Abstract
Diaphora (διαφορά, in Greek “difference”) is a pure python plugin for IDA Pro to perform program comparison, what is often referred as “Binary Diffing”. Diaphora is open source, regularly maintained and offers more functionality than other similar tools such as Zynamics BinDiff, DarunGrim or TurboDiff.
Binary Diffing is a widely used technique to help in reverse engineering tasks like, patch diffing, importing symbols, library identification, plagiarism detection, etc. All these tasks can be simplified using Diaphora out-of-the-box. There are many cases where the tasks are more complex and require significant effort to apply, or be so tedious that automation becomes a must. There are little to no public resources on automation or scripting of binary diffing or methods to adapt generic techniques to more target specific techniques. And even fewer public resources that discuss deriving your own tools using Diaphora or any other binary diffing tool.
This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora's techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.
This training is supplemented by several hands-on exercises to internalize concepts and techniques taught in class.
Course Topics
Part 1 - Basics of Binary Diffing and Diaphora
The first part focuses on understanding how binary diffing works, learning how Diaphora works and the most common usage scenarios with some real world examples. Students will learn to understand how each of the Diaphora heuristics work and what quality of matches to expect from each one. Students will also learn how they can do some of the most common tasks in the reverse engineering field by performing patch analysis in order to find some infamous vulnerabilities, porting symbols from different versions of the same software, importing symbols from open source libraries into closed source binaries, as well as how to use some basic plagiarism detection techniques using Diaphora.
- Introduction to Binary Diffing and Diaphora
- Introduction and explanation of the heuristics
- Patch diffing exercises
- EXERCISE: Porting your work across version
- EXERCISE: Porting symbols between different target versions
- EXERCISE: Porting library symbols to a target binary using a static version of some library
- Basic plagiarism detection exercises
Part 2 - Advanced Use Cases and Automation
The second session is more focused on automation and scripting. Students will first learn the basics of Diaphora automation and sripting with exercises for some of the most common use cases. Students will also learn how to extend the tool as well as how to write their own tools using Diaphora.
- Diffing of specific areas and partial diffing
- Batch patch diffing
- Batch importing symbols
- Batch librari(es) identification
- Adding new heuristics
- Scripting the export process
- Adding filters and transformations
- Scripting the diffing process
- Scripting new heuristics
- Extending Diaphora
- Writing custom tools using Diaphora
CHOOSE YOUR OWN MINI-PROJECT!
TOWARDS THE END OF THE CLASS, YOU WILL BE ABLE TO WORK ON YOUR OWN CUSTOM DIAPHORA TOOLS, BASED ON YOUR NEEDS, ASSISTED BY THE INSTRUCTOR. THIS WAY, YOU CAN PUT YOUR KNOWLEDGE TO IMMEDIATE USE AFTER THE CLASS!
Who Should Attend
Reverse engineers, bug hunters, security researchers, vulnerability researchers, exploit developers, anybody who wants to learn advanced usages of program diffing tools to augment their reverse engineering capabilities and make their life easier.
System Requirements
- IDA Pro or IDA Home 7.5 or higher with Python 3.X.
- 8GB RAM required, at a minimum
- 40 GB free Hard disk space