I came across an interesting tool today called Binwalk.
Binwalk is a firmware analysis tool that scans a given binary file for embedded files and executable code.
Binwalk requires a Linux machine, I used the Backtrack VM I used from my article about WEP keys.
Note there is no binary distribution of Binwalk so you will need to compile it but this is a breeze.
Unpack the downloaded version (I used 0.3.10 which is the most recent at this time).
tar -zxvf binwalk-03.10.tar.gzBinwalk comes with a configure script that checks the preconditions and creates a make file. Start if from the src directory:
./configureIf it complains about libcurl, install it:
sudo apt-get install libgnutls-dev
sudo apt-get install libcurl4-gnutls-devThen compile it:
make
sudo make installNow analyse your binaries with binwalk <filename>. Here is some example output:
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
440 0x1B8 Linux Journalled Flash filesystem, little endian
16051 0x3EB3 zlib compressed data
35669 0x8B55 zlib compressed data
35955 0x8C73 zlib compressed data
58845 0xE5DD zlib compressed data
60235 0xEB4B zlib compressed data
85016 0x14C18 zlib compressed data
147952 0x241F0 zlib compressed data
148251 0x2431B zlib compressed data
195432 0x2FB68 zlib compressed data
235131 0x3967B zlib compressed data
254245 0x3E125 zlib compressed data
270740 0x42194 zlib compressed data
277773 0x43D0D zlib compressed data
324869 0x4F505 zlib compressed data
329091 0x50583 zlib compressed data
330495 0x50AFF zlib compressed data
423027 0x67473 zlib compressed data
451841 0x6E501 zlib compressed data
452191 0x6E65F zlib compressed data
452941 0x6E94D zlib compressed data
1081757 0x10819D LZMA compressed data, properties: 0x82, dictionary size: 47316992 bytes, uncompressed size: 16777216 bytes
The Binwalk wiki contains some usage examples to get you started.