Advanced Binary Diffing with Diaphora

Joxean Koret
Virtual Training | July 20 - 26 | 32 hours

BOOK NOW

Advanced Binary Diffing with Diaphora

Joxean Koret

Book Now - Early Bird Rate USD 4000

This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora's techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.

ABSTRACT

Diaphora (διαφορά, in Greek "difference") is a pure python plugin for IDA Pro to perform program comparison, what is often referred as "Binary Diffing". Diaphora is open source, regularly maintained and offers more functionality than other similar tools such as Zynamics BinDiff, DarunGrim or TurboDiff.

Binary Diffing is a widely used technique to help in reverse engineering tasks like, patch diffing, importing symbols, library identification, plagiarism detection, etc. All these tasks can be simplified using Diaphora out-of-the-box. There are many cases where the tasks are more complex and require significant effort to apply, or be so tedious that automation becomes a must. There are little to no public resources on automation or scripting of binary diffing or methods to adapt generic techniques to more target specific techniques. And even fewer public resources that discuss deriving your own tools using Diaphora or any other binary diffing tool.

This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora's techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.

This training is supplemented by several hands-on exercises to internalize concepts and techniques taught in class.

INTENDED AUDIENCE

💡
Reverse engineers, bug hunters, security researchers, vulnerability researchers, exploit developers, anybody who wants to learn advanced usages of program diffing tools to augment their reverse engineering capabilities and make their life easier.

COURSE DETAILS

AGENDA

Part 1 - Basics of Binary Diffing and Diaphora

The first part focuses on understanding how binary diffing works, learning how Diaphora works and the most common usage scenarios with some real world examples. Students will learn to understand how each of the Diaphora heuristics work and what quality of matches to expect from each one. Students will also learn how they can do some of the most common tasks in the reverse engineering field by performing patch analysis in order to find some infamous vulnerabilities, porting symbols from different versions of the same software, importing symbols from open source libraries into closed source binaries, as well as how to use some basic plagiarism detection techniques using Diaphora.

  • Introduction to Binary Diffing and Diaphora
  • Introduction and explanation of the heuristics
  • Patch diffing exercises
  • EXERCISE: Porting your work across version
  • EXERCISE: Porting symbols between different target versions
  • EXERCISE: Porting library symbols to a target binary using a static version of some library
  • Basic plagiarism detection exercises

Part 2 - Advanced Use Cases and Automation

The second session is more focused on automation and scripting. Students will first learn the basics of Diaphora automation and sripting with exercises for some of the most common use cases. Students will also learn how to extend the tool as well as how to write their own tools using Diaphora.

  • Diffing of specific areas and partial diffing
  • Batch patch diffing
  • Batch importing symbols
  • Batch librari(es) identification
  • Adding new heuristics
  • Scripting the export process
    • Adding filters and transformations
  • Scripting the diffing process
    • Scripting new heuristics
  • Extending Diaphora
  • Writing custom tools using Diaphora

CHOOSE YOUR OWN MINI-PROJECT!

Towards the end of the class, you will be able to work on your own custom Diaphora tools, based on your needs, assisted by the instructor. This way, you can put your knowledge to immediate use after the class!

REQUIREMENTS

  • IDA Pro or IDA Home 7.5 or higher with Python 3.X.
  • 8GB RAM required, at a minimum
  • 40 GB free Hard disk space

ABOUT THE INSTRUCTOR

Joxean Koret is a Basque hacker interested in reverse engineering, security research, software development and nature photography.

"I analyse, break and code stuff in no specific order."

Joxean has been working for the past 15 years in many different computing areas. He started as a database software developer and DBA for a number of different RDBMS. Eventually he turned towards reverse engineering and applied this DB insights to discover dozens of vulnerabilities in major database products, especially Oracle. He also worked in areas like malware analysis, anti-malware software development and developing IDA Pro at Hex-Rays. He is currently a senior security engineer.