{"id":157,"date":"2026-01-15T22:40:42","date_gmt":"2026-01-16T02:40:42","guid":{"rendered":"https:\/\/brockcooper.info\/?p=157"},"modified":"2026-01-15T22:40:44","modified_gmt":"2026-01-16T02:40:44","slug":"embedded-files-binwalk-searching-for-data","status":"publish","type":"post","link":"https:\/\/brockcooper.info\/index.php\/2026\/01\/15\/embedded-files-binwalk-searching-for-data\/","title":{"rendered":"Embedded Files: Binwalk &#8211; Searching for data"},"content":{"rendered":"\n<p>Embedded Files: Binwalk &#8211; Finding unseen data<\/p>\n\n\n\n<p>Have you ever wondered what sort of data could be embedded into a file?<\/p>\n\n\n\n<p>I don&#8217;t mean application resources and other easily found files like pictures, resources, and data you might find using something such as <a href=\"https:\/\/www.angusj.com\/resourcehacker\/\">Resource Hacker<\/a>, <a href=\"https:\/\/www.pe-explorer.com\/\">PE Explorer<\/a>, <a href=\"https:\/\/www.mzrst.com\/\">PPEE (Professional PE file Explorer)<\/a>, or <a href=\"https:\/\/github.com\/horsicq\/Detect-It-Easy\">DiE (Detect it Easy)<\/a>. I mean file structures embedded in such a way that only their signature tells you they are most likely there.<\/p>\n\n\n\n<p>Before we look at <a href=\"https:\/\/github.com\/ReFirmLabs\/binwalk\">binwalk<\/a>, let&#8217;s start off with some basics to understand how it works.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The Basics: Viewing Resources<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Using Resource Hacker (PE Explorer would work as well) we can, for example, view the icon associated with the executable (steam.exe in this case) and change it if we would like to. 
Pretty cool if you ask me.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-style-default\"><img loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"455\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-1.webp\" alt=\"\" class=\"wp-image-159\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-1.webp 919w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-1-300x149.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-1-768x380.webp 768w\" sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><\/figure>\n\n\n\n<p>So what else can we do to explore a little more? If you don&#8217;t already know, a lot of the time you can use <a href=\"https:\/\/www.7-zip.org\/\">7-Zip<\/a> to view <span style=\"text-decoration: underline;\">some things, in some files<\/span>. It won&#8217;t show you everything, but it&#8217;s a useful thing to keep in mind if you&#8217;re trying to view data that might be stored within a file. It&#8217;s more helpful for self-extracting archives and files that have archives stored in them. You might be surprised at what you find if you start poking around! Below is the same .exe opened with 7-Zip. 
What you see below is the root &#8220;folder&#8221; containing the PE Sections and the Resource Table folder, then below, the same resource we have selected in Resource Hacker in the example above.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"390\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image.webp\" alt=\"\" class=\"wp-image-158\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image.webp 972w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-300x120.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-768x308.webp 768w\" sizes=\"auto, (max-width: 972px) 100vw, 972px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"972\" height=\"460\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-2.webp\" alt=\"\" class=\"wp-image-160\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-2.webp 972w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-2-300x142.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-2-768x363.webp 768w\" sizes=\"auto, (max-width: 972px) 100vw, 972px\" \/><\/figure>\n\n\n\n<p>If you find this interesting or just want to learn more about the PE file format of x86 executable files, here are a few links to get you started:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wiki.osdev.org\/PE\">OS Dev Wiki<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Portable_Executable\">Wikipedia<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format\">Microsoft<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/medium.com\/@shaheeryasirofficial\/pe-file-structure-explained-a-guide-to-for-reverse-engineers-developers-855a062c82cc\">Medium &#8211; PE File Structure Explained : A Guide to for 
Reverse Engineers &amp; Developers<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Understanding: It&#8217;s Magic Numbers!<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>If you dug around and read a bit from those links above, you may have noticed something &#8211; the &#8220;magic number&#8221; or &#8220;magic byte(s)&#8221;. The magic of those 2 bytes (it can be larger) is that they are actually the file type signature: what tells the OS and other applications the expected contents or type of the file. Apologies if that&#8217;s a bit wordy.<\/p>\n\n\n\n<p>Now that we have taken a quick look at the resource for &#8220;steam.exe&#8221;, have you ever wondered how 7-Zip knows something is an archive that it can extract? You might think it&#8217;s looking at the structure of the file, and while possible, it would waste precious resources to do so; the structure can be validated during extraction instead. What it&#8217;s actually doing is looking for the file signature, those magic bytes at the beginning of a file, used to identify what kind of file it is without relying on the file extension. Neat huh? You could change the extension to &#8220;.8z&#8221; and it would still extract just the same.<\/p>\n\n\n\n<p>So, if you ever wondered how the OS knows a given file is an executable even if you remove the .exe file extension, now you know! The beauty of this is that not only can we have some fun with it, we can also use signatures to identify files embedded within other files! One fun thing you can do by manipulating the magic bytes is to spoof a file type to circumvent file uploads that filter the file types you may upload. 
