How binwalk works

1. Installation

ReFirmLabs/binwalk: Firmware Analysis Tool (github.com)

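2. Command-line options

binwalk -t -vv -e <firmware-file>

The option that extracts the firmware's file system is -e.

Adding -t -vv shows the extraction process in detail.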

iot@research:~$ binwalk -h

Binwalk v2.2.1+772f271
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Disassembly Scan Options:
    -Y, --disasm                 Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>            Minimum number of consecutive instructions to be considered valid (default: 500)
    -k, --continue               Don't stop at the first match

Signature Scan Options:
    -B, --signature              Scan target file(s) for common file signatures
    -R, --raw=<str>              Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>           Specify a custom magic file to use
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type[:ext[:cmd]]>  Extract <type> signatures (regular expression), give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>        Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Delete carved files after extraction
    -z, --carve                  Carve data from files, but don't execute extraction utilities
    -V, --subdirs                Extract into sub-directories named by the offset

Entropy Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Save plot as a PNG
    -Q, --nlegend                Omit the legend from the entropy plot graph
    -N, --nplot                  Do not generate an entropy plot graph
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                Perform a hexdump / diff of a file or files
    -G, --green                  Only show lines containing bytes that are the same among all files
    -i, --red                    Only show lines containing bytes that are different among all files
    -U, --blue                   Only show lines containing bytes that are different among some files
    -u, --similar                Only display lines that are the same between all files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

Raw Compression Options:
    -X, --deflate                Scan for raw deflate compression streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Perform a superficial, but faster, scan
    -S, --stop                   Stop after the first result

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scan at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to file
    -c, --csv                    Log results to file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Enable the status server on the specified port

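The main options, paraphrased:

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Signature Scan Options:
    -B, --signature              Scan the target file(s) for common file signatures
    -R, --raw=<str>              Scan the target file(s) for the specified sequence of bytes
    -A, --opcodes                Scan the target file(s) for common executable opcode signatures
    -m, --magic=<file>           Use the specified custom magic file
    -b, --dumb                   Disable smart signature keywords
    -I, --invalid                Show results marked as invalid
    -x, --exclude=<str>          Exclude results that match <str>
    -y, --include=<str>          Only show results that match <str>

Extraction Options:
    -e, --extract                Automatically extract known file types
    -D, --dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka             Recursively scan extracted files
    -d, --depth=<int>            Limit the -M recursion depth (default: 8 levels)
    -C, --directory=<str>        Extract files or folders to the specified directory (default: current working directory)
    -j, --size=<int>             Limit the size of each extracted file
    -n, --count=<int>            Limit the number of extracted files
    -r, --rm                     Remove zero-size files that the extraction utilities could not handle during extraction
    -z, --carve                  Carve data from files, but do not run the extraction utilities

Entropy Options:
    -E, --entropy                Calculate file entropy
    -F, --fast                   Use faster, but less detailed, entropy analysis
    -J, --save                   Automatically save the entropy plot generated by -E as a PNG file instead of displaying it
    -Q, --nlegend                Omit the legend from the entropy plot
    -N, --nplot                  Do not generate an entropy plot
    -H, --high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                Hexdump the input file(s) with color coding: green - these bytes are the same in all files; red - these bytes differ in all files; blue - these bytes differ in some files
    -G, --green                  Only show lines containing bytes that are the same in all files
    -i, --red                    Only show lines containing bytes that are different in all files
    -U, --blue                   Only show lines containing bytes that are different in some files
    -w, --terse                  Diff all files, but only display a hex dump of the first file

Raw Compression Options:
    -X, --deflate                Brute-force identification of possible raw compressed data streams
    -Z, --lzma                   Scan for raw LZMA compression streams
    -P, --partial                Search for compression streams using only the common compression options; faster
    -S, --stop                   Stop after the first result

General Options:
    -l, --length=<int>           Number of bytes to scan
    -o, --offset=<int>           Start scanning at this file offset
    -O, --base=<int>             Add a base address to all printed offsets
    -K, --block=<int>            Set the file block size
    -g, --swap=<int>             Reverse every n bytes before scanning
    -f, --log=<file>             Log results to a file
    -c, --csv                    Log results to a file in CSV format
    -t, --term                   Format output to fit the terminal window
    -q, --quiet                  Suppress output to stdout
    -v, --verbose                Enable verbose output, including the target file's MD5 and the scan timestamp
    -h, --help                   Show help output
    -a, --finclude=<str>         Only scan files whose names match this regex
    -p, --fexclude=<str>         Do not scan files whose names match this regex
    -s, --status=<int>           Start the status server on the specified port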

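3. How it works

binwalk extracts files by scanning the firmware with its bundled, extensive set of magic signatures, looking for the signature bytes that mark the start of a file system. When a signature matches, binwalk dumps that segment of data. The magic signature set is public: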

binwalk/src/binwalk/magic/filesystems at 62e9caa164305a18d7d1f037ab27d14ac933d3cf · ReFirmLabs/binwalk (github.com)

#--------------------File Systems---------------------

# Minix filesystems
0x410   string      \x7f\x13\x00\x00\x00\x00    Minix filesystem, V1, little endian,
>0x402  beshort     x                           %d zones
>0x1e   string      minix                       \b, bootable
>0x1e   string      !minix
>>0x1e  string      !\x00\x00\x00\x00\x00       {invalid}

0x410   string      \x13\x7f\x00\x00\x00\x00    Minix filesystem, V1, big endian,
>0x402  beshort     x                           %d zones
>0x1e   string      minix                       \b, bootable
>0x1e   string      !minix
>>0x1e  string      !\x00\x00\x00\x00\x00       {invalid}

0x410   string      \x8f\x13\x00\x00\x00\x00    Minix filesystem, V1, little endian, 30 char names,
>0x402  beshort     x                           %d zones
>0x1e   string      minix                       \b, bootable
>0x1e   string      !minix
>>0x1e  string      !\x00\x00\x00\x00\x00       {invalid}

0x410   string      \x13\x8f\x00\x00\x00\x00    Minix filesystem, V1, big endian, 30 char names,
>0x402  beshort     x                           %d zones
>0x1e   string      minix                       \b, bootable
>0x1e   string      !minix
>>0x1e  string      !\x00\x00\x00\x00\x00       {invalid}

#0x410   leshort     0x2468      Minix filesystem, V2, little endian,
#>0x402  beshort     x           %d zones
#>0x1e   string      minix       \b, bootable

#0x410   beshort     0x2468      Minix filesystem, V2, big endian,
#>0x402  beshort     x           %d zones
#>0x1e   string      minix       \b, bootable

# YAFFS
0    string     \x03\x00\x00\x00\x01\x00\x00\x00\xFF\xFF\x00\x00    YAFFS filesystem, little endian
# The big endian signature has to be done a bit differently to prevent it from being self-overlapping
4    string     \x00\x00\x00\x01\xFF\xFF                            YAFFS filesystem, big endian
>0   string     !\x00\x00\x00\x03                                   {invalid}(first object is not a directory)
>10  string     !\x00                                               {invalid}(unexpected name in the first object entry)

# EFS2 file system - jojo@utulsa.edu
0      lelong       0x53000000       EFS2 Qualcomm filesystem super block, little endian,
>8     string       !EFSSuper        {invalid},
>4     leshort&0x01 1                NAND
>4     leshort&0x01 0                NOR
>4     leshort      x                version 0x%x,
>24    lelong       x                %d blocks,
>16    lelong       x                0x%x pages per block,
>20    lelong       x                0x%x bytes per page

0      belong       0x53000000       EFS2 Qualcomm filesystem super block, big endian,
>8     string       !SSFErepu        {invalid},
>4     beshort&0x01 1                NAND
>4     beshort&0x01 0                NOR
>4     beshort      x                version 0x%x,
>24    belong       x                %d blocks,
>16    belong       x                0x%x pages per block,
>20    belong       x                0x%x bytes per page

# TROC file system
0       string      TROC    TROC filesystem,
>4      lelong      x       %d file entries
>4      lelong      <1      {invalid}

# PFS file system
0       string    PFS/      PFS filesystem,
>5      byte      !0x2E     {invalid}
>4      string    x         version %s,
>14     leshort   x         %d files

# MPFS file system
0       string      MPFS     MPFS filesystem, Microchop,
>4      byte        <0       {invalid}
>4      byte        >10      {invalid}
>5      byte        <0       {invalid}
>4      byte        0
>>5     byte        0        {invalid}
>4      byte        x        version %d.
>5      byte        x        \b%d,
>6      leshort     <0       {invalid}
>6      leshort     x        %d file entries

# cramfs filesystem - russell@coker.com.au
0       lelong      0x28cd3d45      CramFS filesystem, little endian,
>4      lelong      <1              invalid size,{invalid}
>4      lelong      >1073741824     invalid size,{invalid}
>4      ulelong     x               size: %u,
>8      lelong      &1              version 2,
>8      lelong      &2              sorted_dirs,
>8      lelong      &4              hole_support,
>32     ulelong     0               invalid{invalid}
>32     ulelong     x               CRC 0x%.8X,
>36     ulelong     x               edition %u,
>40     lelong      <0              invalid blocks,{invalid}
>40     ulelong     x               %u blocks,
>44     lelong      <1              invalid file count,{invalid}
>44     ulelong     x               %u files
>4      ulelong     x               {jump:%u}
>4      ulelong     x               {size:%u}

0       belong      0x28cd3d45      CramFS filesystem, big endian
>4      belong      <1              {invalid}
>4      belong      >1073741824     {invalid}
>4      belong      x               size %u,
>8      belong      &1              version 2,
>8      belong      &2              sorted_dirs,
>8      belong      &4              hole_support,
>32     ubelong     0               invalid{invalid}
>32     ubelong     x               CRC 0x%.8X,
>36     belong      x               edition %u,
>40     belong      <0              invalid blocks,{invalid}
>40     ubelong     x               %u blocks,
>44     belong      <1              invalid file count,{invalid}
>44     ubelong     x               %u files
>4      ubelong     x               {jump:%u}
>4      ubelong     x               {size:%u}

# http://www.dubeiko.com/development/FileSystems/UBI/ubidesign.pdf
0       string      UBI!            UBI volume ID header,
>4      ubyte       x               version: %d,
>5      ubyte       x               type: %d,
>8      ubelong     x               volume id: %d,
>8      ubelong     >256            {invalid}
>12     ubelong     x               size: %d
>12     ubelong     !0              {invalid}
>28     string      !\x00*12        {invalid}

# http://lxr.free-electrons.com/source/fs/ubifs/ubifs-media.h
0       string      UBI\x23         UBI erase count header,
>4      ubyte       x               version: %d,
>5      string      !\x00*3         {invalid}
>8      ubequad     x               EC: 0x%lX,
>16     ubelong     x               VID header offset: 0x%X,
>20     ubelong     x               data offset: 0x%X
# dummy jump - actual jump value is determined in UBIValidPlugin
>20       ubyte       x               {jump:0}

# http://lxr.free-electrons.com/source/fs/ubifs/ubifs-media.h
0        lelong      0x06101831     UBIFS filesystem
>20      ubyte       <6             {invalid}
>20      ubyte       >7             {invalid} # Only look for superblock and master nodes
>22      leshort     !0             {invalid} # 2 bytes of padding should be filled with NULLs
>20      ubyte       6              superblock node,
>20      ubyte       7              master node,
>4       ulelong     x              CRC: 0x%X,
# Master node
>20      ubyte       7
>>24     lequad      x              highest inode: %d,
>>32     lequad      x              commit number: %d
# Superblock node
>20      ubyte       6
>>24     leshort     !0             {invalid}
>>28     ulelong      x             flags: 0x%X,
>>32     lelong      x              min I/O unit size: %d,
>>36     lelong      x              erase block size: %d,
>>40     lelong      x              erase block count: %d,
>>44     lelong      x              max erase blocks: %d,
>>80     lelong      x              format version: %d,
>>84     uleshort    >2             {invalid}
>>84     uleshort    x              compression type:
>>84     uleshort    0              none
>>84     uleshort    1              lzo
>>84     uleshort    2              zlib
>>86     leshort     !0             invalid padding,{invalid}
>>128    string      !\x00*3968     invalid padding{invalid}

# JFFS2 file system
# If used with binwalk's smart signature feature (on by default, -S to disable)
# this signature can potentially lead to missing some JFFS2 file systems if there
# are multiple JFFS2 file systems in a target file and there are no other identified
# files in between the JFFS2 file systems. This is an unlikely scenario however, and
# the below signatures are much improved in terms of readability and accuracy in the
# vast majority of real world scenarios.
0                   uleshort    0x1985      JFFS2 filesystem, little endian
>2                  uleshort    !0xE001
>>2                 uleshort    !0xE002
>>>2                uleshort    !0x2003
>>>>2               uleshort    !0x2004
>>>>>2              uleshort    !0x2006
>>>>>>2             uleshort    !0xE008
>>>>>>>2            uleshort    !0xE009     {invalid}
>4                  lelong      0           {invalid}
>4                  lelong      <0          {invalid}
>4                  lelong      x           {many}{jump:%d}

0                   ubeshort    0x1985      JFFS2 filesystem, big endian
>2                  ubeshort    !0xE001
>>2                 ubeshort    !0xE002
>>>2                ubeshort    !0x2003
>>>>2               ubeshort    !0x2004
>>>>>2              ubeshort    !0x2006
>>>>>>2             ubeshort    !0xE008
>>>>>>>2            ubeshort    !0xE009     {invalid}
>4                  belong      0           {invalid}
>4                  belong      <0          {invalid}
>4                  belong      x           {many}{jump:%d}


# Squashfs, big endian
0       string  sqsh    Squashfs filesystem, big endian,
>28     beshort >10     {invalid}
>28     beshort <1      {invalid}
>30     beshort >10     {invalid}
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20    beshort 3       \bgzip (non-standard type definition),
>>20    beshort 4       \bxz,
>>20    beshort 0       \b{invalid},
>>20    beshort >4      \b{invalid},
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       \b{jump:%d}
>>8     belong  x       \b{size:%d}
>28     beshort 3
>>63    bequad  x       size: %ld bytes,
>>63    bequad  x       \b{jump:%ld}
>>63    bequad  x       \b{size:%ld}
>28     beshort >3
>>40    bequad  x       size: %ld bytes,
>>40    bequad  x       \b{jump:%ld}
>>40    bequad  x       \b{size:%ld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate  x       created: %s

# Squashfs, little endian
0       string  hsqs    Squashfs filesystem, little endian,
>28     leshort >10     {invalid}
>28     leshort <1      {invalid}
>30     leshort >10     {invalid}
>28     leshort x       version %d.
>30     leshort x       \b%d,
>28     leshort >3      compression:
>>20    leshort 1       \bgzip,
>>20    leshort 2       \blzma,
>>20    leshort 3       \bgzip (non-standard type definition),
>>20    leshort 4       \bxz,
>>20    leshort 0       \b{invalid},
>>20    leshort >4      \b{invalid},
>28     leshort <3
>>8     lelong  x       size: %d bytes,
>>8     lelong  x       {size:%d}
>28     leshort 3
>>63    lequad  x       size: %ld bytes,
>>63    lequad  x       {size:%ld}
>28     leshort >3    
>>40    lequad  x       size: %ld bytes,
>>40    lequad  x       {size:%ld}
>4      lelong  x       %d inodes,
>28     leshort >3
>>12    lelong  x       blocksize: %d bytes,
>28     leshort <2
>>32    leshort x       blocksize: %d bytes,
>28     leshort 2
>>51    lelong  x       blocksize: %d bytes,
>28     leshort 3
>>51    lelong  x       blocksize: %d bytes,
>28     leshort <4
>>39    ledate  x       created: %s
>28     leshort >3
>>8     ledate  x       created: %s
>28     leshort <3
>>8     lelong  x       {jump:%d}
>28     leshort 3
>>63    lequad  x       {jump:%ld}
>28     leshort >3
>>40    lequad  x       {jump:%ld}

# Squashfs with LZMA compression
0       string  sqlz    Squashfs filesystem, big endian, lzma compression, 
>28     beshort >10     {invalid}
>28     beshort <1      {invalid}
>30     beshort >10     {invalid}
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20    beshort 3       \bgzip (non-standard type definition),
>>20    beshort 4       \blzma (non-standard type definition),
>>20    beshort 0       \b{invalid},
>>20    beshort >4      \b{invalid},
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       {size:%d}
>28     beshort 3
>>63    bequad  x       size: %ld bytes,
>>63    bequad  x       {size:%ld}
>28     beshort >3
>>40    bequad  x       size: %ld bytes,
>>40    bequad  x       {size:%ld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate  x       created: %s
>28     beshort <3
>>8     belong  x       {jump:%d}
>28     beshort 3
>>63    bequad  x       {jump:%ld}
>28     beshort >3
>>40    bequad  x       {jump:%ld}

# Squashfs 3.3 LZMA signature
0       string  qshs    Squashfs filesystem, big endian, lzma signature,
>28     beshort >10     {invalid}
>28     beshort <1      {invalid}
>30     beshort >10     {invalid}
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20    beshort 3       \bgzip (non-standard type definition),
>>20    beshort 4       \bxz,
>>20    beshort 0       \b{invalid},
>>20    beshort >4      \b{invalid},
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       {size:%d}
>28     beshort 3
>>63    bequad  x       size: %ld bytes,
>>63    bequad  x       {size:%ld}
>28     beshort >3
>>40    bequad  x       size: %ld bytes,
>>40    bequad  x       {size:%ld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate  x       created: %s
>28     beshort <3
>>8     belong  x       {jump:%d}
>28     beshort 3
>>63    bequad  x       {jump:%ld}
>28     beshort >3
>>40    bequad  x       {jump:%ld}

# Squashfs for DD-WRT
0       string  tqsh    Squashfs filesystem, big endian, DD-WRT signature,
>28     beshort >10     {invalid}
>28     beshort <1      {invalid}
>30     beshort >10     {invalid}
>28     beshort x       version %d.
>30     beshort x       \b%d,
>28     beshort >3      compression:
>>20    beshort 1       \bgzip,
>>20    beshort 2       \blzma,
>>20    beshort 3       \bgzip (non-standard type definition),
>>20    beshort 4       \bxz,
>>20    beshort 0       \b{invalid},
>>20    beshort >4      \b{invalid},
>28     beshort <3
>>8     belong  x       size: %d bytes,
>>8     belong  x       {size:%d}
>28     beshort 3
>>63    bequad  x       size: %ld bytes,
>>63    bequad  x       {size:%ld}
>28     beshort >3
>>40    bequad  x       size: %ld bytes,
>>40    bequad  x       {size:%ld}
>4      belong  x       %d inodes,
>28     beshort >3
>>12    belong  x       blocksize: %d bytes,
>28     beshort <2
>>32    beshort x       blocksize: %d bytes,
>28     beshort 2
>>51    belong  x       blocksize: %d bytes,
>28     beshort 3
>>51    belong  x       blocksize: %d bytes,
>28     beshort <4
>>39    bedate  x       created: %s
>28     beshort >3
>>8     bedate  x       created: %s
>28     beshort <3
>>8     belong  x       {jump:%d}
>28     beshort 3
>>63    bequad  x       {jump:%ld}
>28     beshort >3
>>40    bequad  x       {jump:%ld}

# Squashfs for DD-WRT
0       string  hsqt    Squashfs filesystem, little endian, DD-WRT signature,
>28     leshort >10     {invalid}
>28     leshort <1      {invalid}
>30     leshort >10     {invalid}
>28     leshort x       version %d.
>30     leshort x       \b%d,
>28     leshort >3      compression:
>>20    leshort 1       \bgzip,
>>20    leshort 2       \blzma,
>>20    leshort 3       \bgzip (non-standard type definition),
>>20    leshort 4       \bxz,
>>20    leshort 0       \b{invalid},
>>20    leshort >4      \b{invalid},
>28     leshort <3
>>8     lelong  x       size: %d bytes,
>>8     lelong  x       {size:%d}
>28     leshort 3
>>63    lequad  x       size: %ld bytes,
>>63    lequad  x       {size:%ld}
>28     leshort >3
>>40    lequad  x       size: %ld bytes,
>>40    lequad  x       {size:%ld}
>4      lelong  x       %d inodes,
>28     leshort >3
>>12    lelong  x       blocksize: %d bytes,
>28     leshort <2
>>32    leshort x       blocksize: %d bytes,
>28     leshort 2
>>51    lelong  x       blocksize: %d bytes,
>28     leshort 3
>>51    lelong  x       blocksize: %d bytes,
>28     leshort <4
>>39    ledate  x       created: %s
>28     leshort >3
>>8     ledate  x       created: %s
>28     leshort <3
>>8     lelong  x       {jump:%d}
>28     leshort 3
>>63    lequad  x       {jump:%ld}
>28     leshort >3
>>40    lequad  x       {jump:%ld}

# Non-standard Squashfs signature found on some D-Link routers
0       string  shsq    Squashfs filesystem, little endian, non-standard signature, 
>28     leshort >10     {invalid}
>28     leshort <1      {invalid}
>30     leshort >10     {invalid}
>28     leshort x       version %d.
>30     leshort x       \b%d,
>28     leshort >3      compression:
>>20    leshort 1       \bgzip,
>>20    leshort 2       \blzma,
>>20    leshort 3       \bgzip (non-standard type definition),
>>20    leshort 4       \bxz,
>>20    leshort 0       \b{invalid},
>>20    leshort >4      \b{invalid},
>28     leshort <3
>>8     lelong  x       size: %d bytes,
>>8     lelong  x       {size:%d}
>28     leshort 3
>>63    lequad  x       size: %ld bytes,
>>63    lequad  x       {size:%ld}
>28     leshort >3
>>40    lequad  x       size: %ld bytes,
>>40    lequad  x       {size:%ld}
>4      lelong  x       %d inodes,
>28     leshort >3
>>12    lelong  x       blocksize: %d bytes,
>28     leshort <2
>>32    leshort x       blocksize: %d bytes,
>28     leshort 2
>>51    lelong  x       blocksize: %d bytes,
>28     leshort 3
>>51    lelong  x       blocksize: %d bytes,
>28     leshort <4
>>39    ledate  x       created: %s
>28     leshort >3
>>8     ledate  x       created: %s
>28     leshort <3
>>8     lelong  x       {jump:%d}
>28     leshort 3
>>63    lequad  x       {jump:%ld}
>28     leshort >3
>>40    lequad  x       {jump:%ld}

# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
# http://etbe.coker.com.au/2008/07/08/label-vs-uuid-vs-device/
0x438       uleshort        0xEF53          Linux EXT filesystem,
>0x43A      leshort         >4              {invalid}invalid state
>0x43A      leshort         3               {invalid}invalid state
>0x43A      leshort         <0              {invalid}invalid state
>0x43C      leshort         >3              {invalid}invalid error behavior
>0x43C      leshort         <0              {invalid}invalid error behavior
>0x43C      lelong          >4              {invalid}invalid major revision
>0x43C      lelong          <0              {invalid}invalid major revision
>0x43C      lelong          x               rev %d
>0x43E      leshort         x               \b.%d,
# No journal?  ext2
>0x438+36   lelong&0x04     0               ext2 filesystem data
>>0x43A     leshort&0x01    0               (mounted or unclean)
# Has a journal?  ext3 or ext4
>0x438+36   lelong          &0x0000004
#  and small INCOMPAT?
>>0x438+40  lelong          <0x0000040
#   and small RO_COMPAT?
>>>0x438+44 lelong          <0x0000008      ext3 filesystem data
#   else large RO_COMPAT?
>>>0x438+44 lelong          >0x0000007      ext4 filesystem data
#  else large INCOMPAT?
>>0x438+40  lelong          >0x000003f      ext4 filesystem data
>0x438+48   ubelong         x               \b, UUID=%08x
>0x438+52   ubeshort        x               \b-%04x
>0x438+54   ubeshort        x               \b-%04x
>0x438+56   ubeshort        x               \b-%04x
>0x438+58   ubelong         x               \b-%08x
>0x438+60   ubeshort        x               \b%04x
>0x438+64   byte            !0
>>0x438+64  string          x               \b, volume name "%s"


#romfs filesystems - Juan Cespedes <cespedes@debian.org>
0       string      -rom1fs-\0      romfs filesystem, version 1
>8      belong      >10000000       {invalid}
>8      belong      <1              {invalid}
>8      belong      x               size: %d bytes,
>16     string      x               {name:%s}
>16     string      x               named "%s"
>8      belong      x               {size:%d}
>8      belong      x               {jump:%d}

# Not to be confused with an actual romfs image!
# ftp://ftp.dlink.eu/Products/dir/dir-600/driver_software/DIR-600_fw_revC1_3-05B15__all_en_20120216.zip
0x10    string          ROMFS\x20v      D-Link ROMFS filesystem,
>0x17   string          x               version %s,
>0      string          !\x2EmoR
>>0     string          !Rom\x2E        {invalid} unknown endianess
>0      string          \x2EmoR         little endian,
>>8     lelong          x               size: <= %d
>>8     lelong-0x20     x               {jump:%d}
>0      string          Rom\x2E         big endian,
>>8     belong          x               size: <= %d
>>8     belong-0x20     x               {jump:%d}

# Wind River MemFS file system, found in some VxWorks devices
0       string    owowowowowowowowowowowowowowow    Wind River management filesystem,{overlap}
>30     string    !ow                               {invalid},
>32     belong    1                                 compressed,
>32     belong    2                                 plain text,
>32     belong    <1                                {invalid}
>32     belong    >2                                {invalid}
>36     belong    x                                 %d files

# Wind River MemFS file system, found in some VxWorks devices
0       string    OWOWOWOWOWOWOWOWOWOWOWOWOWOWOW    Wind River management filesystem,{overlap}
>30     string    !OW                               {invalid},
>32     lelong    1                                 compressed,
>32     lelong    2                                 plain text,
>32     lelong    <1                                {invalid}
>32     lelong    >2                                {invalid}
>36     lelong    x                                 %d files

# ISO 9660 Boot Record - http://wiki.osdev.org/ISO_9660
0       string      \x00CD001\x01                   ISO 9660 Boot Record,
>7      byte        !0
>>7      string      x                               Boot System Identifier: "%.32s",
>39      byte        !0
>>39     string      x                               Boot Identifier: "%.32s"

# ISO 9660 Primary Volume - http://wiki.osdev.org/ISO_9660
0       string      \x01CD001\x01\x00               ISO 9660 Primary Volume,
>8      byte        !0
>>8      string      x                               System Identifier: "%.32s",
>40      byte        !0
>>40     string      x                               Volume Identifier: "%.32s"

# netboot image - Juan Cespedes <cespedes@debian.org>
0       lelong              0x1b031336      Netboot image,
>4      lelong&0xFFFFFF00   0
>>4     lelong&0x100        0x000           mode 2
>>4     lelong&0x100        0x100           mode 3
>4      lelong&0xFFFFFF00   !0              unknown mode {invalid}

18      string            WDK\x202.0\x00    WDK file system, version 2.0,
>11     byte              !0                %d files,
>4      bedate            !0                Last modified %s GMT

32769   string        CD001                                         ISO
>6144   string        !NSR0                                         9660 CD-ROM filesystem data,
>6144   string        NSR0                                          UDF filesystem data,
>32770  byte          !1                                            {invalid}
>6148   string        1                                             version 1.0,
>6148   string        2                                             version 2.0,
>6148   string        3                                             version 3.0
>6148   byte          >0x33                                         {invalid} version,
>6148   byte          <0x31                                         {invalid} version,
>38     byte          !0
>>38    string        x                                             volume name: "%s",
>2047   string        \000CD001\001EL\x20TORITO\x20SPECIFICATION    bootable

# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
0               string      DOSEMU\0        DOS Emulator image
>0x27E          leshort     !0xAA55         {invalid}
>0x27E          leshort     0xAA55
#offset is 128
>>19            byte        128
>>>(19.b-1)     byte        0x0
>>>>7           lelong      >0              \b, %d heads
>>>>11          lelong      >0              \b, %d sectors/track
>>>>15          lelong      >0              \b, %d cylinders

# From: Alex Beregszaszi <alex@fsn.hu>
0       string  COWD\x03        VMWare3 disk image,
>32     lelong  x               (%d/
>36     lelong  x               \b%d/
>40     lelong  x               \b%d)

0       string  COWD\x02    VMWare3 undoable disk image,
>32     byte    !0
>32     string  x           "%s"

# TODO: Add header validation
0       string        VMDK             VMware4 disk image
0       string        KDMV             VMware4 disk image

#--------------------------------------------------------------------
# Qemu Emulator Image
# Lines written by Friedrich Schwittay (f.schwittay@yousable.de)
# Updated by Adam Buchbinder (adam.buchbinder@gmail.com)
# Made by reading sources, reading documentation, and doing trial and error
# on existing QCOW files
0       string        QFI\xFB       QEMU QCOW Image

# BSD 2.x file system image; used in RetroBSD for PIC32.
0        string        FS\x3C\x3C       BSD 2.x filesystem,
>1020    string        !\x3E\x3EFS      {invalid}(missing FSMAGIC2),
>8       lelong*1024   x                size: %d bytes,
>8       lelong*1024   x                {size:%d}
>8       lelong*1024   x                {jump:%d}
>8       lelong        x                total blocks: %d,
>972     lelong        x                free blocks: %d,
>968     ledate        x                last modified: %s
>980     byte          !0
>>980    string        x                \b, last mounted on: "%s"

# Simple file system found in Foscam camera firmware
0       beshort  0xbd9a  Foscam WebUI filesystem,
>2      uleshort x       checksum: 0x%X,
>16     lelong   <3      {invalid}invalid first file name length,
>16     lelong   >127    {invalid}invalid first file name length,
>20     byte     0       {invalid}invalid first file name,
>20     byte     !0x2E
>>20    byte     !0x2F
>>>20   byte     <65     {invalid}invalid first file name,
>>>20   byte     >122    {invalid}invalid first file name,
>16     lelong   x       {strlen:%d}
>20     string   x       first file name: "{string}"

# QNX6 filesystem
0       string   \xEB\x10\x90\x00    QNX6 filesystem

# QNX IFS
0       string   \xEB\x7E\xFF\x00    QNX IFS
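
The scan, validate and carve loop described in section 3, written out for two signatures from the listing above (little-endian Squashfs "hsqs" and little-endian CramFS). This is an added example, not binwalk's own code: the function names and the sample image are constructed here, and it assumes that {jump:N} means "resume scanning N bytes after the match".

```python
import struct

SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "gzip (non-standard type definition)", 4: "xz"}
CRAMFS_MAGIC = struct.pack("<I", 0x28CD3D45)        # rule: 0 lelong 0x28cd3d45

def check_squashfs_le(buf, off):
    """Apply the 'hsqs' rules; return (description, size) or None for {invalid}."""
    try:
        major, minor = struct.unpack_from("<HH", buf, off + 28)
        if major < 1 or major > 10 or minor > 10:    # >28 / >30 {invalid} rules
            return None
        detail = ""
        if major > 3:                                # v4+: compression at 20, size at 40
            comp, = struct.unpack_from("<H", buf, off + 20)
            if comp not in SQUASHFS_COMP:            # 0 and >4 are {invalid}
                return None
            detail = f"compression: {SQUASHFS_COMP[comp]}, "
            size, = struct.unpack_from("<Q", buf, off + 40)
        elif major == 3:                             # v3: size at 63
            size, = struct.unpack_from("<Q", buf, off + 63)
        else:                                        # v1/v2: size at 8
            size, = struct.unpack_from("<I", buf, off + 8)
        inodes, = struct.unpack_from("<I", buf, off + 4)
    except struct.error:                             # header runs past end of file
        return None
    return (f"Squashfs filesystem, little endian, version {major}.{minor}, "
            f"{detail}size: {size} bytes, {inodes} inodes", size)

def check_cramfs_le(buf, off):
    """Apply the little-endian CramFS rules; None for {invalid}."""
    try:
        size, = struct.unpack_from("<i", buf, off + 4)
        crc, edition, blocks, files = struct.unpack_from("<IIii", buf, off + 32)
    except struct.error:
        return None
    if size < 1 or size > 1073741824 or crc == 0 or blocks < 0 or files < 1:
        return None
    return (f"CramFS filesystem, little endian, size: {size}, CRC 0x{crc:08X}, "
            f"edition {edition}, {blocks} blocks, {files} files", size)

SIGNATURES = [(b"hsqs", check_squashfs_le), (CRAMFS_MAGIC, check_cramfs_le)]

def scan(buf):
    """Return [(offset, description, size)] for every validated signature."""
    hits = []
    for magic, check in SIGNATURES:
        pos = buf.find(magic)
        while pos != -1:
            hits.append((pos, check))
            pos = buf.find(magic, pos + 1)
    results, resume_at = [], 0
    for off, check in sorted(hits, key=lambda h: h[0]):
        if off < resume_at:          # inside a region already claimed via {jump}
            continue
        parsed = check(buf, off)
        if parsed is None:           # magic bytes matched, sanity rules did not
            continue
        desc, size = parsed
        results.append((off, desc, size))
        if off + size <= len(buf):   # only trust the jump if the region fits the file
            resume_at = off + size
    return results

def carve(buf, off, size):
    """Dump the matched region, clamped to the end of the file."""
    return bytes(buf[off:min(off + size, len(buf))])

def cramfs_header(size):
    """Constructed CramFS header of `size` bytes (size >= 48)."""
    h = bytearray(size)
    struct.pack_into("<Ii", h, 0, 0x28CD3D45, size)
    struct.pack_into("<IIii", h, 32, 0xDEADBEEF, 0, 1, 2)   # CRC, edition, blocks, files
    return bytes(h)

def build_sample():
    """Constructed image: two decoys, a Squashfs v4 superblock, then a CramFS header."""
    pad = bytearray(b"\xff" * 0x100)
    pad[0x10:0x14] = b"hsqs"          # decoy: version fields read 0xFFFF -> {invalid}
    pad[0x80:0x84] = CRAMFS_MAGIC     # decoy: size field reads -1 -> {invalid}
    sq = bytearray(256)
    struct.pack_into("<4sI", sq, 0, b"hsqs", 3)     # magic, inode count
    struct.pack_into("<I", sq, 12, 131072)          # block size
    struct.pack_into("<H", sq, 20, 4)               # compression id 4 = xz
    struct.pack_into("<HH", sq, 28, 4, 0)           # version 4.0
    struct.pack_into("<Q", sq, 40, len(sq))         # bytes used -> {size}/{jump}
    sq[128:192] = cramfs_header(64)   # valid-looking header inside the Squashfs data
    return bytes(pad + sq + cramfs_header(128) + b"\xff" * 16)

if __name__ == "__main__":
    fw = build_sample()
    for off, desc, size in scan(fw):
        print(f"{off:<10}0x{off:<8X}{desc}  [carved {len(carve(fw, off, size))} bytes]")
```
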