Binary Analysis Tool

Binary Analysis Tool Quick Start Guide

This tool was developed by:

Sponsored by:

Version 4

Table of Contents

Getting and installing the tool
  Technical requirements
  Get the tool
  Confirm it is correctly installed
Get to work
  Automated extraction of the version and configuration of busybox
  Extraction of file systems
  Automated checking for the Linux kernel
  Brute force scanning of firmware
  Feeding known information through a knowledgebase
More information

Getting and installing the tool

Technical requirements

A recent Linux installation. We have tested on Fedora 13, Fedora 14 and Ubuntu 10.10.

- python (2.5 or higher preferred, but not 3)
- python-magic
- GNU binutils (for readelf and strings)
- e2tools http://freshmeat.net/projects/e2tools/ (optional)
- squashfs tools (4.0 highly recommended)
- module-init-tools (for modinfo)
- gzip (for zcat)
- xz (for lzma)
- zip
- unrar
- cabextract
- 7z
- cpio
- tar
- PyXML
- sqlite3

Get the tool

You can download the latest release version of the tool from:

http://www.binaryanalysis.org/en/content/show/download

The tool is available as an RPM for Fedora 13 and Fedora 14, as an SRPM so it can be rebuilt on another distribution, and as a DEB package for Ubuntu 10.10.

You can access the latest development version through Subversion at:

http://www.binaryanalysis.org/trac/browser

Confirm it is correctly installed

If you used a binary package (RPM, DEB) you can check that the installation works by executing the bruteforce.py tool from the command line:

$ bruteforce.py -c /etc/bat/bruteforce-config -b /path/to/binary

If you downloaded the source code, open a terminal and navigate to the folder the source code was unpacked into. Please note that you might have to install some dependencies yourself if you used this method. Test the tool by running the bruteforce scanner on a binary:

$ python ./bruteforce.py -c ./bruteforce-config --binary=/path/to/binary

If you see XML output the tool is installed correctly. If you did not see the expected output, please download and read the user manual.

Get to work

At the moment the tool is focused on the analysis of binary firmware. It provides:

- Automated extraction of the version and configuration of BusyBox;
- Extraction of file systems;
- Automated checking for the Linux kernel;
- Brute force scanning of firmware;
- Feeding known information through a knowledgebase.

All the top level scripts have a --help option which displays more information on how to invoke the scripts.

Automated extraction of the version and configuration of busybox

The busybox.py tool has three modes: printing a possible configuration extracted from a BusyBox binary, printing the names of applets for which no configuration exists in the source code of the official BusyBox release, or both. By default it prints just a configuration that could have been used to compile the BusyBox binary. In the near future there will be an export to a very simple XML file as well.

Example invocations:

$ python busybox.py --binary=test/busybox --found
$ python busybox.py --binary=test/busybox --found --missing
$ python busybox.py --binary=test/busybox --missing

The busyboxversion.py tool does one thing: printing the version number of a BusyBox binary.

$ python busyboxversion.py --binary=test/busybox

The busybox-compare-configs.py tool can be used to compare an extracted configuration with an existing configuration. The tool takes at least two parameters: the path of the configuration extracted from a BusyBox binary and the configuration from a source archive. If available, the BusyBox version number can be supplied to weed out some false positives.

$ python busybox-compare-configs.py -e /tmp/extracted-config -f /tmp/original-config
$ python busybox-compare-configs.py -e /tmp/extracted-config -f /tmp/original-config -n 1.11.1

The appletname-extractor.py tool takes two arguments: the full path to include/applets.h of a BusyBox source tree and a version number. It outputs a Python pickle file, which should be stored in the directory 'configs' before it can be used by busybox.py.

$ python appletname-extractor.py -a /tmp/busybox-1.00-rc3/include/applets.h -n 1.00-rc3

This tool is typically run when a new version of BusyBox is released.

Extraction of file systems

There are currently no standalone scripts to extract individual file systems. The code is used from other scripts, such as bruteforce.py.
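The following added example illustrates the idea behind busybox.py, busyboxversion.py and busybox-compare-configs.py as described above: a BusyBox binary carries its version banner and a NUL-separated table of applet names, so the applets present imply the CONFIG_ options that were enabled at build time, and a name that maps to no known option points at a vendor addition. This is example code, not BAT's own: the applet-to-option table, the sample binary, the sample .config and the heuristic used to locate the applet table are all constructed assumptions.

```python
import re

# Constructed applet -> config option table: a stand-in for the pickle files
# appletname-extractor.py builds from include/applets.h (assumed, not BAT's).
APPLET_CONFIGS = {
    b"ash": "CONFIG_ASH",
    b"mount": "CONFIG_MOUNT",
    b"sed": "CONFIG_SED",
    b"telnetd": "CONFIG_TELNETD",
    b"wget": "CONFIG_WGET",
}
VERSION_RE = re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)")
APPLET_NAME_RE = re.compile(rb"[a-z0-9_.-]{2,20}")

# Constructed stand-in for a BusyBox binary: fake header, version banner and a
# NUL-separated, sorted applet name table with one vendor-added applet.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"BusyBox v1.11.1 (2008-06-01 00:00:00 UTC) multi-call binary\x00"
    + b"Usage: %s\x00"
    + b"\x00".join([b"ash", b"mount", b"telnetd", b"vendor_cfg", b"wget"])
    + b"\x00\x00some other text\x00"
)
# Constructed .config as shipped in a source archive, to compare against.
ORIGINAL_CONFIG = """\
CONFIG_ASH=y
# CONFIG_MOUNT is not set
CONFIG_SED=y
CONFIG_TELNETD=y
CONFIG_WGET=y
CONFIG_FEATURE_VERBOSE_USAGE=y
"""


def busybox_version(data):
    """Version number from the banner, as busyboxversion.py reports it."""
    m = VERSION_RE.search(data)
    return m.group(1).decode() if m else None


def find_applet_table(data, known):
    """Locate the applet name table: the longest run of consecutive
    NUL-separated, printable, alphabetically sorted tokens that contains at
    least two known applet names (a heuristic assumed here, not BAT's own)."""
    best, run = [], []
    for tok in data.split(b"\x00") + [b""]:  # sentinel flushes the last run
        if APPLET_NAME_RE.fullmatch(tok) and (not run or run[-1] < tok):
            run.append(tok)
            continue
        if sum(t in known for t in run) >= 2 and len(run) > len(best):
            best = run
        run = [tok] if APPLET_NAME_RE.fullmatch(tok) else []
    return best


def extract_config(data):
    """Config options implied by the applets present (--found) and applet
    names with no known config option (--missing)."""
    table = find_applet_table(data, APPLET_CONFIGS)
    config = sorted(APPLET_CONFIGS[t] for t in table if t in APPLET_CONFIGS)
    missing = sorted(t.decode() for t in table if t not in APPLET_CONFIGS)
    return config, missing


def parse_dot_config(text):
    """Kconfig-style .config text -> {option: enabled}."""
    enabled = {}
    for line in text.splitlines():
        on = re.fullmatch(r"(CONFIG_\w+)=.*", line.strip())
        off = re.fullmatch(r"# (CONFIG_\w+) is not set", line.strip())
        if on or off:
            enabled[(on or off).group(1)] = bool(on)
    return enabled


def compare_configs(extracted, original_text):
    """Options enabled in the binary but not in the source .config, and vice
    versa, limited to options an applet scan can observe (so unrelated
    CONFIG_FEATURE_* options are not reported as mismatches)."""
    original = parse_dot_config(original_text)
    observable = set(APPLET_CONFIGS.values())
    binary_only = sorted(o for o in extracted if not original.get(o, False))
    source_only = sorted(o for o, on in original.items()
                         if on and o in observable and o not in extracted)
    return binary_only, source_only


if __name__ == "__main__":
    cfg, missing = extract_config(SAMPLE_BINARY)
    print(busybox_version(SAMPLE_BINARY), cfg, missing)
    print(compare_configs(cfg, ORIGINAL_CONFIG))
```

On the constructed binary the scan reports version 1.11.1, four known options, one applet (vendor_cfg) with no known option, CONFIG_MOUNT as enabled in the binary but disabled in the source .config, and CONFIG_SED as enabled in the source but absent from the binary. Restricting the comparison to observable options is what keeps options such as CONFIG_FEATURE_VERBOSE_USAGE, which no applet name reveals, from showing up as false mismatches.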

Automated checking for the Linux kernel

The findkernelstrings.py tool takes at least two parameters: the path to the binary kernel image and the path to the directory containing a search database, generated with the extractkernelstrings.py helper script. By default the tool reports which strings are found and in which file. There is an option to print which strings were not found and which might need further investigation. It should be noted that right now not all strings are correctly detected and there will be false positives. To avoid many false positives we have set a minimum length for the strings we look at. This limit can be changed if necessary.

If configuration information extracted with extractkernelconfig.py is available, this can be fed to the tool to try and guess a kernel configuration. This functionality is limited at the moment. If information about the architecture is available it can be supplied as well, although this is very crude at the moment.

$ python findkernelstrings.py -k /tmp/kernelimage -i /tmp/kernelstrings
$ python findkernelstrings.py -k /tmp/kernelimage -i /tmp/kernelstrings -m
$ python findkernelstrings.py -k /tmp/kernelimage -i /tmp/kernelstrings -s 9
$ python findkernelstrings.py -k /tmp/kernelimage -i /tmp/kernelstrings -c /tmp/kernelconfig
$ python findkernelstrings.py -k /tmp/kernelimage -i /tmp/kernelstrings -c /tmp/kernelconfig -a mips

The extractkernelconfig.py tool takes two arguments: the path to a directory with the unpacked Linux kernel sources and a path to a directory in which to store the search database. To ensure correctness, the Linux kernel sources should be a directory to which all necessary patches have already been applied: the patch file format does not work well with our multiline regular expressions and could also lead to false positives.

$ python extractkernelconfig.py -d ~/linux-2.6.15/ -i /tmp/kernelconfig/

The extractkernelstrings.py tool takes two arguments: the path to a directory with the unpacked Linux kernel sources and a path to a directory in which to store the search database. To ensure correctness, the Linux kernel sources should be a directory to which all necessary patches have already been applied: the patch file format does not work well with our multiline regular expressions and could also lead to false positives.

$ python extractkernelstrings.py -d ~/linux-2.6.15/ -i /tmp/kernelstrings/

Brute force scanning of firmware

The bruteforce.py tool tries to determine what is inside a firmware image without prior knowledge of its contents. It does so by scanning for known magic markers of file systems (such as SquashFS) and compression methods (such as gzip), and for bootloader and kernel strings, then unpacking these files and doing a more in-depth analysis of them. The checks that bruteforce.py runs can be configured through a configuration file. Documentation for the format of the configuration file is included in the source distribution. The source release also contains a demo configuration which enables basic functionality. The bruteforce.py tool outputs its results in XML.

$ python bruteforce.py -b /tmp/firmware.bin -c /tmp/bruteforce-config

Feeding known information through a knowledgebase

The knowledgebase is currently functional for information extracted from the official BusyBox releases and the Linux kernel; the scripts involved have been described above. Experimental support for querying and populating a knowledgebase for the bruteforce scanning has been added, but it is not used by default. Documentation for these experimental features can be found in the source archive.

More information

You can find more detailed instructions and background reading about the tool in the user guide. You will find it at:

http://www.binaryanalysis.org/en/content/show/documentation

This document is licensed under the Creative Commons Attribution-No Derivative Works 3.0 Unported License. All trademarks belong to their respective owners.
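The following added example illustrates two of the techniques described above together: the magic-marker scan that bruteforce.py performs on an unknown firmware image, and the search-database check that findkernelstrings.py performs on a kernel image, including the minimum string length it uses against false positives. It is example code, not code from BAT or its authors: the marker table, the kernel string database, the constructed firmware image and the default limit of 9 are assumptions, and carving a single gzip member with zlib is this example's own approach. It also shows a marker hit that turns out to be a false positive and is reported as not unpackable.

```python
import gzip
import zlib

# Magic markers the scanner looks for. Constructed subset for this example;
# in BAT the configuration file decides which checks actually run.
MAGIC = {
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs",
    b"070701": "cpio",
    b"\x7fELF": "elf",
}

# Constructed search database in the shape extractkernelstrings.py would
# produce: a kernel string -> the source file it was taken from.
KERNEL_STRING_DB = {
    "Linux version ": "init/version.c",
    "Kernel panic - not syncing": "kernel/panic.c",
    "Freeing unused kernel memory": "arch/mips/mm/init.c",
    "BUG: ": "lib/bug.c",
}

# Constructed firmware image: bootloader banner, a gzip-compressed kernel blob,
# a stray gzip magic followed by garbage (false positive) and the start of a
# SquashFS superblock. "DEBUG: bogus" exists to show why short database
# strings are a false-positive risk.
KERNEL_TEXT = (
    b"\x00" * 16
    + b"Linux version 2.6.15 (builder@host) (gcc 4.1) #1 Mon Jan 1 00:00:00 UTC 2007\x00"
    + b"Freeing unused kernel memory: %dk freed\x00"
    + b"DEBUG: bogus\x00"
    + b"\x00" * 16
)
KERNEL_GZ = gzip.compress(KERNEL_TEXT, mtime=0)
FIRMWARE = (
    b"U-Boot 1.1.4 (constructed banner)\x00" + b"\xff" * 32
    + KERNEL_GZ + b"\xff" * 8
    + b"\x1f\x8b\x08" + b"\x00" * 5 + b"not really gzip"
    + b"hsqs" + b"\x00" * 28
)


def scan_markers(blob):
    """Every (offset, kind) at which a known magic marker occurs, by offset."""
    hits = []
    for magic, kind in MAGIC.items():
        idx = blob.find(magic)
        while idx >= 0:
            hits.append((idx, kind))
            idx = blob.find(magic, idx + 1)
    return sorted(hits)


def carve_gzip(blob, offset):
    """Decompress the single gzip member at offset. Returns (payload, bytes
    consumed), or None when the marker was a false positive or the member is
    truncated. zlib hands back whatever follows the member as unused_data."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    try:
        payload = d.decompress(blob[offset:])
    except zlib.error:
        return None
    if not d.eof:
        return None
    return payload, len(blob) - offset - len(d.unused_data)


def find_kernel_strings(data, db, min_len=9):
    """Which database strings occur in data (with their source file), which do
    not, and which were skipped as shorter than min_len. The length limit
    mirrors the one findkernelstrings.py uses to cut false positives."""
    found, not_found, skipped = {}, [], []
    for s, src in db.items():
        if len(s) < min_len:
            skipped.append(s)
        elif s.encode() in data:
            found[s] = src
        else:
            not_found.append(s)
    return found, sorted(not_found), sorted(skipped)


def triage(blob):
    """Walk the marker hits, unpack what can be unpacked and run the kernel
    string check on each unpacked payload; one report entry per hit."""
    report = []
    for offset, kind in scan_markers(blob):
        entry = {"offset": offset, "type": kind, "unpacked": False}
        if kind == "gzip":
            carved = carve_gzip(blob, offset)
            if carved is not None:
                payload, size = carved
                entry.update(unpacked=True, size=size,
                             kernel_strings=find_kernel_strings(payload, KERNEL_STRING_DB))
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage(FIRMWARE):
        print(entry)
```

Running it against the constructed image yields three hits: the real gzip member, which unpacks and in which "Linux version " and "Freeing unused kernel memory" are found while "Kernel panic - not syncing" is not; the stray gzip magic, which zlib rejects and the report marks as not unpacked; and the SquashFS marker, which this example does not unpack. With the default limit the five-character entry "BUG: " is skipped; lowering min_len to 4 makes it match the unrelated "DEBUG: bogus" text, which is exactly the kind of false positive the length limit exists to suppress.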