LinuxCommandLibrary

binwalk

Tool for searching binary images for embedded files and executable code

TLDR

Scan a binary file

$ binwalk [path/to/binary]


Extract files from a binary, specifying the output directory
$ binwalk --extract --directory [output_directory] [path/to/binary]


Recursively extract files from a binary limiting the recursion depth to 2
$ binwalk --extract --matryoshka --depth [2] [path/to/binary]


Extract files from a binary with the specified file signature
$ binwalk --dd '[png image:png]' [path/to/binary]


Analyze the entropy of a binary, saving the plot with the same name as the binary and .png extension appended
$ binwalk --entropy --save [path/to/binary]


Combine entropy, signature and opcodes analysis in a single command
$ binwalk --entropy --signature --opcodes [path/to/binary]

SYNOPSIS

binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

DESCRIPTION

Binwalk v2.1.1 Craig Heffner, http://www.binwalk.org

Signature Scan Options:

-B, --signature

Scan target file(s) for common file signatures

-R, --raw=<str>

Scan target file(s) for the specified sequence of bytes

-A, --opcodes

Scan target file(s) for common executable opcode signatures

-m, --magic=<file>

Specify a custom magic file to use

-b, --dumb

Disable smart signature keywords

-I, --invalid

Show results marked as invalid

-x, --exclude=<str>

Exclude results that match <str>

-y, --include=<str>

Only show results that match <str>

Extraction Options:

-e, --extract

Automatically extract known file types

-D, --dd=<type:ext:cmd>

Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>

-M, --matryoshka

Recursively scan extracted files

-d, --depth=<int>

Limit matryoshka recursion depth (default: 8 levels deep)

-C, --directory=<str>

Extract files/folders to a custom directory (default: current working directory)

-j, --size=<int>

Limit the size of each extracted file

-n, --count=<int>

Limit the number of extracted files

-r, --rm

Delete carved files after extraction

-z, --carve

Carve data from files, but don't execute extraction utilities

Entropy Analysis Options:

-E, --entropy

Calculate file entropy

-F, --fast

Use faster, but less detailed, entropy analysis

-J, --save

Save plot as a PNG

-Q, --nlegend

Omit the legend from the entropy plot graph

-N, --nplot

Do not generate an entropy plot graph

-H, --high=<float>

Set the rising edge entropy trigger threshold (default: 0.95)

-L, --low=<float>

Set the falling edge entropy trigger threshold (default: 0.85)
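
How the rising (--high) and falling (--low) edge thresholds interact, as an added example that is not binwalk's own code. It assumes entropy is normalized to the 0.0-1.0 range and computed over 1024-byte blocks; the function names and the sample data are constructed for illustration.

```python
import math
import random

def block_entropy(block: bytes) -> float:
    """Shannon entropy of a block, normalized to 0.0-1.0 (bits per byte / 8)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c) / 8.0

def entropy_edges(data: bytes, block_size: int = 1024,
                  high: float = 0.95, low: float = 0.85):
    """Report (offset, edge, entropy) with hysteresis between low and high."""
    events, above = [], False
    for off in range(0, len(data), block_size):
        e = block_entropy(data[off:off + block_size])
        if not above and e > high:        # assumed strict comparison
            events.append((off, "rising", round(e, 3)))
            above = True
        elif above and e < low:
            events.append((off, "falling", round(e, 3)))
            above = False
    return events

def build_sample() -> bytes:
    """Constructed input standing in for a firmware image."""
    rng = random.Random(0)  # fixed seed so the result is reproducible

    def rand(n: int, k: int) -> bytes:
        return bytes(rng.randrange(k) for _ in range(n))

    return (b"\x00" * 4096            # padding: entropy 0
            + rand(4096, 256)         # random bytes: looks compressed/encrypted
            + rand(1024, 150)         # dip to about 0.89: inside the band
            + rand(3072, 256)
            + b"config=1\n" * 512)    # repetitive text: low entropy

if __name__ == "__main__":
    for off, edge, e in entropy_edges(build_sample()):
        print(f"0x{off:08X}  {edge:<8} ({e:.3f})")
```

The block at offset 8192 dips to roughly 0.89, which lies between the two defaults, so no falling edge is reported there; raising the low threshold above that value splits the high-entropy region in two.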

Binary Diffing Options:

-W, --hexdump

Perform a hexdump / diff of a file or files

-G, --green

Only show lines containing bytes that are the same among all files

-i, --red

Only show lines containing bytes that are different among all files

-U, --blue

Only show lines containing bytes that are different among some files

-w, --terse

Diff all files, but only display a hex dump of the first file

Raw Compression Options:

-X, --deflate

Scan for raw deflate compression streams

-Z, --lzma

Scan for raw LZMA compression streams

-P, --partial

Perform a superficial, but faster, scan

-S, --stop

Stop after the first result

General Options:

-l, --length=<int>

Number of bytes to scan

-o, --offset=<int>

Start scan at this file offset

-O, --base=<int>

Add a base address to all printed offsets

-K, --block=<int>

Set file block size

-g, --swap=<int>

Reverse every n bytes before scanning

-f, --log=<file>

Log results to file

-c, --csv

Log results to file in CSV format

-t, --term

Format output to fit the terminal window

-q, --quiet

Suppress output to stdout

-v, --verbose

Enable verbose output

-h, --help

Show help output

-a, --finclude=<str>

Only scan files whose names match this regex

-p, --fexclude=<str>

Do not scan files whose names match this regex

-s, --status=<int>

Enable the status server on the specified port
