Showing results for tags 'bindiffing'.
Diaphora is a plugin for IDA Pro that aims to help in the typical BinDiffing tasks. It's similar to other competitor products and open source projects like Zynamics BinDiff, DarunGrim, or TurboDiff. However, it's able to perform more actions than any of the previous IDA plugins or projects.

Diaphora is distributed as a compressed file with various files and folders inside it. The structure is similar to the following one:

diaphora.py: The main IDAPython plugin. It contains all the code of the heuristics, graph displaying, export interface, etc.
jkutils/kfuzzy.py: This is an unmodified version of the kfuzzy.py library, part of the DeepToad project, a tool and a library for performing fuzzy hashing of binary files. It's included because fuzzy hashes of pseudo-codes are used as part of the various heuristics implemented.
jkutils/factor.py: This is a modified version of a private malware clusterization toolkit based on graph theory. This library offers the ability to factor numbers quickly in Python and, also, to compare arrays of prime factors. Diaphora uses it to compare fuzzy AST hashes and call graph fuzzy hashes based on small-primes-products (an idea first coined and implemented by Thomas Dullien and Rolf Rolles, authors or former authors of the Zynamics BinDiff commercial product, in their "Graph-based comparison of Executable Objects – Zynamics" paper).
Pygments/: This directory contains an unmodified distribution of the Python pygments library, a "generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code".

Changelog v2.0.6

BUG: Do not crash when we cannot analyse one Diaphora SQLite database.
BUG: Diaphora was incorrectly searching the pattern '{}' instead of '[]' for empty list field values. Fix for #219.
GUI: When a reverser uses the "Diff pseudo-code" option and both codes are equal, show a warning message, but also show the diffing.
HEUR: In heuristic "Call Address Sequence" also use the "Partial results" when the function name is the same.
HEUR: Added heuristic "Same RVA". Only matches with a minimum ratio of 0.7 will be considered.
HEUR: Removed the "Slow" flag from the heuristic "Same Rare Constant".
HEUR: Use the 3 calculated fuzzy hashes in heuristic "Pseudo-code Fuzzy Hash".
HEUR: Moved heuristic "Similar Pseudo-code and Names" from the probably unreliable category to normal.
HEUR: Removed wrong heuristics "Similar Small Pseudo-codes" and "Equal Small Pseudo-codes" because they caused a lot of false positives (heuristics for finding matches tend to fail with small functions, and these were no exception). Also, applied suggestion for issue #220.
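The post mentions that jkutils/factor.py compares call graph fuzzy hashes built from small-primes-products, the Dullien/Rolles idea. The following is an added illustration of that idea, not Diaphora's code: every node in a call graph gets a signature, every distinct signature is mapped to a small prime, the graph hash is the product of those primes, and two hashes are compared by factoring them back into prime multisets. The node signature used here (in-degree, out-degree) and the two sample call graphs are assumptions constructed for the example; Diaphora's real signatures and ratio computation differ.

```python
"""Small-primes-product (SPP) hashing and comparison of call graphs.

Added example in the spirit of the Dullien/Rolles idea the post refers to.
The (in_degree, out_degree) node signature, the prime assignment order and
the sample graphs are assumptions of this example, not Diaphora's scheme.
"""
from collections import Counter
from itertools import count


def primes():
    """Yield 2, 3, 5, 7, ... by trial division (enough for a few hundred nodes)."""
    found = []
    for n in count(2):
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n


# Global table: each distinct node signature is assigned the next unused prime,
# so the same signature always maps to the same prime across both graphs.
_SIG_TO_PRIME = {}
_PRIME_GEN = primes()


def prime_for(sig):
    if sig not in _SIG_TO_PRIME:
        _SIG_TO_PRIME[sig] = next(_PRIME_GEN)
    return _SIG_TO_PRIME[sig]


def node_signatures(graph):
    """graph maps function -> list of callees; return (in_deg, out_deg) per node."""
    indeg = Counter()
    for callees in graph.values():
        for callee in callees:
            indeg[callee] += 1
    return [(indeg[f], len(callees)) for f, callees in graph.items()]


def spp_hash(graph):
    """Product of one small prime per node. Multiplication commutes, so the
    hash does not depend on the order in which functions appear in the binary."""
    h = 1
    for sig in node_signatures(graph):
        h *= prime_for(sig)
    return h


def factor(n):
    """Recover the prime multiset from an SPP hash by trial division over the
    primes handed out so far (the only primes that can occur in a hash)."""
    factors = Counter()
    for p in sorted(_SIG_TO_PRIME.values()):
        while n % p == 0:
            factors[p] += 1
            n //= p
        if n == 1:
            break
    if n != 1:
        raise ValueError("hash contains a prime not in the signature table")
    return factors


def similarity(h1, h2):
    """Shared prime factors (with multiplicity) over the larger multiset, in [0, 1]."""
    f1, f2 = factor(h1), factor(h2)
    shared = sum((f1 & f2).values())
    total = max(sum(f1.values()), sum(f2.values()))
    return shared / total if total else 1.0


def compare_graphs(g1, g2):
    return similarity(spp_hash(g1), spp_hash(g2))


# Constructed sample: the call graph of a program and of a later build where
# run() gained a call to a new helper check(), which itself calls log().
GRAPH_V1 = {
    "main":   ["parse", "run"],
    "parse":  ["strlen", "atoi"],
    "run":    ["parse", "log"],
    "log":    [],
    "strlen": [],
    "atoi":   [],
}
GRAPH_V2 = dict(GRAPH_V1, run=["parse", "log", "check"], check=["log"])

if __name__ == "__main__":
    shuffled = dict(reversed(list(GRAPH_V1.items())))
    print("same graph, reordered:", spp_hash(GRAPH_V1) == spp_hash(shuffled))
    print("v1 vs v2 similarity: %.3f" % compare_graphs(GRAPH_V1, GRAPH_V2))
```

The property worth noticing is that a function being moved to a different address, or the whole binary being relinked in a different order, does not change the product, whereas one added edge changes the signature of both endpoints and therefore swaps two primes in the multiset; that is why the ratio drops to 4/7 for the two sample graphs rather than to zero.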