Advanced Binary Diffing with Diaphora

Analysis and Automation

2 Day u_long 16 CPE Hour Training: January 2021

FEB 1-5 [detailed schedule coming soon]

Abstract

Diaphora (διαφορά, in Greek "difference") is a pure python plugin for IDA Pro to perform program comparison, what is often referred as "Binary Diffing". Diaphora is open source, regularly maintained and offers more functionality than other similar tools such as Zynamics BinDiff, DarunGrim or TurboDiff.

Binary Diffing is a widely used technique to help in reverse engineering tasks like, patch diffing, importing symbols, library identification, plagiarism detection, etc. All these tasks can be simplified using Diaphora out-of-the-box. There are many cases where the tasks are more complex and require significant effort to apply, or be so tedious that automation becomes a must. There are little to no public resources on automation or scripting of binary diffing or methods to adapt generic techniques to more target specific techniques. And even fewer public resources that discuss deriving your own tools using Diaphora or any other binary diffing tool.

This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora's techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.

This training is supplemented by several hands-on exercises to internalize concepts and techniques taught in class.

Course Topics

Binary Diffing - Concepts and Basics

  • Introduction to Binary Diffing and Diaphora
  • Introduction and explanation of the heuristics
  • Patch diffing exercises
  • EXERCISE: Porting your work across versions
  • EXERCISE: Porting symbols between different target versions
  • EXERCISE: Porting library symbols to a target binary using a static version of some library
  • Basic plagiarism detection exercises

Advanced Use Cases and Automation

  • Diffing of specific areas and partial diffing
  • Batch patch diffing
  • Batch importing symbols
  • Batch librari(es) identification
  • Adding new heuristics
  • Scripting the export process
    • Adding filters and transformations
  • Scripting the diffing process
    • Scripting new heuristics
  • Extending Diaphora
  • Writing custom tools using Diaphora

Intended Audience

Reverse engineers, bug hunters, security researchers, vulnerability researchers, exploit developers, anybody who wants to learn advanced usages of program diffing tools to augment their reverse engineering capabilities and make their life easier.

System Requirements

  • IDA Pro or IDA Home 7.5 or higher with Python 3.X.
  • 8GB RAM required, at a minimum
  • 40 GB free Hard disk space
Joxean Koret

Joxean Koret

Register Now

Basque hacker interested in reverse engineering, security research, software development and nature photography.

"I analyse, break and code stuff in no specific order."

Joxean Koret has been working for the past 15 years in many different computing areas. He started as a database software developer and DBA for a number of different RDBMS. Eventually he turned towards reverse engineering and applied this DB insights to discover dozens of vulnerabilities in major database products, especially Oracle. He also worked in areas like malware analysis, anti-malware software development and developing IDA Pro at Hex-Rays. He is currently a senior security engineer.