Speed and Accuracy
devttys0 edited this page Oct 18, 2024 · 1 revision
Binwalk version 3 provides significant improvements in both speed and accuracy.
These improvements are primarily thanks to two major factors:
- A complete re-write in Rust
- The use of custom file parsers
Rust, being a compiled language, is inherently faster than Python, an interpreted language.
The custom file parsers not only validate that an identified file type is correctly formatted (resulting in fewer false positives), but also identify the size of the file's data. This means that Binwalk does not have to waste time scanning the contents of, say, a gzip file; it can confidently skip over the compressed gzip data and resume analysis from the end of the compressed data onwards.
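The validate-then-skip behaviour described above, sketched in Python as an added example (this is not Binwalk's own code, which is written in Rust): a gzip signature hit is accepted only if the stream inflates and passes its CRC32 and length check, and scanning resumes after the member's end. The function names and the sample buffer are constructed for illustration.

```python
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)

def gzip_member_size(buf, offset):
    """Size in bytes of a valid gzip member at offset, or None if invalid."""
    header = buf[offset:offset + 10]
    if len(header) < 10 or header[:3] != GZIP_MAGIC or header[3] & 0xE0:
        return None  # truncated, wrong magic, or reserved FLG bits set
    inflater = zlib.decompressobj(wbits=31)  # 31 = gzip framing, verifies CRC32/ISIZE
    try:
        inflater.decompress(buf[offset:])
    except zlib.error:
        return None
    if not inflater.eof:
        return None  # stream never reached its trailer
    return len(buf) - offset - len(inflater.unused_data)

def naive_scan(buf):
    """Report every offset where the magic bytes occur (signature match only)."""
    hits, i = [], buf.find(GZIP_MAGIC)
    while i != -1:
        hits.append(i)
        i = buf.find(GZIP_MAGIC, i + 1)
    return hits

def validating_scan(buf):
    """Report (offset, size) for members that parse, skipping over their data."""
    found, i = [], buf.find(GZIP_MAGIC)
    while i != -1:
        size = gzip_member_size(buf, i)
        if size is not None:
            found.append((i, size))
        i = buf.find(GZIP_MAGIC, i + (size or 1))
    return found

def build_sample():
    """Constructed input: padding, one gzip member, then a decoy magic."""
    decoy = GZIP_MAGIC + b"\xff" * 16
    payload = b"A" * 100 + decoy + b"B" * 100
    # Level 0 emits stored blocks, so the decoy sits verbatim inside the member.
    deflater = zlib.compressobj(0, zlib.DEFLATED, 31)
    member = deflater.compress(payload) + deflater.flush()
    return b"\x00" * 32 + member + decoy + b"\x00" * 8, len(member)

if __name__ == "__main__":
    blob, _ = build_sample()
    print("magic only:", naive_scan(blob))
    print("validated :", validating_scan(blob))
```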
The accuracy and speed of results reported by Binwalkv3 vs Binwalkv2 speak for themselves:
```
# Binwalkv3
$ binwalk random.bin
Analyzed 1 file for 78 file signatures (180 magic patterns) in 719.0 milliseconds

# Binwalkv2
$ time binwalkv2 random.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
79836457 0x4C23529 StuffIt Deluxe Segment (data): f
104213526 0x6362C16 HPACK archive data
real 0m20.295s
user 0m20.170s
sys 0m0.123s
```
```
# Binwalkv3
$ binwalk x86_64-linux-musl-cross.tgz
/home/craig/Projects/github/firmware-corpus/GZIP/x86_64-linux-musl-cross.tgz
-----------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
-----------------------------------------------------------------------------------------------------------------------------------------------------
0 0x0 gzip compressed data, operating system: Unix, timestamp: 1970-01-01 00:00:00,
total size: 115063639 bytes
-----------------------------------------------------------------------------------------------------------------------------------------------------
Analyzed 1 file for 78 file signatures (180 magic patterns) in 966.0 milliseconds

# Binwalkv2
$ time binwalkv2 x86_64-linux-musl-cross.tgz
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 gzip compressed data, from Unix, last modified: 1970-01-01 00:00:00 (null date)
28690885 0x1B5C9C5 MySQL MISAM index file Version 7
65460801 0x3E6DA41 MySQL MISAM index file Version 6
95507838 0x5B1557E MySQL ISAM compressed data file Version 4
97529880 0x5D03018 Zlib compressed data, default compression
97960465 0x5D6C211 Zlib compressed data, default compression
105169124 0x644C0E4 Zlib compressed data, default compression
106109523 0x6531A53 Zlib compressed data, default compression
real 0m23.172s
user 0m23.048s
sys 0m0.122s
```
```
# Binwalkv3
$ binwalk DGN2200v4-V1.0.0.126_1.0.126.chk
/home/craig/Projects/github/firmware-corpus/CHK/DGN2200v4-V1.0.0.126_1.0.126.chk
-----------------------------------------------------------------------------------------------------------------------------------------------------
DECIMAL HEXADECIMAL DESCRIPTION
-----------------------------------------------------------------------------------------------------------------------------------------------------
0 0x0 CHK firmware header, board ID: U12L227T01_NETGEAR, header size: 58 bytes, data
size: 14794772 bytes
58 0x3A JFFS2 filesystem, big endian, nodes: 11014, total size: 14794752 bytes
-----------------------------------------------------------------------------------------------------------------------------------------------------
Analyzed 1 file for 78 file signatures (180 magic patterns) in 89.0 milliseconds

# Binwalkv2
$ time binwalkv2 DGN2200v4-V1.0.0.126_1.0.126.chk
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
58 0x3A JFFS2 filesystem, big endian
real 0m4.400s
user 0m4.269s
sys 0m0.131s
```