Comments (12)

armijnhemel commented on July 19, 2024

Apologies, the Dockerfile is currently not well maintained (and needs more love). I have fixed the dependency issue in 8674131

The entry point for the Dockerfile is also wrong, I still need to look into that.

from binaryanalysis-ng.

brainstorm commented on July 19, 2024

Hey, no worries, really appreciate the celerity of your answer and fix, thanks! :)

I guess that what you're after is something like this?

diff --git a/Dockerfile b/Dockerfile
index 021c50d..5202736 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,4 +34,6 @@ RUN dnf update -y && \
                    util-linux \
                    zstd

-CMD ["python3","bangshell"]
+RUN chmod +x bang-scanner
+
+CMD ["./bang-scanner", "-d", "/mnt/input", "-u", "/mnt/output"]
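Review bot: both `RUN chmod +x bang-scanner` and `CMD ["./bang-scanner", ...]` use paths relative to whatever WORKDIR is in effect at that point in the Dockerfile, which this hunk does not show; if the working directory is ever changed above line 34 the build will fail at the `chmod` or the container will fail to start. Consider an absolute path in both lines, and consider committing the executable bit on `bang-scanner` in the repository (git tracks the mode) instead of patching it at image build time. The new CMD also hard-codes `-d /mnt/input` and `-u /mnt/output` but passes no `-t` temporary-directory flag, so the `/mnt/tmp` volume mounted in the `docker run` command below is only used if the scanner defaults to it.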

I've just run it like so:

$ docker run -v VxWorks.bin:/mnt/input/VxWorks.bin -v /tmp:/mnt/tmp -v output:/mnt/output bang

Also using the file flag instead of the dir one inside an interactive container session:

./bang-scanner -f /mnt/input/VxWorks.bin -t /mnt/tmp -u /mnt/output

But the results are a bit underwhelming for my input file, unfortunately :_/ I might be doing something wrong here?

I am attaching the (zip-compressed) input file here just in case you want to test it out yourself a bit and perhaps add more carving functionality ;)

VxWorks.bin.zip

brainstorm commented on July 19, 2024

More context on why it is a bit underwhelming (from report.txt):

SCAN RESULTS FOR: /mnt/input/VxWorks.bin"
Start: 2019-07-23T13:12:58.404144
Stop: 2019-07-23T13:13:19.742314
Duration (seconds): 21.33817

File: VxWorks.bin
=================

MD5: 3e25c877e25afa75b3f58e1bdf9a0dc6
SHA256: 066bf57cd8c8761c1fa3019841634450cf8f323fc35889dff8fae1d3bb20ad8a
Size: 12411552
MIME type: application/octet-stream
Labels: binary, root
Bytes identified: 0 (0.000000 %)

Total labels:
=============
Name: root
Amount: 1
Name: binary
Amount: 1

Not much inside the pickles either:

$ ls -alh results/
total 8
drwxr-xr-x  3 romanvg  staff    96B Jul 23 23:13 .
drwx------  8 romanvg  staff   256B Jul 23 23:13 ..
-rw-r--r--  1 romanvg  staff   329B Jul 23 23:13 066bf57cd8c8761c1fa3019841634450cf8f323fc35889dff8fae1d3bb20ad8a.pickle

And the logs show many attempts to identify .ico and .jpeg files? Among other failed attempts:

TRYING VxWorks.bin jpeg at offset: 12146659
FAIL VxWorks.bin jpeg at offset: 12146659: invalid value for start of frame
TRYING VxWorks.bin jpeg at offset: 12153775
FAIL VxWorks.bin jpeg at offset: 12153775: invalid value for start of frame
TRYING VxWorks.bin ico at offset: 12173482
FAIL VxWorks.bin ico at offset: 12173482: wrong offset for image data
TRYING VxWorks.bin jpeg at offset: 12196191
FAIL VxWorks.bin jpeg at offset: 12196191: invalid value for start of frame
TRYING VxWorks.bin pbm at offset: 12246753
FAIL VxWorks.bin pbm at offset: 12246753: no integer in header
TRYING VxWorks.bin ppm at offset: 12254076
FAIL VxWorks.bin ppm at offset: 12254076: no whitespace in header
TRYING VxWorks.bin pgm at offset: 12284860
FAIL VxWorks.bin pgm at offset: 12284860: no whitespace in header
TRYING VxWorks.bin pbm at offset: 12285036
FAIL VxWorks.bin pbm at offset: 12285036: no whitespace in header
TRYING VxWorks.bin fat at offset: 12328687
FAIL VxWorks.bin fat at offset: 12328687: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328703
FAIL VxWorks.bin fat at offset: 12328703: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328719
FAIL VxWorks.bin fat at offset: 12328719: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328735
FAIL VxWorks.bin fat at offset: 12328735: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328751
FAIL VxWorks.bin fat at offset: 12328751: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328767
FAIL VxWorks.bin fat at offset: 12328767: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328783
FAIL VxWorks.bin fat at offset: 12328783: invalid jump instruction
TRYING VxWorks.bin fat at offset: 12328799

The architecture of the .bin is SuperH4, perhaps it is a bit too much to ask in terms of detection/unpacking of signatures? ;)

armijnhemel commented on July 19, 2024

It tries to find a structure in the file and it seems that it cannot find any. The signatures for ico and jpeg are very generic, so there are always many false tries.

I would need to look into the structure of VxWorks binaries and add support for that. I will search for a public specification (no leaked docs), but I am a bit pessimistic about my chances of finding one.

I looked into the file and there doesn't seem to be any obvious compression used. I looked into what binwalk could detect but it seems they can't detect much either.

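The "TRYING ... FAIL" lines in the log above and the remark that the ico and jpeg signatures are very generic describe the same thing: a two-byte magic such as FF D8 will match all over a 12 MB blob, and only a structural check of what follows it separates a real file from noise. The following is an added example, not code from binaryanalysis-ng: a toy carver that tries the JPEG signature at every FF D8, validates the marker chain up to a sane start-of-frame segment, and tallies coverage the way BANG's report.txt does ("Bytes identified"). The sample blob, the decoy signatures in it, and the minimal JPEG are all constructed here; the failure strings imitate the log's wording but are this example's own.

```python
"""Added example (not part of binaryanalysis-ng): signature hits vs. validated carves."""
import struct
from collections import Counter

SOI = b"\xff\xd8"
# SOFn markers that carry frame dimensions (C4, C8 and CC are DHT/JPG/DAC, not frames).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def validate_jpeg(data, offset):
    """Walk the marker segments after an SOI at `offset`.

    Returns (True, carved_length) once a sane start-of-frame segment and a
    trailing EOI are found, else (False, reason). Entropy-coded scan data is
    not decoded: this is a structural check, not a full decoder.
    """
    if data[offset:offset + 2] != SOI:
        return False, "no SOI marker"
    pos = offset + 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, "expected marker byte"
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:
            return False, "EOI before start of frame"
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return False, "truncated segment header"
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2 or pos + 2 + seglen > len(data):
            return False, "segment length out of range"
        if marker in SOF_MARKERS:
            if seglen < 8:
                return False, "invalid value for start of frame"
            precision, height, width, ncomp = struct.unpack(">BHHB", data[pos + 4:pos + 10])
            # height may legitimately be 0 (set later by DNL); the other fields may not be junk
            if precision not in (8, 12, 16) or width == 0 or ncomp not in (1, 3, 4):
                return False, "invalid value for start of frame"
            eoi = data.find(b"\xff\xd9", pos + 2 + seglen)
            if eoi == -1:
                return False, "no EOI marker"
            return True, eoi + 2 - offset
        pos += 2 + seglen
    return False, "truncated before start of frame"


def scan(data, name="blob"):
    """Try the jpeg signature at every FF D8 and tally coverage like report.txt."""
    log = []
    labels = Counter({"root": 1})
    identified = 0
    offset = data.find(SOI)
    while offset != -1:
        log.append(f"TRYING {name} jpeg at offset: {offset}")
        ok, info = validate_jpeg(data, offset)
        if ok:
            log.append(f"SUCCESS {name} jpeg at offset: {offset}, length: {info}")
            labels["jpeg"] += 1
            identified += info
            offset = data.find(SOI, offset + info)      # resume after the carved file
        else:
            log.append(f"FAIL {name} jpeg at offset: {offset}: {info}")
            offset = data.find(SOI, offset + 1)         # next candidate signature
    return {"size": len(data), "bytes_identified": identified,
            "labels": dict(labels), "log": log}


def format_report(report, name):
    """Render the tallies in the style of BANG's report.txt."""
    pct = 100.0 * report["bytes_identified"] / max(report["size"], 1)
    lines = [f"File: {name}", f"Size: {report['size']}",
             f"Bytes identified: {report['bytes_identified']} ({pct:.6f} %)"]
    for label, amount in report["labels"].items():
        lines += [f"Name: {label}", f"Amount: {amount}"]
    return "\n".join(lines)


def build_minimal_jpeg():
    """Smallest structurally valid JPEG: SOI, APP0, SOF0 (1x1, 8-bit), SOS, EOI (48 bytes)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, 1, 1, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return SOI + app0 + sof0 + sos + b"\x00\x01\x02" + b"\xff\xd9"


def build_sample_blob():
    """Constructed sample: filler without any 0xFF byte, three FF D8 decoys, one real JPEG."""
    filler = bytes(range(250)) * 4                       # 1000 bytes, never 0xFF
    decoy_junk = SOI + b"\x00" * 6                        # nothing marker-like follows
    decoy_bad_sof = SOI + b"\xff\xc0" + struct.pack(">HBHHB", 11, 7, 1, 0, 1) + b"\x01\x11\x00"
    decoy_empty = SOI + b"\xff\xd9"                       # SOI immediately followed by EOI
    return (filler + decoy_junk + filler + decoy_bad_sof + filler
            + build_minimal_jpeg() + filler + decoy_empty + filler)


if __name__ == "__main__":
    blob = build_sample_blob()
    result = scan(blob, "sample.bin")
    print("\n".join(result["log"]))
    print(format_report(result, "sample.bin"))
```

Running it prints four TRYING lines, three FAIL lines with different reasons and one SUCCESS, and a report with 48 of 5075 bytes identified; on a blob with no recognisable structure at all the same loop ends with "Bytes identified: 0", which is exactly what the VxWorks scan above shows.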

brainstorm commented on July 19, 2024

That's accurate, that's why I moved away from binwalk which generates a ton of false positives and hoped for binaryanalysis-ng to be able to crack this nut semi-automatically:

http://www.devttys0.com/2011/07/reverse-engineering-vxworks-firmware-wrt54gv8/

armijnhemel commented on July 19, 2024

Currently I am mostly focusing on embedded Linux and Java, but I have found some papers that might get me somewhat further with this, though I still have to read them. Have you checked out radare2 for this?

brainstorm commented on July 19, 2024

Yep, I have been dabbling with r2 for a while :)

After a few quick searches I found some interesting VxWorks-related resources:

https://www.secniche.org/vxworks/vxworks_os_holistic_security_adityaks.pdf (section 8.1)
https://wikileaks.org/ciav7p1/cms/page_16384164.html (Binwalk detecting some VxWorks symbol tables)

Would you mind sharing those papers you found over here? Let's see how far we can run with this ;)

brainstorm commented on July 19, 2024

Heh, so conveniently timed:

https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf

I wish @ArmisSecurity were a bit more verbose about the unpacking of VxWorks firmware so that we don't have to cook it ourselves:

these firmwares are commonly shipped with ELF files containing full debug symbols, making them easy to decompile with modern tools, arriving at high quality results.

There are a bit more sections than just ELFs in the 64MB one I'm currently looking at.

armijnhemel commented on July 19, 2024

https://www.blackhat.com/presentations/bh-usa-07/Maynor_and_Graham/Whitepaper/bh-usa-07-maynor_and_graham-WP.pdf

and a forum:

http://www.openrce.org/forums/posts/1212

I haven't had time to dig into this though.

brainstorm commented on July 19, 2024

This is quite spot on, really nice talk from this year's Black Hat Asia:

https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Zhu-Dive-into-VxWorks-Based-IoT-Device-Debug-the-Undebugable-Device.pdf

The underlying tooling (Ghidra plugin) can be used in your project, I reckon.

armijnhemel commented on July 19, 2024

Thanks! I will look into this soon (currently traveling)

brainstorm commented on July 19, 2024

Fixed by using radare2 and vxHunter: PAGalaxyLab/vxhunter#2
See: PAGalaxyLab/vxhunter@a04849e
