home.social

#bindiff — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #bindiff, aggregated by home.social.

  1. @HexRaysSA somewhat underhandedly added Linux ARM64 builds in their new IDA Pro 9.3 beta.
    I really need to find some time to work on #BinDiff...

  2. Exciting! @vector35's excellent #BinaryNinja ships with built-in BinExport in the latest dev version!
    Here's how to use it with #BinDiff: dev-docs.binary.ninja/guide/bi

  3. ghidriff - mpengine.dll - VersionTrackingDiff - 1.1.24030.4 vs 1.1.24060.5

    https://gist.github.com/v-p-b/f9aa39263e125c8e3b04c4d22fd4d78d#strings

    This one executed much faster than SimpleDiff (with the O(n^2) FuncName:Param algorithm)!

    Unfortunately the diff is so big it's difficult to judge quality, so the next step is to come up with some metrics that can be checked automatically.

    #bindiff #ghidriff
  4. You diff binaries and immediately find the single change that adds the overflow check.

    I diff mpengine.dll and break all reversing tools out there.

    We are not the same.

    https://gist.github.com/v-p-b/513a8f70a32c62f3ab7bf0d6a90e0941

    #bindiff #ghidriff
  5. Ever wondered about how #BinDiff reads the BinExport2 format to build its flow graph representations?
    This post by @williballenthin sheds some light on this:
    williballenthin.com/post/binex

  6. I'll end this on a more positive note by saying that github.com/google/binexport/pu at least enables the same workflow for IDA 9.0 as the one we use for Binary Ninja and Ghidra (export first, then invoke #BinDiff manually). 6/N

  7. This is all a shame, really, as I would like to update #BinDiff to, e.g., use idalib for headless exports.
    But right now, I don't have the time/capacity to work on any of this.
    I'd rather spend my 20% time on more exciting parts of the project. Or maybe it's time to move on? 5/N

  8. On top of that, #BinDiff can no longer just be installed, because 8.4 plugins will not load in IDA Pro 9.0 (and vice versa), and installing both means an ugly error message each time IDA starts.
    So I need to implement something to select the version (idaswitch?). 4/N

  9. Supporting #BinDiff on 3 disassemblers (as a 20% project, no less) is difficult enough, and initially I was pleased that at least the 32-bit binaries are going away. 2/N

  10. PSA: An official #BinDiff that works with IDA 9.0 will be a bit delayed.
    Good news is that there's a github.com/google/binexport/pu for BinExport that should allow using BinDiff manually.
    @HexRaysSA

  11. I have just stumbled upon this post diffing some windows driver:

    crowdfense.com/windows-wi-fi-d

    Why use #BinDiff and see this [first picture] when you can use #Diaphora and see this [second picture]?

    Of course, feel free to use whatever tool you prefer but, what's the point of doing more work? Diaphora finds out that only 2 functions are interesting for patch diffing and shows exactly, in the pseudo-code, what new chunk of code was added and what new function is being called. Diffing decompilation.

  12. This is not at all my own idea and this is, basically, the only thing that academia researches as of today: almost every single academic paper published in the last years talking about binary diffing (or, as academia calls it "Binary Code Similarity Analysis") is based on "machine learning" techniques.

    Some popular academic examples: DeepBinDiff or BindiffNN. Don't worry if you don't know them. Nobody uses them. At all.

    #BinDiff #BinaryDiffing #BinaryCodeSimilarityAnalysis

  17. Huh, with the new IDAlib headless mode in @HexRaysSA IDA 9.0, #BinDiff can get rid of the visible second IDA instance. Need to play around with this more.

  18. Meanwhile, while I'm on a #Ghidra bender this evening - I just found this neat tutorial on using Zynamics #BinDiff with Ghidra, via the #BinExport plugin:
    0x90.se/reverse%20engineering/

    I'm planning to give this a go - while I had access to IDA+Bindiff, I used it a fair bit.

    Edit - in case you missed it, BinDiff and BinExport are also now open-source:
    BinDiff: github.com/google/bindiff
    BinExport: github.com/google/binexport

  19. It's very sad, but it's always a damn waste of time reading academic research about binary diffing or, as it's called in academia, binary code similarity analysis. It's either all fairytales that cannot be proved or, plainly, false and/or wrong.

    An example? One paper that I have re-read today says that #BinDiff and #Diaphora are mono-architecture and totally discards these tools for the paper. LOL.

    #BinaryDiffing #BinDiffing #BinaryCodeSimilarityAnalysis

  24. I've finally played with the new #BinDiff and, even though it requires just a few minutes to diff what #Diaphora is diffing for like 12 hours, the output quality is just bad imo. I see some things that are clearly false positives, and missing simple stuff like pseudo-code or assembly diffing (I know it's not too precise or even meaningful when there are more or less large changes, but it's good for visualizing small patches) and a buggy interface bring a lot of pain into using it. I sure hope I'm using it wrong and someone could correct me.

  25. In the spirit of "this talk could've been a tweet", I just pushed a button:

    #BinDiff is now open source.

    - This is a snapshot release, no major new functionality
    - Release binaries will follow later today or tomorrow
    - This is my 20% and I won't be able to act on PRs until end of Q4 (OOO traveling)

    Thanks everyone for making this possible!

    Shout out to @HalvarFlake, ObfuscaTHOR, Nils, Tora,
    @shanehuntley, @erocarrera, 0xfffffffe

    Happy diffing!

    github.com/google/bindiff/rele

  26. I would be very surprised if anyone has used a bindiffing tool that is neither #Diaphora nor #BinDiff in the last, say, 5 years.

  27. So, continuing my rant about academic research in the #bindiffing area and not releasing required stuff: In one paper they say that 2 malware samples aren't properly diffed by both #Diaphora and #BinDiff, so I have tried to search for the samples to do the diffing myself and see why, if at all, it fails. There is no dataset or sample hashes anywhere, only a set of assembly instructions for a specific basic block... #Fail

  28. PS: I forgot to say that regardless of academic papers, everyone that needs to get real work done uses #diaphora, #bindiff or both.