Advanced Binary Diffing with Diaphora
Joxean Koret
Virtual Training | July 20 - 26 | 32 hours
This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora's techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.
ABSTRACT
Diaphora (διαφορά, in Greek "difference") is a pure python plugin for IDA Pro to perform program comparison, what is often referred as "Binary Diffing". Diaphora is open source, regularly maintained and offers more functionality than other similar tools such as Zynamics BinDiff, DarunGrim or TurboDiff.
Binary Diffing is a widely used technique to help in reverse engineering tasks like, patch diffing, importing symbols, library identification, plagiarism detection, etc. All these tasks can be simplified using Diaphora out-of-the-box. There are many cases where the tasks are more complex and require significant effort to apply, or be so tedious that automation becomes a must. There are little to no public resources on automation or scripting of binary diffing or methods to adapt generic techniques to more target specific techniques. And even fewer public resources that discuss deriving your own tools using Diaphora or any other binary diffing tool.
This course will teach you how to script and automate several basic and advanced binary diffing tasks. You will learn how to get the best out of Diaphora's techniques and heuristics for program diffing, how to script your own export filters, diffing filters, new project specific heuristics, how to automate the diffing of batches of samples, how to import symbols in batch from old to new versions, how to make your own tools based on Diaphora, and more.
This training is supplemented by several hands-on exercises to internalize concepts and techniques taught in class.
INTENDED AUDIENCE
COURSE DETAILS
AGENDA
Part 1 - Basics of Binary Diffing and Diaphora
The first part focuses on understanding how binary diffing works, learning how Diaphora works and the most common usage scenarios with some real world examples. Students will learn to understand how each of the Diaphora heuristics work and what quality of matches to expect from each one. Students will also learn how they can do some of the most common tasks in the reverse engineering field by performing patch analysis in order to find some infamous vulnerabilities, porting symbols from different versions of the same software, importing symbols from open source libraries into closed source binaries, as well as how to use some basic plagiarism detection techniques using Diaphora.
- Introduction to Binary Diffing and Diaphora
- Introduction and explanation of the heuristics
- Patch diffing exercises
- EXERCISE: Porting your work across version
- EXERCISE: Porting symbols between different target versions
- EXERCISE: Porting library symbols to a target binary using a static version of some library
- Basic plagiarism detection exercises
Part 2 - Advanced Use Cases and Automation
The second session is more focused on automation and scripting. Students will first learn the basics of Diaphora automation and sripting with exercises for some of the most common use cases. Students will also learn how to extend the tool as well as how to write their own tools using Diaphora.
- Diffing of specific areas and partial diffing
- Batch patch diffing
- Batch importing symbols
- Batch librari(es) identification
- Adding new heuristics
- Scripting the export process
- Adding filters and transformations
- Scripting the diffing process
- Scripting new heuristics
- Extending Diaphora
- Writing custom tools using Diaphora
CHOOSE YOUR OWN MINI-PROJECT!
Towards the end of the class, you will be able to work on your own custom Diaphora tools, based on your needs, assisted by the instructor. This way, you can put your knowledge to immediate use after the class!
REQUIREMENTS
- IDA Pro or IDA Home 7.5 or higher with Python 3.X.
- 8GB RAM required, at a minimum
- 40 GB free Hard disk space
ABOUT THE INSTRUCTOR
Joxean Koret is a Basque hacker interested in reverse engineering, security research, software development and nature photography.
"I analyse, break and code stuff in no specific order."
Joxean has been working for the past 15 years in many different computing areas. He started as a database software developer and DBA for a number of different RDBMS. Eventually he turned towards reverse engineering and applied this DB insights to discover dozens of vulnerabilities in major database products, especially Oracle. He also worked in areas like malware analysis, anti-malware software development and developing IDA Pro at Hex-Rays. He is currently a senior security engineer.
Ringzer0