ghidriff

Name: ghidriff
Version: 0.7.1
Home page: https://github.com/clearbluejar/ghidriff
Summary: Ghidra Binary Diffing Engine
Upload time: 2024-04-30 17:53:54
Author: clearbluejar
Requires Python: >=3.9
License: GPL-3.0 license
Keywords: patchdiff, binaries, bindiff, ghidra, ghidriff
<p align='center'>
<img src="https://github.com/clearbluejar/ghidriff/assets/3752074/170f1a54-24d9-4c8e-ac4d-3b5bea860750" width=60% >
</p>


<p align="center">    
<img align="center" alt="GitHub Workflow Status (with event)" src="https://img.shields.io/github/actions/workflow/status/clearbluejar/ghidriff/pytest-devcontainer.yml?label=pytest&style=for-the-badge">
<img align="center" alt="PyPI - Downloads" src="https://img.shields.io/pypi/dm/ghidriff?color=yellow&label=PyPI%20downloads&style=for-the-badge">
<img align="center" src="https://img.shields.io/github/stars/clearbluejar/ghidriff?style=for-the-badge">
</p>

## Ghidriff - Ghidra Binary Diffing Engine

`ghidriff` provides a command-line binary diffing capability with a fresh take on diffing workflow and results.

It leverages the power of Ghidra's ProgramAPI and [FlatProgramAPI](https://ghidra.re/ghidra_docs/api/ghidra/program/flatapi/FlatProgramAPI.html) to find the *added*, *deleted*, and *modified* functions of two arbitrary binaries. It is written in Python3 using `pyhidra` to orchestrate Ghidra and `jpype` as the Python to Java interface to Ghidra.

Its primary use case is patch diffing. Its ability to perform a patch diff with a single command makes it ideal for automated analysis. The diffing results are stored in JSON and rendered in markdown (optionally side-by-side HTML). The markdown output promotes "social" diffing, as results are easy to publish in a gist or include in your next writeup or blog post.

## High Level

```mermaid
flowchart LR

a(old binary - rpcrt4.dll-v1) --> b[GhidraDiffEngine]
c(new binary - rpcrt4.dll-v2) --> b

b --> e(Ghidra Project Files)
b --> diffs_output_dir

subgraph diffs_output_dir
    direction LR
    i(rpcrt4.dll-v1-v2.diff.md)
    h(rpcrt4.dll-v1-v2.diff.json)
    j(rpcrt4.dll-v1-v2.diff.side-by-side.html)
end
```

### Sample Diffs

<div>
    <a href="https://gist.github.com/clearbluejar/b95ae854a92ee917cd0b5c7055b60282"><img width="30%" align=top alt="image" src="https://github.com/clearbluejar/ghidriff/assets/3752074/d53b681f-8cc9-479c-af4c-5ec697cf4989"></a>
    <a href="https://gist.github.com/clearbluejar/b95ae854a92ee917cd0b5c7055b60282#visual-chart-diff"><img width="30%" align=top alt="image" src="https://github.com/clearbluejar/ghidriff/assets/3752074/16d7ae4c-4df9-4bcd-b4af-0ce576d49ad1"></a>
    <a href="https://diffpreview.github.io/?f6fecbc507a9f1a92c9231e3db7ef40d"><img width="30%" align=top src="https://github.com/clearbluejar/ghidriff/assets/3752074/662ed834-738d-4be1-96c3-8500ccab9591"/></a>
</div>

### Features

- Command Line (patch diffing workflow reduced to a single step)
- Highlights important changes in the TOC
- Fast - Can diff the full Windows kernel in less than a minute (after Ghidra analysis is complete)
- Enables Social Diffing
  - Beautiful Markdown Output
  - Easily hosted in a GitHub or GitLab gist, blog, or anywhere markdown is supported
  - Visual Diff Graph Results
- Supports both unified and side by side diff results (unified is default)
- Provides unique Meta Diffs:
  - Binary Strings
  - Called
  - Calling
  - Binary Metadata
- Batteries Included
  - Docker support
  - Automated Testing
  - Ghidra (No license required)

See below for [CVE diffs and sample usage](#sample-usage)

### Design Goals

- Find all added, deleted, and modified functions
- Provide foundation for automation
- Simple, Fast, Accurate
- Resilient
- Extendable
- Easy sharing of results
- Social Diffing

### Powered by Ghidra

The heavy lifting of the binary analysis is done by Ghidra, and the diffing is made possible by Ghidra's Program API. `ghidriff` provides the diffing [workflow](#engine), the function matching, and the resulting markdown and HTML diff output.

## Docs

- [ghidriff official Docs](https://clearbluejar.github.io/ghidriff)
- [Blog Post](https://clearbluejar.github.io/posts/ghidriff-ghidra-binary-diffing-engine/)

## Engine

<p align='center'>
<img src="https://user-images.githubusercontent.com/3752074/229976340-96394970-152f-4d88-9fe4-a46589b31c50.png" height="300">
</p>

> An "engine" is a self-contained, but externally-controllable, piece of code that encapsulates powerful logic designed to perform a specific type of work.

`ghidriff` provides a core base class [GhidraDiffEngine](ghidriff/ghidra_diff_engine.py) that can be extended to create your own binary diffing [implementations](#implementations).

The base class implements the first 3 steps of the Ghidra [headless workflow](https://github.com/clearbluejar/ghidra-python-vscode-devcontainer-skeleton#steps):
>1. **Create Ghidra Project** - Directory and collection of Ghidra project files and data
>2. **Import Binary to project** - Import one or more binaries to the project for analysis
>3. **Analyze Binary** - Ghidra will perform default binary analysis on each binary

The base class provides the abstract method [find_matches](ghidriff/ghidra_diff_engine.py) where the actual diffing (function matching) takes place.

## Extending ghidriff

`ghidriff` can be used as is, but it also lets developers extend the tool by implementing their own differ. The basic idea is to create a new diffing tool by implementing the `find_matches` method from the base class.

```python
import pathlib
from typing import Union

from ghidriff.ghidra_diff_engine import GhidraDiffEngine


class NewDiffTool(GhidraDiffEngine):

    def __init__(self, verbose=False) -> None:
        super().__init__(verbose)

    # No @abstractmethod here: the base class declares find_matches abstract,
    # and this subclass supplies the concrete implementation.
    def find_matches(
            self,
            old: Union[str, pathlib.Path],
            new: Union[str, pathlib.Path]
    ) -> list:
        """My amazing differ"""

        unmatched = []  # functions only in old (deleted) or only in new (added)
        matched = []    # (old_func, new_func) pairs judged to be the same function

        # find added, deleted, and modified functions
        # <code goes here>

        return [unmatched, matched]
```

### Implementations

There are currently 3 diffing implementations, which also display the evolution of diffing for the project.

1. [SimpleDiff](ghidriff/simple_diff.py) - A simple diff implementation. "Simple" as in it relies mostly on known symbol names for matching.
2. [StructualGraphDiff](ghidriff/structural_graph_diff.py) - A slightly more advanced differ, beginning to perform some more advanced hashing (such as Halvar's Structural Graph Comparison)
3. [VersionTrackingDiff](ghidriff/version_tracking_diff.py) - The latest differ, with several [correlators](ghidriff/correlators.py) (an algorithm used to score specific associations based on code, program flow, or any observable aspect of comparison) for function matching. **This one is fast.**

Each implementation builds on the base class and implements `find_matches`.
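To make the `find_matches` contract and the correlator chain concrete, here is an added, self-contained example that is not ghidriff's own code: small in-memory function records (the `Func` class, the function names and the hand-written byte strings are all constructed for this example) stand in for Ghidra objects, and a chain of one-to-one correlators named after the ones in the console log further down (SymbolsHash, ExactBytesFunctionHasher, ExactInstructionsFunctionHasher, ExactMnemonicsFunctionHasher) sorts functions into matched, deleted and added, with a `--min-func-len` style filter applied first.

```python
"""Toy correlator chain in the spirit of ghidriff's find_matches.

Constructed example, not ghidriff's own code: in-memory function records
stand in for Ghidra Program/Function objects so it runs without Ghidra.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Func:
    """Minimal stand-in for a Ghidra Function (constructed for this example)."""
    name: str               # symbol name; "" if the binary had no symbol for it
    addr: int
    code: bytes             # raw bytes of the function body
    insns: Tuple[str, ...]  # disassembly text, one instruction per entry


# Correlators map a function to a key; None means "this correlator has no opinion".
def symbols_hash(f: Func):
    return f.name or None


def exact_bytes_hasher(f: Func) -> str:
    return hashlib.sha256(f.code).hexdigest()


def exact_instructions_hasher(f: Func) -> str:
    return hashlib.sha256("\n".join(f.insns).encode()).hexdigest()


def exact_mnemonics_hasher(f: Func) -> str:
    # Keep only the mnemonic, so operand churn (offsets, constants) still matches.
    return hashlib.sha256("\n".join(i.split()[0] for i in f.insns).encode()).hexdigest()


# Run in this order: cheapest / most reliable evidence first.
CORRELATORS = [
    ("SymbolsHash", symbols_hash),
    ("ExactBytesFunctionHasher", exact_bytes_hasher),
    ("ExactInstructionsFunctionHasher", exact_instructions_hasher),
    ("ExactMnemonicsFunctionHasher", exact_mnemonics_hasher),
]


def run_correlator(hasher, old_funcs, new_funcs) -> List[Tuple[Func, Func]]:
    """One-to-one matching: a key counts only if it is unique on both sides."""
    def index(funcs: List[Func]) -> Dict[str, Func]:
        buckets: Dict[str, List[Func]] = {}
        for f in funcs:
            key = hasher(f)
            if key is not None:
                buckets.setdefault(key, []).append(f)
        # Eliminate non-unique matches: an ambiguous key is dropped, never guessed.
        return {k: v[0] for k, v in buckets.items() if len(v) == 1}
    old_idx, new_idx = index(old_funcs), index(new_funcs)
    return [(old_idx[k], new_idx[k]) for k in old_idx if k in new_idx]


def find_matches(old_funcs, new_funcs, min_func_len: int = 10):
    """Run the chain; each correlator only sees what earlier ones left unmatched.

    Returns (matched, unmatched, counts): matched holds (old, new, correlator)
    triples, unmatched has 'deleted' (old only) and 'added' (new only).
    """
    rem_old = [f for f in old_funcs if len(f.code) >= min_func_len]  # --min-func-len
    rem_new = [f for f in new_funcs if len(f.code) >= min_func_len]
    matched, counts = [], Counter()
    for name, hasher in CORRELATORS:
        pairs = run_correlator(hasher, rem_old, rem_new)
        matched.extend((o, n, name) for o, n in pairs)
        counts[name] += len(pairs)
        taken_old, taken_new = {o for o, _ in pairs}, {n for _, n in pairs}
        rem_old = [f for f in rem_old if f not in taken_old]
        rem_new = [f for f in rem_new if f not in taken_new]
    return matched, {"deleted": rem_old, "added": rem_new}, counts


def classify(matched):
    """Split matched pairs into unchanged and modified (here: bytes differ)."""
    unchanged = [(o, n) for o, n, _ in matched if o.code == n.code]
    modified = [(o, n) for o, n, _ in matched if o.code != n.code]
    return unchanged, modified


# Constructed sample "binaries": made-up names and hand-written x86-64 encodings.
R = ("mov rax,[rcx]", "mov rax,[rax+8]", "test rax,rax", "ret")
A = ("mov rax,[rcx]", "add rax,rbx", "mov [rcx],rax", "ret")
OLD = [
    Func("ClfsCreateLogFile", 0x1000, b"\x55\x48\x89\xe5\x48\x83\xec\x20\x31\xc0\xc9\xc3",
         ("push rbp", "mov rbp,rsp", "sub rsp,0x20", "xor eax,eax", "leave", "ret")),
    Func("", 0x2000, b"\x48\x8b\x01\x48\x8b\x40\x08\x48\x85\xc0\xc3", R),
    Func("", 0x3000, b"\x48\x8b\x01\x48\x01\xd8\x48\x89\x01\xc3", A),
    Func("", 0x4000, b"\x8b\x41\x10\x83\xf8\x05\x75\x10\xc3\x90",
         ("mov eax,[rcx+0x10]", "cmp eax,0x5", "jne 0x401a", "ret")),
    Func("ClfsOldHelper", 0x5000, b"\x48\x31\xc0\x48\xff\xc0\x48\xff\xc0\xc3",
         ("xor rax,rax", "inc rax", "inc rax", "ret")),
    Func("", 0x9000, b"\xc3", ("ret",)),  # below min_func_len: ignored on both sides
]
NEW = [
    # Patched: a NULL check was inserted, so bytes differ but the symbol still matches.
    Func("ClfsCreateLogFile", 0x1000, b"\x55\x48\x89\xe5\x48\x83\xec\x20\x48\x85\xc9\x74\x02\x31\xc0\xc9\xc3",
         ("push rbp", "mov rbp,rsp", "sub rsp,0x20", "test rcx,rcx", "jz 0x100f", "xor eax,eax", "leave", "ret")),
    Func("", 0x2000, b"\x48\x8b\x01\x48\x8b\x40\x08\x48\x85\xc0\xc3", R),   # identical bytes
    Func("", 0x3000, b"\x48\x8b\x01\x48\x03\xc3\x48\x89\x01\xc3", A),       # same insns, other encoding of add
    Func("", 0x4000, b"\x8b\x41\x18\x83\xf8\x06\x75\x10\xc3\x90",          # same mnemonics, new operands
         ("mov eax,[rcx+0x18]", "cmp eax,0x6", "jne 0x401a", "ret")),
    Func("ClfsNewCheck", 0x6000, b"\x48\x85\xc9\x0f\x94\xc0\x0f\xb6\xc0\xc3",
         ("test rcx,rcx", "sete al", "movzx eax,al", "ret")),
    Func("", 0x9000, b"\xc3", ("ret",)),
]

if __name__ == "__main__":
    matched, unmatched, counts = find_matches(OLD, NEW)
    unchanged, modified = classify(matched)
    print(dict(counts))
    print("modified:", [(hex(o.addr), c) for o, n, c in matched if o.code != n.code])
    print("deleted:", [f.name for f in unmatched["deleted"]], "added:", [f.name for f in unmatched["added"]])
```

Each correlator reports a match count just like the `Match count` lines in the console log, and the patched `ClfsCreateLogFile` is caught by the symbol stage even though every byte-level hasher would have missed it.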

## Usage

```bash
usage: ghidriff [-h] [--engine {SimpleDiff,StructualGraphDiff,VersionTrackingDiff}] [-o OUTPUT_PATH] [--summary SUMMARY] [-p PROJECT_LOCATION] [-n PROJECT_NAME] [-s SYMBOLS_PATH] [--threaded | --no-threaded] [--force-analysis] [--force-diff] [--no-symbols] [--log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}]
                [--file-log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}] [--log-path LOG_PATH] [--va] [--min-func-len MIN_FUNC_LEN] [--use-calling-counts USE_CALLING_COUNTS] [--max-ram-percent MAX_RAM_PERCENT] [--print-flags] [--jvm-args [JVM_ARGS]] [--sxs] [--max-section-funcs MAX_SECTION_FUNCS]
                [--md-title MD_TITLE]
                old new [new ...]

ghidriff - A Command Line Ghidra Binary Diffing Engine

positional arguments:
  old                   Path to old version of binary '/somewhere/bin.old'
  new                   Path to new version of binary '/somewhere/bin.new'. (For multiple new binaries add oldest to newest)

options:
  -h, --help            show this help message and exit
  --engine {SimpleDiff,StructualGraphDiff,VersionTrackingDiff}
                        The diff implementation to use. (default: VersionTrackingDiff)
  -o OUTPUT_PATH, --output-path OUTPUT_PATH
                        Output path for resulting diffs (default: ghidriffs)
  --summary SUMMARY     Add a summary diff if more than two bins are provided (default: False)
```


### Extended Usage

There are quite a few options here, and some complexity. Generally you can succeed with the defaults, but you can override them as needed. One example is increasing the JVM RAM used to run Ghidra to speed up analysis of large binaries (`--max-ram-percent 80`). See the help output for details of the other options.

<details><summary>Show Extended Usage</summary>

```bash
Ghidra Project Options:
  -p PROJECT_LOCATION, --project-location PROJECT_LOCATION
                        Ghidra Project Path (default: ghidra_projects)
  -n PROJECT_NAME, --project-name PROJECT_NAME
                        Ghidra Project Name (default: ghidriff)
  -s SYMBOLS_PATH, --symbols-path SYMBOLS_PATH
                        Ghidra local symbol store directory (default: symbols)

Engine Options:
  --threaded, --no-threaded
                        Use threading during import, analysis, and diffing. Recommended (default: True)
  --force-analysis      Force a new binary analysis each run (slow) (default: False)
  --force-diff          Force binary diff (ignore arch/symbols mismatch) (default: False)
  --no-symbols          Turn off symbols for analysis (default: False)
  --log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}
                        Set console log level (default: INFO)
  --file-log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}
                        Set log file level (default: INFO)
  --log-path LOG_PATH   Set ghidriff log path. (default: ghidriff.log)
  --va, --verbose-analysis
                        Verbose logging for analysis step. (default: False)
  --min-func-len MIN_FUNC_LEN
                        Minimum function length to consider for diff (default: 10)
  --use-calling-counts USE_CALLING_COUNTS
                        Add calling/called reference counts (default: True)

JVM Options:
  --max-ram-percent MAX_RAM_PERCENT
                        Set JVM Max Ram % of host RAM (default: 60.0)
  --print-flags         Print JVM flags at start (default: False)
  --jvm-args [JVM_ARGS]
                        JVM args to add at start (default: None)

Markdown Options:
  --sxs                 Include side by side code diff (default: False)
  --max-section-funcs MAX_SECTION_FUNCS
                        Max number of functions to display per section. (default: 200)
  --md-title MD_TITLE   Overwrite default title for markdown diff (default: None)
```

</details>

## Quick Start Environment Setup

1. [Download](https://github.com/NationalSecurityAgency/ghidra/releases) and [install Ghidra](https://htmlpreview.github.io/?https://github.com/NationalSecurityAgency/ghidra/blob/stable/GhidraDocs/InstallationGuide.html#Install).
2. Set Ghidra Environment Variable `GHIDRA_INSTALL_DIR` to Ghidra install location.
3. Pip install `ghidriff`

### Windows

```powershell
PS C:\Users\user> [System.Environment]::SetEnvironmentVariable('GHIDRA_INSTALL_DIR','C:\ghidra_10.2.3_PUBLIC_20230208\ghidra_10.2.3_PUBLIC')
PS C:\Users\user> pip install ghidriff
```
### Linux / Mac

```bash
export GHIDRA_INSTALL_DIR="/path/to/ghidra/"
pip install ghidriff
```

## Ghidriff in a Box 

Don't want to install Ghidra and Java on your host? Try "Ghidriff in a box". It supports multiple-platforms (x64 and arm64).

<p align='center'>
<img src="https://github.com/clearbluejar/ghidriff/assets/3752074/688756fc-038c-471a-8e49-e56a1c06e77c" height="300">
</p>

### Docker

`docker pull ghcr.io/clearbluejar/ghidriff:latest`


This is a docker container with the latest [PyPi version of Ghidriff](https://pypi.org/project/ghidriff/) installed. You can check the latest container [here](https://github.com/clearbluejar/ghidriff/pkgs/container/ghidriff).


#### For Docker command-line diffing

You will need to map the binaries you want to compare into the container. See below for an example.

```bash
mkdir -p ghidriffs
wget https://msdl.microsoft.com/download/symbols/clfs.sys/9848245C6f000/clfs.sys -O ghidriffs/clfs.sys.x64.10.0.22621.2506
wget https://msdl.microsoft.com/download/symbols/clfs.sys/D929C6E56f000/clfs.sys -O ghidriffs/clfs.sys.x64.10.0.22621.2715
docker run -it --rm -v $(pwd)/ghidriffs:/ghidriffs ghcr.io/clearbluejar/ghidriff:latest  ghidriffs/clfs.sys.x64.10.0.22621.2506 ghidriffs/clfs.sys.x64.10.0.22621.2715
```

The run produces the following output tree:

```bash
tree ghidriffs
ghidriffs
├── clfs.sys.x64.10.0.22621.2506
├── clfs.sys.x64.10.0.22621.2506-clfs.sys.x64.10.0.22621.2715.ghidriff.md
├── clfs.sys.x64.10.0.22621.2715
├── ghidra_projects
│   └── ghidriff-clfs.sys.x64.10.0.22621.2506-clfs.sys.x64.10.0.22621.2715
│       ├── ghidriff-clfs.sys.x64.10.0.22621.2506-clfs.sys.x64.10.0.22621.2715.gpr
│       ├── ghidriff-clfs.sys.x64.10.0.22621.2506-clfs.sys.x64.10.0.22621.2715.lock
│       └── ghidriff-clfs.sys.x64.10.0.22621.2506-clfs.sys.x64.10.0.22621.2715.rep
├── ghidriff.log
├── json
│   └── clfs.sys.x64.10.0.22621.2506-clfs.sys.x64.10.0.22621.2715.ghidriff.json
└── symbols
    ├── 000admin
    ├── clfs.pdb
    │   ├── 6EAE8987F981603FEFA0E55DE0CE2C521
    │   │   └── clfs.pdb
    │   └── E3D1FEA241ECEC3DC6DB2B278A22A6A31
    │       └── clfs.pdb
    └── pingme.txt

```

### Devcontainer - For Ghidriff development

Use the [.devcontainer](.devcontainer) in this repo. If you don't know how, follow the detailed instructions here: [ghidra-python-vscode-devcontainer-skeleton quick setup](https://github.com/clearbluejar/ghidra-python-vscode-devcontainer-skeleton#quick-start-setup---dev-container--best-option).


## Use Cases

### Diffing a full Windows Kernel

#### Download two versions of the kernel (older and latest binary):

```bash
wget https://msdl.microsoft.com/download/symbols/ntoskrnl.exe/F7E31BA91047000/ntoskrnl.exe -O ntoskrnl.exe.10.0.22621.1344
wget https://msdl.microsoft.com/download/symbols/ntoskrnl.exe/17B6B7221047000/ntoskrnl.exe -O ntoskrnl.exe.10.0.22621.1413
```

<details><summary>Console Output:</summary>

```console 
vscode ➜ /workspaces/ghidriff (main) $ wget https://msdl.microsoft.com/download/symbols/ntoskrnl.exe/F7E31BA91047000/ntoskrnl.exe -O ntoskrnl.exe.10.0.22621.1344
--2023-05-17 03:18:40--  https://msdl.microsoft.com/download/symbols/ntoskrnl.exe/F7E31BA91047000/ntoskrnl.exe
Resolving msdl.microsoft.com (msdl.microsoft.com)... 204.79.197.219
Connecting to msdl.microsoft.com (msdl.microsoft.com)|204.79.197.219|:443... connected.
HTTP request sent, awaiting response... 302 Found
Could not parse String-Transport-Security header
Location: https://vsblobprodscussu5shard72.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/8BFC691F50434EC2DC87BBDFC06A6A5FBACE992E60062F9C8CE829F58E3BCFB300.blob?sv=2019-07-07&sr=b&si=1&sig=Kgrvf90Kc15ac%2FtHsgPPj9ztxxTfkQ0yHGQh8dLDwQs%3D&spr=https&se=2023-05-18T03%3A32%3A47Z&rscl=x-e2eid-420cea82-598a4a00-a990abf8-919be2ff-session-5e9eb5eb-195146cb-b123c222-30eef52e [following]
--2023-05-17 03:18:40--  https://vsblobprodscussu5shard72.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/8BFC691F50434EC2DC87BBDFC06A6A5FBACE992E60062F9C8CE829F58E3BCFB300.blob?sv=2019-07-07&sr=b&si=1&sig=Kgrvf90Kc15ac%2FtHsgPPj9ztxxTfkQ0yHGQh8dLDwQs%3D&spr=https&se=2023-05-18T03%3A32%3A47Z&rscl=x-e2eid-420cea82-598a4a00-a990abf8-919be2ff-session-5e9eb5eb-195146cb-b123c222-30eef52e
Resolving vsblobprodscussu5shard72.blob.core.windows.net (vsblobprodscussu5shard72.blob.core.windows.net)... 20.209.34.36
Connecting to vsblobprodscussu5shard72.blob.core.windows.net (vsblobprodscussu5shard72.blob.core.windows.net)|20.209.34.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11990400 (11M) [application/octet-stream]
Saving to: ‘ntoskrnl.exe.10.0.22621.1344’

ntoskrnl.exe.10.0.22621.1344                       100%[===============================================================================================================>]  11.43M  2.47MB/s    in 5.5s    

2023-05-17 03:18:46 (2.08 MB/s) - ‘ntoskrnl.exe.10.0.22621.1344’ saved [11990400/11990400]

vscode ➜ /workspaces/ghidriff (main) $ wget https://msdl.microsoft.com/download/symbols/ntoskrnl.exe/17B6B7221047000/ntoskrnl.exe -O ntoskrnl.exe.10.0.22621.1413
--2023-05-17 03:18:58--  https://msdl.microsoft.com/download/symbols/ntoskrnl.exe/17B6B7221047000/ntoskrnl.exe
Resolving msdl.microsoft.com (msdl.microsoft.com)... 204.79.197.219
Connecting to msdl.microsoft.com (msdl.microsoft.com)|204.79.197.219|:443... connected.
HTTP request sent, awaiting response... 302 Found
Could not parse String-Transport-Security header
Location: https://vsblobprodscussu5shard75.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/D946523F2726056CD289008C977D02C0C0FBBCBB89D9FA40ADBB42CDE8D5022A00.blob?sv=2019-07-07&sr=b&si=1&sig=KfYz9cB7cUPO9JVo0U8eIj0etpASEWOyvCv5NkwVkfw%3D&spr=https&se=2023-05-18T03%3A50%3A53Z&rscl=x-e2eid-4960dee3-47d94aa4-a2207913-b73825a4-session-2879fa10-75774ef4-93e39015-3be72abb [following]
--2023-05-17 03:18:59--  https://vsblobprodscussu5shard75.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/D946523F2726056CD289008C977D02C0C0FBBCBB89D9FA40ADBB42CDE8D5022A00.blob?sv=2019-07-07&sr=b&si=1&sig=KfYz9cB7cUPO9JVo0U8eIj0etpASEWOyvCv5NkwVkfw%3D&spr=https&se=2023-05-18T03%3A50%3A53Z&rscl=x-e2eid-4960dee3-47d94aa4-a2207913-b73825a4-session-2879fa10-75774ef4-93e39015-3be72abb
Resolving vsblobprodscussu5shard75.blob.core.windows.net (vsblobprodscussu5shard75.blob.core.windows.net)... 20.209.34.36
Connecting to vsblobprodscussu5shard75.blob.core.windows.net (vsblobprodscussu5shard75.blob.core.windows.net)|20.209.34.36|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11990336 (11M) [application/octet-stream]
Saving to: ‘ntoskrnl.exe.10.0.22621.1413’

ntoskrnl.exe.10.0.22621.1413                       100%[===============================================================================================================>]  11.43M  1.02MB/s    in 12s     

2023-05-17 03:19:11 (1004 KB/s) - ‘ntoskrnl.exe.10.0.22621.1413’ saved [11990336/11990336]
```

</details>

#### Run ghidriff:

```bash
ghidriff ntoskrnl.exe.10.0.22621.1344 ntoskrnl.exe.10.0.22621.1413
```

<details><summary>Console Output</summary>

```console
(.env) vscode ➜ /workspaces/ghidriff (main) $ ghidriff ntoskrnl.exe.10.0.22621.1344 ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | Init Ghidra Diff Engine...
INFO | ghidriff | Engine Console Log: INFO
INFO | ghidriff | Engine File Log:  .ghidriffs/ghidriff.log INFO
INFO | ghidriff | Starting Ghidra...
INFO  Using log config file: jar:file:/ghidra/Ghidra/Framework/Generic/lib/Generic.jar!/generic.log4j.xml (LoggingInitialization)  
INFO  Using log file: /workspaces/ghidriff/.ghidriffs/ghidriff.log (LoggingInitialization)  
INFO  Loading user preferences: /home/vscode/.ghidra/.ghidra_10.2.3_PUBLIC/preferences (Preferences)  
INFO  Class search complete (716 ms) (ClassSearcher)  
INFO  Initializing SSL Context (SSLContextInitializer)  
INFO  Initializing Random Number Generator... (SecureRandomFactory)  
INFO  Random Number Generator initialization complete: NativePRNGNonBlocking (SecureRandomFactory)  
INFO  Trust manager disabled, cacerts have not been set (ApplicationTrustManagerFactory)  
INFO | ghidriff | GHIDRA_INSTALL_DIR: /ghidra
INFO | ghidriff | GHIDRA 10.2.3  Build Date: 2023-Feb-08 1242 EST Release: PUBLIC
INFO | ghidriff | Engine Args:
INFO | ghidriff |       old:                ['ntoskrnl.exe.10.0.22621.1344']
INFO | ghidriff |       new:                [['ntoskrnl.exe.10.0.22621.1413']]
INFO | ghidriff |       engine:             VersionTrackingDiff
INFO | ghidriff |       output_path:        .ghidriffs
INFO | ghidriff |       summary:            False
INFO | ghidriff |       project_location:   .ghidra_projects
INFO | ghidriff |       project_name:       ghidriff
INFO | ghidriff |       symbols_path:       .symbols
INFO | ghidriff |       threaded:           True
INFO | ghidriff |       force_analysis:     False
INFO | ghidriff |       force_diff:         False
INFO | ghidriff |       no_symbols:         False
INFO | ghidriff |       log_level:          INFO
INFO | ghidriff |       file_log_level:     INFO
INFO | ghidriff |       log_path:           ghidriff.log
INFO | ghidriff |       va:                 False
INFO | ghidriff |       max_ram_percent:    60.0
INFO | ghidriff |       print_flags:        False
INFO | ghidriff |       jvm_args:           None
INFO | ghidriff |       side_by_side:       False
INFO | ghidriff |       max_section_funcs:  200
INFO | ghidriff |       md_title:           None
INFO | ghidriff | Setting Up Ghidra Project...
INFO  Creating project: /workspaces/ghidriff/.ghidra_projects/ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413/ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413 (DefaultProject)  
INFO | ghidriff | Created project: ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | Project Location: /workspaces/ghidriff/.ghidra_projects/ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | Importing ntoskrnl.exe.10.0.22621.1344
INFO  Starting cache cleanup: /tmp/vscode-Ghidra/fscache2 (FileCacheMaintenanceDaemon)  
INFO  Finished cache cleanup, estimated storage used: 0 (FileCacheMaintenanceDaemon)  
INFO  Using Loader: Portable Executable (PE) (AutoImporter)  
INFO | ghidriff | Importing ntoskrnl.exe.10.0.22621.1413
INFO  Using Loader: Portable Executable (PE) (AutoImporter)  
INFO | ghidriff | Setting up Symbol Server for symbols...
INFO | ghidriff | path: .symbols level: 1
INFO | ghidriff | Symbol Server Configured path: SymbolServerService:
        symbolStore: LocalSymbolStore: [ rootDir: /workspaces/ghidriff/.symbols, storageLevel: -1],
        symbolServers:
                HttpSymbolServer: [ url: https://msdl.microsoft.com/download/symbols/, storageLevel: -1]
                HttpSymbolServer: [ url: https://chromium-browser-symsrv.commondatastorage.googleapis.com/, storageLevel: -1]
                HttpSymbolServer: [ url: https://symbols.mozilla.org/, storageLevel: -1]
                HttpSymbolServer: [ url: https://software.intel.com/sites/downloads/symbols/, storageLevel: -1]
                HttpSymbolServer: [ url: https://driver-symbols.nvidia.com/, storageLevel: -1]
                HttpSymbolServer: [ url: https://download.amd.com/dir/bin/, storageLevel: -1]
INFO  Connecting to https://msdl.microsoft.com/download/symbols/ (ConsoleTaskMonitor)  
INFO  Success (ConsoleTaskMonitor)  
INFO  Storing ntkrnlmp.pdb in local symbol store (12.66MB) (ConsoleTaskMonitor)  
INFO | ghidriff | Pdb stored at: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/FB0913AF0585F234BD64A64A87C62DB11/ntkrnlmp.pdb
INFO  Connecting to https://msdl.microsoft.com/download/symbols/ (ConsoleTaskMonitor)  
INFO  Success (ConsoleTaskMonitor)  
INFO  Storing ntkrnlmp.pdb in local symbol store (12.66MB) (ConsoleTaskMonitor)  
INFO | ghidriff | Pdb stored at: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/797E613DB16DB6C0E57795A0CB03F4711/ntkrnlmp.pdb
INFO | ghidriff | Program: /ntoskrnl.exe.10.0.22621.1344 imported: True has_pdb: True pdb_loaded: False analyzed False
INFO | ghidriff | Program: /ntoskrnl.exe.10.0.22621.1413 imported: True has_pdb: True pdb_loaded: False analyzed False
INFO | ghidriff | Starting analysis for 2 binaries
INFO | ghidriff | Analyzing: ntoskrnl.exe.10.0.22621.1413 - .ProgramDB
INFO | ghidriff | Analyzing: ntoskrnl.exe.10.0.22621.1344 - .ProgramDB
WARNING| ghidriff | Turning off 'Shared Return Calls' for ntoskrnl.exe.10.0.22621.1344 - .ProgramDB
INFO | ghidriff | Starting Ghidra analysis of ntoskrnl.exe.10.0.22621.1344 - .ProgramDB...
INFO  PDB analyzer parsing file: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/FB0913AF0585F234BD64A64A87C62DB11/ntkrnlmp.pdb (PdbUniversalAnalyzer)  
WARNING| ghidriff | Turning off 'Shared Return Calls' for ntoskrnl.exe.10.0.22621.1413 - .ProgramDB
INFO | ghidriff | Starting Ghidra analysis of ntoskrnl.exe.10.0.22621.1413 - .ProgramDB...
INFO  PDB analyzer parsing file: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/797E613DB16DB6C0E57795A0CB03F4711/ntkrnlmp.pdb (PdbUniversalAnalyzer)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/<unnamed-tag_00001117> (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/<unnamed-tag_0000111B> (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/<unnamed-tag_0000111F> (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_WMI_LOGGER_CONTEXT (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_PPM_PLATFORM_STATE (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_IOP_IRP_EXTENSION (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_EX_HEAP_POOL_NODE (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_BLOB (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_MMPAGING_FILE (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_MMCLONE_DESCRIPTOR (CppCompositeType)  
WARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_KUSER_SHARED_DATA (CppCompositeType)  
INFO  Resolve time: 1939 mS (DefaultPdbApplicator)  
INFO  resolveCount: 3644 (DefaultPdbApplicator)  
INFO  Resolve time: 1854 mS (DefaultPdbApplicator)  
INFO  resolveCount: 3644 (DefaultPdbApplicator)  
WARN  Decompiling 1402efc70, pcode error at 14000000c: Unable to resolve constructor at 14000000c (DecompileCallback)  
WARN  Decompiling 1402efc70, pcode error at 14000000c: Unable to resolve constructor at 14000000c (DecompileCallback)  
WARN  Decompiling 1402efc70, pcode error at 14000000c: Unable to resolve constructor at 14000000c (DecompileCallback)  
INFO  Packed database cache: /tmp/vscode-Ghidra/packed-db-cache (PackedDatabaseCache)  

 
INFO  -----------------------------------------------------
    ASCII Strings                              0.137 secs
    Apply Data Archives                        3.295 secs
    Call Convention ID                         2.037 secs
    Call-Fixup Installer                       0.998 secs
    Create Address Tables                      0.021 secs
    Create Address Tables - One Time           5.159 secs
    Create Function                            8.858 secs
    Data Reference                            17.246 secs
    Decompiler Switch Analysis               266.328 secs
    Demangler Microsoft                        3.514 secs
    Disassemble                                0.232 secs
    Disassemble Entry Points                  58.448 secs
    Disassemble Entry Points - One Time        1.802 secs
    Embedded Media                             0.123 secs
    External Entry References                  0.125 secs
    Function ID                              114.335 secs
    Function Start Search                      0.859 secs
    Non-Returning Functions - Discovered      25.594 secs
    Non-Returning Functions - Known            0.144 secs
    PDB Universal                            168.601 secs
    Reference                                  6.969 secs
    Scalar Operand References                 91.615 secs
    Shared Return Calls                        4.718 secs
    Stack                                    291.121 secs
    Subroutine References                     14.672 secs
    Subroutine References - One Time           0.027 secs
    Windows x86 PE Exception Handling          0.470 secs
    Windows x86 PE RTTI Analyzer               0.091 secs
    Windows x86 Thread Environment Block (TEB) Analyzer     0.115 secs
    WindowsResourceReference                   0.413 secs
    x86 Constant Reference Analyzer          261.728 secs
-----------------------------------------------------
     Total Time   1349 secs
-----------------------------------------------------
 (AutoAnalysisManager)  
INFO  -----------------------------------------------------
    ASCII Strings                              3.249 secs
    Apply Data Archives                        3.290 secs
    Call Convention ID                         1.984 secs
    Call-Fixup Installer                       0.947 secs
    Create Address Tables                      0.007 secs
    Create Address Tables - One Time           5.178 secs
    Create Function                            8.855 secs
    Data Reference                            17.320 secs
    Decompiler Switch Analysis               264.962 secs
    Demangler Microsoft                        3.649 secs
    Disassemble                                0.468 secs
    Disassemble Entry Points                  58.480 secs
    Disassemble Entry Points - One Time        1.805 secs
    Embedded Media                             0.102 secs
    External Entry References                  0.120 secs
    Function ID                              114.285 secs
    Function Start Search                      0.987 secs
    Non-Returning Functions - Discovered      25.826 secs
    Non-Returning Functions - Known            0.034 secs
    PDB Universal                            169.189 secs
    Reference                                  6.714 secs
    Scalar Operand References                 91.422 secs
    Shared Return Calls                        4.760 secs
    Stack                                    291.137 secs
    Subroutine References                     14.711 secs
    Subroutine References - One Time           0.018 secs
    Windows x86 PE Exception Handling          0.463 secs
    Windows x86 PE RTTI Analyzer               0.089 secs
    Windows x86 Thread Environment Block (TEB) Analyzer     0.119 secs
    WindowsResourceReference                   0.403 secs
    x86 Constant Reference Analyzer          262.810 secs
-----------------------------------------------------
     Total Time   1353 secs
-----------------------------------------------------
 (AutoAnalysisManager)  
INFO | ghidriff | Analysis for ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413:/ntoskrnl.exe.10.0.22621.1413 complete
INFO | ghidriff | Analysis for ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413:/ntoskrnl.exe.10.0.22621.1344 complete
INFO | ghidriff | Diffing bins: ntoskrnl.exe.10.0.22621.1344 - ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | Setup 16 decompliers
INFO | ghidriff | Loaded old program: ntoskrnl.exe.10.0.22621.1344
INFO | ghidriff | Loaded new program: ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | p1 sym count: reported: 244603 analyzed: 16772
INFO | ghidriff | p2 sym count: reported: 244606 analyzed: 16809
INFO | ghidriff | Found unmatched: 65 matched: 16758 symbols
INFO  Hashing symbols in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing symbols in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Eliminate non-unique matches (ConsoleTaskMonitor)  
INFO  Finding symbol matches (ConsoleTaskMonitor)  
INFO | ghidriff | Exec time: 2.1672 secs
INFO | ghidriff | Match count 54939
INFO | ghidriff | Counter({('SymbolsHash',): 27893})
INFO | ghidriff | Running correlator: ExactBytesFunctionHasher
INFO | ghidriff | name: ExactBytesFunctionHasher hasher: ghidra.app.plugin.match.ExactBytesFunctionHasher@7167d81b one_to_one: True one_to_many: False
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | ExactBytesFunctionHasher Exec time: 0.8299 secs
INFO | ghidriff | Match count: 100
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactBytesFunctionHasher',): 100})
INFO | ghidriff | Running correlator: ExactInstructionsFunctionHasher
INFO | ghidriff | name: ExactInstructionsFunctionHasher hasher: ghidra.app.plugin.match.ExactInstructionsFunctionHasher@3c9cfcde one_to_one: True one_to_many: False
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | ExactInstructionsFunctionHasher Exec time: 0.4906 secs
INFO | ghidriff | Match count: 123
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100})
INFO | ghidriff | Running correlator: StructuralGraphExactHash
INFO | ghidriff | name: StructuralGraphExactHash hasher: <jpype._jproxy.proxy.StructuralGraphExactHasher object at 0xffff26c53bf0> one_to_one: True one_to_many: False
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | StructuralGraphExactHash Exec time: 1.3213 secs
INFO | ghidriff | Match count: 0
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100})
INFO | ghidriff | Running correlator: ExactMnemonicsFunctionHasher
INFO | ghidriff | name: ExactMnemonicsFunctionHasher hasher: ghidra.app.plugin.match.ExactMnemonicsFunctionHasher@7533923b one_to_one: True one_to_many: False
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | ExactMnemonicsFunctionHasher Exec time: 2.5697 secs
INFO | ghidriff | Match count: 0
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100})
INFO | ghidriff | Running correlator: BulkInstructionHash
INFO | ghidriff | name: BulkInstructionHash hasher: <jpype._jproxy.proxy.BulkInstructionsHasher object at 0xffff26c53b50> one_to_one: True one_to_many: False
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | BulkInstructionHash Exec time: 1.1462 secs
INFO | ghidriff | Match count: 2
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})
INFO | ghidriff | Running correlator: StructuralGraphHash
INFO | ghidriff | name: StructuralGraphHash hasher: <jpype._jproxy.proxy.StructuralGraphHasher object at 0xffff26c53ab0> one_to_one: True one_to_many: True
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | StructuralGraphHash Exec time: 0.1894 secs
INFO | ghidriff | Match count: 693
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('StructuralGraphHash',): 693, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})
INFO | ghidriff | Running correlator: BulkBasicBlockMnemonicHash
INFO | ghidriff | name: BulkBasicBlockMnemonicHash hasher: <jpype._jproxy.proxy.BulkBasicBlockMnemonicHasher object at 0xffff26c53a10> one_to_one: True one_to_many: True
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | BulkBasicBlockMnemonicHash Exec time: 0.1846 secs
INFO | ghidriff | Match count: 0
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('StructuralGraphHash',): 693, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})
INFO | ghidriff | Running correlator: SigCallingCalledHasher
INFO | ghidriff | name: SigCallingCalledHasher hasher: <jpype._jproxy.proxy.SigCallingCalledHasher object at 0xffff26c53970> one_to_one: True one_to_many: False
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  
INFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  
INFO  Finding function matches (ConsoleTaskMonitor)  
INFO | ghidriff | SigCallingCalledHasher Exec time: 0.1398 secs
INFO | ghidriff | Match count: 0
INFO | ghidriff | Counter({('SymbolsHash',): 27893, ('StructuralGraphHash',): 693, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})
INFO | ghidriff | p1 missing = 1
INFO | ghidriff | p2 missing = 1
INFO | ghidriff | Deduping symbols and functions...
INFO | ghidriff | Sorting symbols and strings...
INFO | ghidriff | Sorting functions...
INFO | ghidriff | Starting esym lookups for 71 symbols using 8 threads
INFO | ghidriff | Completed 4 at 5%
INFO | ghidriff | Completed 8 at 11%
INFO | ghidriff | Completed 12 at 16%
INFO | ghidriff | Completed 16 at 22%
INFO | ghidriff | Completed 20 at 28%
INFO | ghidriff | Completed 24 at 33%
INFO | ghidriff | Completed 28 at 39%
INFO | ghidriff | Completed 32 at 45%
INFO | ghidriff | Completed 36 at 50%
INFO | ghidriff | Completed 40 at 56%
INFO | ghidriff | Completed 44 at 61%
INFO | ghidriff | Completed 48 at 67%
INFO | ghidriff | Completed 52 at 73%
INFO | ghidriff | Completed 56 at 78%
INFO | ghidriff | Completed 60 at 84%
INFO | ghidriff | Completed 64 at 90%
INFO | ghidriff | Completed 68 at 95%
INFO | ghidriff | Finished diffing old program: ntoskrnl.exe.10.0.22621.1344
INFO | ghidriff | Finished diffing program: ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | {
  "added_funcs_len": 1,
  "deleted_funcs_len": 1,
  "modified_funcs_len": 11,
  "added_symbols_len": 12,
  "deleted_symbols_len": 8,
  "diff_time": 86.45361375808716,
  "deleted_strings_len": 6,
  "added_strings_len": 39,
  "match_types": {
    "SymbolsHash": 27893,
    "ExactBytesFunctionHasher": 100,
    "ExactInstructionsFunctionHasher": 123,
    "BulkInstructionHash": 2,
    "StructuralGraphHash": 693
  },
  "items_to_process": 33,
  "diff_types": {
    "code": 5,
    "length": 5,
    "refcount": 7,
    "calling": 6,
    "address": 6,
    "called": 3
  },
  "unmatched_funcs_len": 2,
  "total_funcs_len": 60664,
  "matched_funcs_len": 60662,
  "matched_funcs_with_code_changes_len": 5,
  "matched_funcs_with_non_code_changes_len": 6,
  "matched_funcs_no_changes_len": 60651,
  "match_func_similarity_percent": "99.9819%",
  "func_match_overall_percent": "99.9967%"
}
INFO | ghidriff | Writing md diff...
INFO | ghidriff | Generating markdown from {'added_funcs_len': 1, 'deleted_funcs_len': 1, 'modified_funcs_len': 11, 'added_symbols_len': 12, 'deleted_symbols_len': 8, 'diff_time': 86.45361375808716, 'deleted_strings_len': 6, 'added_strings_len': 39, 'match_types': Counter({'SymbolsHash': 27893, 'StructuralGraphHash': 693, 'ExactInstructionsFunctionHasher': 123, 'ExactBytesFunctionHasher': 100, 'BulkInstructionHash': 2}), 'items_to_process': 33, 'diff_types': Counter({'refcount': 7, 'calling': 6, 'address': 6, 'code': 5, 'length': 5, 'called': 3}), 'unmatched_funcs_len': 2, 'total_funcs_len': 60664, 'matched_funcs_len': 60662, 'matched_funcs_with_code_changes_len': 5, 'matched_funcs_with_non_code_changes_len': 6, 'matched_funcs_no_changes_len': 60651, 'match_func_similarity_percent': '99.9819%', 'func_match_overall_percent': '99.9967%'}
INFO | ghidriff | Known Command line: python ghidriff --project-location .ghidra_projects --project-name ghidriff --symbols-path .symbols --threaded --log-level INFO --file-log-level INFO --log-path ghidriff.log --max-ram-percent 60.0 --max-section-funcs 200 ntoskrnl.exe.10.0.22621.1344 ntoskrnl.exe.10.0.22621.1413
INFO | ghidriff | Extra Command line: --engine VersionTrackingDiff --output-path .ghidriffs
INFO | ghidriff | Writing pdiff json...
INFO | ghidriff | Wrote .ghidriffs/ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413_diff.md
INFO | ghidriff | Wrote .ghidriffs/json/ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413_diff.json
```
</details>

#### Analyze the Diff


Results in this beautiful markdown: [ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413.diff.md](https://gist.github.com/clearbluejar/b95ae854a92ee917cd0b5c7055b60282)

See if you can figure out what function was patched for [CVE-2023-23420](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23420).

- Details of [CVE-2023-23420](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23420) can be found here: [https://bugs.chromium.org/p/project-zero/issues/detail?id=2392](https://bugs.chromium.org/p/project-zero/issues/detail?id=2392)

Prefer a side-by-side diff? Try out `ghidriff`'s custom HTML viewer: https://diffpreview.github.io/?b95ae854a92ee917cd0b5c7055b60282
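Reading a 60,000-function kernel diff by hand is slow; the JSON that `ghidriff` writes next to the markdown is the better starting point. The script below is an added example (not part of `ghidriff`) that loads that JSON, checks the summary stats against the function lists, and prints only the matched functions whose `diff_type` contains `code`, least similar first, with just their `+`/`-` lines. The stats keys are the ones `ghidriff` logs in its summary above; the per-function layout (`functions.modified[]` entries carrying `old`, `new`, `diff`, `diff_type` and `ratio`) is assumed from `ghidriff`'s JSON output and may differ between releases, so confirm it against one real `*_diff.json` before relying on it. The embedded sample is constructed, with counts made up to match its two entries.

```python
"""Triage a ghidriff diff JSON: list matched functions whose decompiled code
actually changed, least similar first, showing only their changed lines.

Added example, not ghidriff's own code. The stats keys mirror the summary
ghidriff logs; the per-function layout (functions.modified[] with
old/new/diff/diff_type/ratio) is ASSUMED and may differ between releases.
"""
import json
import sys
from pathlib import Path

# Constructed sample in the assumed layout. The stats counts are made up to
# agree with the two entries below; they are not from a real diff.
SAMPLE_PDIFF = {
    "stats": {
        "added_funcs_len": 1,
        "deleted_funcs_len": 1,
        "modified_funcs_len": 2,
        "matched_funcs_with_code_changes_len": 1,
        "diff_types": {"code": 1, "length": 1, "address": 2, "refcount": 1},
    },
    "functions": {
        "added": [{"name": "NewHelperFunc", "address": "0x140123000"}],
        "deleted": [{"name": "OldHelperFunc", "address": "0x140122000"}],
        "modified": [
            {   # code changed: the kind of entry a patch diff is hunting for
                "old": {"name": "ExampleValidateInput", "address": "0x140200000"},
                "new": {"name": "ExampleValidateInput", "address": "0x140200010"},
                "diff_type": ["code", "length", "address"],
                "ratio": 0.91,
                "diff": ("--- ExampleValidateInput\n+++ ExampleValidateInput\n"
                         "@@ -3,2 +3,3 @@\n   if (len == 0) return 0;\n"
                         "+  if (len > 0x1000) return 0xC000000D;\n"
                         "   memcpy(dst, src, len);\n"),
            },
            {   # relocated but byte-identical code: noise for patch analysis
                "old": {"name": "ExampleUnchanged", "address": "0x140300000"},
                "new": {"name": "ExampleUnchanged", "address": "0x140300020"},
                "diff_type": ["address", "refcount"],
                "ratio": 1.0,
                "diff": "",
            },
        ],
    },
}


def load_pdiff(path):
    """Load a ghidriff *_diff.json file."""
    return json.loads(Path(path).read_text())


def summarize(pdiff):
    """Pull the headline counts out of the stats block."""
    s = pdiff["stats"]
    return {
        "added": s["added_funcs_len"],
        "deleted": s["deleted_funcs_len"],
        "modified": s["modified_funcs_len"],
        "code_changes": s["matched_funcs_with_code_changes_len"],
        "diff_types": dict(s["diff_types"]),
    }


def code_changed_funcs(pdiff):
    """Modified functions whose diff_type includes 'code', least similar first."""
    mods = pdiff["functions"]["modified"]
    hits = [m for m in mods if "code" in m.get("diff_type", [])]
    return sorted(hits, key=lambda m: m.get("ratio", 1.0))


def changed_lines(entry):
    """Only the +/- lines of a function's unified diff, minus the file headers."""
    out = []
    for line in entry.get("diff", "").splitlines():
        if line.startswith(("+++", "---")):
            continue
        if line.startswith(("+", "-")):
            out.append(line)
    return out


def consistency_check(pdiff):
    """Stats and function lists must agree; a mismatch usually means a
    truncated or hand-edited JSON rather than a real result."""
    s, f = pdiff["stats"], pdiff["functions"]
    return (len(f["added"]) == s["added_funcs_len"]
            and len(f["deleted"]) == s["deleted_funcs_len"]
            and len(f["modified"]) == s["modified_funcs_len"]
            and len(code_changed_funcs(pdiff)) == s["matched_funcs_with_code_changes_len"])


def report(pdiff):
    """Triage text returned as lines so callers can test or print it."""
    s = summarize(pdiff)
    lines = [f"added={s['added']} deleted={s['deleted']} "
             f"modified={s['modified']} code_changes={s['code_changes']}"]
    for m in code_changed_funcs(pdiff):
        lines.append(f"{m['old']['name']} {m['old']['address']} -> "
                     f"{m['new']['address']} ratio={m['ratio']:.2f} "
                     f"types={','.join(m['diff_type'])}")
        lines.extend("    " + l for l in changed_lines(m))
    return lines


if __name__ == "__main__":
    pdiff = load_pdiff(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PDIFF
    if not consistency_check(pdiff):
        sys.exit("stats block disagrees with function lists; JSON truncated?")
    print("\n".join(report(pdiff)))
```

Run it as `python triage.py .ghidriffs/json/<old>-<new>_diff.json`; with no argument it runs on the constructed sample. Sorting by `ratio` puts the least similar code-changed functions first, which is where a security fix usually is, while entries that only changed `address` or `refcount` (the bulk of a kernel diff) are dropped entirely.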

##### Results stored in `ghidriffs` folder

```bash
$ tree ghidriffs
ghidriffs
├── ghidra_projects
│   └── ghidriff-ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283
│       ├── ghidriff-ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.gpr
│       └── ghidriff-ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.rep
│           ├── idata
│           ├── project.prp
│           ├── user
│           └── versioned
├── ghidriff.log
├── json
│   └── ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.ghidriff.json
├── ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.ghidriff.md
└── symbols
    ├── ntkrnlmp.pdb
        ├── 69071F680ADFE36F178C6EC06E79E09C1
        │   └── ntkrnlmp.pdb
        └── 738ED8FF966E8502EFE17095B9F1F5481
            └── ntkrnlmp.pdb
```

### Diffing CVE-2023-21768

CVE-2023-21768, an elevation of privilege in the Windows Ancillary Function Driver for WinSock (`afd.sys`), is covered in detail in this blog [post](https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/). What if you wanted to repeat this patch diff with `ghidriff`?

1. Download two versions of `AFD.sys` (vulnerable and patched):

```bash
wget https://msdl.microsoft.com/download/symbols/afd.sys/0C5C6994A8000/afd.sys -O afd.sys.x64.10.0.22621.1028
wget https://msdl.microsoft.com/download/symbols/afd.sys/50989142A9000/afd.sys -O afd.sys.x64.10.0.22621.1415
```

2.  Run `ghidriff`:

```bash
ghidriff afd.sys.x64.10.0.22621.1028 afd.sys.x64.10.0.22621.1415
```

3. Review results

The diff results are posted in this GitHub [gist](https://gist.github.com/clearbluejar/f6fecbc507a9f1a92c9231e3db7ef40d). The vulnerable function `AfdNotifyRemoveIoCompletion` was identified here with a [single line change](https://gist.github.com/clearbluejar/f6fecbc507a9f1a92c9231e3db7ef40d#afdnotifyremoveiocompletion-diff).

Want to see the entire diff side by side? https://diffpreview.github.io/?f6fecbc507a9f1a92c9231e3db7ef40d or jump to the [single line change](https://diffpreview.github.io/?f6fecbc507a9f1a92c9231e3db7ef40d#d2h-703858:~:text=ProbeForWrite(*(PVOID%20*)(param_3%20%2B%200x18)%2C4%2C4)%3B)
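The `0C5C6994A8000` and `50989142A9000` path components in the `wget` commands above are not arbitrary: the Microsoft symbol server addresses an executable as `<file>/<TimeDateStamp as 8 hex digits><SizeOfImage in hex>/<file>`, both values taken from the PE header. The script below is an added example (not part of `ghidriff`) that reads those two fields from a PE image, builds the URL, and, when run as a program, downloads the vulnerable/patched pair, checks that each download's header really matches the key it was fetched by, and then runs the same `ghidriff` command as step 2. It assumes the msdl path convention, the two keys from step 1, and that `ghidriff` is on `PATH`; `minimal_pe` builds a header-only fixture so the parsing can be exercised offline.

```python
"""Derive Microsoft symbol-server URLs from a PE header and fetch a
vulnerable/patched pair for ghidriff.

Added example, not ghidriff's own code. Assumes the msdl convention
<file>/<TimeDateStamp:08X><SizeOfImage:X>/<file> and the two afd.sys keys
from the wget commands in step 1.
"""
import struct
import subprocess
import urllib.request

SYMSRV = "https://msdl.microsoft.com/download/symbols"

# (destination name, symbol-server key) for the vulnerable and patched afd.sys
AFD_PAIR = {
    "afd.sys.x64.10.0.22621.1028": "0C5C6994A8000",
    "afd.sys.x64.10.0.22621.1415": "50989142A9000",
}


def pe_stamp_and_size(data: bytes):
    """Return (TimeDateStamp, SizeOfImage) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    timestamp, = struct.unpack_from("<I", data, coff + 4)
    opt = coff + 20                      # IMAGE_FILE_HEADER is 20 bytes
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # SizeOfImage sits at offset 56 in both PE32 and PE32+ optional headers
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    return timestamp, size_of_image


def symsrv_key(timestamp: int, size_of_image: int) -> str:
    """Zero-padded 8-digit stamp followed by the unpadded image size."""
    return f"{timestamp:08X}{size_of_image:X}"


def split_key(key: str):
    """Inverse of symsrv_key: first 8 hex digits are the stamp, rest the size."""
    return int(key[:8], 16), int(key[8:], 16)


def symsrv_url(filename: str, timestamp: int, size_of_image: int) -> str:
    return f"{SYMSRV}/{filename}/{symsrv_key(timestamp, size_of_image)}/{filename}"


def minimal_pe(timestamp: int, size_of_image: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image for offline testing; not loadable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def download(filename: str, key: str, dest: str) -> None:
    """Fetch <file>/<key>/<file> and verify the header encodes the same key,
    so a wrong or silently substituted build is caught before diffing."""
    url = f"{SYMSRV}/{filename}/{key}/{filename}"
    with urllib.request.urlopen(url) as resp:
        data = resp.read()
    got = symsrv_key(*pe_stamp_and_size(data))
    if got != key:
        raise RuntimeError(f"{dest}: header key {got} does not match {key}")
    with open(dest, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    for dest, key in AFD_PAIR.items():
        download("afd.sys", key, dest)
    # same invocation as step 2 above; ghidriff must be on PATH
    subprocess.run(["ghidriff", *AFD_PAIR], check=True)
```

Once you have any copy of a binary, `symsrv_url("afd.sys", *pe_stamp_and_size(open(path, "rb").read()))` gives the exact URL the symbol server would serve it from, which is how you find the download for an arbitrary build rather than only the two shown here.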

## Notes

### Markdown Spec + MermaidJs
- Striving to be compliant with [GFM](https://github.github.com/gfm/) and [cmark](https://spec.commonmark.org/). Still working on it though. See issues.
- MermaidJs requires your markdown [renderer support](https://mermaid.js.org/ecosystem/integrations-community.html). 

            

| ghidriff | Pdb stored at: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/797E613DB16DB6C0E57795A0CB03F4711/ntkrnlmp.pdb\nINFO | ghidriff | Program: /ntoskrnl.exe.10.0.22621.1344 imported: True has_pdb: True pdb_loaded: False analyzed False\nINFO | ghidriff | Program: /ntoskrnl.exe.10.0.22621.1413 imported: True has_pdb: True pdb_loaded: False analyzed False\nINFO | ghidriff | Starting analysis for 2 binaries\nINFO | ghidriff | Analyzing: ntoskrnl.exe.10.0.22621.1413 - .ProgramDB\nINFO | ghidriff | Analyzing: ntoskrnl.exe.10.0.22621.1344 - .ProgramDB\nWARNING| ghidriff | Turning off 'Shared Return Calls' for ntoskrnl.exe.10.0.22621.1344 - .ProgramDB\nINFO | ghidriff | Starting Ghidra analysis of ntoskrnl.exe.10.0.22621.1344 - .ProgramDB...\nINFO  PDB analyzer parsing file: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/FB0913AF0585F234BD64A64A87C62DB11/ntkrnlmp.pdb (PdbUniversalAnalyzer)  \nWARNING| ghidriff | Turning off 'Shared Return Calls' for ntoskrnl.exe.10.0.22621.1413 - .ProgramDB\nINFO | ghidriff | Starting Ghidra analysis of ntoskrnl.exe.10.0.22621.1413 - .ProgramDB...\nINFO  PDB analyzer parsing file: /workspaces/ghidriff/.symbols/ntkrnlmp.pdb/797E613DB16DB6C0E57795A0CB03F4711/ntkrnlmp.pdb (PdbUniversalAnalyzer)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/<unnamed-tag_00001117> (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/<unnamed-tag_0000111B> (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/<unnamed-tag_0000111F> (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_WMI_LOGGER_CONTEXT (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_PPM_PLATFORM_STATE (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_IOP_IRP_EXTENSION (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_EX_HEAP_POOL_NODE (CppCompositeType)  \nWARN 
 PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_BLOB (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_MMPAGING_FILE (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_MMCLONE_DESCRIPTOR (CppCompositeType)  \nWARN  PDB STRUCTURE reconstruction failed to align /ntkrnlmp.pdb/_KUSER_SHARED_DATA (CppCompositeType)  \nINFO  Resolve time: 1939 mS (DefaultPdbApplicator)  \nINFO  resolveCount: 3644 (DefaultPdbApplicator)  \nINFO  Resolve time: 1854 mS (DefaultPdbApplicator)  \nINFO  resolveCount: 3644 (DefaultPdbApplicator)  \nWARN  Decompiling 1402efc70, pcode error at 14000000c: Unable to resolve constructor at 14000000c (DecompileCallback)  \nWARN  Decompiling 1402efc70, pcode error at 14000000c: Unable to resolve constructor at 14000000c (DecompileCallback)  \nWARN  Decompiling 1402efc70, pcode error at 14000000c: Unable to resolve constructor at 14000000c (DecompileCallback)  \nINFO  Packed database cache: /tmp/vscode-Ghidra/packed-db-cache (PackedDatabaseCache)  \n\n \nINFO  -----------------------------------------------------\n    ASCII Strings                              0.137 secs\n    Apply Data Archives                        3.295 secs\n    Call Convention ID                         2.037 secs\n    Call-Fixup Installer                       0.998 secs\n    Create Address Tables                      0.021 secs\n    Create Address Tables - One Time           5.159 secs\n    Create Function                            8.858 secs\n    Data Reference                            17.246 secs\n    Decompiler Switch Analysis               266.328 secs\n    Demangler Microsoft                        3.514 secs\n    Disassemble                                0.232 secs\n    Disassemble Entry Points                  58.448 secs\n    Disassemble Entry Points - One Time        1.802 secs\n    Embedded Media                             0.123 secs\n    External Entry References              
    0.125 secs\n    Function ID                              114.335 secs\n    Function Start Search                      0.859 secs\n    Non-Returning Functions - Discovered      25.594 secs\n    Non-Returning Functions - Known            0.144 secs\n    PDB Universal                            168.601 secs\n    Reference                                  6.969 secs\n    Scalar Operand References                 91.615 secs\n    Shared Return Calls                        4.718 secs\n    Stack                                    291.121 secs\n    Subroutine References                     14.672 secs\n    Subroutine References - One Time           0.027 secs\n    Windows x86 PE Exception Handling          0.470 secs\n    Windows x86 PE RTTI Analyzer               0.091 secs\n    Windows x86 Thread Environment Block (TEB) Analyzer     0.115 secs\n    WindowsResourceReference                   0.413 secs\n    x86 Constant Reference Analyzer          261.728 secs\n-----------------------------------------------------\n     Total Time   1349 secs\n-----------------------------------------------------\n (AutoAnalysisManager)  \nINFO  -----------------------------------------------------\n    ASCII Strings                              3.249 secs\n    Apply Data Archives                        3.290 secs\n    Call Convention ID                         1.984 secs\n    Call-Fixup Installer                       0.947 secs\n    Create Address Tables                      0.007 secs\n    Create Address Tables - One Time           5.178 secs\n    Create Function                            8.855 secs\n    Data Reference                            17.320 secs\n    Decompiler Switch Analysis               264.962 secs\n    Demangler Microsoft                        3.649 secs\n    Disassemble                                0.468 secs\n    Disassemble Entry Points                  58.480 secs\n    Disassemble Entry Points - One Time        1.805 secs\n    Embedded Media                
             0.102 secs\n    External Entry References                  0.120 secs\n    Function ID                              114.285 secs\n    Function Start Search                      0.987 secs\n    Non-Returning Functions - Discovered      25.826 secs\n    Non-Returning Functions - Known            0.034 secs\n    PDB Universal                            169.189 secs\n    Reference                                  6.714 secs\n    Scalar Operand References                 91.422 secs\n    Shared Return Calls                        4.760 secs\n    Stack                                    291.137 secs\n    Subroutine References                     14.711 secs\n    Subroutine References - One Time           0.018 secs\n    Windows x86 PE Exception Handling          0.463 secs\n    Windows x86 PE RTTI Analyzer               0.089 secs\n    Windows x86 Thread Environment Block (TEB) Analyzer     0.119 secs\n    WindowsResourceReference                   0.403 secs\n    x86 Constant Reference Analyzer          262.810 secs\n-----------------------------------------------------\n     Total Time   1353 secs\n-----------------------------------------------------\n (AutoAnalysisManager)  \nINFO | ghidriff | Analysis for ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413:/ntoskrnl.exe.10.0.22621.1413 complete\nINFO | ghidriff | Analysis for ghidriff-ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413:/ntoskrnl.exe.10.0.22621.1344 complete\nINFO | ghidriff | Diffing bins: ntoskrnl.exe.10.0.22621.1344 - ntoskrnl.exe.10.0.22621.1413\nINFO | ghidriff | Setup 16 decompliers\nINFO | ghidriff | Loaded old program: ntoskrnl.exe.10.0.22621.1344\nINFO | ghidriff | Loaded new program: ntoskrnl.exe.10.0.22621.1413\nINFO | ghidriff | p1 sym count: reported: 244603 analyzed: 16772\nINFO | ghidriff | p2 sym count: reported: 244606 analyzed: 16809\nINFO | ghidriff | Found unmatched: 65 matched: 16758 symbols\nINFO  Hashing symbols in ntoskrnl.exe.10.0.22621.1344 
(ConsoleTaskMonitor)  \nINFO  Hashing symbols in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Eliminate non-unique matches (ConsoleTaskMonitor)  \nINFO  Finding symbol matches (ConsoleTaskMonitor)  \nINFO | ghidriff | Exec time: 2.1672 secs\nINFO | ghidriff | Match count 54939\nINFO | ghidriff | Counter({('SymbolsHash',): 27893})\nINFO | ghidriff | Running correlator: ExactBytesFunctionHasher\nINFO | ghidriff | name: ExactBytesFunctionHasher hasher: ghidra.app.plugin.match.ExactBytesFunctionHasher@7167d81b one_to_one: True one_to_many: False\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | ExactBytesFunctionHasher Exec time: 0.8299 secs\nINFO | ghidriff | Match count: 100\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactBytesFunctionHasher',): 100})\nINFO | ghidriff | Running correlator: ExactInstructionsFunctionHasher\nINFO | ghidriff | name: ExactInstructionsFunctionHasher hasher: ghidra.app.plugin.match.ExactInstructionsFunctionHasher@3c9cfcde one_to_one: True one_to_many: False\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | ExactInstructionsFunctionHasher Exec time: 0.4906 secs\nINFO | ghidriff | Match count: 123\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100})\nINFO | ghidriff | Running correlator: StructuralGraphExactHash\nINFO | ghidriff | name: StructuralGraphExactHash hasher: <jpype._jproxy.proxy.StructuralGraphExactHasher object at 0xffff26c53bf0> one_to_one: True one_to_many: False\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing 
functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | StructuralGraphExactHash Exec time: 1.3213 secs\nINFO | ghidriff | Match count: 0\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100})\nINFO | ghidriff | Running correlator: ExactMnemonicsFunctionHasher\nINFO | ghidriff | name: ExactMnemonicsFunctionHasher hasher: ghidra.app.plugin.match.ExactMnemonicsFunctionHasher@7533923b one_to_one: True one_to_many: False\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | ExactMnemonicsFunctionHasher Exec time: 2.5697 secs\nINFO | ghidriff | Match count: 0\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100})\nINFO | ghidriff | Running correlator: BulkInstructionHash\nINFO | ghidriff | name: BulkInstructionHash hasher: <jpype._jproxy.proxy.BulkInstructionsHasher object at 0xffff26c53b50> one_to_one: True one_to_many: False\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | BulkInstructionHash Exec time: 1.1462 secs\nINFO | ghidriff | Match count: 2\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})\nINFO | ghidriff | Running correlator: StructuralGraphHash\nINFO | ghidriff | name: StructuralGraphHash hasher: <jpype._jproxy.proxy.StructuralGraphHasher object at 0xffff26c53ab0> one_to_one: True one_to_many: True\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 
(ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | StructuralGraphHash Exec time: 0.1894 secs\nINFO | ghidriff | Match count: 693\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('StructuralGraphHash',): 693, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})\nINFO | ghidriff | Running correlator: BulkBasicBlockMnemonicHash\nINFO | ghidriff | name: BulkBasicBlockMnemonicHash hasher: <jpype._jproxy.proxy.BulkBasicBlockMnemonicHasher object at 0xffff26c53a10> one_to_one: True one_to_many: True\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | BulkBasicBlockMnemonicHash Exec time: 0.1846 secs\nINFO | ghidriff | Match count: 0\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('StructuralGraphHash',): 693, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})\nINFO | ghidriff | Running correlator: SigCallingCalledHasher\nINFO | ghidriff | name: SigCallingCalledHasher hasher: <jpype._jproxy.proxy.SigCallingCalledHasher object at 0xffff26c53970> one_to_one: True one_to_many: False\nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1344 (ConsoleTaskMonitor)  \nINFO  Hashing functions in ntoskrnl.exe.10.0.22621.1413 (ConsoleTaskMonitor)  \nINFO  Finding function matches (ConsoleTaskMonitor)  \nINFO | ghidriff | SigCallingCalledHasher Exec time: 0.1398 secs\nINFO | ghidriff | Match count: 0\nINFO | ghidriff | Counter({('SymbolsHash',): 27893, ('StructuralGraphHash',): 693, ('ExactInstructionsFunctionHasher',): 123, ('ExactBytesFunctionHasher',): 100, ('BulkInstructionHash',): 2})\nINFO | ghidriff | p1 missing = 1\nINFO | ghidriff | p2 missing = 
1\nINFO | ghidriff | Deduping symbols and functions...\nINFO | ghidriff | Sorting symbols and strings...\nINFO | ghidriff | Sorting functions...\nINFO | ghidriff | Starting esym lookups for 71 symbols using 8 threads\nINFO | ghidriff | Completed 4 at 5%\nINFO | ghidriff | Completed 8 at 11%\nINFO | ghidriff | Completed 12 at 16%\nINFO | ghidriff | Completed 16 at 22%\nINFO | ghidriff | Completed 20 at 28%\nINFO | ghidriff | Completed 24 at 33%\nINFO | ghidriff | Completed 28 at 39%\nINFO | ghidriff | Completed 32 at 45%\nINFO | ghidriff | Completed 36 at 50%\nINFO | ghidriff | Completed 40 at 56%\nINFO | ghidriff | Completed 44 at 61%\nINFO | ghidriff | Completed 48 at 67%\nINFO | ghidriff | Completed 52 at 73%\nINFO | ghidriff | Completed 56 at 78%\nINFO | ghidriff | Completed 60 at 84%\nINFO | ghidriff | Completed 64 at 90%\nINFO | ghidriff | Completed 68 at 95%\nINFO | ghidriff | Finished diffing old program: ntoskrnl.exe.10.0.22621.1344\nINFO | ghidriff | Finished diffing program: ntoskrnl.exe.10.0.22621.1413\nINFO | ghidriff | {\n  \"added_funcs_len\": 1,\n  \"deleted_funcs_len\": 1,\n  \"modified_funcs_len\": 11,\n  \"added_symbols_len\": 12,\n  \"deleted_symbols_len\": 8,\n  \"diff_time\": 86.45361375808716,\n  \"deleted_strings_len\": 6,\n  \"added_strings_len\": 39,\n  \"match_types\": {\n    \"SymbolsHash\": 27893,\n    \"ExactBytesFunctionHasher\": 100,\n    \"ExactInstructionsFunctionHasher\": 123,\n    \"BulkInstructionHash\": 2,\n    \"StructuralGraphHash\": 693\n  },\n  \"items_to_process\": 33,\n  \"diff_types\": {\n    \"code\": 5,\n    \"length\": 5,\n    \"refcount\": 7,\n    \"calling\": 6,\n    \"address\": 6,\n    \"called\": 3\n  },\n  \"unmatched_funcs_len\": 2,\n  \"total_funcs_len\": 60664,\n  \"matched_funcs_len\": 60662,\n  \"matched_funcs_with_code_changes_len\": 5,\n  \"matched_funcs_with_non_code_changes_len\": 6,\n  \"matched_funcs_no_changes_len\": 60651,\n  \"match_func_similarity_percent\": \"99.9819%\",\n  
\"func_match_overall_percent\": \"99.9967%\"\n}\nINFO | ghidriff | Writing md diff...\nINFO | ghidriff | Generating markdown from {'added_funcs_len': 1, 'deleted_funcs_len': 1, 'modified_funcs_len': 11, 'added_symbols_len': 12, 'deleted_symbols_len': 8, 'diff_time': 86.45361375808716, 'deleted_strings_len': 6, 'added_strings_len': 39, 'match_types': Counter({'SymbolsHash': 27893, 'StructuralGraphHash': 693, 'ExactInstructionsFunctionHasher': 123, 'ExactBytesFunctionHasher': 100, 'BulkInstructionHash': 2}), 'items_to_process': 33, 'diff_types': Counter({'refcount': 7, 'calling': 6, 'address': 6, 'code': 5, 'length': 5, 'called': 3}), 'unmatched_funcs_len': 2, 'total_funcs_len': 60664, 'matched_funcs_len': 60662, 'matched_funcs_with_code_changes_len': 5, 'matched_funcs_with_non_code_changes_len': 6, 'matched_funcs_no_changes_len': 60651, 'match_func_similarity_percent': '99.9819%', 'func_match_overall_percent': '99.9967%'}\nINFO | ghidriff | Known Command line: python ghidriff --project-location .ghidra_projects --project-name ghidriff --symbols-path .symbols --threaded --log-level INFO --file-log-level INFO --log-path ghidriff.log --max-ram-percent 60.0 --max-section-funcs 200 ntoskrnl.exe.10.0.22621.1344 ntoskrnl.exe.10.0.22621.1413\nINFO | ghidriff | Extra Command line: --engine VersionTrackingDiff --output-path .ghidriffs\nINFO | ghidriff | Writing pdiff json...\nINFO | ghidriff | Wrote .ghidriffs/ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413_diff.md\nINFO | ghidriff | Wrote .ghidriffs/json/ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413_diff.json\n```\n</details>\n\n#### Analyze the Diff\n\nResults in this beautiful markdown: [ntoskrnl.exe.10.0.22621.1344-ntoskrnl.exe.10.0.22621.1413.diff.md](https://gist.github.com/clearbluejar/b95ae854a92ee917cd0b5c7055b60282)\n\nSee if you can figure out which function was patched for [CVE-2023-23420](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23420).\n\n- Details of 
[CVE-2023-23420](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23420) can be found here: [https://bugs.chromium.org/p/project-zero/issues/detail?id=2392](https://bugs.chromium.org/p/project-zero/issues/detail?id=2392)\n\nPrefer a side-by-side diff? Try `ghidriff`'s custom HTML viewer: https://diffpreview.github.io/?b95ae854a92ee917cd0b5c7055b60282\n\n##### Results stored in `ghidriffs` folder\n\nThe listing below comes from a different pair of builds (22621.2215 and 22621.2283) and a newer default layout; the run above wrote its results to `.ghidriffs` and its Ghidra project to `.ghidra_projects`, as its Engine Args output shows.\n\n```bash\n$ tree ghidriffs\nghidriffs\n\u251c\u2500\u2500 ghidra_projects\n\u2502   \u2514\u2500\u2500 ghidriff-ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283\n\u2502       \u251c\u2500\u2500 ghidriff-ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.gpr\n\u2502       \u2514\u2500\u2500 ghidriff-ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.rep\n\u2502           \u251c\u2500\u2500 idata\n\u2502           \u251c\u2500\u2500 project.prp\n\u2502           \u251c\u2500\u2500 user\n\u2502           \u2514\u2500\u2500 versioned\n\u251c\u2500\u2500 ghidriff.log\n\u251c\u2500\u2500 json\n\u2502   \u2514\u2500\u2500 ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.ghidriff.json\n\u251c\u2500\u2500 ntoskrnl.exe.10.0.22621.2215-ntoskrnl.exe.10.0.22621.2283.ghidriff.md\n\u2514\u2500\u2500 symbols\n    \u251c\u2500\u2500 ntkrnlmp.pdb\n        \u251c\u2500\u2500 69071F680ADFE36F178C6EC06E79E09C1\n        \u2502   \u2514\u2500\u2500 ntkrnlmp.pdb\n        \u2514\u2500\u2500 738ED8FF966E8502EFE17095B9F1F5481\n            \u2514\u2500\u2500 ntkrnlmp.pdb\n```\n\n### Diffing CVE-2023-21768\n\nCVE-2023-21768, a vulnerability in `AFD.sys`, is detailed in this blog [post](https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/). What if you wanted to repeat that patch diff with `ghidriff`?\n\n1. 
Download two versions of `AFD.sys` (vulnerable and patched):\n\n```bash\nwget https://msdl.microsoft.com/download/symbols/afd.sys/0C5C6994A8000/afd.sys -O afd.sys.x64.10.0.22621.1028\nwget https://msdl.microsoft.com/download/symbols/afd.sys/50989142A9000/afd.sys -O afd.sys.x64.10.0.22621.1415\n```\n\n2. Run `ghidriff`:\n\n```bash\nghidriff afd.sys.x64.10.0.22621.1028 afd.sys.x64.10.0.22621.1415\n```\n\n3. Review the results.\n\nThe diff results are posted in this GitHub [gist](https://gist.github.com/clearbluejar/f6fecbc507a9f1a92c9231e3db7ef40d). The vulnerable function `AfdNotifyRemoveIoCompletion` was identified there by a [single line change](https://gist.github.com/clearbluejar/f6fecbc507a9f1a92c9231e3db7ef40d#afdnotifyremoveiocompletion-diff).\n\nWant to see the entire diff side-by-side? Open https://diffpreview.github.io/?f6fecbc507a9f1a92c9231e3db7ef40d or jump straight to the [single line change](https://diffpreview.github.io/?f6fecbc507a9f1a92c9231e3db7ef40d#d2h-703858:~:text=ProbeForWrite(*(PVOID%20*)(param_3%20%2B%200x18)%2C4%2C4)%3B)\n\n## Notes\n\n### Markdown Spec + MermaidJs\n- Striving to be compliant with [GFM](https://github.github.com/gfm/) and [cmark](https://spec.commonmark.org/). Still working on it though. See issues.\n- MermaidJs requires your markdown [renderer support](https://mermaid.js.org/ecosystem/integrations-community.html).\n",
    "bugtrack_url": null,
    "license": "GPL-3.0 license",
    "summary": "Ghidra Binary Diffing Engine",
    "version": "0.7.1",
    "project_urls": {
        "Homepage": "https://github.com/clearbluejar/ghidriff"
    },
    "split_keywords": [
        "patchdiff",
        " binaries",
        " bindiff",
        " ghidra",
        " ghidriff"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "3c0265d4dbece3739db0a639aea9b154d4bd9a17c3daf49564bed77cc1d8afe6",
                "md5": "b7f5b53f2e595298081443be7e0d4bfb",
                "sha256": "716f9d5799c71722d3f37210cdfedbd6d4acc0a5cf1cad02115ed38c8807872d"
            },
            "downloads": -1,
            "filename": "ghidriff-0.7.1-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "b7f5b53f2e595298081443be7e0d4bfb",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.9",
            "size": 69634,
            "upload_time": "2024-04-30T17:53:53",
            "upload_time_iso_8601": "2024-04-30T17:53:53.271230Z",
            "url": "https://files.pythonhosted.org/packages/3c/02/65d4dbece3739db0a639aea9b154d4bd9a17c3daf49564bed77cc1d8afe6/ghidriff-0.7.1-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "91e5280cade67c2437c06fc22c5a20b397b67cd93e2b588a8245742580ddbbbc",
                "md5": "500979d47335191a56ba41b179167261",
                "sha256": "a6a29819065e0428a587a66fb530dc305773e458ad07b5f2f1600646c6ad961b"
            },
            "downloads": -1,
            "filename": "ghidriff-0.7.1.tar.gz",
            "has_sig": false,
            "md5_digest": "500979d47335191a56ba41b179167261",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.9",
            "size": 90612,
            "upload_time": "2024-04-30T17:53:54",
            "upload_time_iso_8601": "2024-04-30T17:53:54.755243Z",
            "url": "https://files.pythonhosted.org/packages/91/e5/280cade67c2437c06fc22c5a20b397b67cd93e2b588a8245742580ddbbbc/ghidriff-0.7.1.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2024-04-30 17:53:54",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "clearbluejar",
    "github_project": "ghidriff",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "lcname": "ghidriff"
}
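Both walkthroughs in the README above (the ntoskrnl.exe run and the CVE-2023-21768 `AFD.sys` steps) start by fetching executables from the Microsoft symbol server with `wget`, where the path component between the two copies of the file name (`0C5C6994A8000`, `50989142A9000`) is the lookup key. For executables (PDBs use GUID+age instead) that key is the COFF header's TimeDateStamp as eight uppercase hex digits followed by SizeOfImage as unpadded uppercase hex. The script below is an added example, not part of ghidriff or its README: it computes the key from a PE file's headers, builds the symbol-server URL for a binary you already have, and checks that a file you downloaded actually belongs to the build its URL named before you commit roughly twenty minutes of Ghidra analysis per binary (the timings in the console log above). `build_minimal_pe` is a constructed, headers-only fake image used as sample input; `SYMBOL_SERVER`, the function names and the `pe_symkey.py` file name are this example's own choices.

```python
"""Compute the Microsoft symbol-server lookup key of a PE image.

Added example for the wget steps in the README above; not ghidriff code.
"""
import struct
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Base URL used by the wget commands in the README.
SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def pe_symbol_key(data: bytes) -> str:
    """Return the symbol-server key for an executable image (not a PDB).

    Key = COFF TimeDateStamp as 8 uppercase hex digits + SizeOfImage as
    unpadded uppercase hex, e.g. '0C5C6994A8000' in the afd.sys URL above.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) ...
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # SizeOfImage is at offset 56 of the optional header for both
    # PE32 (magic 0x10B) and PE32+ (magic 0x20B).
    if magic not in (0x10B, 0x20B) or opt_size < 60:
        raise ValueError(f"unexpected optional header (magic {magic:#x})")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return f"{timestamp:08X}{size_of_image:X}"


def symbol_server_url(filename: str, data: bytes, base: str = SYMBOL_SERVER) -> str:
    """Build the .../<name>/<key>/<name> URL shape the wget commands use."""
    return f"{base}/{filename}/{pe_symbol_key(data)}/{filename}"


def key_matches_url(data: bytes, url: str) -> bool:
    """True when the key in a symbol-server URL path matches the file's headers.

    Run this on a downloaded file before diffing: a mismatch means the bytes
    on disk are not the build the URL named (truncated download, wrong key).
    """
    parts = urlsplit(url).path.rstrip("/").split("/")
    if len(parts) < 3 or parts[-1].lower() != parts[-3].lower():
        return False
    return parts[-2].upper() == pe_symbol_key(data)


def build_minimal_pe(timestamp: int, size_of_image: int, pe32plus: bool = True) -> bytes:
    """Constructed sample input: a headers-only (non-loadable) PE image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0,
                       timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # usage: python pe_symkey.py <pe-file> [url-it-was-fetched-from]
    path = Path(sys.argv[1])
    blob = path.read_bytes()
    print(symbol_server_url(path.name, blob))
    if len(sys.argv) > 2:
        ok = key_matches_url(blob, sys.argv[2])
        print("key matches URL" if ok else "KEY MISMATCH: wrong build?")
        sys.exit(0 if ok else 1)
```

Run it as `python pe_symkey.py afd.sys.x64.10.0.22621.1028 https://msdl.microsoft.com/download/symbols/afd.sys/0C5C6994A8000/afd.sys`; a non-zero exit means the file on disk is not the build the URL named. The key is a lookup identifier, not an integrity check: if provenance matters, verify the Authenticode signature on the downloaded binary as well.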
        