<\/p>\n\n\n\n<p><a href=\"https:\/\/medium.com\/@d.harish008\/what-is-a-magic-byte-and-how-to-exploit-1e286da1c198\">Getting a PHP Reverse Shell through an image upload web page exploit via magic byte manipulation.<\/a><\/p>\n\n\n\n<p>Above we are looking at &#8220;steam.exe&#8221; but executable files aren&#8217;t the only file type with a file signature. The specific byte pattern 7-Zip uses to identify a &#8220;.7Z&#8221; file is &#8220;37 7A BC AF 27 1C&#8221; in hexadecimal, which if we take a look at an archive with a hex editor, it looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"880\" height=\"406\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-3.webp\" alt=\"\" class=\"wp-image-161\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-3.webp 880w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-3-300x138.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-3-768x354.webp 768w\" sizes=\"auto, (max-width: 880px) 100vw, 880px\" \/><\/figure>\n\n\n\n<p>The same is true for Windows Executable (.exe) files, with a different signature. 
In this case it shares the same signature with a few other file types &#8211; COM, DLL, DRV, EXE, PIF, QTS, QTX, and SYS.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"553\" height=\"99\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-4.webp\" alt=\"\" class=\"wp-image-162\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-4.webp 553w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-4-300x54.webp 300w\" sizes=\"auto, (max-width: 553px) 100vw, 553px\" \/><\/figure>\n\n\n\n<p><span style=\"text-decoration: underline;\"><strong>Fun fact:<\/strong><\/span> &#8220;MZ&#8221; are the initials of Mark Zbikowski, one of the leading developers of MS-DOS.<\/p>\n\n\n\n<p>For anyone that is curious, the hex editor I&#8217;m using is <a href=\"https:\/\/imhex.werwolv.net\/\">ImHex<\/a> and it&#8217;s by far (to date) my absolute favorite hex editor. It has a ton of cool and useful features, including analysis, pattern searching, <a href=\"https:\/\/virustotal.github.io\/yara\/\">YARA<\/a> rules and its own custom language &#8220;<a href=\"https:\/\/github.com\/WerWolv\/PatternLanguage\">PatternLanguage<\/a>&#8221;. You should check it out if you&#8217;re looking to try a new <strong>open source<\/strong> hex editor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Finding Known Signatures<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Since we now understand what they are, how many are there? Basically an unlimited number, since the magic bytes are decided by the creator \/ developer of a given file type. There are quite a few common ones you will usually find: exe, dll, com, jpg, png, etc. 
This is where it&#8217;s nice to have a list of known signatures you can consult:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/filesig.search.org\/\">GCK File Signature Table<\/a> (My favorite)<\/li>\n\n\n\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/List_of_file_signatures\">List of File Signatures<\/a> (Wikipedia)<\/li>\n<\/ul>\n\n\n\n<p>Keep in mind, if you can&#8217;t find a signature for something publicly, you can &#8220;create&#8221; your own. A signature is just a unique byte pattern that can be used to identify a file or anything else. Hopefully it&#8217;s at the start or end of a file. Otherwise you&#8217;re looking for any pattern that recurs across multiple files of the same type (i.e. you see &#8220;XY&#8221; or &#8220;58 59&#8221; at the beginning of every file).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Discovering Data: Binwalk<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>GitHub Repository &#8211; <a href=\"https:\/\/github.com\/ReFirmLabs\/binwalk\">https:\/\/github.com\/ReFirmLabs\/binwalk<\/a><\/p>\n\n\n\n<p>Now that we understand what file signatures are and how they work, we actually already understand how Binwalk works to identify embedded files! Originally written to find embedded data within firmware files (usually .bin), it can be used on any file! 
