Comments (6)
Generally, you can't have multiple string-len keywords which take strings from the file without opening yourself up to keyword injection from a maliciously crafted file. This goes for any keyword that takes a string argument.
I think a solution that would work for you (at least in this use case) is to create a signature like this:
>>4 lelong x {file-size:%d-{string-len}}
>>20 string x {offset-adjust:21+{string-len:%s}}
Binwalk could then safely process the {string-len:%s} keyword but also replace all {string-len} keywords with the string length. I can implement this easily if it is acceptable.
from binwalk.
Ok, it makes sense, and it would be great if it worked the same way as {raw-replace}. Now I am facing a problem with a zero-length string. The _parse_string_len function doesn't strip the following: {string-len:}
Traceback (most recent call last):
  File "/usr/local/bin/binwalk", line 483, in <module>
    main()
  File "/usr/local/bin/binwalk", line 413, in main
    plugins_blacklist=plugin_blacklist)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/__init__.py", line 364, in scan
    callback=callback)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/__init__.py", line 575, in single_scan
    smart = self.smart.parse(magic_result)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/smartsignature.py", line 83, in parse
    results['adjust'] = self._get_math_arg(data, 'adjust')
  File "/usr/local/lib/python2.7/dist-packages/binwalk/smartsignature.py", line 192, in _get_math_arg
    value = MathExpression(arg).value
  File "/usr/local/lib/python2.7/dist-packages/binwalk/common.py", line 126, in __init__
    self.value = self.evaluate(self.expression)
  File "/usr/local/lib/python2.7/dist-packages/binwalk/common.py", line 131, in evaluate
    return self._eval(ast.parse(expr).body[0].value)
  File "/usr/lib/python2.7/ast.py", line 37, in parse
    return compile(source, filename, mode, PyCF_ONLY_AST)
  File "<unknown>", line 1
    21+{string-len:
from binwalk.
This should be fixed now, as well as another bug I found in _parse_string_len.
Also added support for {string-len}, which works the same as {raw-replace}.
from binwalk.
It seems something is still broken.
I have the following magic:
16 lelong 0
20 string x Filename: %s
20 string x {file-name:%s}
4 lelong x {file-size:%d-{string-len}}
20 string x {offset-adjust:21+{string-len:%s}}
When it comes to _parse_string_len, I have the following data passed to the function:
"Filename: index.html {file-name:index.html} {offset-adjust:21+{string-len:index.html}}"
After _parse_string_len execution I have the following "data":
"Filename: index.html {file-name:index.html} {offset-adjust:21+"
Hopefully it makes sense to you.
from binwalk.
string-len now works the same as raw-replace, which means that {string-len:%s} and everything after it is removed and not replaced with the actual length of the string.
Instead, all instances of {string-len} are replaced with the length of the string. Changing your signature to something like the following should give you the correct offset-adjust value:
>16 lelong 0
>>20 string x Filename: %s
>>20 string x {file-name:%s}
>>4 lelong x {file-size:%d-{string-len}}{offset-adjust:21+{string-len}}
>>20 string x {string-len:%s}
This works for me, let me know if you still have issues.
from binwalk.
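Added example (not part of the thread and not binwalk's own code): a sketch of why the tagged {string-len:%s} keyword is cut from the description instead of being replaced in place, including the zero-length case raised earlier. The function names, the flat keyword regex and the sample file names are constructed for illustration, and the sketch assumes the tagged keyword is the last item in the description.

```python
import re

TAG = "{string-len:"
PLACEHOLDER = "{string-len}"
KEYWORD = re.compile(r"\{([a-z-]+):([^{}]*)\}")  # flat {name:value} pairs


def keywords(description):
    """Return every flat {name:value} pair found, in order of appearance."""
    return KEYWORD.findall(description)


def inplace_length(description):
    """Risky: swap {string-len:<s>} for len(<s>), guessing <s> ends at the first '}'."""
    return re.sub(r"\{string-len:([^}]*)\}",
                  lambda m: str(len(m.group(1))), description)


def cut_and_fill(description):
    """Drop the tag and all text after it, then fill {string-len} placeholders."""
    start = description.find(TAG)
    if start == -1:
        return description
    raw = description[start + len(TAG):]
    if raw.endswith("}"):  # assumption: the tag closes the description
        raw = raw[:-1]
    return description[:start].replace(PLACEHOLDER, str(len(raw))).rstrip()


# Constructed inputs: an ordinary name, an empty name, and a name that
# closes the braces early and carries its own keyword.
BENIGN = "index.html"
EMPTY = ""
HOSTILE = "a}}{offset-adjust:4096"

NESTED = "{offset-adjust:21+{string-len:%s}}"                 # tag inside a keyword
TAG_LAST = "{offset-adjust:21+{string-len}} {string-len:%s}"  # tag at the very end

if __name__ == "__main__":
    for name in (BENIGN, EMPTY, HOSTILE):
        print(repr(name))
        print("  in-place    :", keywords(inplace_length(NESTED % name)))
        print("  cut-and-fill:", keywords(cut_and_fill(TAG_LAST % name)))
```

With the nested layout the crafted name yields a second, file-controlled offset-adjust keyword; with the tag placed last, the whole name only ever contributes its length.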
Ok, got it. Now it works like a charm.
from binwalk.