[Dailydave] Partial Binary Diffing?
Dave Aitel
dave at immunityinc.com
Wed Sep 13 09:35:11 EST 2006
One thing I'm interested in lately is partial binary diffing. I'm doing
a vulnerability assessment right now, and I notice that they're running
an old version of bobsftpserver.exe. So I download the version right
after that, and try a diff. Unfortunately, both versions are compressed
with some unknown compression utility. So I attach to them with Immunity
Debugger, and I notice they uncompress nicely in memory. IDA's
"universal unpacker" fails, so I decide I need to copy the executables
out, and try bindiffing (with Sabre-Security Bindiff v2) the result.
My first Immunity Debugger plug-in is the result. It took roughly 15
minutes to do, but I had all the spare parts lying around (pelib.py is
originally part of CANVAS). This worked great in theory. (Script is below).

So then IDA's analysis crashes on the resulting PE file. But it made me
think: Usually I only want to bindiff a certain subset of functionality.
I really really don't care about the UI stuff, or the configuration
reading stuff. I want to bindiff the path the network data takes.

One way would be to have Binnavi export a PE file after culling all the
bits I don't want and diff those. Another way is to do a run-trace in
Immdbg and have it diff the run-trace somehow. At this stage, I'm not
sure which is the easiest way. Easy is important, because I know that
most vulnerability assessments do not include lengthy binary analysis
stints.
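The second idea above (diff two run-traces instead of two whole binaries) can be sketched without any debugger at all. The script below is an added example, not part of the original post and not Immunity Debugger code: it takes two constructed traces of (address, symbol) pairs, throws away the UI and config functions and the addresses (which differ between builds anyway), and diffs what is left at the function-sequence level with difflib. The trace contents, the symbol names and the prefix filter are all assumptions made up for the example.

```python
import difflib

# Constructed sample run-traces (not real Immunity Debugger output): one
# (address, symbol) pair per function entry, in execution order. The second
# build has one extra function on the network path and different addresses.
TRACE_OLD = [
    (0x401000, "main"), (0x402000, "ui_draw_window"), (0x403000, "cfg_read_ini"),
    (0x404100, "recv_command"), (0x404200, "parse_command"),
    (0x404300, "handle_retr"), (0x404400, "send_reply"), (0x402000, "ui_draw_window"),
]
TRACE_NEW = [
    (0x401000, "main"), (0x402050, "ui_draw_window"), (0x403080, "cfg_read_ini"),
    (0x404120, "recv_command"), (0x404220, "parse_command"),
    (0x404280, "check_path_length"), (0x404320, "handle_retr"),
    (0x404420, "send_reply"), (0x402050, "ui_draw_window"),
]

# Assumed naming convention for the code we do not care about.
NOISE_PREFIXES = ("ui_", "cfg_")


def interesting_path(trace, noise_prefixes=NOISE_PREFIXES):
    """Reduce a trace to the symbol sequence of the code path we care about:
    drop UI/config functions and drop addresses, which differ per build."""
    return [sym for _addr, sym in trace if not sym.startswith(noise_prefixes)]


def diff_traces(old, new, noise_prefixes=NOISE_PREFIXES):
    """Diff two traces at the function-sequence level.

    Returns one (tag, removed_symbols, added_symbols) tuple per region that
    differs; tag is difflib's 'insert', 'delete' or 'replace'."""
    a = interesting_path(old, noise_prefixes)
    b = interesting_path(new, noise_prefixes)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return [(tag, a[i1:i2], b[j1:j2])
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def changed_functions(old, new, noise_prefixes=NOISE_PREFIXES):
    """Symbols worth a closer look first: anything inserted, deleted or
    replaced on the filtered path between the two builds."""
    names = set()
    for _tag, removed, added in diff_traces(old, new, noise_prefixes):
        names.update(removed)
        names.update(added)
    return names


if __name__ == "__main__":
    for tag, removed, added in diff_traces(TRACE_OLD, TRACE_NEW):
        print("%-8s -%s +%s" % (tag, removed, added))
    print("look at:", sorted(changed_functions(TRACE_OLD, TRACE_NEW)))
```

The filter is the whole point: with the UI and configuration entries removed, the sequence diff is small enough to read, and the function list it produces is the subset you would then bindiff by hand. A real trace from the debugger would need its own parser in place of the two constructed lists, and the prefix filter would be replaced by whatever distinguishes the network handlers in the target (a start symbol, an address range, or the set of functions reachable from recv).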
#!/usr/bin/env python
"""
pe_export.py - a module for Immunity Debugger that exports
"""
import sys
if "Libs" not in sys.path:
    sys.path.append("Libs")
if "." not in sys.path:
    sys.path.append(".")
import pelib
# These imports won't work except from ImmDBG
import immdbg
from immdbgutils import *


def main():
    imm = immdbg.ImmDBG()
    allmodules = imm.getAllModules()
    for key in allmodules.keys():
        imm.Log("Found module: %s" % key)
    # Pick the first loaded module whose name contains ".exe"
    usekey = ""
    for key in allmodules.keys():
        if key.count(".exe"):
            imm.Log("Found executable to dump %s" % key)
            usekey = key
            break
    if not usekey:
        imm.Log("No .exe module found, nothing to dump")
        return None
    # Index by usekey, not the loop variable, which would otherwise hold
    # whatever module happened to come last if no .exe was found
    module_to_dump = allmodules[usekey]
    base = module_to_dump.getCodebase()
    size = module_to_dump.getCodesize()
    # Raw code bytes as they sit (unpacked) in memory
    codememory = imm.readMemory(base, size)
    return codememory


if __name__ == "__main__":
    print "This module is for use within Immunity Debugger only"
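The part the script above hands to pelib, turning a memory image back into something a disassembler will open, comes down to one fixup of the section table. The code below is an added example, not the posted plug-in and not CANVAS's pelib.py: it parses the DOS/NT headers and section table with struct, and rewrites each section's PointerToRawData and SizeOfRawData to its RVA and VirtualSize, so that the bytes as laid out in memory are also valid as a file. The sample PE it builds is a constructed two-section PE32 image with zeroed on-disk fields, standing in for a dump whose raw pointers are stale; the section names and contents are made up.

```python
import struct

SECTION_HEADER_SIZE = 40


def _section_headers(image):
    """Parse the DOS and NT headers of a PE image.

    Returns (section_table_offset, [(name, vsize, va, rawsize, rawptr), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", image, e_lfanew + 4 + 2)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 4 + 16)[0]
    sect_off = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = sect_off + SECTION_HEADER_SIZE * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        sections.append((name.rstrip(b"\0").decode("ascii"), vsize, va, rawsize, rawptr))
    return sect_off, sections


def fix_dumped_image(image):
    """Take a PE as it sits in memory (each section at its RVA) and rewrite
    the section table so the same bytes are a loadable file: file offset
    becomes the RVA, raw size becomes the virtual size."""
    buf = bytearray(image)
    sect_off, sections = _section_headers(image)
    for i, (_name, vsize, va, _rawsize, _rawptr) in enumerate(sections):
        off = sect_off + SECTION_HEADER_SIZE * i
        # SizeOfRawData is at +16, PointerToRawData at +20 in the header
        struct.pack_into("<II", buf, off + 16, vsize, va)
    return bytes(buf)


def build_memory_image(sections, section_align=0x1000):
    """Constructed sample: a minimal PE32 memory image (not a real binary).
    Headers occupy the first page, each section sits at its RVA, and the
    on-disk fields (SizeOfRawData, PointerToRawData) are zero, as stale
    values would be after a packer has unpacked the real code in memory."""
    size_opt = 224  # PE32 optional header
    headers = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    headers += b"PE\0\0"
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    headers += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    headers += struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic
    for name, rva, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), rva,
                               0, 0, 0, 0, 0, 0, 0x60000020)
    end = max(rva + len(data) for _n, rva, data in sections)
    total = ((end + section_align - 1) // section_align) * section_align
    image = bytearray(total)
    image[:len(headers)] = headers
    for _name, rva, data in sections:
        image[rva:rva + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    img = build_memory_image([(".text", 0x1000, b"\x55\x8b\xec\xc3"),
                              (".data", 0x2000, b"hello\0")])
    for sec in _section_headers(fix_dumped_image(img))[1]:
        print("%-8s vsize=%#x va=%#x rawsize=%#x rawptr=%#x" % sec)
```

This fixup covers only the section table. A dump of a packed program usually also carries an import table that the packer resolved at run time and never wrote back in file form, and an entry point still inside the unpacking stub; neither is repaired here, and either is enough to make a disassembler's auto-analysis fall over on the exported file.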