So let&#8217;s take a look at steam.exe again, and see what binwalk finds.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"769\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-5-1024x769.webp\" alt=\"\" class=\"wp-image-163\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-5-1024x769.webp 1024w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-5-300x225.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-5-768x577.webp 768w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-5.webp 1115w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"162\" src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-6-1024x162.webp\" alt=\"\" class=\"wp-image-164\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-6-1024x162.webp 1024w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-6-300x48.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-6-768x122.webp 768w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-6-1536x243.webp 1536w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-6.webp 1623w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Just above is another example using my motherboard&#8217;s BIOS update file &#8211; just to show you some other things it finds. 
You can also check <a href=\"https:\/\/github.com\/ReFirmLabs\/binwalk\/wiki\/Supported-Signatures\">this<\/a> GitHub page to view the most up to date signatures binwalk detects.<\/p>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-1&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-1-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-1\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Binwalk: What Did It Find<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-1\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-1-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<pre class=\"wp-block-syntaxhighlighter-code\">$ binwalk --list\n----------------------------------------------------------------------------------------------------\nSignature Description              Signature Name                     Extraction Utility\n----------------------------------------------------------------------------------------------------\n7-zip archive data                 7zip                               7zz\nAES Acceleration Table             aes_acceleration_table             
None\nAES Forward Table                  aes_forward_table                  None\nAES RCON                           aes_rcon                           None\nAES Reverse Table                  aes_reverse_table                  None\nAES S-Box                          aes_sbox                           None\nAndroid boot image                 android_bootimg                    None\nAndroid sparse image               android_sparse                     Built-in\nApple Disk iMaGe                   dmg                                dmg2img\nAPple File System                  apfs                               7zz\nArcadyan obfuscated LZMA           arcadyan                           Built-in\nARJ archive data                   arj                                7zz\nAutel obfuscated firmware          autel                              Built-in\nBIN firmware header                binhdr                             None\nBMP image (Bitmap)                 bmp                                Built-in\nBTRFS file system                  btrfs                              None\nbzip2 compressed data              bzip2                              Built-in\nCFE bootloader                     cfe                                None\nCHK firmware header                chk                                None\ncompress'd data                    compressd                          7zz\nCopyright text                     copyright                          None\nCPIO ASCII archive                 cpio                               7zz\nCramFS filesystem                  cramfs                             7zz\nCRC32 polynomial table             crc32                              None\nCSman DAT file                     csman                              Built-in\nD-Link Encrpted Image              encrpted_img                       Built-in\nD-Link MH01 firmware image         mh01                               Built-in\nD-Link TLV firmware                dlink_tlv                    
      Built-in\nDahua ZIP archive                  dahua_zip                          Built-in\nDebian package file                deb                                None\nDevice tree blob (DTB)             dtb                                Built-in\nDirectX shader bytecode            dxbc                               Built-in\nDKBS firmware header               dkbs                               Built-in\nDLK encrypted firmware             dlke                               Built-in\nDLOB firmware header               dlob                               None\nDMS firmware image                 dms                                Built-in\nDOS Master Boot Record             mbr                                Built-in\nDPAPI blob data                    dpapi                              None\neCos kernel exception handler      ecos                               None\nEFI Global Partition Table         efigpt                             7zz\nELF binary                         elf                                None\nEXT filesystem                     ext                                tsk_recover\nFAT file system                    fat                                tsk_recover\nGIF image                          gif                                Built-in\nGPG signed file                    gpg_signed                         Built-in\ngzip compressed data               gzip                               Built-in\nHP Printer Job Language data       pjl                                None\nIntel serial flash for PCH ROM     pchrom                             uefi-firmware-parser\nISO9660 primary volume             iso9660                            7zz\nJBOOT firmware header              jboot_arm                          None\nJBOOT SCH2 header                  jboot_sch2                         Built-in\nJBOOT STAG header                  jboot_stag                         None\nJFFS2 filesystem                   jffs2                              jefferson\nJPEG 
