John Mcintosh - Saturday, 24 February- 90 mins



The goal of this workshop is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Microsoft Windows via (CVE-2023-28308) and Android via (CVE-2022-36934). The main point of the workshop is to help researchers understand that they already have the information and tools needed to understand complex vulnerabilities. By learning to patch diff “in the dark”, a researcher can progress from knowing about a vulnerability to actually understanding its root cause.


  • Introduction (15 minutes)
    • Explain what patch diffing is and why it is useful for vulnerability research
    • Give an overview of both CVE vulnerabilities and their impact
    • Introduce the tools and data sets that will be used in the workshop (Ghidra, patched and unpatched binaries, updates files, etc.)
    • Exercise:
      • Check participants can run required tools and have access to provided resources
  • Patch Analysis (40 minutes)
    • Learn the different methods to obtain the binaries needed for patch diffing across Windows and Android
    • Demonstrate how to use Ghidra to compare the patched and unpatched binaries and identify the changes
    • Explain how to interpret the diff results and locate the vulnerable function
    • Exercise:
      • Have participants import and analyze binaries, and perform patch diff
  • Vulnerability Analysis (40 minutes)
    • Teach a method to determine how to reach the identified vulnerable function
    • Explain how the vulnerabilities can be triggered by sending a specially crafted input
    • Show how to use a debugger (WinDbg / adb) to attach to a process and set breakpoints on the vulnerable function
    • Demonstrate how to craft a malicious input to trigger the CVE
    • Exercise:
      • Have participants try to identify the vulnerable function and provide guidance.
      • Have participants step through the vulnerable function
  • Conclusion (15 minutes)
    • Summarize the main points and learning outcomes of the workshop
    • Provide some tips and resources for further learning and practice on patch diffing and vulnerability analysis
    • Answer any questions from the participants and collect feedback

Requirements for the Workshop:

  • Laptop with Ghidra installed or ability to run workshop VM
  • Internet access to download workshop resources


John Mcintosh is a security researcher @clearseclabs who is passionate about learning and sharing knowledge on various aspects of information security. He has a keen interest in binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security tools and also blogs regularly about his research projects and experiments with ghidra and patch diffing. You can follow him on twitter @clearbluejar or visit his website https://clearbluejar.Github.Io.