Industrial Internet Security Testing Technology: Installing and Using ICS Firmware Analysis Tools
Installing and Using ICS Firmware Analysis Tools

Experiment principle

Binwalk is a fast, easy-to-use tool for analyzing, reverse engineering and extracting firmware images. It is simple to use, fully scriptable, and extensible through custom signatures, extraction rules and plugin modules. The tool supports Linux well; its support for Windows is poor.

IDA uses data type information and derived variable and function names to annotate the generated disassembly as fully as it can. These annotations reduce the amount of raw hexadecimal code to a minimum and significantly increase the amount of symbolic information.

Experiment objectives

Learn to install Binwalk and IDA.
Learn the Binwalk commands.
Learn the IDA commands.

Experiment environment

Windows 10 and Kali Linux computers, Python 2.7+ or Python 3.4+.

Recommended class hours: 2

Experiment steps

Task 1: Install Binwalk and IDA

Platforms supported by binwalk:

    Operating System   Core Support    Optional Feature Support
    Linux              Excellent       Excellent
    OSX                Excellent       Good
    Cygwin             Excellent       Good
    FreeBSD            Experimental    Unknown
    Windows            Experimental    Poor

Kali Linux and Windows were chosen for installing binwalk. Kali Linux ships with binwalk, so no installation is needed.

Windows download address: https://github.com/devttys0/binwalk. Before installing on Windows you need Python already installed. In cmd, enter:

    cd c:\GK\binwalk-master        (enter the folder that contains setup.py)
    python setup.py install

Figure: cmd window (Microsoft Windows version 10.0.19043.1348) showing the output of python setup.py install: running install, running bdist_egg, running egg_info, writing src\binwalk.egg-info, running install_lib, running build_py, copying src\binwalk\*.py and src\binwalk\magic\* to build\lib\binwalk.

IDA is an interactive disassembler used to analyze programs; it supports dozens of CPU instruction sets, including Intel x86, x64, PowerPC and ARM. After downloading IDA from the web, unzip or install it, then double-click idaq.exe or idaq64.exe to run the program.

Figure: the IDA installation folder (ida64.int, ida64.wll, idacolor.cf, idag.ico, idahelp.chm, idaq.exe, idaq64.exe, idaw.exe, idaw64.exe, libdwarf.dll, license.txt, msvcp100.dll, msvcr100.dll, QtCore4.dll).

Task 2: Introduction to and use of the commands
Open the Kali Linux terminal emulator and use cd to go to the folder containing the firmware (in this experiment the firmware was placed on the desktop, i.e. Desktop).

(1) Scan the firmware. The firmware scanned was downloaded from the Schneider Electric website (download address: s: schneider- ity%20ard%20Non%20Urity%20Users/). The firmware used in this experiment is NOE77101_Exec_V64.bin. The output shows that the file's compression type is zlib.

    binwalk NOE77101_Exec_V64.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    901           0x385           Zlib compressed data, default compression

(2) File extraction (extract). Extract the files contained in NOE77101_Exec_V64.bin. After extraction a folder _NOE77101_Exec_V64.bin.extracted is created in the current folder, containing two files: 385 and 385.zlib. The file 385 is used to check the CPU architecture.

    binwalk -e NOE77101_Exec_V64.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    901           0x385           Zlib compressed data, default compression

(3) Search for executable opcodes common to various CPU architectures. Copy 385 from the extracted folder to the desktop, then use the following command to view the CPU architecture of 385. As the output below shows, the CPU architecture is PowerPC.

    binwalk -A 385 | more

    DECIMAL       HEXADECIMAL     DESCRIPTION
    160           0xA0            PowerPC big endian instructions, function epilogue
    400           0x190           PowerPC big endian instructions, function epilogue
    408           0x198           PowerPC big endian instructions, function prologue
    460           0x1CC           PowerPC big endian instructions, function epilogue
    468           0x1D4           PowerPC big endian instructions, function prologue
    516           0x204           PowerPC big endian instructions, function epilogue
    524           0x20C           PowerPC big endian instructions, function prologue
    616           0x268           PowerPC big endian instructions, function epilogue
    624           0x270           PowerPC big endian instructions, function prologue
    676           0x2A4           PowerPC big endian instructions, function epilogue
    684           0x2AC           PowerPC big endian instructions, function prologue
    740           0x2E4           PowerPC big endian instructions, function epilogue
    748           0x2EC           PowerPC big endian instructions, function prologue
    788           0x314           PowerPC big endian instructions, function epilogue
    796           0x31C           PowerPC big endian instructions, function prologue
    844           0x34C           PowerPC big endian instructions, function epilogue
    852           0x354           PowerPC big endian instructions, function prologue
    900           0x384           PowerPC big endian instructions, function epilogue
    944           0x3B0           PowerPC big endian instructions, function epilogue
    952           0x3B8           PowerPC big endian instructions, function prologue
    1056          0x420           PowerPC big endian instructions, function epilogue
    1064          0x428           PowerPC big endian instructions, function prologue
    1184          0x4A0           PowerPC big endian instructions, function epilogue
    1192          0x4A8           PowerPC big endian instructions, function prologue
    1312          0x520           PowerPC big endian instructions, function epilogue
    1320          0x528           PowerPC big endian instructions, function prologue
    1480          0x5C8           PowerPC big endian instructions, function epilogue
    1488          0x5D0           PowerPC big endian instructions, function prologue
    1868          0x74C           PowerPC big endian instructions, function epilogue
    1876          0x754           PowerPC big endian instructions, function prologue
    2096          0x830           PowerPC big endian instructions, function epilogue

(4) Display all results, including those mistakenly marked as invalid. binwalk marks some valid results as invalid, and these produce garbage output.

    binwalk -I NOE77101_Exec_V64.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    901           0x385           Zlib compressed data, default compression
    1100          0x44C           BFF volume entry, AIXv3, file name: (unprintable garbage characters)

(5) Clean up zero-size files and files that cannot be processed; this removes the false-positive files copied out of the target file during extraction.

    binwalk -e -r NOE77101_Exec_V64.bin

    DECIMAL       HEXADECIMAL     DESCRIPTION
    901           0x385           Zlib compressed data, default compression

Task 3: IDA under Windows 10

(1) Figure 1: when IDA opens, the New button creates a new project and the Previous button loads a previous project; the box at the bottom lists previously created projects and their locations on the computer, and double-clicking an entry also opens it. Figure 2: once the program is open, under File, Load file creates a new project, Script file loads and runs script code, and Open opens an existing project.

Figure 1: the IDA Quick start dialog when the program is opened (New: Disassemble a new file; Go: Work on your own; Previous: Load the old disassembly), with the recent database C:\Users\yan\Desktop\385.idb listed.

Figure 2: the File menu (New instance, Open, Load file, Produce file, Script file, Script command, Save, Save as, Take database snapshot, Close, Quick start, the recently opened databases, Exit).

(2) The Jump menu offers different ways to jump quickly to a given position. Its operations, in order, are: 1. jump to operand, 2. jump in a new window, 3. jump to previous position, 4. jump to next position, 5. empty navigation stack, 6. jump to address, 7. jump by name, 8. jump to function, 9. jump to segment, 10. jump to segment register, 11. list cross references, 12. jump to cross reference, 13. jump to xref to operand, 14. jump to entry point, 15. jump to file offset, 16. mark position, 17. jump to marked position, 18. clear mark.

Figure: the Jump menu with its shortcuts (Jump to operand Enter, Jump in a new window Alt+Enter, Jump to previous position Esc, Jump to next position Ctrl+Enter, Empty navigation stack, Jump to address G, Jump by name Ctrl+L, Jump to function Ctrl+P, Jump to segment Ctrl+S, Jump to segment register Ctrl+G, Jump to problem Ctrl+Q, List cross references to Ctrl+X, List cross references from Ctrl+J, Jump to xref to operand X, Jump to entry point Ctrl+E, Jump to file offset, Mark position Alt+M, Jump to marked position Ctrl+M, Clear mark).

(3) Pressing the space bar switches between the disassembly view (IDA View-A, left) and the function window (Functions window, right).

Figure: IDA View-A in graph mode beside the Functions window.
At the hardware level, the stored content is compiled into binary. In the hex view, each group of four binary digits is shown as one hexadecimal digit, so the content stored at every position can be inspected, for example the content at 0000000000000010.

Figure: IDA Hex View-A, showing the byte values at addresses 0000000000000000 through 0000000000000220, with the Structures, Imports and Exports tabs alongside (Synchronized with IDA View-A).

(4) IDA can also open subviews, corresponding to: 1. quick view, 2. disassembly, 3. proximity browser, 4. hex dump, 5. exports, 6. imports, 7. names, 8. functions, 9. strings, 10. segments, 11. segment registers, 12. selectors, 13. signatures, 14. type libraries, 15. structures, 16. enumerations, 17. local types, 18. cross references, 19. function calls, 20. notepad, 21. problems, 22. patched bytes.

Figure: the View menu (Open subviews, Graphs, Toolbars, Calculator, Full screen F11, Graph Overview, Recent scripts Alt+F9, Database snapshot manager Ctrl+Shift+T, Print segment registers Ctrl+Space, Print internal flags F, Hide Ctrl+Numpad-, Unhide Ctrl+Numpad+, Hide all, Unhide all, Delete hidden area, Setup hidden items) and its Open subviews submenu with shortcuts (Quick view Ctrl+1, Disassembly, Proximity browser, Hex dump, Exports, Imports, Names Shift+F4, Functions Shift+F3, Strings Shift+F12, Segments Shift+F7, Segment registers Shift+F8, Selectors, Signatures Shift+F5, Type libraries Shift+F11, Structures Shift+F9, Enumerations Shift+F10, Local types Shift+F1, Cross references, Function calls, Notepad, Problems, Patched bytes Ctrl+Alt+P).
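As an added example (not part of the original lab, and not binwalk's own code), the following Python script reproduces the three binwalk steps of Task 2 on a constructed firmware image: it locates a zlib stream by the zlib header check and confirms it by inflating (the lab's 901 / 0x385 hit), carves and inflates the stream as -e does (385.zlib and 385), and scans the inflated payload for the PowerPC stwu/blr opcodes that -A reports as function prologue and epilogue. The firmware bytes, the payload offsets and the FLEVEL wording are constructed for this example and are not taken from the NOE77101 file.

```python
import zlib
# Constructed stand-in for the lab's firmware (not the real NOE77101 file): 901
# header bytes, then one zlib stream wrapping a PowerPC big-endian payload.
BLR  = bytes.fromhex("4E800020")   # blr             -> binwalk "function epilogue"
STWU = bytes.fromhex("9421FFF0")   # stwu r1,-16(r1) -> binwalk "function prologue"
PAYLOAD  = b"\x00" * 160 + BLR + b"\x00" * 4 + STWU + b"\x00" * 24 + BLR
FIRMWARE = b"\xAA" * 901 + zlib.compress(PAYLOAD)
# FLEVEL bits of the zlib FLG byte, worded like the lab's binwalk output.
LEVELS = {0: "fastest compression", 1: "fast compression",
          2: "default compression", 3: "best compression"}
OPCODES = {STWU: "PowerPC big endian instructions, function prologue",
           BLR:  "PowerPC big endian instructions, function epilogue"}

def scan_zlib(data):
    """Like `binwalk FILE`: offsets where a complete zlib stream starts."""
    hits = []
    for pos in range(len(data) - 1):
        cmf, flg = data[pos], data[pos + 1]
        # CMF 0x78 = deflate, 32K window; (CMF*256+FLG) % 31 == 0 is the header
        # check; 0x20 = preset dictionary. Two bytes are a weak signature, so
        # each candidate is confirmed by inflating it through to end-of-stream.
        if cmf != 0x78 or (cmf * 256 + flg) % 31 or flg & 0x20:
            continue
        d = zlib.decompressobj()
        try:
            d.decompress(data[pos:])
        except zlib.error:
            continue
        if d.eof:
            hits.append((pos, "Zlib compressed data, " + LEVELS[flg >> 6]))
    return hits

def extract_zlib(data, offset):
    """Like `binwalk -e`: carve the stream (385.zlib) and inflate it (385)."""
    d = zlib.decompressobj()
    inflated = d.decompress(data[offset:])
    return data[offset:len(data) - len(d.unused_data)], inflated

def scan_powerpc(data):
    """Like `binwalk -A`: every offset holding a known prologue/epilogue opcode."""
    return [(i, OPCODES[data[i:i + 4]]) for i in range(len(data) - 3)
            if data[i:i + 4] in OPCODES]

def report(rows):
    print(f"{'DECIMAL':<12}{'HEXADECIMAL':<16}DESCRIPTION")
    for off, desc in rows:
        print(f"{off:<12}{'0x%X' % off:<16}{desc}")

if __name__ == "__main__":
    hits = scan_zlib(FIRMWARE)                      # [(901, '... default compression')]
    report(hits)
    report(scan_powerpc(extract_zlib(FIRMWARE, hits[0][0])[1]))   # 160, 168, 196
```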