image                         jpeg                               Built-in\nKnown encrypted firmware           encfw                              Built-in\nLinux ARM boot executable zImage   linux_arm_zimage                   None\nLinux kernel ARM64 boot image      linux_arm64_boot_image             None\nLinux kernel boot image            linux_boot_image                   None\nLinux kernel version               linux_kernel                       vmlinux-to-elf\nLogFS file system                  logfs                              None\nLUKS header                        luks                               None\nLZ4 compressed data                lz4                                lz4\nLZFSE compressed data              lzfse                              lzfse\nLZMA compressed data               lzma                               Built-in\nLZO compressed data                lzop                               lzop\nMatter OTA firmware                matter_ota                         Built-in\nMD5 hash constants                 md5                                None\nMicrosoft Cabinet archive          cab                                cabextract\nMotorola S-record                  srecord                            srec_cat\nMotorola S-record (generic)        srecord_generic                    srec_cat\nNTFS partition                     ntfs                               tsk_recover\nOpenSSL encryption                 openssl                            Built-in\nPackImg firmware header            packimg                            None\nPcap-NG capture file               pcapng                             Built-in\nPDF document                       pdf                                None\nPEM certificate                    pem_certificate                    Built-in\nPEM private key                    pem_private_key                    Built-in\nPEM public key                     pem_public_key                     Built-in\nPKCS DER hash                      
pkcs_der_hash                      None\nPNG image                          png                                Built-in\nPOSIX tar archive                  tarball                            tar\nQEMU QCOW Image                    qcow                               None\nQNX IFS image                      qnx_ifs                            dumpifs\nRAR archive                        rar                                unrar\nRIFF image                         riff                               Built-in\nRomFS filesystem                   romfs                              Built-in\nRSA encrypted session key          rsa                                None\nRTK firmware header                rtk                                None\nSEAMA firmware header              seama                              None\nSHA256 hash constants              sha256                             None\nSHRS encrypted firmware            shrs                               Built-in\nSquashFS file system               squashfs                           sasquatch\nSVG image                          svg                                Built-in\nTP-Link firmware header            tplink                             None\nTP-Link RTOS firmware              tplink_rtos                        None\nTRX firmware image                 trx                                Built-in\nU-Boot version string              uboot                              None\nUBI image                          ubi                                ubireader_extract_images\nUBIFS image                        ubifs                              ubireader_extract_files\nUEFI capsule image                 uefi_capsule                       uefi-firmware-parser\nUEFI PI firmware volume            uefi_pi_volume                     uefi-firmware-parser\nuImage firmware image              uimage                             Built-in\nVxWorks symbol table               vxworks_symtab                     Built-in\nVxWorks WIND kernel 
version        wind_kernel                        None\nWindows CE binary image            wince                              Built-in\nWindows PE binary                  pe                                 None\nXZ compressed data                 xz                                 Built-in\nYAFFSv2 filesystem                 yaffs                              unyaffs\nZIP archive                        zip                                7zz\nZlib compressed file               zlib                               Built-in\nZSTD compressed data               zstd                               zstd\n----------------------------------------------------------------------------------------------------\nTotal signatures: 111\nExtractable signatures: 72<\/pre>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p>That&#8217;s quite a bit of output from running binwalk on steam.exe. As you can see, binwalk can identify tons of different file types. So not only can it be used to see what&#8217;s in the file, it also tells you where in the file. This allows us to use something like &#8220;dd&#8221; in Linux to extract the files ourselves if we would like to, or utilize binwalk&#8217;s extraction features.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Binwalk: Extraction<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Ok, we finally made it to the important part! Getting the data we want out. Below are the arguments I like to use most of the time. 
