Improved false positive detection for ELF, PNG and TRX signatures

ef653b30 · devttys0 · 4508cec8 · ef653b30 · ef653b30 · ef653b30
Commit ef653b30 authored Dec 21, 2013 by devttys0
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

binwalk src/binwalk/magic/binwalk +0 -0

executables src/magic/executables +4 -1

firmware src/magic/firmware +2 -0

images src/magic/images +4 -2

No files found.
--- a/src/binwalk/magic/binwalk
+++ b/src/binwalk/magic/binwalk
--- a/src/magic/executables
+++ b/src/magic/executables
@@ -23,7 +23,10 @@
 >>18	beshort		10
 >>>36	belong		&0x20		N32
 >4	byte		2		64-bit
->5	byte		0		invalid byte order
+>4	byte		>2
+>>4	byte		x		unknown ELF class: 0x%X
+>5	byte		!1
+>>5	byte		!2		invalid byte order
 >5	byte		1		LSB
 # The official e_machine number for MIPS is now #8, regardless of endianness.
 # The second number (#10) will be deprecated later. For now, we still

--- a/src/magic/firmware
+++ b/src/magic/firmware
@@ -95,6 +95,7 @@
 >4	lelong		x		image size: %d bytes,
 >8	lelong		x		CRC32: 0x%X
 >12	leshort		x		flags: 0x%X,
+>14	leshort		>5		invalid
 >14	leshort		x		version: %d
 0	string		0RDH	TRX firmware header, big endian, header size: 28 bytes,
@@ -102,6 +103,7 @@
 >4	belong		x		image size: %d bytes,
 >8	belong		x		CRC32: 0x%X
 >12	beshort		x		flags: 0x%X,
+>14	beshort		>5		invalid
 >14	beshort		x		version: %d

--- a/src/magic/images
+++ b/src/magic/images
@@ -11,8 +11,10 @@
 # 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
 #
 0       string          \x89PNG\x0d\x0a\x1a\x0a         PNG image
->16	belong		0		invalid
+>16		belong			<1				invalid
->20	belong		0		invalid
+>16		belong			>10000			invalid
+>20		belong			<1				invalid
+>20		belong			>10000			invalid
 >16     belong          x               \b, %ld x
 >20     belong          x               %ld,
 >24     byte            x               %d-bit