__(self, line):
self.tags = [] self.tags = []
self.original_text = line
line = line.replace('\\ ', '\x20') parts = line.replace('\\ ', '\\x20').split(None, 3)
parts = line.split(None, 3)
self.level = parts[0].count('>') self.level = parts[0].count('>')
...@@ -32,6 +53,10 @@ class SignatureLine(object): ...@@ -32,6 +53,10 @@ class SignatureLine(object):
(self.type, self.bitmask) = parts[1].split('&', 1) (self.type, self.bitmask) = parts[1].split('&', 1)
self.boolean = '&' self.boolean = '&'
self.bitmask = int(self.bitmask, 0) self.bitmask = int(self.bitmask, 0)
elif '|' in parts[1]:
(self.type, self.bitmask) = parts[1].split('|', 1)
self.boolean = '|'
self.bitmask = int(self.bitmask, 0)
else: else:
self.type = parts[1] self.type = parts[1]
self.boolean = None self.boolean = None
...@@ -171,22 +196,6 @@ class Signature(object): ...@@ -171,22 +196,6 @@ class Signature(object):
def append(self, line): def append(self, line):
self.lines.append(line) self.lines.append(line)
class SignatureResult(object):
def __init__(self, **kwargs):
self.offset = 0
self.adjust = 0
self.jump = 0
self.size = 0
self.description = ""
self.valid = True
self.invalid = False
self.display = True
self.file = None
for (k,v) in binwalk.core.compat.iterator(kwargs):
setattr(self, k, v)
class Magic(object): class Magic(object):
def __init__(self, exclude=[], include=[], invalid=False): def __init__(self, exclude=[], include=[], invalid=False):
...@@ -209,6 +218,7 @@ class Magic(object): ...@@ -209,6 +218,7 @@ class Magic(object):
def filtered(self, text): def filtered(self, text):
filtered = None filtered = None
text = text.lower()
for include in self.includes: for include in self.includes:
if include.match(text): if include.match(text):
...@@ -230,6 +240,7 @@ class Magic(object): ...@@ -230,6 +240,7 @@ class Magic(object):
def parse(self, signature, offset): def parse(self, signature, offset):
description = [] description = []
tag_strlen = None
max_line_level = 0 max_line_level = 0
tags = {'offset' : offset, 'invalid' : False} tags = {'offset' : offset, 'invalid' : False}
...@@ -275,12 +286,19 @@ class Magic(object): ...@@ -275,12 +286,19 @@ class Magic(object):
except struct.error as e: except struct.error as e:
dvalue = 0 dvalue = 0
elif line.size: elif line.size:
dvalue = self.data[start:end] # Strings have line.value == None
if line.value is None: if line.value is None:
dvalue = dvalue.split('\x00')[0].split('\r')[0].split('\r')[0] if [x for x in line.tags if x.name == 'string'] and binwalk.core.compat.has_key(tags, 'strlen'):
dvalue = self.data[start:(start+tags['strlen'])]
else:
dvalue = self.data[start:end].split('\x00')[0].split('\r')[0].split('\r')[0]
else:
dvalue = self.data[start:end]
if line.boolean == '&': if line.boolean == '&':
dvalue &= line.bitmask dvalue &= line.bitmask
elif line.boolean == '|':
dvalue |= line.bitmask
if ((line.value is None) or if ((line.value is None) or
(line.condition == '=' and dvalue == line.value) or (line.condition == '=' and dvalue == line.value) or
...@@ -295,13 +313,22 @@ class Magic(object): ...@@ -295,13 +313,22 @@ class Magic(object):
dvalue = ts.strftime("%Y-%m-%d %H:%M:%S") dvalue = ts.strftime("%Y-%m-%d %H:%M:%S")
if '%' in line.format: if '%' in line.format:
description.append(line.format % dvalue) desc = line.format % dvalue
else: else:
description.append(line.format) desc = line.format
if desc:
description.append(desc)
for tag in line.tags: for tag in line.tags:
if isinstance(tag.value, str) and '%' in tag.value: if isinstance(tag.value, str) and '%' in tag.value:
tags[tag.name] = tag.value % dvalue tags[tag.name] = tag.value % dvalue
try:
tags[tag.name] = int(tags[tag.name], 0)
except KeyboardInterrupt as e:
raise e
except Exception as e:
pass
else: else:
try: try:
tags[tag.name] = int(tag.value, 0) tags[tag.name] = int(tag.value, 0)
...@@ -316,12 +343,19 @@ class Magic(object): ...@@ -316,12 +343,19 @@ class Magic(object):
max_line_level = line.level + 1 max_line_level = line.level + 1
else: else:
# No match on the first line, abort
if line.level == 0:
break
else:
max_line_level = line.level max_line_level = line.level
tags['description'] = self.bspace.sub('', " ".join(description)) tags['description'] = self.bspace.sub('', " ".join(description))
if (('\\' in tags['description']) or if not tags['description']:
(self.printable.match(tags['description']).group() != tags['description'])): tags['display'] = False
tags['invalid'] = True
if self.printable.match(tags['description']).group() != tags['description']:
tags['invalid'] = True tags['invalid'] = True
tags['valid'] = (not tags['invalid']) tags['valid'] = (not tags['invalid'])
...@@ -330,19 +364,20 @@ class Magic(object): ...@@ -330,19 +364,20 @@ class Magic(object):
def scan(self, data, dlen=None): def scan(self, data, dlen=None):
results = [] results = []
matched_offsets = set()
self.data = data self.data = data
if dlen is None: if dlen is None:
dlen = len(self.data) dlen = len(self.data)
for signature in self.signatures: for signature in self.signatures:
for match in signature.regex.finditer(self.data): for match in signature.regex.finditer(self.data):
offset = match.start() - signature.offset offset = match.start() - signature.offset
if offset >= 0 and offset <= dlen: if (offset not in matched_offsets or self.show_invalid) and offset >= 0 and offset <= dlen:
tags = self.parse(signature, offset) tags = self.parse(signature, offset)
if not tags['invalid'] or self.show_invalid: if not tags['invalid'] or self.show_invalid:
results.append(SignatureResult(**tags)) results.append(SignatureResult(**tags))
matched_offsets.add(offset)
results.sort(key=lambda x: x.offset, reverse=False) results.sort(key=lambda x: x.offset, reverse=False)
return results return results
...@@ -381,15 +416,3 @@ class Magic(object): ...@@ -381,15 +416,3 @@ class Magic(object):
self.signatures.sort(key=lambda x: x.confidence, reverse=True) self.signatures.sort(key=lambda x: x.confidence, reverse=True)
if __name__ == '__main__':
import sys
m = Magic(invalid=True)
m.load(sys.argv[1])
print ("Loaded %d signatures" % len(m.signatures))
for signature in m.scan(open(sys.argv[2], "r").read()):
if signature.valid:
print (signature.offset, signature.description)
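Review bot: `tags['strlen']` used at L107-L108 can be derived straight from the scanned data (a `{strlen:%d}` tag is formatted from `dvalue` and `int()`-converted at L128-L131), and a negative value whose magnitude exceeds `start` turns the slice end negative, so `self.data[start:(start+tags['strlen'])]` returns a run up to near the end of the buffer instead of a short string; clamp before slicing, e.g. `strlen = max(0, tags['strlen'])` then `dvalue = self.data[start:start+strlen]`. When the `int()` at L131 fails, the `except Exception: pass` at L134-L135 leaves `tags[tag.name]` as the formatted string, and `has_key(tags, 'strlen')` at L107 is still true, so the addition at L108 raises TypeError on a malformed signature rather than marking the result `{invalid}`. If `self.printable` (not visible here) can fail to match at position 0, `.match(...).group()` at L151 raises AttributeError; the old side had the same shape, so this is pre-existing. Both `parse` and `scan` continue outside the hunks shown.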
...@@ -58,6 +58,20 @@ class Settings: ...@@ -58,6 +58,20 @@ class Settings:
prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE), prefix=self._system_path(self.BINWALK_CONFIG_DIR, self.PREFIX_FILE),
plugins=self._system_path(self.BINWALK_PLUGINS_DIR)) plugins=self._system_path(self.BINWALK_PLUGINS_DIR))
def magic_signature_files(self, system_only=False, user_only=False):
files = []
if not system_only:
user_dir = os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR)
files += [os.path.join(user_dir, x) for x in os.listdir(user_dir)]
if not user_only:
system_dir = os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR)
files += [os.path.join(system_dir, x) for x in os.listdir(system_dir)]
if self.system.binarch in files:
files.remove(self.system.binarch)
return files
def find_magic_file(self, fname, system_only=False, user_only=False): def find_magic_file(self, fname, system_only=False, user_only=False):
''' '''
Finds the specified magic file name in the system / user magic file directories. Finds the specified magic file name in the system / user magic file directories.
......
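Review bot: `os.listdir(user_dir)` at L188 raises OSError when `~/.binwalk/magic` does not exist, which is the normal state on a fresh install, and both listings at L188 and L191 also return subdirectories and stray entries such as editor backup files, which are then handed to the magic loader as signature files. Guard each directory with `os.path.isdir` and keep only regular files; sorting the listing additionally makes the load order, and therefore which signature wins a tie in the per-offset dedup that `Magic.scan` now performs, independent of the filesystem. Whether `find_magic_file` below already tolerates a missing directory is not visible here. The method also lacks the docstring its sibling has; `'''Returns the user and system magic signature files, excluding the binarch file.'''` would match the file's style.
```python
    def magic_signature_files(self, system_only=False, user_only=False):
        '''
        Returns the magic signature files from the user and system magic
        directories, skipping missing directories and non-regular files.
        '''
        files = []
        candidates = []
        if not system_only:
            candidates.append(os.path.join(self.user_dir, self.BINWALK_USER_DIR, self.BINWALK_MAGIC_DIR))
        if not user_only:
            candidates.append(os.path.join(self.system_dir, self.BINWALK_MAGIC_DIR))

        for directory in candidates:
            if not os.path.isdir(directory):
                continue
            for entry in sorted(os.listdir(directory)):
                path = os.path.join(directory, entry)
                if os.path.isfile(path):
                    files.append(path)
        # … unchanged: binarch exclusion and return …
```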
...@@ -3,13 +3,13 @@ ...@@ -3,13 +3,13 @@
# sw XX, XX($sp) # sw XX, XX($sp)
# 27 BD FF XX # 27 BD FF XX
# AF BX XX XX # AF BX XX XX
0 string \xFF\xBD\x27 MIPSEL instructions, function prologue{offset-adjust:-1} 1 string \xFF\xBD\x27 MIPSEL instructions, function prologue
>6 byte !0xAF (invalid) >6 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 (invalid) >5 byte&0xE0 !0xA0 {invalid}
0 string \x27\xBD\xFF MIPS instructions, function prologue 0 string \x27\xBD\xFF MIPS instructions, function prologue
>4 byte !0xAF (invalid) >4 byte !0xAF {invalid}
>5 byte&0xE0 !0xA0 (invalid) >5 byte&0xE0 !0xA0 {invalid}
# MIPS epilogue # MIPS epilogue
# jr $ra # jr $ra
...@@ -18,14 +18,14 @@ ...@@ -18,14 +18,14 @@
# addiu $sp, XX # addiu $sp, XX
# jr $ra # jr $ra
0 belong 0x03e00008 MIPS instructions, function epilogue 0 belong 0x03e00008 MIPS instructions, function epilogue
>4 beshort !0x27BD (invalid) >4 beshort !0x27BD {invalid}
0 beshort 0x27BD MIPS instructions, function epilogue 0 beshort 0x27BD MIPS instructions, function epilogue
>2 belong !0x03e00008 (invalid) >2 belong !0x03e00008 {invalid}
0 lelong 0x03e00008 MIPSEL instructions, function epilogue 0 lelong 0x03e00008 MIPSEL instructions, function epilogue
>6 leshort !0x27BD (invalid) >6 leshort !0x27BD {invalid}
0 leshort 0x27BD MIPS instructions, function epilogue 0 leshort 0x27BD MIPS instructions, function epilogue
>2 lelong !0x03e00008 (invalid) >2 lelong !0x03e00008 {invalid}
# MIPS16e # MIPS16e
# nop (x4) # nop (x4)
...@@ -36,17 +36,17 @@ ...@@ -36,17 +36,17 @@
# save a0-a1, XX # save a0-a1, XX
# addiu XX, XX # addiu XX, XX
0 string \xf0\x08\x64 MIPS16e instructions, function prologue 0 string \xf0\x08\x64 MIPS16e instructions, function prologue
>4 byte !0x01 (invalid) >4 byte !0x01 {invalid}
# move $sp, $s1 # move $sp, $s1
# restore XX, XX, XX # restore XX, XX, XX
# jrc $ra # jrc $ra
0 beshort 0x65B9 MIPS16e instructions, function epilogue 0 beshort 0x65B9 MIPS16e instructions, function epilogue
>3 byte !0x64 (invalid) >3 byte !0x64 {invalid}
>4 beshort !0xE8A0 (invalid) >4 beshort !0xE8A0 {invalid}
0 leshort 0x65B9 MIPSEL16e instructions, function epilogue 0 leshort 0x65B9 MIPSEL16e instructions, function epilogue
>3 byte !0x64 (invalid) >3 byte !0x64 {invalid}
>4 leshort !0xE8A0 (invalid) >4 leshort !0xE8A0 {invalid}
# jrc $ra # jrc $ra
# nop # nop
...@@ -68,19 +68,19 @@ ...@@ -68,19 +68,19 @@
# STMFD SP!, {XX} # STMFD SP!, {XX}
# <any instruction whose opcode begins with 0xE> # <any instruction whose opcode begins with 0xE>
0 beshort 0xE92D ARMEB instructions, function prologue 0 beshort 0xE92D ARMEB instructions, function prologue
>4 byte&0xF0 !0xE0 (invalid) >4 byte&0xF0 !0xE0 {invalid}
>8 byte&0xF0 !0xE0 (invalid) >8 byte&0xF0 !0xE0 {invalid}
0 leshort 0xE92D ARM instructions, function prologue{offset-adjust:-2} 0 leshort 0xE92D ARM instructions, function prologue{adjust:-2}
>5 byte&0xF0 !0xE0 (invalid) >5 byte&0xF0 !0xE0 {invalid}
>9 byte&0xF0 !0xE0 (invalid) >9 byte&0xF0 !0xE0 {invalid}
# ARM epilogue # ARM epilogue
# MOV R0, XX # MOV R0, XX
# LDMFD SP!, {XX} # LDMFD SP!, {XX}
0 beshort 0xE1A0 ARMEB instructions, function epilogue 0 beshort 0xE1A0 ARMEB instructions, function epilogue
>4 beshort !0xE8BD (invalid) >4 beshort !0xE8BD {invalid}
0 leshort 0xE1A0 ARM instructions, function epilogue{offset-adjust:-2} 0 leshort 0xE1A0 ARM instructions, function epilogue{adjust:-2}
>4 leshort !0xE8BD (invalid) >4 leshort !0xE8BD {invalid}
# Ubicom32 prologue # Ubicom32 prologue
...@@ -120,5 +120,5 @@ ...@@ -120,5 +120,5 @@
# push esi # push esi
0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue 0 string \x55\x89\xE5\x83\xEC Intel x86 instructions, function prologue
0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue 0 string \x55\x89\xE5\x57\x56 Intel x86 instructions, function prologue
0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump-to-offset:8} 0 string \x90\x90\x90\x90\x90\x90\x90\x90 Intel x86 instructions, nops{jump:8}
0 belong x Hex: 0x%.8X
#0 string x String: %s
#0 lequad x Little Endian Quad: %lld
#0 bequad x Big Endian Quad: %lld
0 lelong x Little Endian Long: %d
0 belong x Big Endian Long: %d
0 leshort x Little Endian Short: %d
0 beshort x Big Endian Short: %d
0 ledate x Little Endian Date: %s
0 bedate x Big Endian Date: %s
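Review bot: The MIPSEL prologue at L203 moves from `0 string ... {offset-adjust:-1}` to `1 string ...` but keeps its child checks at `>6` and `>5` (L204-L205); since `Magic.scan` in this same commit computes the reported offset as `match.start() - signature.offset` and passes that to `parse`, the children now appear to be evaluated one byte earlier than before, which would read the register byte where `!0xAF` expects the opcode and mark every genuine prologue `{invalid}`. If child offsets are indeed relative to the reported offset, these should become `>7 byte !0xAF {invalid}` and `>6 byte&0xE0 !0xA0 {invalid}`; the ARM entries at L246-L248 keep `{adjust:-2}` instead, which is applied after matching and so needs no such shift. This hinges on the `start` computation inside `parse`, which is outside the hunks shown, so please confirm against a known MIPSEL sample.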
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
# U-Boot boot loader # U-Boot boot loader
0 string U-Boot\x20 U-Boot version string, 0 string U-Boot\x20 U-Boot version string,
>7 byte <48 {invalid}, >7 byte <48 {invalid}
>7 byte >57 {invalid}, >7 byte >57 {invalid}
>8 byte !0x2E {invalid}, >8 byte !0x2E {invalid}
>0 string x "%s" >0 string x "%s"
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
2 string -afx- AFX compressed file data
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data,
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid}
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
>3 byte &0x20 \b, encrypted{invalid}
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 {invalid}
>4 lelong >0
>>4 lelong <694224000 {invalid}
>>4 lelong =694224000 {invalid}
>>4 lelong >694224000 \b, last modified:
>>>4 ledate x %s
>>>4 lelong x {epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed
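Review bot: The `{file-name:%s}` tag at L373 copies the original-filename field straight out of the gzip header, and that field is attacker-controlled bytes that may contain `/`, `..` or an absolute path; nothing in this signature file can sanitize it, so any consumer that turns the tag into an extraction path must reduce it to a basename first. A comment at L372 such as `# file-name is taken verbatim from the header; consumers must strip directory components before using it as a path` would record that contract where the tag is defined. The same applies to the `%s` descriptions at L374 and L377, which will carry arbitrary header bytes into the result text. Where the tag is consumed is not visible in this commit.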
...@@ -94,8 +94,7 @@ class Signature(Module): ...@@ -94,8 +94,7 @@ class Signature(Module):
# Use the system default magic file if no other was specified, or if -B was explicitly specified # Use the system default magic file if no other was specified, or if -B was explicitly specified
if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types): if (not self.magic_files) or (self.explicit_signature_scan and not self.cast_data_types):
self.magic_files.append(self.config.settings.user.binwalk) self.magic_files += self.config.settings.magic_signature_files()
self.magic_files.append(self.config.settings.system.binwalk)
# Initialize libmagic # Initialize libmagic
self.magic = binwalk.core.magic.Magic(include=self.include_filters, self.magic = binwalk.core.magic.Magic(include=self.include_filters,
...@@ -147,6 +146,8 @@ class Signature(Module): ...@@ -147,6 +146,8 @@ class Signature(Module):
if r.offset < current_block_offset: if r.offset < current_block_offset:
continue continue
relative_offset = r.offset
# Set the absolute offset inside the target file # Set the absolute offset inside the target file
# TODO: Don't need the offset adjust stuff anymore, get rid of it # TODO: Don't need the offset adjust stuff anymore, get rid of it
r.offset = block_start + r.offset + r.adjust r.offset = block_start + r.offset + r.adjust
...@@ -164,7 +165,7 @@ class Signature(Module): ...@@ -164,7 +165,7 @@ class Signature(Module):
# Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan? # Is this a valid result and did it specify a jump-to-offset keyword, and are we doing a "smart" scan?
if r.valid and r.jump > 0 and not self.dumb_scan: if r.valid and r.jump > 0 and not self.dumb_scan:
absolute_jump_offset = r.offset + r.jump absolute_jump_offset = r.offset + r.jump
current_block_offset = candidate_offset + r.jump current_block_offset = relative_offset + r.jump
# If the jump-to-offset is beyond the confines of the current block, seek the file to # If the jump-to-offset is beyond the confines of the current block, seek the file to
# that offset and quit processing this block of data. # that offset and quit processing this block of data.
......
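Review bot: The TODO at L439 says the offset-adjust handling is no longer needed, yet the binarch signatures in this same commit still rely on `{adjust:-2}` and `r.adjust` is added on the very next line, so the comment is now misleading; either drop the TODO or reword it, e.g. `# adjust is applied after matching so signatures that match mid-instruction can report the instruction start`. Capturing `relative_offset` before the adjustment at L437 and using it for `current_block_offset` at L445 looks right, since `r.jump` is relative to the block-local match. The enclosing loop begins and ends outside the hunks shown.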
#------------------Compression Formats-----------------------------
# AFX compressed files (Wolfram Kleff)
0 string -afx- AFX compressed file data{offset-adjust:-2}
# bzip2
0 string BZh91AY&SY bzip2 compressed data, block size = 900k
0 string BZh81AY&SY bzip2 compressed data, block size = 800k
0 string BZh71AY&SY bzip2 compressed data, block size = 700k
0 string BZh61AY&SY bzip2 compressed data, block size = 600k
0 string BZh51AY&SY bzip2 compressed data, block size = 500k
0 string BZh41AY&SY bzip2 compressed data, block size = 400k
0 string BZh31AY&SY bzip2 compressed data, block size = 300k
0 string BZh21AY&SY bzip2 compressed data, block size = 200k
0 string BZh11AY&SY bzip2 compressed data, block size = 100k
# lzop from <markus.oberhumer@jk.uni-linz.ac.at>
0 string \x89\x4c\x5a\x4f\x00\x0d\x0a\x1a\x0a lzop compressed data
>9 beshort >0x093F {invalid}
>9 beshort <0x0940
>>9 byte&0xf0 =0x00 - version 0.
>>9 beshort&0x0fff x \b%03x,
>>9 beshort&0x0fff <1 {invalid},
>>13 byte 1 LZO1X-1,
>>13 byte 2 LZO1X-1(15),
>>13 byte 3 LZO1X-999,
## >>22 bedate >0 last modified: %s,
>>14 byte =0x00 os: MS-DOS
>>14 byte =0x01 os: Amiga
>>14 byte =0x02 os: VMS
>>14 byte =0x03 os: Unix
>>14 byte =0x05 os: Atari
>>14 byte =0x06 os: OS/2
>>14 byte =0x07 os: MacOS
>>14 byte =0x0A os: Tops/20
>>14 byte =0x0B os: WinNT
>>14 byte =0x0E os: Win32
>9 beshort >0x0939
>>9 byte&0xf0 =0x00 - version 0.
>>9 byte&0xf0 =0x10 - version 1.
>>9 byte&0xf0 =0x20 - version 2.
>>9 beshort&0x0fff x \b%03x,
>>15 byte 1 LZO1X-1,
>>15 byte 2 LZO1X-1(15),
>>15 byte 3 LZO1X-999,
## >>25 bedate >0 last modified: %s,
>>17 byte =0x00 os: MS-DOS
>>17 byte =0x01 os: Amiga
>>17 byte =0x02 os: VMS
>>17 byte =0x03 os: Unix
>>17 byte =0x05 os: Atari
>>17 byte =0x06 os: OS/2
>>17 byte =0x07 os: MacOS
>>17 byte =0x0A os: Tops/20
>>17 byte =0x0B os: WinNT
>>17 byte =0x0E os: Win32
# lzip
0 string LZIP lzip compressed data,
>4 ubyte 0 {invalid}
# Current version is still 1.x
>4 ubyte >4 {invalid}
>4 byte x version: %d
# lrzip
0 string LRZI lrzip compressed data
# LZO
0 string \211LZO\000\015\012\032\012 LZO compressed data
# 7-zip archiver, from Thomas Klausner (wiz@danbala.tuwien.ac.at)
# http://www.7-zip.org or DOC/7zFormat.txt
#
0 string 7z\274\257\047\034 7-zip archive data,
>6 byte <0 {invalid}
>6 byte 0
>>7 byte 0 {invalid}
>6 byte >20 {invalid}
>6 byte x version %d
>7 byte x \b.%d
# standard unix compress
# Disabled until a python alternative can be foudn for the compress binwalk plugin.
#0 string \x1f\x9d\x90 compress'd data, 16 bits
# http://tukaani.org/xz/xz-file-format.txt
0 string \xFD\x37\x7a\x58\x5a\x00 xz compressed data
# gzip (GNU zip, not to be confused with Info-ZIP or PKWARE zip archiver)
# Edited by Chris Chittleborough <cchittleborough@yahoo.com.au>, March 2002
# * Original filename is only at offset 10 if "extra field" absent
# * Produce shorter output - notably, only report compression methods
# other than 8 ("deflate", the only method defined in RFC 1952).
#0 string \037\213\x08 gzip compressed data
0 string \x1f\x8b\x08 gzip compressed data
>3 byte &0x01 \b, ASCII
>3 byte&0xE0 !0x00 \b, {invalid} reserved flag bits
>8 byte 2 \b, maximum compression
>8 byte 4 \b, fastest compression
>8 byte 1 \b, {invalid} extra flags
>8 byte 3 \b, {invalid} extra flags
>8 byte >4 \b, {invalid} extra flags
>3 byte &0x02 \b, has header CRC
>3 byte&0x04 0x04
>>10 leshort x \b, has %d bytes of extra data
>3 byte&0xC =0x08 \b, has original file name
>>10 string x \b{file-name:%s}
>>10 string x \b: "%s"
>3 byte &0x10 \b, has comment
>>3 byte&0xC 0
>>>10 string x \b: "%s"
>9 byte =0x00 \b, from FAT filesystem (MS-DOS, OS/2, NT)
>9 byte =0x01 \b, from Amiga
>9 byte =0x02 \b, from VMS
>9 byte =0x03 \b, from Unix
>9 byte =0x04 \b, from VM/CMS
>9 byte =0x05 \b, from Atari
>9 byte =0x06 \b, from HPFS filesystem (OS/2, NT)
>9 byte =0x07 \b, from MacOS
>9 byte =0x08 \b, from Z-System
>9 byte =0x09 \b, from CP/M
>9 byte =0x0A \b, from TOPS/20
>9 byte =0x0B \b, from NTFS filesystem (NT)
>9 byte =0x0C \b, from QDOS
>9 byte =0x0D \b, from Acorn RISCOS
#>9 byte =0xFF \b, from ZyNOS
#>9 byte >0x0D \b, {invalid}
#>>9 byte x source: 0x%.2X
#>9 byte <0 \b, {invalid}
#>>9 byte x source: 0x%.2X
>3 byte &0x20 \b, encrypted ({invalid})
# Dates before 1992 are {invalid}, unless of course you're DD-WRT in which
# case you don't know how to set a date in your gzip files. Brilliant.
>4 lelong =0 \b, NULL date:
>4 lelong <0 \b, {invalid} date:
>4 lelong >0
>>4 lelong <694224000 \b, {invalid} date:
>>4 lelong =694224000 \b, {invalid} date:
>>4 lelong >694224000 \b, last modified:
>4 ledate x %s
>4 lelong x \b{file-epoch:%d}
# Supplementary magic data for the file(1) command to support
# rzip(1). The format is described in magic(5).
#
# Copyright (C) 2003 by Andrew Tridgell. You may do whatever you want with
# this file.
#
0 string RZIP rzip compressed data
>4 byte x - version %d
>5 byte x \b.%d
>6 belong x (%d bytes)
# JAR
0 belong 0xcafed00d JAR compressed with pack200,
>5 byte x version %d.
>4 byte x \b%d
# New LZMA format signature
# See lzma file for LZMA signatures
0 string \xFFLZMA\x00 LZMA compressed data (new),
>6 byte&0x10 0 single-block stream
>6 byte&0x10 0x10 multi-block stream
0 string \xff\x06\x00\x00\x73\x4e\x61\x50\x70\x59 Snappy compression, stream identifier
#0 beshort 0x7801 Zlib header, no compression
0 beshort 0x789c Zlib compressed data, default compression
0 beshort 0x78da Zlib compressed data, best compression
0 beshort 0x785e Zlib compressed data, compressed