A screenshot of what the output files look like follows.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>binwalk -MDe steam.exe<\/code><\/pre>\n\n\n\n<p>-M, --matryoshka Recursively scan extracted files<br>-D, --dd= Extract signatures (regular expression), give the files an extension of , and execute<br>-e, --extract Automatically extract known file types<\/p>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-2&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-2-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-2\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Console Output: steam.exe<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-2\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-2-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<pre class=\"wp-block-code\"><code>brock@DESKTOP-V89BI36:\/mnt\/c\/Program Files (x86)\/Steam$ sudo binwalk -MDe --run-as=root steam.exe\n&#91;sudo] password for brock:\n\nScan Time:     2025-12-06 21:02:41\nTarget File:   \/mnt\/c\/Program Files (x86)\/Steam\/steam.exe\nMD5 Checksum:  
0384cab4ffa96ec5973f99cd18852e75\nSignatures:    411\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n0             0x0             Microsoft executable, portable (PE)\n17408         0x4400          SHA256 hash constants, little endian\n3341080       0x32FB18        Base64 standard index table\n3350660       0x332084        Copyright string: \"Copyright (C) 2010, Thomas G. Lane, Guido Vollbeding\"\n3382176       0x339BA0        HTML document header\n3382214       0x339BC6        HTML document footer\n3383640       0x33A158        CRC32 polynomial table, little endian\n3391876       0x33C184        OpenSSH RSA1 private key, version \"519\"\n3434600       0x346868        Copyright string: \"Copyright Violation\"\n3434976       0x3469E0        Zip archive data, at least v2.0 to extract, name: z\n3435056       0x346A30        End of Zip archive, footer length: 22\n3454464       0x34B600        HTML document header\n3454534       0x34B646        HTML document footer\n3476484       0x350C04        PEM certificate\n3481184       0x351E60        Base64 standard index table\n3807952       0x3A1AD0        AES Inverse S-Box\n3935300       0x3C0C44        Ubiquiti firmware header, third party, ~CRC32: 0x0, version: \"SSL_ENGINES\"\n3968944       0x3C8FB0        Base64 standard index table\n4343312       0x424610        PNG image, 256 x 256, 8-bit\/color RGBA, non-interlaced\n4343353       0x424639        Zlib compressed data, best compression\n4407492       0x4340C4        Boot section Start 0x42424242 End 0x9E4142\n4407497       0x4340C9        Boot section Start 0x9E41 End 0x0\n4413224       0x435728        PNG image, 256 x 256, 8-bit\/color RGBA, non-interlaced\n4413265       0x435751        Zlib compressed data, best compression\n4484636       0x446E1C        PNG image, 256 x 256, 8-bit\/color RGBA, non-interlaced\n4484677       0x446E45        Zlib compressed data, best compression\n4554519     
  0x457F17        XML document, version: \"1.0\"\n4689416       0x478E08        Object signature in DER format (PKCS header length: 4, sequence length: 11404\n4689557       0x478E95        Certificate in DER format (x509 v3), header length: 4, sequence length: 1421\n4690982       0x479426        Certificate in DER format (x509 v3), header length: 4, sequence length: 1424\n4692410       0x4799BA        Certificate in DER format (x509 v3), header length: 4, sequence length: 1712\n4694126       0x47A06E        Certificate in DER format (x509 v3), header length: 4, sequence length: 1716\n4695846       0x47A726        Certificate in DER format (x509 v3), header length: 4, sequence length: 1753\n4697603       0x47AE03        Certificate in DER format (x509 v3), header length: 4, sequence length: 1773\n\n\nScan Time:     2025-12-06 21:02:45\nTarget File:   \/mnt\/c\/Program Files (x86)\/Steam\/_steam.exe-6.extracted\/424639\nMD5 Checksum:  cf93e82f08b20e896d044bdbe1bf4b2c\nSignatures:    411\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n\n\nScan Time:     2025-12-06 21:02:45\nTarget File:   \/mnt\/c\/Program Files (x86)\/Steam\/_steam.exe-6.extracted\/435751\nMD5 Checksum:  ce8b997ea29fd4cb68776af65b1a49af\nSignatures:    411\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n\n\nScan Time:     2025-12-06 21:02:45\nTarget File:   \/mnt\/c\/Program Files (x86)\/Steam\/_steam.exe-6.extracted\/446E45\nMD5 Checksum:  19115af34f22073c014e5de1d7b26e3a\nSignatures:    411\n\nDECIMAL       HEXADECIMAL     DESCRIPTION\n--------------------------------------------------------------------------------\n229393        0x38011         MySQL MISAM index file Version 1<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"983\" height=\"465\" 
