Dailydave mailing list archives
Re: Binary Paths
From: Alexander Sotirov <asotirov () determina com>
Date: Tue, 15 Aug 2006 12:27:01 -0700
Dave Aitel wrote:
> I guess I was a bit vague. What would really clear things up would be some Python code in BinNavi 2.0 or some C# code in eEye's differ, but I'm still prepping to go to China so I don't have time for that. What I'm looking to do is dial down the accuracy a bit on bindiff, but have it work anonymously without everyone sharing all their DLLs. In a sense, I want to have a z=f(x,y) where x is a DLL, y is a memory location, and z is a string representation of that memory location that can be given to another person to plug into their debugger (y'=f'(x',z)), which will end up at reasonably the same spot, most of the time.
How about finding a pattern of instructions that can identify a specific location in the DLL? I've been using simple regexps over IDA disassembly to identify patch points in multiple DLL versions, and it works great. In most cases the code doesn't really change that much (or at all) between different DLL revisions. One improvement would be to discard some instructions or normalize their operands to allow for fuzzier matching. For example, structure offsets can be excluded from the pattern, because they are more likely to change between versions.

Alex
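The normalized-pattern idea Alex describes, as an added illustration that is not code from the thread or from any of the tools named in it: a signature z is built from a short window of instructions at address y in one listing, with structure offsets and auto-generated symbol names masked out, and that signature is then searched for in a second listing to recover y'. It assumes IDA-style `.text:ADDR  insn` text lines; both listings below are constructed, not taken from a real DLL.

```python
import re
from typing import List, Tuple

# Constructed IDA-style listings standing in for two revisions of one DLL.
# In "v2" the function is shifted, a prologue push was added and the
# structure field moved from +1Ch to +24h (the kind of churn Alex mentions).
DISASM_V1 = """\
.text:7C901000  mov     eax, [ebp+arg_0]
.text:7C901003  mov     ecx, [eax+1Ch]
.text:7C901006  test    ecx, ecx
.text:7C901008  jz      short loc_7C901020
.text:7C90100A  push    40h
.text:7C90100C  call    sub_7C902000
"""
DISASM_V2 = """\
.text:7C911200  push    ebx
.text:7C911201  mov     eax, [ebp+arg_0]
.text:7C911204  mov     ecx, [eax+24h]
.text:7C911207  test    ecx, ecx
.text:7C911209  jz      short loc_7C911230
.text:7C91120B  push    40h
.text:7C91120D  call    sub_7C912400
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]+)\s+(.*)$")
DISP_RE = re.compile(r"\[(\w+)\+[0-9A-Fa-f]+h\]")          # [reg+disp] field offsets
SYM_RE = re.compile(r"\b(?:loc|sub|off|unk)_[0-9A-Fa-f]+\b")  # address-derived auto names

def parse_listing(text: str) -> List[Tuple[int, str]]:
    """Return (address, instruction text) pairs for every .text line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(2).strip()))
    return out

def normalize(insn: str) -> str:
    """Mask the operand parts that move between builds; keep everything else."""
    insn = re.sub(r"\s+", " ", insn)
    insn = DISP_RE.sub(r"[\1+OFF]", insn)   # structure offset -> wildcard
    return SYM_RE.sub("SYM", insn)          # loc_/sub_ targets -> wildcard

def make_signature(listing: List[Tuple[int, str]], addr: int, window: int = 4) -> str:
    """z = f(x, y): the normalized instruction window starting at addr."""
    idx = [i for i, (a, _) in enumerate(listing) if a == addr]
    if not idx:
        raise ValueError(f"address {addr:#x} not in listing")
    return ";".join(normalize(t) for _, t in listing[idx[0]:idx[0] + window])

def locate(listing: List[Tuple[int, str]], signature: str) -> List[int]:
    """y' = f'(x', z): every address whose window matches the signature."""
    pat, norm = signature.split(";"), [normalize(t) for _, t in listing]
    n = len(pat)
    return [listing[i][0] for i in range(len(norm) - n + 1) if norm[i:i + n] == pat]
```

Because `locate` returns every hit rather than the first, a caller can tell a unique match from an ambiguous one (more than one hit) or a lost one (none) and widen the window or keep more operand detail accordingly.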