Dailydave mailing list archives
Partial Binary Diffing?
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 13 Sep 2006 10:35:11 -0400
One thing I'm interested in lately is partial binary diffing. I'm doing a vulnerability assessment right now, and I notice that they're running an old version of bobsftpserver.exe. So I download the version right after that, and try a diff. Unfortunately, both versions are compressed with some unknown compression utility. So I attach to them with Immunity Debugger, and I notice they uncompress nicely in memory. IDA's "universal unpacker" fails, so I decide I need to copy the executables out, and try bindiffing (with Sabre-Security BinDiff v2) the result.

My first Immunity Debugger plug-in is the result. It took roughly 15 minutes to do, but I had all the spare parts lying around (pelib.py is originally part of CANVAS). This worked great in theory. (Script is below.) So then IDA's analysis crashes on the resulting PE file.

But it made me think: usually I only want to bindiff a certain subset of functionality. I really really don't care about the UI stuff, or the configuration reading stuff. I want to bindiff the path the network data takes. One way would be to have BinNavi export a PE file after culling all the bits I don't want and diff those. Another way is to do a run-trace in Immdbg and have it diff the run-trace somehow. At this stage, I'm not sure which is the easiest way. Easy is important, because I know that most vulnerability assessments do not include lengthy binary analysis stints.

    #!/usr/bin/env python
    """
    pe_export.py - a module for Immunity Debugger that exports
    """
    import sys
    if "Libs" not in sys.path:
        sys.path.append("Libs")
    if "." not in sys.path:
        sys.path.append(".")
    import pelib
    # These imports won't work except from inside ImmDBG
    from ImmDBG import immdbg
    from immdbgutils import *

    def main():
        imm = immdbg.ImmDBG()
        allmodules = imm.getAllModules()
        for key in allmodules.keys():
            imm.Log("Found module: %s" % key)
        # Pick the first loaded module whose name contains ".exe"
        usekey = ""
        for key in allmodules.keys():
            if key.count(".exe"):
                imm.Log("Found executable to dump %s" % key)
                usekey = key
                break
        if not usekey:
            imm.Log("No .exe module found, nothing to dump")
            return
        module_to_dump = allmodules[usekey]
        base = module_to_dump.getCodebase()
        size = module_to_dump.getCodesize()
        # Read the (now unpacked) code section straight out of process memory
        codememory = imm.readMemory(base, size)
        # Write the raw dump to disk so it can be rebuilt into a PE; the output
        # file name is an assumption, and the pelib-based rebuild step is not
        # shown in the post
        open(usekey + ".code.bin", "wb").write(codememory)

    if __name__ == "__main__":
        print "This module is for use within Immunity Debugger only"

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
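The second idea in the post, diffing only the functions a run-trace actually touches, can be sketched as an added example (not code from the post, from Immunity Debugger, or from BinDiff). It assumes two toy disassembly listings, constructed here, for the old and new version of a server; a constructed run-trace of addresses recorded while the old version handled network input; and that functions are matched across versions by name, which in real work is the job that BinDiff's function matching does. Each function is fingerprinted by hashing its instruction sequence with hex constants normalized away, so that a function which merely moved in the new build is not flagged as changed; traced addresses are mapped to their containing function with a bisect over function start addresses, and addresses that land outside any known function are reported rather than silently dropped.

```python
import bisect
import hashlib
import re

# Constructed toy disassembly for two versions of a server binary, keyed by
# function name: (start address, size in bytes, instruction list).
# These listings are made up for the example, not taken from any real binary.
OLD_BIN = {
    "recv_packet": (0x401000, 0x40, ["push ebp", "mov ebp, esp", "sub esp, 0x100",
                                     "call 0x401200", "lea eax, [ebp-0x100]",
                                     "push eax", "call 0x401100", "leave", "ret"]),
    "parse_cmd":   (0x401100, 0x80, ["push ebp", "mov ebp, esp", "push esi",
                                     "mov esi, [ebp+0x8]", "push esi",
                                     "call 0x401300", "pop esi", "leave", "ret"]),
    "log_line":    (0x401200, 0x30, ["push ebp", "mov ebp, esp", "call 0x401400",
                                     "leave", "ret"]),
    "copy_str":    (0x401300, 0x20, ["mov esi, [esp+0x4]", "mov edi, [esp+0x8]",
                                     "rep movsb", "ret"]),
    "draw_window": (0x402000, 0x60, ["push 0x10", "call 0x403000", "ret"]),
    "read_config": (0x402100, 0x50, ["push 0x4030a0", "call 0x403100", "ret"]),
}

NEW_BIN = {
    # Same code as before, but log_line moved, so the call immediate differs.
    "recv_packet": (0x401000, 0x40, ["push ebp", "mov ebp, esp", "sub esp, 0x100",
                                     "call 0x401230", "lea eax, [ebp-0x100]",
                                     "push eax", "call 0x401100", "leave", "ret"]),
    # A length check was inserted before the copy: a genuine code change.
    "parse_cmd":   (0x401100, 0x90, ["push ebp", "mov ebp, esp", "push esi",
                                     "mov esi, [ebp+0x8]", "cmp ecx, 0x100",
                                     "ja 0x40118c", "push esi", "call 0x401300",
                                     "pop esi", "leave", "ret"]),
    "log_line":    (0x401230, 0x30, ["push ebp", "mov ebp, esp", "call 0x401400",
                                     "leave", "ret"]),
    "copy_str":    (0x401300, 0x20, ["mov esi, [esp+0x4]", "mov edi, [esp+0x8]",
                                     "rep movsb", "ret"]),
    # UI change: real, but off the network path, so it should be skipped.
    "draw_window": (0x402000, 0x60, ["push 0x20", "push 0x1", "call 0x403000", "ret"]),
    "read_config": (0x402100, 0x50, ["push 0x4030a0", "call 0x403100", "ret"]),
    "check_len":   (0x402200, 0x10, ["cmp eax, 0x100", "setbe al", "ret"]),
}

# Constructed run-trace: addresses executed by OLD_BIN while handling one
# network packet. 0x401400 is deliberately outside every listed function.
NETWORK_TRACE = [0x401000, 0x401003, 0x40100c, 0x401200, 0x401205, 0x401400,
                 0x40120a, 0x401011, 0x401100, 0x401108, 0x401300, 0x401310]

HEX_RE = re.compile(r"0x[0-9a-fA-F]+")


def normalize(insn):
    """Replace hex constants with IMM and collapse whitespace, so relocated
    call targets and shifted data addresses do not count as changes."""
    return " ".join(HEX_RE.sub("IMM", insn).split())


def fingerprint(insns):
    """SHA-256 of the normalized instruction sequence of one function."""
    text = "\n".join(normalize(i) for i in insns)
    return hashlib.sha256(text.encode()).hexdigest()


class FunctionMap:
    """Maps an executed address to the function whose range contains it."""

    def __init__(self, binary):
        self.names = sorted(binary, key=lambda n: binary[n][0])
        self.starts = [binary[n][0] for n in self.names]
        self.ranges = {n: binary[n][:2] for n in self.names}

    def lookup(self, addr):
        idx = bisect.bisect_right(self.starts, addr) - 1
        if idx < 0:
            return None
        name = self.names[idx]
        start, size = self.ranges[name]
        return name if start <= addr < start + size else None


def functions_on_trace(binary, trace):
    """Return (set of function names hit, list of addresses that mapped nowhere)."""
    fm = FunctionMap(binary)
    hit, unmapped = set(), []
    for addr in trace:
        name = fm.lookup(addr)
        (unmapped.append(addr) if name is None else hit.add(name))
    return hit, unmapped


def partial_diff(old, new, trace):
    """Diff only the functions the trace touched; report everything else as skipped."""
    hit, unmapped = functions_on_trace(old, trace)
    old_fp = {n: fingerprint(old[n][2]) for n in old}
    new_fp = {n: fingerprint(new[n][2]) for n in new}
    return {
        "changed": sorted(n for n in hit if n in new and old_fp[n] != new_fp[n]),
        "unchanged": sorted(n for n in hit if n in new and old_fp[n] == new_fp[n]),
        "missing_in_new": sorted(n for n in hit if n not in new),
        "skipped": sorted(set(old) - hit),
        "added_in_new": sorted(set(new) - set(old)),
        "unmapped_addrs": sorted(set(unmapped)),
    }


if __name__ == "__main__":
    for k, v in partial_diff(OLD_BIN, NEW_BIN, NETWORK_TRACE).items():
        print(k, v)
```

On the constructed input only parse_cmd is reported as changed; recv_packet is reported unchanged even though its call immediate moved, draw_window's UI edit lands in "skipped" because the trace never reached it, and the stray 0x401400 address surfaces in "unmapped_addrs", which in a real trace usually means an import thunk or a function the analysis has not defined yet.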
Current thread:
- Partial Binary Diffing? Dave Aitel (Sep 13)
- Re: Partial Binary Diffing? Jeremy Kelley (Sep 15)