src=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-7.webp\" alt=\"\" class=\"wp-image-174\" srcset=\"https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-7.webp 983w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-7-300x142.webp 300w, https:\/\/brockcooper.info\/wp-content\/uploads\/2025\/12\/image-7-768x363.webp 768w\" sizes=\"auto, (max-width: 983px) 100vw, 983px\" \/><\/figure>\n\n\n\n<p>You might have noticed, the files are named the base offset address of the data. That just means its telling us how far from the start of the file the data begins; So from the start of the file, we move X bytes, and begin reading until (in this case) we hit the beginning of the next detected file signature.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Binwalk: Command Arguments<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Binwalk v2.3.3<br>Craig Heffner, ReFirmLabs<br>https:\/\/github.com\/ReFirmLabs\/binwalk<br><strong><br>Usage:<\/strong> binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] \u2026<\/p>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-3&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-3-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-3\" class=\"wp-block-accordion-heading__toggle\"><span 
class=\"wp-block-accordion-heading__toggle-title\">Signature Scan Options:<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-3\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-3-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>-B, &#8211;signature Scan target file(s) for common file signatures<br>-R, &#8211;raw= Scan target file(s) for the specified sequence of bytes<br>-A, &#8211;opcodes Scan target file(s) for common executable opcode signatures<br>-m, &#8211;magic= Specify a custom magic file to use<br>-b, &#8211;dumb Disable smart signature keywords<br>-I, &#8211;invalid Show results marked as invalid<br>-x, &#8211;exclude= Exclude results that match<br>-y, &#8211;include= Only show results that match<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-4&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-4-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-4\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Extraction Options:<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" 
aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-4\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-4-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>-e, &#8211;extract Automatically extract known file types<br>-D, &#8211;dd= Extract signatures (regular expression), give the files an extension of , and execute<br>-M, &#8211;matryoshka Recursively scan extracted files<br>-d, &#8211;depth= Limit matryoshka recursion depth (default: 8 levels deep)<br>-C, &#8211;directory= Extract files\/folders to a custom directory (default: current working directory)<br>-j, &#8211;size= Limit the size of each extracted file<br>-n, &#8211;count= Limit the number of extracted files<br>-0, &#8211;run-as= Execute external extraction utilities with the specified user&#8217;s privileges<br>-1, &#8211;preserve-symlinks Do not sanitize extracted symlinks that point outside the extraction directory (dangerous)<br>-r, &#8211;rm Delete carved files after extraction<br>-z, &#8211;carve Carve data from files, but don&#8217;t execute extraction utilities<br>-V, &#8211;subdirs Extract into sub-directories named by the offset<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-5&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-5-panel\" 
data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-5\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Entropy Options:<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-5\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-5-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>-E, &#8211;entropy Calculate file entropy<br>-F, &#8211;fast Use faster, but less detailed, entropy analysis<br>-J, &#8211;save Save plot as a PNG<br>-Q, &#8211;nlegend Omit the legend from the entropy plot graph<br>-N, &#8211;nplot Do not generate an entropy plot graph<br>-H, &#8211;high= Set the rising edge entropy trigger threshold (default: 0.95)<br>-L, &#8211;low= Set the falling edge entropy trigger threshold (default: 0.85)<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-6&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-6-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-6\" class=\"wp-block-accordion-heading__toggle\"><span 
