05月15, 2018

Diaphora, a program diffing plugin for IDA Pro

Diaphora (διαφορά, in Greek “difference”) is a pure python plugin for IDA Pro to perform program comparison, what is often referred as “Binary Diffing”

I always found that the bindiff tools did not import enough information from database to database, if at all.

1) structures and enumerations in IDA and I always have to manually import them. 2) want to check the call graph of the malware, only Zynamics BinDiff does so. 3)many times I need to match functions from x86, x86_64 and ARM binaries interchangeably

The Zynamics plugin works “great” overall, but can fail matching many functions because the compiler used is different, naturally. 不能匹配许多函数,因为编译器使用的是不同的。

However, the Hex-Rays decompiler is not typically bothered by such changes and the pseudo-code is rather similar if not 100% equal.

但是,Hex-Rays反编译器通常不会受到这种更改的困扰,如果不是100%相等,则伪代码相当相似。

那么,为什么不使用反编译器呢? 使用AST Hex-Rays反编译器提供的和伪代码。 它允许在x86,x86_64和ARM的二进制比较中执行二进制比较,比目前的二进制比较工具或插件更先进。

I will take as example 2 different versions of the “avast” binary from Avast for Linux x86_64. The files has the following hashes: 1.ed5bdbbfaf25b065cf9ee50730334998 avast

2.72a05d44b2ac3d7a1c9d2ab5939af782 avast-72a05d44b2ac3d7a1c9d2ab5939af782

if it’s installed (i.e., copied in the $IDA_DIR/plugins/ directory), using the Edit → Plugins → Diaphora – Export or diff option. The following dialog will open:

The nodes in yellow color, are these with only minor changes; pink ones, are these that are either new or heavily modified and the blank ones, the basic blocks that were not modified at all.

Let’s diff now the assembly in plain text: go back to the “Partial matches” tab, right click on the function “handle_scan_item” and select “Diff assembly”:

http://joxeankoret.com/blog/2015/03/13/diaphora-a-program-diffing-plugin-for-ida-pro/

本文链接:https://harry.uno/post/diaphora.html

-- EOF --

Comments