class=\"wp-block-accordion-heading__toggle-title\">Binary Diffing Options:<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-6\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-6-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>-W, &#8211;hexdump Perform a hexdump \/ diff of a file or files<br>-G, &#8211;green Only show lines containing bytes that are the same among all files<br>-i, &#8211;red Only show lines containing bytes that are different among all files<br>-U, &#8211;blue Only show lines containing bytes that are different among some files<br>-u, &#8211;similar Only display lines that are the same between all files<br>-w, &#8211;terse Diff all files, but only display a hex dump of the first file<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-7&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-7-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-7\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">Raw Compression Options:<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" 
aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-7\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-7-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>-X, &#8211;deflate Scan for raw deflate compression streams<br>-Z, &#8211;lzma Scan for raw LZMA compression streams<br>-P, &#8211;partial Perform a superficial, but faster, scan<br>-S, &#8211;stop Stop after the first result<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div data-wp-context=\"{ &quot;autoclose&quot;: false, &quot;accordionItems&quot;: [] }\" data-wp-interactive=\"core\/accordion\" role=\"group\" class=\"wp-block-accordion is-layout-flow wp-block-accordion-is-layout-flow\">\n<div data-wp-class--is-open=\"state.isOpen\" data-wp-context=\"{ &quot;id&quot;: &quot;accordion-item-8&quot;, &quot;openByDefault&quot;: false }\" data-wp-init=\"callbacks.initAccordionItems\" data-wp-on-window--hashchange=\"callbacks.hashChange\" class=\"wp-block-accordion-item is-layout-flow wp-block-accordion-item-is-layout-flow\">\n<h3 class=\"wp-block-accordion-heading\"><button aria-expanded=\"false\" aria-controls=\"accordion-item-8-panel\" data-wp-bind--aria-expanded=\"state.isOpen\" data-wp-on--click=\"actions.toggle\" data-wp-on--keydown=\"actions.handleKeyDown\" id=\"accordion-item-8\" class=\"wp-block-accordion-heading__toggle\"><span class=\"wp-block-accordion-heading__toggle-title\">General Options:<\/span><span class=\"wp-block-accordion-heading__toggle-icon\" aria-hidden=\"true\">+<\/span><\/button><\/h3>\n\n\n\n<div inert aria-labelledby=\"accordion-item-8\" data-wp-bind--inert=\"!state.isOpen\" id=\"accordion-item-8-panel\" role=\"region\" class=\"wp-block-accordion-panel is-layout-flow wp-block-accordion-panel-is-layout-flow\">\n<p>-l, &#8211;length= Number of bytes to scan<br>-o, &#8211;offset= Start scan at this file offset<br>-O, &#8211;base= Add a base address to all printed 
offsets<br>-K, &#8211;block= Set file block size<br>-g, &#8211;swap= Reverse every n bytes before scanning<br>-f, &#8211;log= Log results to file<br>-c, &#8211;csv Log results to file in CSV format<br>-t, &#8211;term Format output to fit the terminal window<br>-q, &#8211;quiet Suppress output to stdout<br>-v, &#8211;verbose Enable verbose output<br>-h, &#8211;help Show help output<br>-a, &#8211;finclude= Only scan files whose names match this regex<br>-p, &#8211;fexclude= Do not scan files whose names match this regex<br>-s, &#8211;status= Enable the status server on the specified port<\/p>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>So for now, I think that&#8217;s all I have! Play around a bit with the extraction arguments, as there are a few different and useful ways you can have everything extracted. Otherwise, using &#8220;dd&#8221; on Linux is by far the easiest if you are just looking to extract a single artifact.<\/p>\n\n\n\n<p>I hope this was at least interesting and something more people will play with, as it can be quite a lot of fun.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Embedded Files: Binwalk &#8211; Finding unseen data Have you ever wondered what sort of data could be embedded into a file? 
I don&#8217;t mean application&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[22,21,23],"class_list":["post-157","post","type-post","status-publish","format-standard","hentry","category-utilities","tag-analysis","tag-binwalk","tag-tools"],"_links":{"self":[{"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/posts\/157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/comments?post=157"}],"version-history":[{"count":4,"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions"}],"predecessor-version":[{"id":209,"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/posts\/157\/revisions\/209"}],"wp:attachment":[{"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/media?parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/categories?post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/brockcooper.info\/index.php\/wp-json\/wp\/v2\/tags?post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}